Social engineering

The social side of hacking

casey pechan / 08.15.17

Perhaps one of the most devious forms of phishing is social engineering, or the gleaning of critical information about individuals or organizations through social media, email, or other social interactions. In fact, the most recent global cyber infections – WannaCry and NotPetya were initially spread in this way.

Take for example the infamous Mia Ash, a British female photographer (according to her Facebook and LinkedIn), whose account had been targeting several employees at a Middle Eastern company for over a month. The goal was to gain the employees’ trust, eventually prompting them to open a malicious email while on their office network.

Mia Ash is a unique case. It’s rare to find a hacker willing to spend so much time playing the long game in order to gain the trust of so many employees at one company, but social engineering itself is widespread.

Hackers looking to gain insight into companies or individuals can easily create a fake LinkedIn, Facebook, or Twitter account, using these profiles to gain the trust of a victim. That’s why now more than ever, it’s critical to train employees to recognize these attacks and the many forms they take. A LinkedIn request sent by an individual with no mutual connections to a user, and no in-person previous connections through prior employment, could easily be an imposter looking to gain insight through a professional platform.

And as the security team at Tesla can tell you, not all attacks are as direct as you might think. Remember when the Tesla website and Twitter accounts were hacked in 2015? The hacker promised a free Tesla to anyone who would follow certain Twitter accounts and call the phone number provided. The attackers gained access through the social engineering of AT&T and Network Solutions employees.

The best way to prevent a social engineering attack is education and vigilance. Employees should be taught how to recognize the signs of a fake account, and be wary of striking up a conversation with individuals who have no prior connection to them.

See below for some tried and true tips to stay safe!

  • Do not open emails that aren’t from a trusted source
  • Do not provide company information or details about your job to people you do not know
  • Read your company’s security policy and understand what constitutes as private information and intellectual property