Beyond Phishing: A Maze of Deception — Exploring New Frontiers in Social Engineering
Phishing may be the tried-and-true weapon in the social engineering arsenal, but cybercriminals constantly innovate, weaving intricate webs of deception to trap unsuspecting victims. Gone are the days of clunky emails with misspelled words and apparent giveaways. We’re entering a new era of sophisticated manipulation, where the line between reality and fabrication blurs into a dangerous grey area. AI has contributed a lot to this, and since the mainstream release of ChatGPT in November 2022, the game has changed forever.
This article dives into the murky depths of the evolving social engineering landscape, unmasking some of the most potent and unsettling tactics currently employed by attackers. We’ll explore:
- Deepfakes: The rise of AI-powered “deepfakes” allows attackers to fabricate realistic videos and audio recordings, manipulating the voices and appearances of trusted individuals like CEOs, colleagues, or family members. Imagine receiving a seemingly genuine video call from your CEO requesting urgent financial transactions or a voice message from your parent needing immediate financial assistance — the emotional impact and potential for manipulation are immense. A very recent incident that went through the news was the Deepfake porn images of Taylor Swift, which is yet another side to the story. I give you an example link here but many other resources discussed it:
- Voice phishing (Vishing): While phishing emails were the scourge of yesteryear, vishing leverages phone calls and voice technology to impersonate legitimate individuals or organizations. Attackers utilize spoofing techniques to display fake caller IDs and employ AI-powered voice generators to mimic voices with uncanny accuracy. This can particularly effectively target older adults or those accustomed to phone-based communication. Many solutions offer this service; https://murf.ai/ is just one to look at to know what you are up against.
- Spear Phishing 2.0: Gone are the days of generic spam emails targeting broad demographics. While Speak Phishing has been around for a long time, today’s spear phishing campaigns are very different. They are crafted and personalized attacks customized to exploit specific individuals or groups. Attackers gather information from social media, data breaches, and even employee directories to craft hyper-realistic scenarios that prey on individual vulnerabilities, financial situations, or professional anxieties.
- Smishing: SMS phishing (smishing) exploits the prevalence of mobile technology, delivering malicious links and deceptive messages masquerading as legitimate offers, bank alerts, or delivery updates. Smishing often combines urgency with the inherent trust in text messages, increasing the potential for victim interaction and compromise. While many Carriers have moved to block clickable links in SMS messages, this is still a threat we see frequently, and contraryary to popular belief, SMS is not dead. Here a sample message recieved just 2 minutes ago on my own number
- Pretexting: This classic social engineering technique uses elaborate storylines and fabricated scenarios to manipulate victims into divulging sensitive information or granting access to systems. Attackers might pose as tech support, legal representatives, or debt collectors, weaving a believable narrative to gain the victim’s trust and exploit their emotional state.
- Baiting: Offering seemingly irresistible freebies or exclusive deals through social media posts, pop-up ads, or text messages, baiting lures victims into clicking malicious links or downloading infected files. The promise of free software, exclusive discounts, or early product access can cloud judgment and lead to accidental compromise. Remember, if it sounds too good to be true, it is usually too good.
Recognizing the Red Flags:
So, how do we navigate this labyrinth of deception? Here are some crucial red flags to keep in mind:
- Unsolicited requests: Be wary of unexpected requests for money, personal information, or access to systems, especially from unverified sources. As the saying goes, never trust, always verify.
- Excessive urgency: Pressure tactics and time constraints are often hallmarks of social engineering attempts. We often see unusual urgency in phishing emails or other forms of social engineering, creating an environment of pressure where mistakes are more common. We often see that more sophisticated actors do long research to find patterns in a person’s activity to choose a time when stress and load are already high.
- Too good to be true offers: If something seems too good to be true, it probably is. Be skeptical of unbelievable deals and unexpected windfalls. That goes for any offer, supposed winnings, job opportunities, or anything that sounds like a once-in-a-lifetime chance that might never come again.
- Suspicious links and attachments: Never click on suspicious links or open unknown attachments, regardless of the sender or apparent urgency. I know that this is something cumbersome, but always try to verify links and use websites like VirusTotal to possibly check attachments if you are not using a browser isolation tool (I like using KASM, which is pretty easy to set up and run yourself, though I know it is not practical for every user, it requires some technical knowledge, but many cheap or free alternatives out there offer some protections without the need for much skill)
Check out VirusTotal and use it for free to verify urls and attachments.
If you want to take the step and set up your own KASM environment, maybe this Video that I did some time ago will help you:
- Grammar and spelling errors: While not foolproof, glaring grammatical and typos can indicate phishing attempts. With the increased use of AI since late 2022, this is becoming less of an indicator as threat actors learn how to leverage that technology to eliminate such mistakes.
- Verification and cross-checking: Always verify the sender’s identity through independent channels before responding to requests or divulging information. This can include calling a known number of a person sending you an email you are suspicious about or looking up some company’s landline number and contacting themdirectly instead of using the number provided in the email.
- Multi-factor authentication: Implement multi-factor authentication wherever possible to add an extra layer of security. Of course, this is not a silver bullet either, but every additional layer of protection helps. Do not think that having MFA enabled makes you 100 percent safe; there are many ways for threat actors to bypass it, not to mention more sophisticated actors like nation-states, who indeed have ways of circumventing it that are not even public knowledge at this time. You can use tools like Authy, Google Authenticator, or Microsoft Authenticator, usually for free, with most services you use today. Personally, I do prefer Authy, but your mileage may vary.
Combating the Tide:
Beyond individual vigilance, organizations must bolster their defenses against evolving social engineering tactics. Here are some critical steps:
- Security awareness training: Regularly train employees on social engineering techniques and equip them with the knowledge to recognize and report suspicious activity. Why Regularly? As you can see here, techniques evolve, new trends surface, keep your users updated, and have a great ROI. I have written about the need for a security awareness program; you should check the following article.
- Phishing simulations: Conduct simulated phishing attacks to test employee awareness and identify vulnerabilities in your security posture. If you do not have the manpower and skillset in-house to maintain the platform or infrastructure, do this. In that case, another great option is to engage a third party to conduct phishing tests against your users, with the option to customize phishing templates and emails to see how well your awareness program works; for this, I can help you with a service we offer. Reach out to us for more information.
- Strict access control: Implement strict policies to limit access to sensitive information and systems. This should be a no-brainer but still is often not in place.
- Data security: Encrypt sensitive data and implement data loss prevention measures to minimize the potential for information breaches. Implementing Data Loss Protection tools is a great thing to do, even though, at times, it can be complex. Do not hesitate to engage a third party to help you get this done; it is critical to your cybersecurity strategy, and if it is not yet, it certainly should be.
- Threat intelligence: By leveraging threat intelligence resources, stay informed about the latest social engineering trends and tactics. There are many great products out there on the market for Cyber Threat Intelligence, but sadly, they usually come at a price. I recommend KELA from personal experience; refer to the link at the end of this paragraph. But I will also share a few other reasonable solutions that cover external threat landscape management, CTI, and many other aspects of this area of cybersecurity. I have also written a short article about the topic of Cyber Threat Intelligence and its importance in modern SOC Operations; you may want to check that out, too:
As promised, here are some links to CTI solutions
https://www.socradar.io/ — they offer a free tier, which is a great start if you do not have a budget for a fully-blown solution
A special mention would be FalconFeeds — they offer a free and professional tier at a very reasonable price that covers dark web monitoring and search, which is good for cybersecurity researchers.
Closing Thoughts:
As Bruce Schneier aptly said, “Security is a process, not a product.” Let’s embrace this ongoing process, stay vigilant, and work together to create a digital landscape where deception has no place. While social engineering threats will undoubtedly evolve, so will our collective defenses. By empowering ourselves with knowledge and taking proactive steps, we can build a brighter, more secure digital future.
If you or your organizations need help navigating the cybersecurity jungle, feel free to reach out to me, and I am happy to discuss options to assist you.