The recent security events at RSA and Epsilon have raised once again the question of social engineering attacks against enterprises. RSA employees were targeted by an email titled “2011 Recruitment Plan.” The subject seemed relevant and interesting enough for the targeted employees to open it. This email included an attachment that exploited a Flash vulnerability in order to install malware on the employee's computer. This is the entire essence of social engineering - how cyber criminals trick users into voluntarily doing something they really shouldn't.
The recent massive data leak from email service provider Epsilon will result in more employees being exposed to such attacks. At Trusteer, we have been monitoring social engineering attacks for some time and consider this method one of the most effective tools available to criminals. In a recent blog we discussed how cyber criminals can use Google Alerts to place malware on a user’s computer. Today, I'd like to share with you the results of a new research project we conducted into social engineering attacks and whether user education would defend against them.
While many experts believe that social engineering attacks can be defeated using proper user education, our research has shown otherwise. We have found that a carefully crafted attack will fool most educated users.
As a security best practice, users are told that if something looks too good to be true, uncommon, unlikely, or calls for immediate action then it's most likely an attack. For example, phishing emails that encourage a user to click on a link in order to unblock their bank account meet most of these criteria - it's unlikely for a bank to contact customers this way, and it calls for immediate action. Similarly an email from the tax authorities about a pending refund is probably too good to be true and unlikely to happen over email. These types of attacks can be explained to users and most likely avoided. Of course, in large populations some users will still fall for these attacks regardless of how much effort is put into education. The tools that organizations have to train their customers are not effective enough to reach all customers and convey the message in a way that all customers understand.
But what if the attack email is commonplace, likely, doesn't call for immediate action, and isn't too good to be true? Most users today get updates from social networking websites such as Facebook, Twitter, and LinkedIn. These updates arrive on an almost daily basis and are reviewed by users. All these social networking websites include links, and usually many links, in their email communication, and it's very common for users to click on these links. We know that fraudsters actively use fake messages from social network websites in order to place malware on victims' computers. But how easy is it to create an effective attack and how likely are educated users to actually fall for this attack? This is the question our research was designed to answer.
We decided to focus on LinkedIn, even though we could have equally chosen Facebook or any other social networking website. We picked a population of 100 users - these are people we know - friends and family and estimated to be fairly educated about security. We asked their permission to take part in a security experiment that would not in any way put them at risk. However, we didn't tell them what we were testing and how.
First, we created a new identity on LinkedIn for the purposes of this study. Next, through very simple data mining techniques we were able to gather information about our targets – specifically their list of connections and their connections' LinkedIn profiles.
Since LinkedIn sends an alert when one of your connections has a new job, we decided to use this update method to create a fraudulent email. For each one of our targets we crafted a fictitious new job alert. We chose one of their LinkedIn connections, and announced that this person was now working for a company that directly competes with our victim's company. We included a big button "View [friend's name] new Title" - just like LinkedIn does in these alerts. And we also included the friend's photo, just like LinkedIn does. Clicking on the button redirects the victim to a different website, not LinkedIn. The website we used was innocuous, but it was a placeholder for a potentially malicious website that places malware on the victim's computer.
We released this email to all 100 subjects on the same day – a Tuesday morning – and monitored who clicked the link and reached our landing page.
41 subjects reached our landing page within 24 hours.
52 subjects reached our landing page within 48 hours.
68 subjects reached our landing page within 7 days.
The total time we invested in this project in building the attack was 17 hours.
We approached the 32 subjects who didn't reach our landing page and asked why they didn't click on the link. Sixteen said they hadn't seen this email (it probably went into their spam folder). Seven said they usually don't read LinkedIn updates. Nine said that the update was not interesting enough for them to click the link.
This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computers. Education is always recommended and can certainly help, but in this case education did not prevent the attack. As we learned, cyber criminals have access to the information needed to create fraudulent emails that can fly under the suspicion radar of even the most security savvy users.
The solution to this problem must be based on technology and probably using more than one method. Based on these findings, we strongly recommend that organizations re-evaluate their approach to targeted attacks since they represent, as we witnessed in recent breaches, the most dangerous type of threat to their business. One of the options for protecting against Zero-day attacks used in social engineering schemes is of course Trusteer Rapport, which prevents redirection to malicious websites and blocks sophisticated malware from stealing sensitive corporate information entered and presented in web browser sessions.
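One of the technology-based checks that would have caught the email used in this experiment is a mail-gateway rule that compares the brand a message claims to come from with the domains its links actually point to. The following is an added example, not Trusteer's code or any product's; the brand-to-domain allow-list, the sample message and the regex-based link extraction are assumptions for illustration, and the registrable-domain comparison also catches look-alike subdomains such as linkedin.com.example.net.

```python
import re
from email import policy
from email.parser import Parser
from urllib.parse import urlparse

# Assumed allow-list: brands that send notification mail and the domains
# their genuine links use. Illustrative only, not a complete list.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "facebook": {"facebook.com", "fb.com"},
    "twitter": {"twitter.com", "t.co"},
}

# Simple href extractor; a real gateway would use an HTML parser.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def registrable(host):
    """Crude eTLD+1 (last two labels), enough for the brand domains above."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def claimed_brands(msg):
    """Brands the message claims to be from, judged by From and Subject."""
    text = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    return {b for b in BRAND_DOMAINS if b in text}

def off_brand_links(raw_message):
    """Return (claimed_brands, links whose domain belongs to none of them).
    An empty link list means no brand/link mismatch was found."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    brands = claimed_brands(msg)
    if not brands:
        return brands, []
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    bad = []
    for url in HREF_RE.findall(html):
        host = urlparse(url).hostname
        if host and registrable(host) not in allowed:
            bad.append(url)
    return brands, bad

# Constructed sample modelled on the fake "new job" alert described above;
# the From header is forged and the button leads off LinkedIn.
SAMPLE = """From: LinkedIn Updates <updates@linkedin.com>
Subject: Your connection has a new job
Content-Type: text/html; charset=utf-8

<p>Jane Doe is now Product Lead at a new company.</p>
<a href="http://example.net/landing">View Jane's new Title</a>
"""

if __name__ == "__main__":
    print(off_brand_links(SAMPLE))
```

A hit from this check is a reason to quarantine or rewrite the link, not proof of malice on its own, since legitimate notifications sometimes use tracking domains that would need adding to the allow-list.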