It’s easy to assume that the future of cyber security will be set by the ability to discover and defend against advanced new malware. After all, one of the defining features of 2017’s cyber landscape was the huge WannaCry and NotPetya attacks, which racked up billions in costs after grinding organisations around the world to a halt. Both attacks used the EternalBlue SMB exploit from a stolen NSA cache of vulnerabilities, leading to fears that we can expect an increase in attacks using advanced, previously unknown exploits.
More important than any individual exploit discovery or malware development, however, will be the increasing ability of attackers to deceive their victims. Advanced social engineering techniques that were previously limited to more sophisticated attackers are becoming more common, and businesses will have to adapt to deal with several new deceptive tactics in the next few years.
Using existing data for smarter targeted attacks
We have seen so many large-scale data breaches in recent years that the chances are most people have had at least some of their data stolen. The Equifax breach alone involved the theft of records for more than 145 million people, while the more recently reported breach of analytics firm Alteryx saw data from 123 million households stolen.
With such vast amounts of data now available to criminals, we will inevitably see them begin to consolidate information from different breaches to create even more powerful targeted attacks, and on a larger scale.
For example, consider a breach where names and social security numbers were compromised, and then a separate breach in which names, email addresses and passwords were stolen. By combining these two data sources, the criminal would be able to find some set of users for whom they would now know all this information. By automatically searching for emails from banks in an intended victim’s email box, the criminal would be able to identify and contact the victim’s bank and, posing as the victim using name and social security number, gain direct access to the bank account. The criminal can then add himself as a co-signer and obtain an ATM card, then deposit one or more forged checks and withdraw the corresponding amounts before the checks eventually bounce. This would be the liability of the account owner, unless picked up by the financial institution.
Deploying multifactor social engineering
Alongside using data to craft more believable targeted email attacks, I also anticipate criminals improving their social engineering attacks by taking advantage of multi-factor systems that are ironically intended to provide more security. For example, attackers can exploit the password-reset feature offered by most services by triggering a reset code to an intended victim, then immediately following up with a deceptive email asking for that code. This approach enables criminals to harvest reset codes on a significantly larger scale, granting direct access to user accounts without setting off alarm bells.
Another approach could see phishers taking advantage of the standard email spam folder. They could send a message warning the victim that the spam filter needs retraining, and that important warning emails have been placed in the spam folder by mistake. The victim will then naturally check the spam folder, move the apparent emails back into the main inbox and, of course, read them, potentially falling for the deceptive attack.
We believe a growing number of criminals will start to integrate techniques such as these into their strategies in an effort to sidestep improved security measures and increase their success rates.
The end of “less-secure 2FA?”
Other multifactor security measures are also ripe for misuse by criminals, particularly the SMS-based two-factor authentication (2FA) currently used by many organisations. SMS has long been a favourite verification method for many services, but new social engineering attacks, technical weaknesses and the rarely discussed problem of friendly fraud have made the process much less secure than most organisations realise.
If an attacker gets hold of the “secret code” sent by a service provider, he has full access to the associated account. In fact, traditional security methods used to detect intrusions are notably absent when the account is accessed using 2FA. There are currently few reliable fall-back plans for security verification if 2FA-based access is compromised.
As a result, I believe we will see SMS-based 2FA starting to be abandoned over the next year in favour of more secure measures. 2FA applications which require some form of authentication to open the app, e.g. biometric user authentication, will take the place of SMS and become more prominent. If a user needs to put her finger on the phone’s fingerprint reader to get the unlock code, it will be far more difficult for criminals to exploit the system and gain access.
Unmasking the deception
While there are many different deceptive techniques deployed by criminals to reach their targets, they are all united by the use of what appear to be trusted identities and authorities. Phishing and business email compromise (BEC) attacks impersonate a known identity – whether it’s a friend, colleague, boss, consumer brand or governmental body – to trick their victims into action. Likewise, more recent attacks taking advantage of multifactor verification play on the user obeying messages that appear to come from their email system itself. Once that trust has been gained, the victim will lower her guard and is more likely to comply with the message, even though requests like entering personal details or arranging payments should be suspicious.
Relying on users to spot these attacks themselves has always been a risky proposition, but it will become even less tenable as attackers use contextual data to craft more convincing social engineering attacks and take advantage of trusted verification systems. To catch everything, a worker would need to spend all her time scrutinising each and every email for tell-tale signs – not the most productive use of her time. Many of these attacks are also coupled with strategies designed to fool traditional email security measures by avoiding malicious attachments and keywords.
To counter these threats, organisations will need to equip themselves with the ability to identify fraudulent messages through other means, such as by detecting mismatched display names and email addresses. By spotting these signs, organisations can identify and stop even the most well-crafted deceptive email before it ever reaches its intended target.
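As an added example (not Agari's code and not part of the original article), the following Python check implements the display-name/address mismatch detection described above. The trusted-sender directory and the sample headers are constructed for illustration.

```python
"""Flag display-name impersonation in an email From: header.

Added example, not Agari's code. The detection idea is the one from the
article: a display name that claims a known identity (a colleague, a bank)
while the actual address does not match what that identity normally uses.
"""
import re
from email.utils import parseaddr

# Constructed directory of trusted senders: normalised display name -> addresses.
# In practice this would be built from the organisation's address book.
KNOWN_SENDERS = {
    "jane doe": {"jane.doe@example.com"},
    "example bank": {"alerts@example-bank.com"},
}

# Matches an email address embedded in the display name itself.
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

REASON_NAME_DOMAIN = "display name shows an address at another domain"
REASON_KNOWN_NAME = "known display name with unexpected address"


def normalise(name):
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def check_from_header(header):
    """Return ('suspicious', reason) or ('ok', '') for a raw From: header value."""
    display, addr = parseaddr(header)
    addr = addr.lower()
    addr_domain = addr.rsplit("@", 1)[-1]
    name = normalise(display)

    # 1. The display name looks like an address, e.g. "jane.doe@example.com",
    #    but the real sending address lives at a different domain.
    m = EMAIL_IN_NAME.search(name)
    if m and m.group(0).rsplit("@", 1)[-1] != addr_domain:
        return ("suspicious", REASON_NAME_DOMAIN)

    # 2. The display name contains a trusted identity (substring match covers
    #    "Example Bank Security Team") but the address is not one we know.
    for trusted_name, addresses in KNOWN_SENDERS.items():
        if trusted_name in name and addr not in addresses:
            return ("suspicious", REASON_KNOWN_NAME)

    return ("ok", "")
```

A mail gateway would run this on every inbound message before delivery, quarantining or tagging anything that returns "suspicious".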
Dr Markus Jakobsson, Chief Scientist, Agari