What damage does social engineering really cause anyway?

Sometimes in the tech field, we can get so caught up in “what’s new” that we lose sight of the importance of “what’s practical.” The coolest new digital hacks are interesting but when it comes to information security, longevity and popularity of attacks relevant to your industry are what awareness campaigns are built on. The massive amounts of financial damage caused by social engineering attack vectors is hard to grasp because there is no before and after image of a bank vault being emptied. The lack of tangible and easy to see stacks-of-money to show the various types of loss generated from such attacks (loss of confidence, loss of market shares, cost of litigation, etc) makes it easier to focus on the flashy news headlines without understanding the sheer size of the damage caused by SE tactics.

It all comes down to the fact that SE is simple and it works, which means that criminals, hacktivists, and even state-sponsored groups are all more than happy to exploit this vector to get their foot in the door of your organization. To give you that concrete picture in your mind we’ve put together a list of some of the hacks in 2014 made possible by use of social tactics like phishing, vishing, and impersonation:

• Physical damage to German steelworks: spear-phishing and other social tactics initiated a hack which tampered with a blast furnace leading to an uncontrolled shut-down and a great deal of physical damage to the plant.  To further complicate things, the controls for the blast furnace weren’t even directly connected to the internet.
• The entire mess that is the Sony-hack likely began with social engineering against key employees.
• Insider attacks are often carried out using SE tactics, such as the breach that occured when AT&T records were accessed and released.
• There are several articles linking the use of social engineering tactics like phishing to initiate hacks against such companies as Target, Home Depot, and J.P. Morgan, leading to physical and financial losses for these brand-name companies.
• The iCloud hack used SE information gathering tactics to build databases which were then used in brute-force attacks on celebrity accounts resulting in the theft of *ahem* private photos and videos. (not all publicity is good publicity!)
• One advanced persistent threat used phishing to steal millions from various banks (mostly in Russia) but also targeted US-based credit-card information and data for insider-trading on the US stock market.
• Experian was breached when a man impersonated a private investigator and talked his way into access at one of Experian’s subsidiaries.
• eBay employees were manipulated into giving their credentials to attackers which ended up compromising 145 million user accounts.
• In an example of knowing the value of “benign” information, the attackers who hacked JP Morgan Chase likely exploited a simple list they found of the various applications run on the company’s servers.

The damage caused by these compromises was direct financial losses to companies’ bank accounts, financial losses in terms of trust and business lost, financial losses in the form of paying for identity/credit protection for employees or customers whose records were stolen, physical damage to industrial equipment, physical damage to hardware and digital architecture, psychological losses in the form of trust lost or embarrassment to individuals or companies… the list could go on, but I think you get the point.

In looking through these hacks, three things stand out in particular. First, general SE attacks like mass phishing campaigns are still working well enough to get past technical walls designed to keep them out. Second, SE attacks are getting more personal through sophisticated spear-phishing attacks which target people based on OSI and/or vishing. And lastly, social engineering appears to be the preferred method of malicious attackers as the first step to gaining access to your organization. Because of this, more and more pentesters are incorporating SE into their security audits or pentesting, and a variety of products exist to help pentesters understand and exploit these vulnerabilities. In addition, more companies are seeing the need for not only this kind of real-world testing but also realistic policies to keep the SE attack-door closed (or at least monitored).

It’s a new year and yes, there will be new hacks discovered, but the classic reliability of SE as the method for initiating a hack isn’t going anywhere. Given all that, as far as New Year’s resolutions go, you can’t go wrong with brushing up on the principles of influence and tactics of elicitation found right here on Social-Engineer.org. You can download the podcasts and listen to them as you head into work, sign up for the Newsletter to be delivered right to your in-box, or use the nifty search function on this site to find specific SE topics in the Framework or a blog post. Make a resolution to get involved and learn more through our LinkedIn group or Twitter feed. Be part of the conversation and part of the solution in 2015. We look forward to hearing from you.