Although social engineering protection isn’t the most glamorous component of network and information security, you have to protect your vulnerabilities or lose. This means that anyone considering a cybersecurity career should be ready to train employees on organization-wide defense strategies against social engineering attacks.
Possibly dating back to the first Trojan Horse, social engineering is the earliest form of attack against information systems. Perhaps Odysseus was the first hacker to exploit social engineering to get around security measures.
He was not, however, the last.
According to Computer Weekly, social engineering assaults were the most widely utilized hacking method in 2015. And there are no signs that it will slow down; in 2016, 60 percent of businesses fell victim to some social engineering attack. And according to EMC, phishing attacks—the simplest and most popular kind of social engineering attacks—led to losses of close to $6 billion in 2013, dispersed among roughly 450,000 distinct intrusions.
Some were more painful than others, but each had a significant enough impact to cause security managers to reevaluate their respect for the vector, look closely at their processes, and prioritize staff training.
5 Most Successful Social Engineering Attacks
2013 Target Third-Party Breach
The retail king’s disruptive 2013 cyberattack hit customers who used Target credit cards an unprecedented 41 million times. According to USAToday, a further investigation revealed that 60 million additional Target consumers without store credit cards were also impacted. Bad actors used malware to get credit card holders’ names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other personal information.
Investigators were able to link the security flaws from a third-party provider that hackers had infiltrated to the leak of client data. The cybercriminals then utilized the third party’s login information to access Target’s computer systems.
Target agreed to pay up to $10,000 to consumers who suffered damages due to the data breach, paying out a total of $18.5 million in the settlement after the two-year class-action lawsuit settlement was finished in 2015. A costly omission for the business’s earnings and brand image.
Lesson Acquired
Many large enterprises collaborate with outside firms to manage and provide tools. You must check the people that manage your data for weaknesses in addition to your own company’s security rules and measures regarding cybersecurity.
Ask to analyze the company’s present security policies and processes when beginning a new partnership with a vendor or partner, and have a reputable security expert evaluate their risk appetite. To ensure that long-term third-party suppliers stay current with changing cyber hazards, this is a great habit to submit each year.
Scam 2020 Twitter Bitcoin
The Twitter Bitcoin fraud, one of the year’s most recent cyberattacks, shows that even the biggest social media platforms are not immune to data thefts.
Famous Twitter users with the reputable blue verification checkmark tweeted their followers a “double your Bitcoin” offer, promising to double any donations made through a specific URL. Affected Twitter accounts included well-known figures, stars, and household names, including former US President Barack Obama, media mogul Mike Bloomberg, tech pioneers Apple, and others. The unscrupulous actors got hundreds of donations in only a few minutes, totaling over $100K in Bitcoin, according to The BBC, because the targeted accounts had millions of followers.
But how did fraudsters access the accounts of many well-known people in one fell swoop? Via several carefully planned social engineering assaults. Employees of Twitter were deceived by malicious actors and infected with malware. They then navigated Twitter’s internal infrastructure to get administrative access to many verified users’ passwords.
Lesson Learned
Employees at Twitter were the firm’s biggest vulnerability, falling for social engineering scams that gave the bad guys a backdoor into extremely private login information. Spend time learning how social engineers deceive employees and teach your team the signs of social engineering.
Since the attack, Twitter has vowed to strengthen several critical vulnerabilities, with a strong emphasis on enhancing their detection and monitoring capabilities, access management procedures, and authentication systems, among other things. The link above is worth reading to learn more about these improvements.
2014 Sony Pictures Phish
Following the release of the new film “The Interview,” Sony Pictures Entertainment finds itself in the sights of the North Korean authorities. The Sony movie, which featured a comic scenario involving the killing of North Korean leader Kim Jong Un, outraged North Koreans, making the movie studio a deliberate target in a social engineering ploy.
Bad actors impersonating Apple sent phishing emails to Sony executives requesting them to confirm their Apple IDs. The cybercriminals got all they needed once the staff members used the spoofed link to the fake verification page and submitted their credentials. The fact that one executive used the same password for both his Apple ID and his Sony account gave hackers everything they needed to break into the network of the business.
According to The Washington Post, the criminals broke into Sony’s computer systems and grabbed sensitive information before leaking it online. This information included specifics on recent movie projects and individual employee information.
Lesson Learned
Controversial material can be upsetting to some viewers. Sony made themselves a good target for retaliation by failing to consider how a comedy about a foreign nation might be received. Keep your audience’s reactions in mind while releasing fresh material. If neutrality is difficult to establish, do a risk analysis to compare the dangers of a daring launch.
The second lesson comes from consideration of the highly focused phishing scam that deceived Sony’s executive team. We advise making it mandatory for executives, not just workers, to undergo in-depth security awareness training and social engineering strength testing to increase their comprehension of deceptive deceptions and hacking methods employed by hostile actors.
2016 US Presidential Election Email Leak
The Democratic campaign’s email dump, which caused internet panic, was one of the biggest breaches of the decade.
Russian cybercriminals impersonating Google sent several spear phishing emails notifying recipients of suspicious behavior on their Google accounts to various members of The Democratic National Convention’s network. The social engineering email shortened the link using a Bitly URL, concealing its actual redirect path.
When the shortened link was clicked, a page requesting password changes appeared. Cybercriminals gained full access to targets’ Google accounts, including their Gmail accounts, after targets clicked the spoofed link and entered their login information. This allowed them to scrub thousands of emails containing sensitive information about Democratic candidate Hilary Clinton’s campaign.
Lesson Learned
Avoid clicking on shortened URL links even if you know the importance of doing so. You can’t see where a URL is being redirected to using shortened links, like those made by sites like Bitly, which raises your chance of contracting malware. Since the URL cannot be examined, shortened URLs cannot also be banned by a firewall.
A trustworthy business will hardly ever send you a shortened URL, so if you encounter a Bitly link, continue with caution, as it can be a malware trap.
2013 Yahoo Customer Account Breach
In a social engineering attack a few years ago, Yahoo had compromised every one of its users’ accounts. A staggering three billion customers’ Yahoo login information was made public, and some of it was sold on the dark web to launch more assaults on people who had already been hacked. This is frequently regarded as one of the worst cyberattacks of the 2000s due to the scope and exposure of the data.
Phishing schemes are widespread and do significant harm. Upon clicking on a phishing email, a high-privilege engineer made a mistake that led to the attack. Observing a pattern with these best hacks of the decade thus far?
Yahoo understated the number of accounts compromised, citing only 500 million affected, making this attack worse. The entire scope of the exploit, which essentially affected everyone who had an account at the time of the attack, wasn’t made public for another four years. It was too late to shield the impacted users from the potential effects of the breach.