The next 12 months will see major developments in the arms race between cyber attackers and security defenders as they continue to try to stay ahead of each other. Much of the cyber battle will revolve around the creation of new malware and defensive technology, but one of the defining factors of 2018 will be the increased use of advanced social engineering. As high-level techniques begin to trickle down through the criminal community, I anticipate a smarter use of available data and deceptive tactics designed to trick targets and evade security measures.
Increased Use of Multi-Factor Social Engineering
Criminals have discovered the immense power of social engineering-based email attacks, which have become one of the most prominent types of cyber threats to many organisations. However, research suggests that current social engineering methods are nowhere near as effective as they could be.
Recent developments suggest an impending watershed moment among Internet criminals, in which their yields can be doubled by use of sophisticated multi-factor social engineering techniques. One example involves the use of legitimate functionality or infrastructure – such as traditional password reset – in combination with deceptive email messages. By sending a reset code to an intended victim, then immediately following up with a deceptive email request for that code, criminals are able to harvest reset codes on a significantly larger scale. This gives them direct access to user accounts without setting off alarm bells by requesting that the intended victim enter a password.
In another example, phishers who recognise that many of their emails are being delivered to the spam folder (e.g., due to having suspect URLs) may send innocuous-looking messages warning the recipients that their spam filter needs retraining, suggesting that important warnings have been mistakenly placed in the spam folder. This entices intended victims to look in their spam folders and move messages indicated by the attacker to their inbox. A user who does that will be very likely to read the email and take action.
Over the next year or two, we believe a growing number of criminals will “tweak” their strategies to include more multi-factor social engineering such as these in an effort to improve their chances of success, as well as their total financial yields.
Consolidation and Resale of Data Breach Results
While we haven’t yet seen criminals consolidating data from different breaches before re-selling it, it’s an obvious concern in the future as the value-add of this type of data “packaging” would be substantial. When this type of consolidated breach data eventually hits the black market–and this is only a matter of criminal initiative, as all the data is out there – then new and more targeted attacks will be enabled on a much larger scale.
For example, consider a breach where names and social security numbers were compromised, and then a separate breach in which names, email addresses and passwords were stolen. By combining these two data sources, the criminal would be able to find some set of users for whom the criminal would now know all this information. By automatically searching for emails from banks in an intended victim’s email boxes, the criminal would be able to identify and contact the victim’s bank and, posing as the victim, gain direct access to the bank account. The criminal can then add himself as a co-signer and obtain an ATM card, then deposit one or more forged checks and withdraw the corresponding amounts before the checks eventually bounce. This would be the liability of the account owner, unless picked up by the financial institution.
Moving forward, we must be ready to withstand this type of threat. This comes down to having security defences that do not rely to any extent on the caution of the end user, but which identify and address deception in an automated way. While such systems exist today, the extent to which they are deployed is still very limited.
Impending Demise of “Less-Secure” 2FA
Many organisations currently use SMS-based second-factor authentication (2FA) due to the simplicity of enrolment and ease of use. However, new social engineering attacks, technical weaknesses and the rarely discussed problem of friendly fraud have helped expose the risks: when an attacker gets hold of the “secret code” sent by a service provider, they have full access to the associated account. In fact, traditional security methods used to detect intrusions are notably absent when the account is accessed using 2FA. The reason is that when an anomaly is detected for password-based access, the service provider asks the account owner to prove their identity using 2FA … but they don’t have a good approach to fall back on when there is a suspected problem for 2FA-based access.
In 2018, we believe service providers will begin to abandon SMS-based 2FA and instead, use 2FA applications, which require some form of authentication to open the app, e.g. biometric user authentication. For example, users will need to put their finger on the phone’s fingerprint reader, and only then get the code to unlock whatever accounts they have been locked out of.
Exploiting the human factor
In 2018 and beyond, organisations will need to be prepared for their employees to come under attack from increasingly advanced deceptive techniques designed to prey on the psyche and exploit gaps in traditional security measures. Social engineering attacks are too varied and subtle to expect individual users to protect themselves, so the priority must be for organisations to prevent these attacks from reaching them in the first place.