The statistics already show that social engineering is a very effective tactic, used against even the most secure organizations to gain access to the inside. But why is this still happening, especially to a large casino like MGM? Are security awareness programs for employees ineffective? Or are they just not being used and facilitated properly? Let’s talk about the issue at hand here: taking cyber security seriously.
First, let’s talk about what social engineering is, for those who are new here.
Social engineering is a form of manipulation (sometimes referred to as psychological manipulation) that cybercriminals and malicious individuals use to deceive, manipulate, or trick people into divulging confidential information, performing actions, or making security mistakes. Instead of relying on technical exploits, social engineering exploits human psychology and interactions to achieve its objectives. It’s a non-technical method of cyberattack that often involves deception, persuasion, and manipulation.
Below are some common forms of social engineering:
- Phishing: In phishing attacks, attackers send deceptive emails, messages, or websites that appear to be from legitimate sources, such as banks or trusted organizations. These messages typically contain links or attachments that, when clicked or opened, lead the victim to disclose sensitive information like login credentials, credit card numbers, or personal data.
- Spear Phishing: This is a more targeted form of phishing where the attacker customizes their messages to target specific individuals or organizations. They often gather information about their targets from social media or other sources to make their messages more convincing.
- Vishing: Vishing, short for “voice phishing,” involves attackers making phone calls to victims while posing as legitimate entities, such as tech support or government agencies. They use persuasive tactics to extract information or money from the victim.
- Pretexting: Pretexting involves creating a fabricated scenario or pretext to gain the trust of the victim. Attackers might pose as coworkers, contractors, or service providers and use a fake story to extract information or access to systems.
- Baiting: Baiting attacks entice victims to perform a specific action by promising something in return, such as downloading a free software application or clicking on a seemingly harmless link. These actions can lead to malware infections or data theft.
- Quid Pro Quo: In this type of social engineering, attackers offer a victim something in exchange for information or actions. For example, they might pose as IT support and offer to fix a computer issue in return for login credentials.
- Tailgating and Piggybacking: Physical security breaches are also a form of social engineering. Tailgating involves an attacker following an authorized person into a secure area, relying on their trust. Piggybacking is similar but involves asking for access directly.
- Impersonation: Attackers may impersonate a trusted individual or authority figure, such as a company executive or a law enforcement officer, to manipulate victims into providing information or cooperating.
Why attackers target certain organizations
Hackers target organizations for a variety of reasons, but three primary motivations stand out. The first and most pervasive is financial gain. Here, cybercriminals relentlessly seek opportunities to infiltrate organizations, aiming to compromise sensitive financial information such as credit card details, bank account credentials, or personal data. Once obtained, this data can be sold on underground markets, fueling the vast and lucrative cybercrime economy. Another financially motivated tactic is the ransomware attack, where hackers encrypt an organization’s data and then demand a ransom payment for the decryption key. This method exploits the urgency organizations feel to regain access to their critical data, and it can result in substantial financial losses. This was used in the MGM hack we’re talking about right now. MGM has yet to bring its systems back online since the attack on Monday, and has reportedly refused to pay the ransom.
Industrial espionage, the second primary motivation, comes into play when hackers target organizations with the intent of stealing intellectual property, trade secrets, or proprietary information. This activity is often driven by competing organizations looking to gain a competitive edge in the marketplace. They seek to undermine their rivals by obtaining valuable data that can provide insights into product development, market strategies, or technological innovations. Nation-states may also engage in industrial espionage as a means of bolstering their own economic interests or national security.
The third major motivation behind hacker targeting is hacktivism, which stems from political or ideological beliefs. In these cases, hackers use their skills to advance their convictions or protest against specific actions or policies. They may target organizations, government agencies, or individuals aligned with views contrary to their own, aiming to disrupt operations, deface websites, or steal sensitive information to expose perceived wrongdoing. These hacktivist-driven attacks can have significant social and political implications, making them a unique and potent form of cyberthreat.
How can these attack points be identified?
A properly planned penetration test, including social engineering activities, is a valuable tool for uncovering deficiencies in an organization’s defenses against social engineering attacks. Here are five common ways in which penetration testing can reveal vulnerabilities related to social engineering:
- Phishing and Spear Phishing Simulations: Penetration testers can conduct phishing simulations to assess how well employees recognize and respond to phishing emails or messages. By crafting convincing phishing emails and monitoring employee responses, testers can identify deficiencies in employee awareness and training programs. If a significant number of employees fall for these simulations, it indicates a need for improved training and awareness campaigns. Spear phishing tests, which target specific individuals or departments, highlight weaknesses in tailored social engineering attacks.
- Impersonation and Pretexting: Pen testers may impersonate trusted individuals, such as coworkers, contractors, or vendors, to gain access to sensitive information or systems. Successful impersonation attempts reveal deficiencies in identity verification processes and procedures, emphasizing the need for stronger authentication and verification protocols. Pretexting, where testers create fabricated scenarios to gain trust, can also expose vulnerabilities in how employees handle unusual requests or situations.
- Physical Intrusion Testing: Penetration testers can evaluate physical security measures by attempting to tailgate or gain unauthorized entry into secure areas. Any successful breaches reveal deficiencies in physical security controls and employee vigilance. This form of testing highlights the importance of secure access control systems, employee training, and visitor management procedures.
- Vishing (Voice Phishing) Testing: Penetration testers can conduct vishing (voice phishing) calls to employees, impersonating legitimate entities like tech support or management. Successful vishing attacks reveal deficiencies in employee training and in employees’ ability to identify and respond to suspicious phone calls. This testing underscores the need for employee awareness and training regarding phone-based social engineering threats. In the case of MGM, this was the main threat vector that was exploited. The attacker mentioned that it took only 10 minutes to find a help-desk employee on LinkedIn, conduct the social engineering, and gain access.
- Review of Policies, Procedures, and Incident Response: Pen testers can assess the organization’s security policies, procedures, and incident response capabilities related to social engineering threats. This evaluation identifies gaps in documentation, procedures that need updating to account for emerging threats, and areas where incident response teams may require additional training. It ensures that organizations are well-prepared to handle social engineering incidents effectively.
After conducting these tests, penetration testers provide detailed reports outlining their findings, including successful social engineering attempts and recommendations for mitigating vulnerabilities. These reports serve as valuable input for improving security measures, enhancing employee training, and implementing technical controls to strengthen the organization’s defenses against social engineering risks.
Current trends: social engineering is a top threat, and organizations have no reason not to take action now
Social engineering attacks have accounted for a significant portion of cybersecurity incidents in recent years. Phishing (email), in particular, has been the leading form of social engineering attack. According to industry reports and surveys, phishing attacks constitute a substantial portion of all cyberattacks, with estimates ranging from 70% to 90% of all successful data breaches originating from phishing.
Find a reputable penetration test company; do not go with a cheap, repetitive email-phishing company
A reputable penetration testing firm plays a critical role in helping organizations identify and mitigate vulnerabilities related to social engineering threats. Social engineering attacks exploit human psychology and behaviors, making them a prevalent and persistent cybersecurity risk. To effectively combat these threats, organizations often turn to penetration testers to simulate real-world social engineering attacks and assess their security defenses. Here’s how a reputable penetration testing firm is better than a low-cost high-volume phishing platform, and how it can more thoroughly address the social engineering element within an organization.
- Phishing Simulations: Penetration testers craft and execute phishing simulations to gauge the readiness of an organization’s employees to recognize and respond to phishing attempts. These simulations involve the creation of convincing phishing emails or messages, which are then sent to employees. The testers monitor employee responses, tracking how many individuals click on phishing links or download malicious attachments. A high success rate in these simulations highlights vulnerabilities in the organization’s security awareness and training programs. It provides tangible data on how well employees can distinguish between genuine and fraudulent communications. Based on the findings, organizations can tailor training and awareness campaigns to address identified weaknesses.
- Spear Phishing Testing: Going beyond general phishing simulations, penetration testers may conduct targeted spear phishing tests against specific individuals or departments within the organization. This approach mirrors the tactics used by real attackers who conduct thorough reconnaissance before launching social engineering attacks. By customizing phishing attempts to individual employees or departments, penetration testers assess the organization’s susceptibility to highly focused and tailored social engineering attacks. The results offer insights into areas that require additional training, security measures, or stricter access controls to defend against these sophisticated threats.
- Vishing (Voice Phishing) Testing: Penetration testers carry out vishing (voice phishing) assessments by making phone calls to employees while impersonating legitimate entities, such as tech support or management. These calls evaluate how well employees handle phone-based social engineering threats. Testers use persuasive tactics to extract information and to assess employees’ susceptibility to manipulation over the phone. Successful vishing attacks reveal deficiencies in employee training and in employees’ ability to recognize and respond appropriately to suspicious phone calls. Organizations can then implement targeted training and awareness programs to bolster defenses against voice-based social engineering attacks.
- Impersonation and Pretexting: To assess identity verification processes and an organization’s susceptibility to fabricated scenarios, penetration testers may impersonate trusted individuals, such as coworkers, contractors, or vendors. They may also employ pretexting, where they create fictitious situations to gain trust and obtain sensitive information or access to critical systems. Successful impersonation or pretexting attempts underscore the need for stronger authentication and verification protocols. Organizations can respond by revising their processes and procedures to enhance security in situations where social engineers might exploit trust and familiarity.
- Physical Intrusion Testing: While social engineering often targets digital vulnerabilities, physical security breaches remain a concern. Penetration testers can evaluate physical security measures by attempting to tailgate or gain unauthorized entry into secure areas within an organization. These tests highlight vulnerabilities in physical security controls, employee training, and visitor management procedures. By identifying weaknesses, organizations can strengthen their physical security measures and reinforce employee vigilance against unauthorized access.
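The help-desk vishing vector described in the MGM account above, and the identity-verification gaps that the impersonation and pretexting items in both lists call out, come down to one question: what does the help desk accept as proof of identity before resetting a password or MFA device? The Python below is an added example, not code from the original post or from Black Hat Pen-Test. It places a weak reset policy (caller knows the account name and answers knowledge questions) beside a hardened one (verification over a channel the help desk already holds), and tells the agent what is still missing before a request can be approved. The directory, usernames, phone numbers and request fields are all constructed for the example.

```python
"""Help-desk credential-reset gate: weak versus hardened verification.

Added example (not code from the original post or from Black Hat Pen-Test).
It models the control that vishing and impersonation tests probe: whether a
help desk will reset a password or MFA device on the strength of what the
caller says about themselves. Every name, record and request below is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed directory: what the help desk can look up independently of the caller.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "jdoe": {"phone_on_record": "+1-555-0100", "manager": "asmith"},
    "asmith": {"phone_on_record": "+1-555-0101", "manager": "ceo"},
}


@dataclass
class ResetRequest:
    """One help-desk request to reset a password or re-enrol an MFA device."""
    claimed_username: str
    channel: str                            # "inbound_call", "chat", "in_person"
    knowledge_checks_passed: bool           # caller answered employee-ID / DOB style questions
    callback_number: Optional[str] = None   # number the agent called back, if any
    manager_confirmed: bool = False         # manager reached via directory contact and confirmed
    caller_urgency: bool = False            # "locked out before a board meeting" style pressure


def weak_policy(req: ResetRequest) -> bool:
    """Approve if the caller names a real account and passes knowledge checks.

    This is the process a successful vishing test typically defeats: the
    'secret' answers are frequently recoverable from public profiles or earlier
    breaches, so the caller is proving knowledge, not identity.
    """
    return req.claimed_username in DIRECTORY and req.knowledge_checks_passed


def hardened_policy(req: ResetRequest) -> bool:
    """Approve only after verification over a channel the help desk already holds.

    Acceptable proofs: the requester appears in person, the agent calls back the
    number on record (not a number the caller supplied), or the manager listed
    in the directory confirms the request. Knowledge checks alone never suffice,
    and urgency never lowers the bar.
    """
    record = DIRECTORY.get(req.claimed_username)
    if record is None:
        return False
    if req.channel == "in_person":
        return True
    if req.callback_number is not None and req.callback_number == record["phone_on_record"]:
        return True
    return req.manager_confirmed


def required_steps(req: ResetRequest) -> List[str]:
    """Tell the agent what is still missing before the hardened policy can approve."""
    record = DIRECTORY.get(req.claimed_username)
    if record is None:
        return ["account not found in directory; do not proceed"]
    if hardened_policy(req):
        return []
    steps = [
        f"call back {record['phone_on_record']} (number on record, not caller-supplied)",
        f"or obtain confirmation from manager '{record['manager']}' via directory contact",
    ]
    if req.caller_urgency:
        steps.append("caller is applying time pressure; treat as a risk signal, not a reason to skip steps")
    return steps


def audit_line(req: ResetRequest) -> str:
    """One log line per request so repeated or failed attempts are visible to SOC review."""
    return (f"reset_request user={req.claimed_username} channel={req.channel} "
            f"knowledge={req.knowledge_checks_passed} callback={req.callback_number} "
            f"manager_confirmed={req.manager_confirmed} urgency={req.caller_urgency} "
            f"weak={weak_policy(req)} hardened={hardened_policy(req)}")


if __name__ == "__main__":
    # Constructed scenario mirroring a vishing test: the caller knows the answers,
    # asks for a callback to "their new mobile", and pushes urgency.
    vish = ResetRequest("jdoe", "inbound_call", True,
                        callback_number="+1-555-0199", caller_urgency=True)
    print(audit_line(vish))
    for step in required_steps(vish):
        print("  ->", step)
```

The point of the side-by-side is that the weak policy approves the constructed vishing request while the hardened one refuses it, and the refusal is actionable: the agent is told to call the number already on record or reach the directory-listed manager, and urgency is logged as a signal rather than honoured as a shortcut. The audit line exists so that a pattern of refused resets against one account shows up in SOC review instead of only in a help-desk ticket.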
Black Hat Pen-Test can create mock scenarios to test the human element and susceptibility to social engineering attacks. These exercises will test the effectiveness of your current security awareness initiatives and identify weak points within the organization. Contact us for more information.