The social engineering attack South African companies must watch out for
Businesses are prime targets for hackers due to their large attack surface, with many local companies failing to train their staff against attacks.
Attackers also have a lot more to gain from compromising businesses compared to scamming individual people, making off with millions of rand in many cases.
CheckMark cyber security director Rudi Dicks told MyBroadband that even high-level executives can be targeted in attacks.
Dicks is a penetration tester who tests the security of businesses using a variety of methods, including hacking, social engineering, and gaining physical access to sensitive information.
Dicks told MyBroadband that social engineering attacks make up many of the incidents he encounters in his profession.
“It plays out differently, but the broad strokes are usually the same,” Dicks said.
“These attacks are often conducted by a sophisticated, patient syndicate which does substantial research on the intended victim organisation.”
The attackers begin by corresponding with the company’s CEO, MD, or other executive to determine their writing style and to copy their email signature.
“On occasion, they will also follow him in the real world to get a sense of his day-to-day habits and will wait for him to travel out of the country,” Dicks said.
The attackers then call the finance head of the company and say the following:
I met with Mr. Smith (the CEO) at the airport before he left for his trip, and he agreed to purchase our product.
We agreed that the payment will be processed today to allow us to give you an excellent rate. If we don’t receive the payment today, the pricing will unfortunately change.
I’m going to forward the invoice to you now and he will authorise the payment within the next few hours.
An hour or two later, the finance head receives the following mail from the “CEO”, complete with his signature, which was sent by the attackers:
I’m on a plane, I have Internet but can’t speak on the phone. I know you spoke with the supplier, please pay that invoice today.
“And with that, millions of rand are transferred out of the business’s account. When the CEO walks back in from his trip a few days later, not only has he never heard of the supplier, but he didn’t send the email,” Dicks said.
“Unfortunately, often the money has cleared the account and is now overseas, making it very difficult, if not impossible, to get the transaction reversed.”
Dicks said an attacker’s methodology changes depending on the security implemented by the company targeted.
“The email sent is customised to defeat the technologies the victim companies implemented,” Dicks said.
“Where the victims have little to no security, the attackers will spoof the email address of the CEO exactly, meaning everything from the name, domain, and signature, down to the way he writes emails and the words he uses are identical to a real email.”
“Even the personal assistant of the CEO can’t tell that it was an impersonation.”
Dicks added that for companies with technology which protects against spoofing, attackers use domains which are similar to the real one, for example replacing an “o” with a “0” or removing a letter.
“This means that unless you carefully analyse the domain that the mail is sent from, which many people don’t know to do, you will correspond with the attackers instead of your CEO,” Dicks said.
“We have seen these attacks defeat excellent mail protection solutions, even going so far as to age the fake domain with legitimate correspondence.”
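The lookalike-domain trick Dicks describes can be checked mechanically before a finance team acts on a mail. The following Python script is an added example written for this article, not code from CheckMark or MyBroadband; it assumes a constructed legitimate domain, acme-holdings.co.za, and constructed From: headers. It classifies a sender as internal (exact match, which must still be backed by SPF/DKIM/DMARC results), lookalike (identical after undoing common character swaps such as 0 for o, or within a small edit distance that also catches a dropped or transposed letter), or plainly external.

```python
"""Lookalike sender-domain check for incoming mail.

Added example for this article, not the article's or CheckMark's code.
LEGIT_DOMAIN and every sample From: header below are constructed.
"""
import re
from dataclasses import dataclass

LEGIT_DOMAIN = "acme-holdings.co.za"  # constructed placeholder for the company's real domain

# Character swaps attackers commonly use because they look alike in a mail client.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "vv": "w", "rn": "m", "cl": "d",
}

# Edit distance (after normalisation) at or below which a domain is flagged.
LOOKALIKE_THRESHOLD = 2


def normalise(domain: str) -> str:
    """Lower-case the domain and collapse common look-alike substitutions."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    and swap of two adjacent characters each cost 1."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def extract_domain(from_header: str) -> str:
    """Pull the domain out of a From: value such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


@dataclass
class Verdict:
    domain: str
    verdict: str  # "internal", "lookalike" or "external"
    reason: str


def classify_sender(from_header: str, legit_domain: str = LEGIT_DOMAIN) -> Verdict:
    """Classify the sender domain relative to the organisation's own domain."""
    domain = extract_domain(from_header)
    if not domain:
        return Verdict(domain, "external", "no domain found in From header")
    if domain == legit_domain:
        # An exact match is only trustworthy if SPF/DKIM/DMARC also passed.
        return Verdict(domain, "internal", "exact match; still requires authentication results")
    norm_sender, norm_legit = normalise(domain), normalise(legit_domain)
    if norm_sender == norm_legit:
        return Verdict(domain, "lookalike", "identical after homoglyph normalisation")
    dist = edit_distance(norm_sender, norm_legit)
    if dist <= LOOKALIKE_THRESHOLD:
        return Verdict(domain, "lookalike", f"edit distance {dist} from legitimate domain")
    return Verdict(domain, "external", f"edit distance {dist} from legitimate domain")


# Constructed sample headers: one genuine, four lookalikes, one ordinary supplier.
SAMPLE_HEADERS = [
    "Mr Smith <j.smith@acme-holdings.co.za>",
    "Mr Smith <j.smith@acme-h0ldings.co.za>",   # 0 for o
    "Mr Smith <j.smith@acme-holdigns.co.za>",   # transposed letters
    "Mr Smith <j.smith@acmeholdings.co.za>",    # hyphen removed
    "Mr Smith <j.smith@acme-holding.co.za>",    # letter removed
    "Accounts <accounts@genuine-supplier.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        v = classify_sender(header)
        print(f"{v.verdict:9} {v.domain:28} {v.reason}")
```

In practice this check belongs in the mail gateway or a finance-team plugin, alongside DMARC enforcement: the exact-match branch only says the domain string is right, not that the message actually came from it. The threshold is deliberately small so that ordinary supplier domains are not flagged; shorter company domains may warrant comparing only the registrable label rather than the whole string.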
He added that another common attack financial services companies should be wary of is a man-in-the-middle attack, where attackers intercept an invoice and manipulate it.
“The attackers intercept the instruction and change the banking details to another account or even a different bank,” Dicks said.
“We’ve seen altered PDF files or even Photoshopped changes to pictures to alter the banking details.”
Protecting your business
Dicks said that while improved technical defences against these types of attacks are helpful, the effectiveness of staff training is often underestimated.
“When it comes to preventing these types of social engineering attacks, we often think that better technology is the answer,” Dicks said.
“While there are excellent technical solutions to identify and prevent these types of attacks, it becomes a game of one-upmanship where the defenders deploy new technology and the attackers find new and innovative ways to defeat the technology.”
He said taking the time to explain to staff that these types of social engineering attacks exist and happen frequently goes a long way towards helping them identify an attack.
“This training also prompts the individual teams to come up with effective policies.”
Dicks said that having these policies in place gives staff the cover they need to withhold a payment that did not follow procedure.
“As technical people, we have a natural tendency to try to solve people problems with technical solutions while overlooking our ability to empower staff to be effective defensive tools,” he said.