Social Engineering

Estimates of the number of Social Engineering based cyber-attacks into private or government organizations

Written by Enrico Frumento, CEFRIEL

Today, only about 3% of malware tries to exploit an exclusively technical flaw. The other 97% involves targeting users through social engineering (source: KnowBe4), i.e. an approach in which attacks use humans as channels to reach their target. These are hacking attempts that focus on human vulnerabilities in a system rather than on lapses in software or hardware.

This is a growing trend: the “Phishing Activity Trends Report. Unifying the Global Response to Cybercrime”, periodically released by the Anti-Phishing Working Group (APWG)...


Which are the limits of a SDVA?

Written by Enrico Frumento, CEFRIEL

Today, more and more companies are running simulated phishing campaigns to test or train the vulnerability of their human layer of security, in other words, how easily their employees fall for phishing threats. When the DOGANA project started, two years ago, the market was almost nonexistent. Today, instead, we see a growing number of companies offering simulated phishing frameworks, not counting the several companies that run simulated phishing tests on their own, without the help of any framework.
The market for simulated phishing and effective training for the mitigation of the human layer of security is growing rapidly in the US, because of several big acquisitions.


Social Engineering to the extreme: the Cambridge Analytica case

Written by Davide Andreoletti, SUPSI and Enrico Frumento, CEFRIEL

In our post about Privacy Issues in Social Media, we highlighted how our data-driven world is built on the acceptance of a compromise: the value of services offered over the Internet comes at the price of users’ privacy. In fact, the more is known about users, the higher the quality of the offered services. As an example, consider how valuable a service that suggests the most attended events within a given area can be. The more users make their location available to the service engine, the more attractive and valuable the service itself becomes. Without users agreeing to expose this information, which not a few people consider sensitive, the service inevitably performs poorly.
Online Social Networks have turned out to be revolutionary platforms also because of their role as intermediaries between users and third, business-oriented parties. Such entities perform analysis over users’ data in order to run business campaigns and, in exchange, foster the economic growth of the Social Network itself, thus contributing to realizing one of the initial dreams of the Internet pioneers: a digital network where information is freely accessible for the welfare and the economic growth of the entire society...


Protect the weakest link in a cyber-security chain – protect the human

Written by Erik Kamenjasevic, KU LEUVEN

In the context of information security, Social Engineering (SE) is a very old concept referring to the ability to obtain information from human sources. It may be defined as the “psychological manipulation of people into performing actions or divulging confidential information”. SE is used to violate the information security of a company by violating the confidentiality, integrity or availability of its assets. Such a violation is carried out through techniques and methods that leverage the natural human tendency to trust other humans, systems or ICT devices. Traditionally, it has been conducted in real-life scenarios or over the telephone. However, this definition may no longer be adequate nowadays, due to recent developments in social networks and the appearance of new technologies which allow most of the SE steps to be greatly automated against a large number of targets at the same time...

Article originally written for www.law.kuleuven.be.


Awareness through play: DOGANA cards game

Written by Cyrille Martins, THALES

Advanced persistent threats (APT) usually start with a compromise phase, to penetrate a target organization’s network and gain a foothold in the environment. This phase targets the organization’s individuals, making use of social engineering skills to exploit human vulnerability, gain people’s trust, and learn the best way to hit the organization. But while everybody can be a potential entry point for an attacker, not everybody can be a cybersecurity expert. So how can we make people aware of this kind of attack and realize the criticality of the slightest information they disclose, in a way that entertains them and that they will remember?


The latest evolution of URL-less phishing attacks through rendezvous algorithms

Written by Enrico Frumento, CEFRIEL

The traditional concept of phishing that most people have, even among IT security workers, is an email with some deceptive text or, in general, a hook, which contains a URL the innocent user is driven to. Wherever the text is (in the email body or in an attachment), the threat model is the same: there is a component of the email (i.e., the body or the attachment) that leads to a malicious URL.
Most anti-phishing defence instruments are built around this paradigm. The systems that inspect the body of emails, or the URL filtering instruments integrated into email clients, are deeply tied to this model of phishing...


Privacy issues in social media

Written by Davide Andreoletti, SUPSI

In this post we discuss some of the main privacy issues that characterize the use of social media. Since the topic is really broad, the aim is just to give an overview of the possible risks and make the reader aware of the fact that privacy and social network usability are two conflicting objectives. A distinctive trait of the last decade is the advent and widespread diffusion of social media platforms, Facebook, Twitter and Instagram being some of the most successful examples. The benefits that such platforms bring to the Internet community are countless, ranging from business-oriented ones (e.g., targeted advertisements) to social ones...


Laocoonte and Social Engineering

Written by Enrico Frumento, CEFRIEL

Laocoonte was a Trojan priest of Apollo who, during the siege by the Achaeans, tried to dissuade his fellow citizens from trusting the wooden horse left by their enemies. At the wish of the goddess Athena, who had already decided the outcome of the war in favour of the Achaeans, two sea snakes attacked him and his two sons so that the divine design would not be compromised.
This figure is strongly connected to Social Engineering and to security in general, because of the connections to the Achaean story through the concept of Trojan malware...


CopyPhish: a recent case of a successful contextualized phishing attack which resulted in stealing the entire IP of a SME and damaged also their reputation

Written by Enrico Frumento, CEFRIEL

This recent attack dates back to the end of July / beginning of August and involves some interesting issues about the tangible and intangible stolen assets of an SME.
The affected company produces Copyfish, a quite good OCR browser extension (apparently installed 37,000 times). Ironically, due to their name (the hashtag CopyPhish was immediately used on social media), they fell for a well contextualized phishing attack (as well explained by themselves)...


Domino effect and darkhotel APTs

Written by Enrico Frumento, CEFRIEL

One of the most interesting aspects of the Hacking Team exploit is not only the impact on the enterprise itself, both in terms of tangible and intangible assets (which studies have started to investigate, though not many), but also the impact on other enterprises in a domino effect, due to the tangible assets stolen from Hacking Team (their hacking tools, their 0-day exploits and so on) being used against others.

From this point of view, the situation is very similar to the NSA exploit and tool leakage. Interestingly, the intent of the Hacking Team hacker was to spread the stolen assets and their intellectual property worldwide, only to increase their defeat and thus, in the end, to more heavily affect their intangible assets...

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618