Social engineering is becoming more sophisticated and harder to spot, and it now targets not only users but IT administrators and call center staff too. That makes protecting customer data harder, and companies need to be nimbler in spotting attempts to steal information, observers urge.
Two weeks ago, former Gizmodo writer Mat Honan found his Google, Twitter and iCloud accounts breached within the space of an hour. According to his blog post, the hacker sidestepped password security altogether by targeting Apple's tech support instead, using "clever" social engineering to persuade staff that he was the owner of the iCloud account. That foothold gave him access to the passwords for Honan's other accounts, and he went on to delete all of Honan's data.
Mark Bower, vice president at Voltage Security, said social engineering has certainly moved from targeting end-users to targeting companies' IT administrators, a shift that has been under way for the past few years.
As hackers become savvier, they realize that people are the weakest link in any organization's IT security and that social engineering is an effective way of gaining access to customers' data, Bower explained.
Joseph Steinberg, CEO of Green Armor, added that the answers to many of the questions call center staff use to "authenticate" customers can often be found quite quickly by hackers who do their research with Google's search engine. Data such as social security numbers can be discovered and then used to get past gatekeepers and administrators on various platforms, he said.
Paul Ducklin, Asia-Pacific head of technology at Sophos, built on Bower's point, saying that cybercriminals are now targeting "anyone and anything that has the data they need". These include administrators and even family and friends of the user by claiming the person is in trouble and the information they disclose will help save him, he explained.
If attackers are unable to get past a particular staff member at the contact center, they will simply try other staff, Ducklin added. In the process, hackers build up information about the organization and its security policies so they can plan a way around them, he said.
"It's easier to reach the staff in bulk, which means crooks may even be able to target everyone in a company--users and administrators alike," the Sophos executive stated.
Adhere to best practices
For companies to better come to grips with this security landscape, Ducklin suggests they provide a platform where users and employees can report suspicious information-gathering attempts. Such systematic efforts to learn about a company or user are more easily spotted when the reports are collected in one place, he said.
Call center staff should also be trained to be firm without being rude when dealing with a caller they are unable to identify who asks questions they are not comfortable answering, he added. Employees should not answer the questions, but should take down the caller's details and call back once they have verified the caller's identity. Callers who will not provide contact details tend not to be trusted, he said.
Michael Sutton, vice president of Security Research at Zscaler ThreatLabZ, called on users to exercise better security practices to protect themselves too.
Citing Honan's case as an example, Sutton said: "While Apple, Google, and others can always implement tighter controls, had Mat followed best practices, this attack would not have been as successful as it was, if at all. Data obtained from one account opened the door to another--never a good idea."
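Steinberg's point that "authentication" questions can be answered from public data, and Sutton's point that one account should not open the door to another, both come down to the same audit: which accounts can be reset from which others, and what raw data sits at the root of each chain. The script below is an added example, not code from the article or from any of the companies quoted in it. The account names, the edge list and the "hardware_key" factor are constructed for illustration; each entry lists the things that can, on their own, reset that account, so the graph is walked with OR semantics.

```python
"""
Account-recovery dependency audit (added example, not from the article).

Each account maps to the factors that can reset its password: a recovery
address, a phone number, or a support desk that accepts identity data.
Walking those links shows what an attacker holding one foothold can take
over without knowing any password, and which raw facts are enough to
start the chain.
"""
from collections import deque

# Constructed example graph: account -> resetters. OR semantics: any single
# listed resetter is sufficient on its own to reset that account.
RECOVERY_GRAPH = {
    "public_records": [],                 # googleable facts used as "secret" questions
    "support_desk": ["public_records"],   # help desk resets for anyone reciting those facts
    "cloud_mail": ["support_desk"],
    "primary_mail": ["cloud_mail"],       # recovery address points at cloud_mail
    "social": ["primary_mail"],
    "bank": ["primary_mail", "phone"],
    "phone": [],                          # the SIM is its own (weak) root of trust
}


def invert(graph):
    """Reverse the edges: resetter -> accounts it can reset."""
    rev = {node: [] for node in graph}
    for account, resetters in graph.items():
        for r in resetters:
            rev.setdefault(r, []).append(account)
    return rev


def blast_radius(graph, start):
    """Accounts an attacker holding `start` can take over without a password,
    mapped to the reset chain that gets there (BFS, so each chain is shortest)."""
    rev = invert(graph)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in rev.get(cur, []):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    paths.pop(start)
    return paths


def entry_points(graph, target):
    """Leaf factors (nothing resets them) from which `target` is reachable.
    Under OR semantics each one alone is enough to end up owning `target`."""
    leaves, seen, stack = set(), set(), [target]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        resetters = graph.get(node, [])
        if not resetters:
            leaves.add(node)
        stack.extend(resetters)
    return leaves


def rewire(graph, account, resetters):
    """Return a copy of `graph` in which `account` is reset only by `resetters`."""
    new = {k: list(v) for k, v in graph.items()}
    new[account] = list(resetters)
    for r in resetters:
        new.setdefault(r, [])
    return new


# Hardened variant: primary_mail no longer trusts cloud_mail for recovery, only
# a hardware key that cannot be looked up online (an assumed factor name).
HARDENED_GRAPH = rewire(RECOVERY_GRAPH, "primary_mail", ["hardware_key"])

if __name__ == "__main__":
    for name, g in (("as-is", RECOVERY_GRAPH), ("hardened", HARDENED_GRAPH)):
        print(f"[{name}] falls from public_records:",
              sorted(blast_radius(g, "public_records")))
        print(f"[{name}] sufficient entry points for bank:",
              sorted(entry_points(g, "bank")))
```

In the as-is graph a caller who has looked up the victim's public records ends up owning the social and bank accounts without touching a single password, and `entry_points` reports that either those records or control of the phone number is enough. Breaking one link, so that the primary mailbox recovers only through an independent factor, cuts the reachable set to the support desk and cloud mailbox; the phone path to the bank remains and would need its own fix.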