A new report from Intel Security and endorsed by the European Cybercrime Centre at Europol reveals the latest persuasion techniques leveraged by cybercriminals to manipulate employees to do things they normally wouldn’t, usually resulting in the loss of money or valuable data.
The report comes days after more than 100 banks worldwide are said to have been hit with malware which inflicted an estimated $1 billion in damage. Bank computers and networks were breached by targeted phishing attacks, demonstrating the inherent weakness in the “human firewall” and the need to educate employees about the top persuasion techniques in use in the digital world.
Free Cyber Security Training! Join the revolution today!
“The most common theme we see when investigating data breaches today is the use of social engineering to coerce the user into an action which facilitates malware infection,” commented Raj Samani, EMEA CTO at Intel Security and advisor at Europol’s European Cybercrime Centre.
Paul Gillen, Head of Operations at the European Cybercrime Centre at Europol, agreed: “Cybercriminals today do not necessarily require substantial technical knowledge to achieve their objectives. Some well-known malicious tools are delivered using spear-phishing emails and rely on psychological manipulation to infect victims’ computers. The targeted victims are persuaded to open allegedly legitimate and alluring email attachments or to click on a link in the body of the email that appeared to come from trusted sources.”
Today’s report reveals the extent and severity of social engineering, with McAfee Labs identifying a dramatic increase in the use of malicious URLs with more than 30 million suspect URLs identified towards the end of 2014. The increase is attributed to the use of new short URLs, which often hide malicious websites, and a sharp increase in phishing URLs. These URLs are often ‘spoofed’ to hide the true destination of the link and are frequently used by cybercriminals in phishing emails to trick employees. With 18% of users targeted by a phishing email falling victim and clicking on malicious link, the increased use of these tactics is cause for concern.
The team of 500 researchers at McAfee Labs points to the fact that two-thirds of all global email is spam that aims to extort information and money from the recipient. This provides more incentive for consumers and employees to be on guard for the most prolific phishing and scams techniques currently in use.
“Today, cybercriminals have become expert at exploiting the subconscious of a trusted employee, often using many of the ‘selling’ tactics we see in everyday life. Businesses must adapt and employ the right mix of controls for ‘People, Process and Technology’ to mitigate their risk,” concluded Samani.
The importance of security training and policy management has never been more apparent, yet a recent study by Enterprise Management Associates found that only 56% of all workers had gone through any form of security or policy awareness training. Intel Security’s ‘Hacking the Human OS’ report reveals some of the basic persuasion techniques currently in use by cybercriminals, which all businesses and employees should be aware of:
The Six Levers of Influence To Watch for in the Digital World
1. Reciprocation: When people are provided with something, they tend to feel obligated and subsequently repay the favour.
2. Scarcity: People tend to comply when they believe something is in short supply e.g. a ‘spoof’ email claiming to be from your bank asking the user to comply with a request or else have their account disabled within 24 hours.
3. Consistency: Once targets have promised to do something, they usually stick to their promises because people do not wish to appear untrustworthy or unreliable. For example, a hacker posing as a company’s IT team could have an employee agree to abide by all security processes and then ask him / her to perform a suspicious task supposedly in line with security requirements.
4. Liking: Targets are more likely to comply when the social engineer is someone they like. A hacker could use charm via the phone or online to ‘win over’ an unsuspecting victim.
5. Authority: People tend to comply when a request comes from a figure of authority. This could be a targeted email to the finance team that might appear to come from the CEO or President.
6. Social Validation: People tend to comply when others are doing the same thing. For example, a phishing email might look as if it’s sent to a group of employees, which makes an employee believe that it must be okay if other colleagues also received the request.
About Intel Security
Technology has the power to enrich the life of everyone. To transform how we live and work. But as technology becomes more deeply integrated into life, security must be more deeply integrated into technology.
By combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision is becoming a reality.
Security that’s built-in by design, seamlessly integrated into every device at every layer of the compute stack. Protecting valuable intellectual property, data, devices, and identities. So in everyday and business life, people can feel secure in the digital world.
It’s why Intel Security is taking a “security connected” approach. Across every architecture of every platform from chip to cloud — smartphones and tablets to PCs, servers, and beyond. Its teams are moving security from discrete solutions to an integrated approach as pervasive as computing itself.
As a first step, Intel Security is making mobile security free across devices and platforms around the globe. It’s the beginning of a journey that’s full of possibilities.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.