Following a database breach that affected up to 400 customers, Marriott International announced that the breach had been the result of a hacking technique called social engineering.
In this article, CS Hub explains what social engineering is and how companies can guard against this manipulative threat.
What is social engineering?
Social engineering is an attack vector that uses psychological manipulation in order to convince a human agent to either divulge classified information or perform actions on the hacker’s behalf. It relies on human error rather than software vulnerabilities.
While social engineering can encompass a range of tactics, they all include threat actors attempting to impersonate trusted sources in order to manipulate victims into taking further action.
Mike Wilkes, CISO at Security Scorecard, which provides cyber security ratings, said that the four motivations that make phishing successful are fatigue, curiosity, greed and vanity.
Wilkes also notes that the fight against social engineering attacks can be difficult.
“It is a tough, multifront battle, what we call ‘asymmetric warfare’. The bad guys only have to win once and the good guys have to defend perfectly 100 percent of the time,” said Wilkes.
How to guard against social engineering attacks
Multinational technology conglomerate Cisco said in a statement that social engineering attacks have grown increasingly sophisticated: “Not only do fake websites or emails look realistic enough to fool victims into revealing data that can be used for identity theft, social engineering has also become one of the most common ways for attackers to breach an organization’s initial defenses in order to cause further disruption and harm.”
To protect individuals and organizations from these attacks, a number of procedures can be put in place:
- Multifactor authentication
- Email security with anti-phishing defenses
- Strong password management
- Employee training to identify and avoid such attacks
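As an added example (not code from this article, CS Hub, Cisco, or any other vendor named here), the following Python script shows the kind of sender-impersonation checks that sit behind the "email security with anti-phishing defenses" item: it flags lookalike sender domains, brand names used by untrusted senders, Reply-To mismatches and urgency cues in the subject line. The trusted-domain list, the confusable map, the urgency words and the two sample messages are all constructed assumptions for illustration, not real mail.

```python
"""Phishing-indicator checks over email headers.

Added example for this article, not code from CS Hub, Mailchimp or Trezor.
Assumptions (mine): the trusted-domain list, the confusable map, the urgency
words and the sample messages are all constructed for illustration.
"""
import unicodedata
from email.utils import parseaddr

# Constructed: domains that legitimately send mail to this organisation.
TRUSTED_DOMAINS = {"mailchimp.com", "trezor.io"}
# Constructed, deliberately small: ASCII substitutions used in lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
# Constructed: words that pressure the reader into acting before thinking.
URGENCY_WORDS = ("urgent", "immediately", "verify", "suspended", "security attack")


def normalize_domain(domain: str) -> str:
    """Fold punycode, Unicode compatibility forms and ASCII lookalikes into a canonical spelling."""
    try:
        domain = domain.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass  # already Unicode, leave as-is
    d = unicodedata.normalize("NFKC", domain).lower().strip(".")
    for lookalike, canon in CONFUSABLES:
        d = d.replace(lookalike, canon)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(headers: dict) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    findings = []
    from_name, _ = parseaddr(headers.get("From", ""))
    from_domain = domain_of(headers.get("From", ""))
    reply_domain = domain_of(headers.get("Reply-To", ""))

    if from_domain and from_domain not in TRUSTED_DOMAINS:
        canon = normalize_domain(from_domain)
        for trusted in TRUSTED_DOMAINS:
            if canon == trusted or levenshtein(canon, trusted) <= 1:
                findings.append(f"lookalike sender domain {from_domain!r} resembles {trusted!r}")
                break
        # A trusted brand in the display name or inside an untrusted domain is classic impersonation.
        for brand in (t.split(".")[0] for t in TRUSTED_DOMAINS):
            if brand in from_name.lower() or brand in from_domain:
                findings.append(f"brand {brand!r} used by untrusted sender {from_domain!r}")
                break
    if reply_domain and from_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    subject = headers.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append(f"urgency cue in subject {headers.get('Subject')!r}")
    return findings


# Constructed sample headers (not real messages).
SAMPLE_LEGIT = {
    "From": "Mailchimp <no-reply@mailchimp.com>",
    "Subject": "Your monthly report is ready",
}
SAMPLE_PHISH = {
    "From": "Trezor Support <support@trez0r.io>",
    "Reply-To": "help@mailbox.example",
    "Subject": "URGENT: security attack detected, verify your wallet",
}

if __name__ == "__main__":
    for label, msg in (("legit", SAMPLE_LEGIT), ("phish", SAMPLE_PHISH)):
        print(label, assess(msg) or ["no indicators"])
```

Checks like these belong in the mail gateway or a mail-flow rule rather than on the user's desk; their value is that they fire on the impersonation itself, before the fatigue, curiosity, greed or vanity that Wilkes describes gets a chance to work on the recipient. A hit is a reason to quarantine or tag the message for review, not a verdict on its own.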
Additionally, Wilkes notes that social engineering attacks can be exacerbated by customer service agents’ responsibility and desire to help people.
Bad actors can use social engineering in order to encourage them to click on emails and authorize their details, Wilkes explained. This can then be used to gain access to data infrastructure.
“They bypass multi-factor authorization by getting a support person to give them a whole new identity and access. [Our defense here is] security awareness training: teaching people to be skeptical and to follow the process that has been defined and not be so ‘helpful’,” said Wilkes.
Case study: Mailchimp phishing attack
On March 26, 2022, Mailchimp suffered a social engineering attack wherein hackers gained access to and exported data from Mailchimp accounts. This information was then used to target customers of companies that used Mailchimp for business-related services.
In a statement, Mailchimp said that the incident was “propagated by a bad actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised”.
The bad actor also attempted to send a phishing campaign to a user’s contacts from said user’s account by using the information they obtained during the attack.
Mailchimp said: “319 Mailchimp accounts were viewed and audience data was exported from 102 of those accounts. Our findings show that this was a targeted incident focused on users in industries related to cryptocurrency and finance.”
Additionally, bitcoin hardware wallet Trezor confirmed it had an inside compromise of a newsletter database hosted on Mailchimp as a result of the attack. This resulted in its users being targeted by a malicious phishing attack on April 3, 2022.
This attack included false information about Trezor experiencing a “security attack”. It then prompted victims to download a Trezor Suite lookalike app, connect their Bitcoin wallets to it, and enter their seed phrases into the app.
Trezor stated: “For this attack to be successful, users had to install the malicious software on their devices, at which point their operating system should identify that the software comes from an unknown source. This warning should not be ignored as all official software is digitally signed by SatoshiLabs.”
The company went on to say that users should only be concerned about their Bitcoin funds if they had entered their seed phrases into the malicious app.