Socially Engineered Emails a Threat

Wednesday, April 11, 2012 @ 12:04 PM gHale


By Nicholas Sheble
Social media like Facebook and LinkedIn may be a boon to marketing and human resource departments, but conversely they cause major security fears in production departments and strategic areas of companies.

The personal data and peer networking that have become important sales tools and product referral vehicles are weapons in the hands of hackers seeking entrée to computer systems and databases where the miscreants prospect for value assets.

RELATED STORIES
IT Security: Physical, not Just Cyber
McAfee: Abundant Gaps in Security
GOP Sen.’s Offer Own Security Bill
Cyber Security Bill Launches in Senate

Hackers use information they glean to learn details about the lives of employees of targeted companies so they can trick the victims into opening a malicious application on their work computers.

These ploys – social engineering techniques – exploit vulnerabilities in human nature and make the targeting more effective.

Francis deSouza, group president of enterprise at security company Symantec Corp. told The Wall Street Journal he saw one attack where a hacker learned that a systems administrator had five children. The hacker constructed an email with a malicious file attachment that appeared to come from the company’s human-resources department and contained information about a new benefit program for families with four or more kids.

Attackers often garner clues from social-networking sites like LinkedIn and Facebook where the criminal can identify an employee and his or her department within an organization, deSouza said.

Further, the criminal can troll sites like Facebook to learn the names of the employee’s friends and that person’s interests. The hacker can even visit Twitter to get a sense of how a person writes, how he or she constructs their sentences.

Once the hacker identifies the employee and learns more about him or her, the attack is on. The hacker will send the victim an email that appears to be from a friend or colleague. The email will include an apparently legitimate attachment that actually contains code that will allow the intruder access to the target’s computer. The code is sophisticated and of such quality, that antivirus software won’t detect it. Then, it’s off to the races.

In 2007, the Oak Ridge National Laboratory reported someone successfully targeted that facility using emails socially engineered to appear as though they were legitimate official communications. The escapade compromised computers and a database containing information about visitors to the facility. The hackers had the capability to steal data from that database.

In 2009, coordinated covert and targeted cyber attacks took place against global oil and petrochemical companies, according to McAfee Foundation Professional Services and McAfee Labs. These attacks, dubbed Night Dragon, used socially engineered emails along with Microsoft Windows operating system vulnerabilities to gain access to computers. Using the access obtained, the hackers stole information on operational oil-and-gas-field production systems and financial documents relating to field exploration and contract bidding.

In 2011, RSA told its customers it had suffered attack via socially engineered emails containing malicious attachments that exploited a zero-day Adobe Flash vulnerability. Hackers successfully gained access to the network and exfiltrated information including that related to RSA’s SecurID two-factor authentication products. Subsequently, the stolen information helped in the targeting of defense contractors.

All this tells us humans remain the weakest link in the security chain. Given the success of social engineering and email to hack systems, the security of the systems is moving away from perimeter defense, away from protecting the infrastructure to securing the valued information, the valued asset itself.
Nicholas Sheble (nsheble@isssource.com) is an engineering writer and technical editor in Raleigh, NC.



Leave a Reply

You must be logged in to post a comment.