Social engineering is one of the most popular attack vectors used by cyber fraudsters to infiltrate organizations. These manipulative attacks are typically carried out in four phases:
- Information gathering (the attacker collects information about the target)
- Relationship development (the attacker engages the target and gains their trust)
- Exploitation (the attacker convinces the target to perform an action)
- Execution (information gathered through exploitation is operationalized to execute the attack)
The first phase is obviously the most important: without the right information it can be difficult to carry out a targeted social engineering attack.
Five sources of intelligence
So how do attackers collect data about their targets? There are five intelligence sources that cybercriminals can use to gather and analyze information about their targets. They are:
1. OSINT (open source intelligence)
OSINT is a technique used by hackers to collect and evaluate publicly available information about organizations and their employees. Threat actors can use OSINT tools to understand their target’s IT and security infrastructure; exploitable resources such as open ports and email addresses; IP addresses; vulnerabilities in websites, servers and IoT (Internet of Things) devices; leaked or stolen credentials; and more. Attackers use this information as weapons to launch social engineering attacks.
2. SOCMINT (social media intelligence)
Although SOCMINT is a subset of OSINT, it deserves a mention. Most people voluntarily expose personal and professional details about their lives on popular social media platforms: a photo of their face, their interests and hobbies, their family, friends and contacts, where they live and work, their current location and many other details. Using SOCMINT tools such as Social Analyser, Whatsmyname, and NameCheckup.com, attackers can filter social media activity and information about an individual and design targeted social engineering scams.
3. ADINT (advertising intelligence)
Let’s say you download a free chess app on your phone. There’s a small area in the app that displays location-based ads from sponsors and event organizers, updating users on local players, events and chess matches. Each time you see one of these ads, the app shares some details about you with the ad exchange service, including your IP address, the type of operating system you’re using (iOS or Android), your mobile carrier name, your screen resolution, GPS coordinates, etc. Typically, ad exchanges store and process this information to serve relevant ads based on a user’s interest, activity and location. Advertising exchanges also sell this valuable data. What would happen if a threat actor or rogue government purchased this information? That’s exactly what intelligence agencies and adversaries did to monitor activities and hack their targets.
4. DARKINT (dark web intelligence)
The dark web is a billion-dollar illicit market that trades in corporate espionage services, do-it-yourself ransomware kits, drugs and weapons, human trafficking, and more. Billions of stolen documents (personally identifiable information, medical records, banking and transaction data, corporate data, compromised credentials) are available for purchase on the dark web. Threat actors can purchase standard data and mobilize it for their social engineering programs. They can also choose to outsource to professionals who will social engineer people on their behalf or discover hidden vulnerabilities in target organizations. Additionally, there are hidden online forums and instant messaging platforms (such as Telegram) where people can access information about potential targets.
5. AI-INT (artificial intelligence)
Some analysts call AI the sixth intelligence discipline, on top of the five fundamental disciplines. With recent advances in generative AI technology like Google Gemini and ChatGPT, it’s not hard to imagine cybercriminals using AI tools to extract, ingest, process, and filter information about their targets. Threat researchers are already reporting AI-based malicious tools like FraudGPT and WormGPT popping up on dark web forums. Such tools can significantly reduce social engineers’ research time and provide actionable insights that they can use to execute social engineering schemes.
What can companies do to mitigate social engineering attacks?
The root cause of all social engineering attacks is information and its careless handling. If companies and employees can reduce their information exposure, they would significantly reduce social engineering attacks. Here’s how:
- Train staff monthly: Using phishing simulators and classroom training, teach employees to avoid posting sensitive or personal information about themselves, their families, coworkers, or the organization.
- Draft policies on the use of artificial intelligence: Clarify to employees what is acceptable and unacceptable online behavior. For example, asking ChatGPT for a line of code or proprietary data is unacceptable; responding to unusual or suspicious requests without proper verification is unacceptable.
- Take advantage of the same tools used by hackers: Use the same intelligence sources highlighted above to proactively understand how much information about your organization, your employees, and your infrastructure is available online. Develop an ongoing process to reduce that exposure.
Good cybersecurity hygiene starts with addressing the root causes. The root cause of 80% to 90% of all cyber attacks is attributed to social engineering and bad judgment. Organizations need to focus primarily on two things: reducing information exposure and controlling human behavior through training and education exercises. By applying efforts in these two areas, organizations can significantly reduce their threat exposure and the potential downstream impact of that exposure.