With cybersecurity awareness month in full swing in many countries, now is as good a time as ever to highlight some of the latest social engineering techniques. In fact, the theme for 2023, Secure Our World, specifically highlights the ability to recognize and report phishing as one of the four steps for a secure world. But threat actors go way beyond traditional phishing campaigns in their social engineering attacks; here’s a look at some of the latest techniques to watch out for this month and beyond.
Open Redirect Phishing
Open redirect phishing is an interesting and effective tactic that combines technical knowledge of web app or website vulnerabilities with psychological manipulation. Open redirect flaws happen when a site or app doesn’t restrict or validate how it redirects users from one URL to another. There are many legitimate reasons to redirect users while they’re visiting a site or using an app, such as tracking their activities for marketing optimization, guiding them through multi-step processes, or redirecting people from outdated content to new pages.
Here’s a hypothetical example to further clarify what an open redirect flaw is. Consider the domain http://trustedwebsite.com, which has an open redirect vulnerability. A legitimate redirect URL might look like this:
However, since this hypothetical site has an open redirect flaw, an attacker can craft a deceptive URL, such as:
The issue is that, because the open redirect vulnerability means the redirect target is never validated, clicking this link takes the user to http://malwarewebsite.com.
So, where does social engineering come into play? Well, since a user receiving an email with the latter URL might only notice the domain http://trustedwebsite.com and assume the link is safe, hackers can craft convincing emails with malicious redirects in them.
To make matters worse, email security solutions often don’t flag these emails as suspicious because the linked domain itself is not malicious. Hackers discover sites or apps with these flaws using automated scanning tools or by manually inspecting redirect parameters.
Users should be aware of the need to carefully inspect URLs in the emails they receive. Shortened links, such as those from http://bit.ly, warrant particular suspicion because they can hide a malicious destination domain.
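To show what the missing validation looks like on the server side, here is an added example (not code from the article or from DIESEC) that places the flawed redirect handling beside a hardened version. It assumes the article’s hypothetical hosts trustedwebsite.com and malwarewebsite.com and a `next` parameter carrying the redirect target; the hardened version also handles protocol-relative and userinfo-style inputs that resolve to a foreign host.

```python
from urllib.parse import urljoin, urlsplit

# Hypothetical host from the article's example, assumed for illustration.
TRUSTED_HOST = "trustedwebsite.com"


def vulnerable_redirect_target(next_url: str) -> str:
    """The open redirect flaw: whatever arrives in the parameter is used as-is."""
    return next_url


def safe_redirect_target(next_url: str, host: str = TRUSTED_HOST) -> str:
    """Return a redirect target that stays on `host`, or '/' if it does not.

    The candidate is resolved against the site's own origin, then only http(s)
    URLs whose host is exactly ours are accepted. Inputs like '//other.example'
    or 'http://ours@other.example' resolve to a foreign host and are rejected.
    """
    if not next_url:
        return "/"
    # Browsers treat backslashes as slashes; normalise so the parser agrees with them.
    candidate = next_url.replace("\\", "/")
    resolved = urljoin(f"https://{host}/", candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https") or parts.hostname != host:
        return "/"
    # Re-emit as a relative path so no host component reaches the Location header.
    path = parts.path or "/"
    return path + (f"?{parts.query}" if parts.query else "")


if __name__ == "__main__":
    for sample in ("/account/settings?tab=1", "http://malwarewebsite.com",
                   "//malwarewebsite.com/x", "http://trustedwebsite.com@malwarewebsite.com/"):
        print(f"{sample!r:55} vulnerable -> {vulnerable_redirect_target(sample)!r:45} "
              f"safe -> {safe_redirect_target(sample)!r}")
```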
Quick Response (QR) codes are those ubiquitous black-and-white squares scanned by smartphones. These codes have seamlessly integrated into various aspects of daily society that people take for granted—from mobile payments to restaurant menus. The rise of QR codes has also opened up their exploitation as a social engineering threat in the form of QR phishing (or “quishing” as some sources refer to it).
Since QR codes nearly always contain links to websites (although they can encode other content), it’s feasible for cybercriminals to generate a malicious QR code that, when scanned, directs victims to deceptive websites, prompts unwanted app downloads, or initiates malicious actions like payments. Discreetly placing fake QR codes over legitimate ones, such as on public advertisements or payment terminals, is a clever way of exploiting the growing trust in these black-and-white patterns.
In one recent example targeting employees, spoofed Microsoft security alerts directed employees to update their account’s security settings via QR codes. But these codes directed users to malicious sites where threat actors stole their credentials. Combating the threat of QR code phishing calls for greater public awareness about this social engineering technique along with using secure QR scanners that offer URL preview features.
While a lot of cybersecurity advice highlights the value of turning on multi-factor authentication (MFA), hackers have started to exploit certain implementations of this stronger authentication method. So-called MFA fatigue attacks prey on the weariness and frustration users might feel when frequently prompted for multiple authentication factors, especially if the process is cumbersome or repetitive.
Over time, repeated MFA prompts can desensitize users and make them more likely to approve authentication requests without thorough scrutiny. Attackers target this fatigue by flooding users with fake MFA prompts in a push bombing attack. Amidst the deluge of push notifications, target users might inadvertently approve a malicious request.
One option for defending against MFA fatigue attacks is for companies to use biometrics or token-based MFA solutions. However, this doesn’t address the threat outside of business contexts for people using personal apps and online services. Companies that use push notifications or one-time codes should consider an adaptive approach that only requires these extra authentication steps for high-risk transactions or unusual logins.
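The push bombing pattern described above leaves a recognisable trace in authentication logs: a burst of prompts to one user, often with denials, followed by an approval. As an added example (not from the article or DIESEC), the following detector runs over constructed sample log lines in an assumed `timestamp user=<name> event=<push_sent|push_denied|push_approved>` format and flags users who received a burst of pushes, noting whether a prompt was approved once the burst had begun.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for illustration; the format is assumed, not any product's.
SAMPLE_LOG = """\
2023-10-05T08:00:01 user=alice event=push_sent
2023-10-05T08:00:20 user=alice event=push_approved
2023-10-05T22:14:02 user=bob event=push_sent
2023-10-05T22:14:05 user=bob event=push_denied
2023-10-05T22:14:30 user=bob event=push_sent
2023-10-05T22:14:33 user=bob event=push_denied
2023-10-05T22:15:01 user=bob event=push_sent
2023-10-05T22:15:40 user=bob event=push_sent
2023-10-05T22:16:10 user=bob event=push_sent
2023-10-05T22:16:25 user=bob event=push_approved
"""

BURST_THRESHOLD = 3            # pushes inside the window that count as a burst
WINDOW = timedelta(minutes=5)  # sliding window over push_sent events


def parse_log(text):
    """Yield (timestamp, user, event) tuples from the sample format."""
    for line in text.splitlines():
        ts, user, event = line.split()
        yield datetime.fromisoformat(ts), user.split("=", 1)[1], event.split("=", 1)[1]


def detect_push_bombing(text):
    """Return {user: (pushes_in_burst, approved_after_burst)} for bursty users.

    A user enters the findings once BURST_THRESHOLD push_sent events fall inside
    WINDOW; the flag turns True if any push is approved after that point, which
    is the outcome an MFA fatigue attack is trying to reach.
    """
    recent = defaultdict(list)   # user -> timestamps of pushes inside the window
    findings = {}
    for ts, user, event in parse_log(text):
        if event == "push_sent":
            recent[user] = [t for t in recent[user] if ts - t <= WINDOW] + [ts]
            if len(recent[user]) >= BURST_THRESHOLD:
                findings[user] = [len(recent[user]), findings.get(user, [0, False])[1]]
        elif event == "push_approved" and user in findings:
            findings[user][1] = True
    return {u: tuple(v) for u, v in findings.items()}


if __name__ == "__main__":
    for user, (count, approved) in detect_push_bombing(SAMPLE_LOG).items():
        print(f"{user}: {count} pushes in {WINDOW}, approved after burst: {approved}")
```

The same counter can gate the prompt itself: a login flow that refuses to send a fourth push inside the window, or that switches to number matching, removes the fatigue the attack depends on.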
With AI continuing to advance at a rapid pace, deepfake technology gets more impressive with each passing month. Even as far back as 2019, the CEO of a UK energy company transferred €220,000 to a scammer after being fooled by a deepfake phone call pretending to be his boss, the CEO of the firm’s German parent company. If deepfakes could fool people four years ago, there is likely to be a coming onslaught of these attacks as the technology improves.
Deepfake phishing is a social engineering technique that uses deep learning algorithms to generate audio and/or visual content that convincingly mimics a person’s speech patterns, facial expressions, and mannerisms. Imagine receiving a video message from your company’s CEO urgently requesting a funds transfer or an email accompanied by a voice memo from a coworker asking for confidential data. If the deepfake is convincing enough, many would comply without suspicion.
Given the strikingly convincing nature of these scams, an important defensive measure is to enforce stricter verification protocols, especially for requests involving sensitive information or financial transactions. Multi-factor authentication, follow-up calls, and in-person confirmations are a few examples of what businesses can do to counteract deepfake phishing attacks.
Awareness Is Key
Defending against the latest social engineering techniques in a business context starts with companies promoting effective and ongoing security awareness among employees.
DIESEC supports modern social engineering awareness by running simulated tests using the latest attack vectors, and tailoring a social engineering awareness campaign based on the results of these tests.