Cyber-Security: Social Engineering from Odysseus to Today

Phishing is cyber criminals, or state actors of hostile governments, sending emails that persuade you to hand over your personal information, intellectual property, or cash.  

Traditional cyber security tools include signature based anti-virus, firewalls, and a Virtual Private Network, VPN, for your mobile workforce. Today we add multi-factor authentication, MFA, and website or DNS filtering. However, people are the weakest link.   

Social engineering works because people can be persuaded to trust others whom they should not trust. And exploits are costly.  

A contractor at a university hospital had just completed $3.5 Million of work on a major project and sent an invoice. An attacker, who had penetrated the hospital’s email environment with a credential phishing attack, was waiting. The criminal hacker had also copied the vendor’s web site, stolen their logo, and set up an offshore bank account. His plan was to get that $3.5 million. Immediately before the close of business on a Friday night, the cyber-criminal called the hospital, got someone from accounts payable on the phone, and, posing as the vendor, pleaded, cajoled, and demanded that the hospital send payment NOW! via wire transfer to this new bank account.

Fortunately for the hospital, a cyber security researcher was on the scene, virtually. He knew about the pending attack. He reached out to the CISO. They retraced the cyber criminal’s steps, then reached out to the CFO, stopped the payment, and saved the hospital $3.5 Million. 

COST OF PHISHING*

Costs of addressing Business Email Compromise: approximately $6 Million per event
Resolving malware infections: $807,506 each
Containing credential compromises: $692,531 each
Un-contained credential compromises: $2.1 million each
Source: Ponemon Institute, August 2021

*This does not include the cost of lost business, damage to the company’s reputation, going out of business, or damage to national security. 

This is not new. As documented by Virgil in The Aeneid, about 3,200 years ago, at the end of a 10-year siege, Greek forces, led by Odysseus, built a large wooden horse outside Troy. The Greeks appeared to leave. Odysseus and his warriors hid inside the horse and waited. The Trojans, believing that the Greeks had given up and left, towed the horse inside their city as a trophy, as the spoils of war. Night fell. Under the cover of darkness, Odysseus and his men emerged from the horse and opened the gates to the city. The Greek army entered the gates, sacked the city, and won the war. 

In what may have been the first social engineering attack in recorded history, the Greeks tricked the Trojans into “capturing” their horse and bringing the enemy literally inside the gates. Like the people of ancient Troy, we are the targets.  

I recently received a text message from “carl david 3569 @ gmail.com” that read: 

The USPS package has arrived at the warehouse and cannot be delivered due to incomplete address information. Please confirm your address in the link within 12 hours.  
https : // uspsca . info . us
(Please reply to Y, then exit the SMS, open the SMS activation link again, or copy the link to Safari browser an open it)
The US Postal Team wishes you a wonderful day.

It’s clearly phishing.  

The premise is invalid. The Post Office responds to incorrect destination address information by returning the package to the sender.  

The US Postal Service might communicate by SMS messages but will not send a text message from an individual’s Gmail account. The phrase, “Please reply to Y,” is unclear. 

Suppose a member of your accounts payable receives an email from an executive: 

Hi,  

I'm in California, so I can't do this myself, but I need you to buy a few gift cards – about 10 – each for $50 and send them to me here so I can FedEx them to a few other members of the team. I'll reimburse you. And keep one for yourself. Thanks,

Jim

Oddly, the email is not from Jim’s internal corporate email address; it’s from J1M.56732@gmail.com – “J 1 M,” not “Jim.” And James Smith, the CEO, is always “James,” never “Jim.” 

Or:

Dear Friend,  

This is Joe at LXQ Systems. We have not received payment for this bill, invoice LXQ051.pdf. Please pay immediately. Cut a check and send it via FedEx. Or update your bank info. And note that our bank has changed.

Thanks,
Joe

Vendors sending actual invoices are unlikely to address them to “Dear Friend.”

And as with “Jim’s” email, this is not from Joe@LXQ.com, not from a real vendor at his real email address; it is from someone engaged in a criminal hoax.

Someone in your HR department receives an email message from a staff member:

Hi. I changed banks. I need you to change my direct deposit information to HSBC today, before payroll. Click this link to set it up. Thanks, Tom.

A good HR staffer will want to help Tom get paid to the right bank. But if the message is not from Tom’s internal email, and instead comes from T0M.8843, “T 0 M,” at a Gmail, Yahoo or AOL account, then it’s really not from Tom.

Most of us, even without reading too carefully, would recognize these as phishing most of the time. But we might slip when we have hundreds of unread emails, a stack of bills that need to be paid, or payroll that must be configured by the end of the business day.

As was the case in ancient Troy, our mistakes can be catastrophic. Unlike the Trojans, we have tools at our disposal to combat these kinds of attacks. We have software that looks inside emails for “Trojan Horses” and identifies phishing emails. These software tools use Artificial Intelligence (AI), and Machine Learning (ML).

Training tools include services from KnowBe4, MimeCast, Proofpoint, and others. Detection and remediation tools include software from Abnormal Security, IronScales, Proofpoint, and others.

Training Tools  

Training tools include instructional videos and simulated phishing attack emails. The users watch a short video, generally 10 to 15 minutes long, and answer a few questions. Administrators define the email frequency, subject, and difficulty of the phishing simulation emails. When users respond to a simulated phishing email by reporting the message as “Phishing”, they are praised. When they respond by clicking the link, they receive a notification that “This was a Phishing Test.”  

You must strike a balance between keeping users alert and wasting their time. Perhaps one training email every month or every six weeks. You can customize the Phishing training messages, choosing between categories such as Covid, holiday specific messages, or Executive impersonations. 

These reinforce subconscious analysis of inbound email messages: 

  • Is the message signed by someone within the company but coming from an external email address?  
  • Does the message attempt to convince me to wire money or buy gift cards? And do it NOW!  
  • Is the sender from another company but using AOL, Gmail, Hotmail, or Yahoo? Most businesses don’t use these services. 
  • Are there logos in the messages that are clearly copied from another company’s website? Is there, for example, a bank logo in a message from an account at AOL, Gmail, Hotmail, or Yahoo?
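The checklist above can be turned into a first-pass triage rule. The following is an added example (not code from any of the products named on the page) that scores the messages quoted earlier against three of the red flags: an insider’s name over an external or freemail address, a lookalike local part such as J1M or T0M, and a money request with urgency. The internal domain, staff list and sample messages are constructed for the example.

```python
import re

# Assumed environment (not from the page): the company's internal mail domain
# and a directory of insiders whose names an impersonator would sign with.
CORP_DOMAIN = "example.com"
STAFF = {"james", "jim", "tom"}
FREEMAIL = {"gmail.com", "yahoo.com", "aol.com", "hotmail.com"}

MONEY_ASK = re.compile(
    r"\b(wire transfer|gift cards?|direct deposit|bank info|bank has changed|pay immediately)\b", re.I)
URGENCY = re.compile(r"\b(now|today|immediately|within \d+ hours|before payroll)\b", re.I)
# Digits a lookalike address swaps in for letters: J1M for Jim, T0M for Tom.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})


def phishing_flags(sender, signature, body):
    """Return the red flags a message trips; an empty list means none."""
    local, _, domain = sender.lower().rpartition("@")
    stem = re.split(r"[._-]", local)[0]        # 'j1m.56732' -> 'j1m'
    lookalike = stem.translate(HOMOGLYPHS)     # 'j1m' -> 'jim'
    flags = []
    if domain in FREEMAIL:
        flags.append("freemail sender")
    if domain != CORP_DOMAIN and signature.lower() in STAFF:
        flags.append("insider signature, external address")
    if lookalike != stem and lookalike in STAFF:
        flags.append(f"lookalike local part {stem!r} for {lookalike!r}")
    if MONEY_ASK.search(body):
        flags.append("money ask")
    if URGENCY.search(body):
        flags.append("urgency")
    return flags


# Constructed samples: the two messages quoted on the page plus one benign internal note.
SAMPLES = {
    "jim": ("J1M.56732@gmail.com", "Jim",
            "I'm in California, so I can't do this myself, but I need you to buy a few "
            "gift cards - about 10 - each for $50 and send them to me here. I'll reimburse you."),
    "tom": ("T0M.8843@yahoo.com", "Tom",
            "Hi. I changed banks. I need you to change my direct deposit information to "
            "HSBC today, before payroll. Click this link to set it up."),
    "legit": ("james.smith@example.com", "James",
              "Please review the attached Q3 budget before Thursday's meeting."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {phishing_flags(*msg) or 'no flags'}")
```

The benign note trips nothing, while both impersonations trip the address and lookalike checks before the body is even read, which is the order a tired reader should apply them in too.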

Remediation Tools  

The Trojans got one horse, and it cost them dearly. We get 50 to 100 emails per day. Aside from legitimate emails from salespeople trying to sell us things, we may get five or 10 phishing emails trying to steal money or information. One email to the wrong person, to someone who is tired and not focused, can cost your company hundreds of thousands of dollars, even millions.  

Fortunately, remediation tools are always alert and, using effective AI and ML, these tools look at the characteristics outlined above to identify Business Email Compromise, Credential Phishing, phony vendor messages, and other attacks. As Abnormal’s DeMusso says, “with advanced AI and ML capabilities available today it is still about finding needles in haystacks; but using metal detectors to find those needles in milliseconds rather than manually examining every inch of every stalk in the haystack. And you don’t want to wait to implement an effective system until after you’ve been attacked and after you have spent $Millions recovering.”