Social Engineering Attacks Out of Control

by Stephen Comeau

Before the pandemic, social engineering attacks were prevalent.

I used to get calls on them once a week on a regular basis.  Who would have thought we would wish we could go back to that once-a-week scenario as being relatively favorable?  Social engineering attacks have since taken on a life of their own.  Now, I deal with 20 to 30 calls per day on this issue at minimum.

Social engineering attacks have not only grown more frequent, they have become more sophisticated.  Not only are regular users having difficulty separating the false from the true, but career IT people are having the same problem.  And this is particularly troubling, for it directly affects our overall ability to adequately respond.

To focus on the specifics, one out of ten adults falls victim to social engineering attacks every day.  Currently, the most prevalent of these attacks is the phishing scam.  Phishing scams target email and phone communications alike.  There are also plenty of new attack vectors - less common but likewise troublesome.  Some involve text messaging.  These have come naturally to the fore with the development of emerging technologies within the larger IT realm.

Looking back in time, we see that phishing attacks are not new, and have posed a problem of longstanding duration.  However, since the pandemic, these types of attacks have increased exponentially in a way that had not been properly predicted, causing them to occupy center stage in modern efforts to keep communications systems secure.  Phone scams (or phone attacks) have increased by more than 150 percent since the start of the pandemic.  In fact, phone attacks have become so problematic that the Federal Trade Commission has taken particular and serious notice of them, putting the weight of the federal government behind a larger national effort to mitigate them.

Over the summer (July 2021), the Federal Trade Commission (FTC) began enacting statutes requiring providers to implement Caller ID authentication.  This new regulatory focus represents one of the most extensive campaigns undertaken by the federal government to combat the phone scam epidemic.  This overall effort has been particularly aimed at reducing the growing number of robotic phone attacks.

While this federal-level effort is reassuring, it is at best a temporary Band-Aid solution.  It will undoubtedly help to stem the overwhelming tide of phone attacks for a short time.  But, as we know, the "game of cat and mouse goes on," with bad actors becoming ever more sophisticated in their own efforts.  As expected, new software has already been developed to evade the FTC countermeasures.  Some of it involves a novel implementation of traditional cloning technologies, making use of cloning software that is readily available and simple to use.  All that remains to do, upon utilizing such software, is to dial the first unwitting victim's number.  Beyond that point, it takes only two seconds after the individual accepts the incoming call for his or her phone number and device identity to be acquired.  This device identity, or International Mobile Equipment Identity (IMEI), is a 15-digit identifier that links the phone with a specific phone number.  On the victim's end it looks like the scammer's call is coming from you.  All this occurs with your active participation, yet without your knowledge of what has actually occurred - and the FTC countermeasures are evaded.  Scary, right?

As previously noted, cloning software like Dr.Fone and CLONEit is nothing new; I remember messing around with similar software for learning purposes a decade or so ago.  I further remember some of the troubling discoveries I made.  It was scary then; it is scarier now.  In the old days, you needed to be physically near the victim's phone to compromise it.  Nowadays, such attacks are far easier to implement and with more sophisticated software that is more readily available.  You don't have to be an uber-hacker to run a cloning phone attack on the average phone user anymore.  Anyone with enough knowledge to run a script-kiddie-level attack could easily deploy one nowadays.  This accessibility highlights the need for preventative measures to be adequately employed.

Some such basic measures are as follows:

  • Always keep your phone software current with the latest updates.
  • Always keep your phone properly locked down.

A minimal level of security on any phone should always include:

  • Having a passcode lock on your phone.
  • Encrypting your phone to protect your information, especially your IMEI number.  (Encrypting your phone in this way makes efforts to steal a copy of this critical number vastly more difficult.)
  • Never leave your phone unattended, especially in a public place.
  • Do not leave Bluetooth on when you're not using it.

Protect yourself by educating yourself as to the sophistication and diversity of modern cyberattacks.  Attackers will often use several different techniques to get what they want from you, some of which we have covered, and others of which we will cover now.

The first of these techniques is the social engineering attack, in which the attacker poses as someone else, likely someone important, working for either a regulatory agency, key vendor, or authoritative management team within your own company.  So, if you are ever unsure of the legitimacy of a call, hang up.  Then call back the specific agency or company on their known public line to verify their identity.

Another technique phone attackers or scammers will often use is to create a sense of urgency.  They will create a scenario where you will need to do something or give them something right away to keep something else bad from happening.  Note that nothing is ever urgent enough for you to avoid properly verifying their claims.  Never provide any personal information or financial data to anyone who calls you whose authorization to receive such information remains in doubt.  To emphasize, you can always hang up and call back the agency or company's legitimate known number for verification.

Also know that official government agencies like the IRS will never call you randomly.  Doing so is a clear indication of a scam.  Always verify any call you get from a party you would otherwise hope to trust, especially if what you are hearing sounds too good to be true.  I can't emphasize this point enough!

Another sure sign of a scam attack is a demand for immediate payment.  No company or agency will expect you to respond on the spur of the moment without adequate thought.  Additionally, if they demand a specific form of payment, like a gift card or Western Union payment, this is a sure sign of a scam.  Hang up.

Also, never let anyone you don't know have access to your personal devices.  You have no idea how many times I have heard the same story.  "Oh Mr. (Blank) called me from (Blank) Company and asked for access to my computer to fix (blank) issue I was having."  No!  Wrong!  Do not give anyone unauthorized access to your computer or personal device without first verifying the legitimacy of that access.  A legitimate company, without a partnership or vendor relationship, will never ask you for access to your device.  Remember, as before, to verify this request by phoning the company on their main line as the best way to handle any access issue about which you have significant concerns.

Another method of dealing with scammers is to record the number you were called from, and then to block it on your own phone.

Finally, you should always report any phone scams or phone attacks to the Federal Trade Commission (FTC).  It is very important that you remember to fill out the pertinent - and simple - form at the FTC website.  By reporting the scam attempt, you are helping the FTC keep track of changes in and frequency of different attacks.  You are, in the process, keeping others from being victimized.  The FTC has the power to flag compromised numbers through phone companies and to place those numbers under review.  By this means they can hope to apprehend those who have compromised phone identities.

You can report any such issue to the FTC here: reportfraud.ftc.gov

I do hope this article serves as a needed wake-up call (no pun intended), adequately informing the public on how social engineering and spoofing attacks occur, and in particular from a phone attack perspective.  It was also my intent to describe what should be done to prevent this form of attack from occurring on such a large scale in the future.

My hope is that with some effort and better public security education, the attacks I have enumerated in this article will finally start to, once again, become few and far between.  We may even return to that more-desired point where we are getting just one social engineering attack inquiry per day.

It's a nice dream, right?  Either way, it is now clear just how big of a problem social engineering attacks have become, and that something effective needs to be done about them now.

Stay tuned for further updates.
