Caught out

Middle East enterprises are as likely to be targeted by social engineering attacks as any other worldwide. However, not many are ready to face them yet.

By Sathya Mithra Ashok. Published November 1, 2007

It is rather easy to define social engineering. In its simplest form, social engineering involves a combination of methods to extract information from people, using the natural instinct to 'trust'.

"It is the art of using a combination of different confidence-gaining techniques to persuade people to perform a particular action or, in the context of security, to divulge specific information that has a certain confidentiality value," says Ivor Rankin, senior consultant for security at Symantec ME.

In keeping with that definition, social engineering comes in different forms; or rather, the people who practise it use various techniques to extract information from their victims.

"Social engineering can take multiple forms, but we can distinguish two main ones immediately. The first is the one-to-many fashion. In this case, a social engineering vector, often - but not only - an e-mail, is massively distributed to as many users as possible, in a non-targeted blind shot or moderately targeted way. In that case, the social engineering speech is generally utterly simple and often exploits human curiosity," says Guillaume Lovet, manager, threat response team EMEA at Fortinet.

The goal behind such a social engineering operation is usually to get a large number of users to infect themselves with a virus or a Trojan by executing the attachment. Since many viruses and Trojans make bots out of systems, this practically results in the attacker taking total control of the infected machine. The controlled machine can then be used for launching more attacks, serving as a host for illegal data, or compromising and stealing personal information. Phishing is a sub-case of one-to-many social engineering.

"Then there is the one-to-one fashion. This case of social engineering, albeit more rare, is tremendously effective: the attacker has a pre-determined target, which allows for profiling. This includes personalised e-mails, snail mail, phone calls. One of the most basic schemes of one-to-one social engineering is to call your victim and, posing as a network administrator, ask the victim for his or her credentials. Study shows that human resistance to that simple scam is very low. Hence, when a more complex scheme is employed, the success rate is close to 100%," adds Lovet.

While one-to-many attacks are aimed at individuals at large, most one-to-one attacks are fashioned for corporates, though the attacker may choose to get to them through an individual within the organisation. In both cases the corporate stands to suffer, since an individual who falls victim to a one-to-many attack can affect the entire enterprise network or give away confidential information that he should not.

"We have seen fairly significant network infections of late and upon investigation we have found that the source of a lot of these infections has been various forms of IM, where people are chatting with unknown people and they are told to receive a file. In the process, we have seen major corporate networks infested with botnets that can be attributed directly to social engineering using Trojan horses," says Rankin.

So much so that, according to Rankin, almost 80% of the attacks he has seen over the last three months in the region can be attributed to social engineering. This, combined with the rising incidence of targeted attacks and of attacks created here for the regional populace, makes social engineering an area of increasing concern.

However, the question is, are organisations in the region paying enough attention?

Waking up to reality

Social engineering comes in many forms, but most vendors agree that the most prevalent, and the ones most likely to affect Middle East enterprises, are those that come through the web.

"E-mail protection is quite frequent in the enterprise, but web protection is less so. Given the fact that web attacks are increasing rapidly as the main attack vector, it is a good suggestion to start looking at web protection systems. Web and e-mail reputation are also a good combination to help the company stay clean from malware attacks," says David Sancho, senior AV researcher at Trend Micro.

While most regional organisations have been increasing their security spend and implementing technology to ensure endpoint security, not many in the region are prepared for social engineering tricks. What's more, some of them are not even aware of the concept. Not surprisingly, though, awareness and education are the key weapons to counter the attacks.

"There is little evidence to suggest that the majority of organisations have done anything substantial to address this problem. That is a major problem. Not many companies do any form of due diligence or investigation to determine the source of actual outbreaks - most treat outbreaks from a tactical or fire-fighting approach and contain the problem," says Rankin.
