Last week I wrote about a technically advanced, highly sophisticated cyber-attack in Hong Kong that netted the attackers $25m – it all started with some simple social engineering pretexting.
You may not have $25m in your bank account, but here is the state of play of deep fake hacking.
What is pretexting?
Think of it as gift wrapping the victim and adding a bow, making them ready for the main cyber-attack event.
Pretexting is a social engineering tactic where the threat actor fabricates a story to bait their target into, among other things, revealing sensitive information such as credentials, transferring money, clicking on a link or installing malware. The attacker presents a false scenario to gain the victim’s trust and may pretend to be a person in authority, such as the CEO (or, in the Hong Kong incident, the CFO), or a responsible person in the organisation such as an HR representative or IT technician. These stories are designed to overcome the victim’s natural scepticism and cyber security training.
But you advocate cyber security awareness training?
I do, and cyber security awareness training is essential, as without it every cyber-attack would get through and you would be out of business yesterday! But the threat actors also read my website and they know you buy into our cyber security awareness training, so they know they have to come up with something extra special to deceive your team if they are to steal from you.
Now, the Hong Kong incident involved deep fake avatars on video calls, including one of the CFO, to reassure the victim that it was OK to transfer 200 million Hong Kong dollars to a variety of bank accounts.
I know what you are thinking now – this cannot happen to me, as we do not have enough assets to make the investment by the cyber-criminals worth it. And, as far as the deep fake video calls go, you are probably right.
So what was the point of this social engineering article?
The Hong Kong incident included some very simple steps that did not require much in the way of high-tech tools.
- They researched the victim’s company to work out whose authority would reassure the victim into transferring the money – this is usually quite easy to do using open source intelligence (OSINT), including the company’s own website.
- They stole Hong Kong ID cards to obtain personal information.
- They crafted an initial phishing email, and although it made the victim suspicious, it still led them into the next step of the attack.
All of this can be applied to any other organisation, regardless of its size – just substitute a UK ID for the Hong Kong ID card, including your own company ID cards.
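As an added example that is not part of the original post, the Python check below looks at the headers of the kind of email that opens a pretexting attack: a display name that matches the CEO, CFO or another senior person in a staff directory, sent from an outside or lookalike domain, or carrying a Reply-To that goes somewhere else. The corporate domain example.com, the staff directory and the two sample messages are constructed for the example and are not data from the Hong Kong incident.

```python
"""Flag e-mails whose display name impersonates a senior member of staff.

Added example, not code from the original post. The opening phishing e-mail
of a pretexting attack typically borrows the name of the CEO, CFO or another
trusted person while being sent from an outside or lookalike domain. This
check parses the From and Reply-To headers and reports:
  * a display name that matches the staff directory but an external sender domain
  * a Reply-To domain that differs from the From domain
  * a sender or Reply-To domain that is a lookalike of the corporate domain
The corporate domain, staff directory and sample messages are constructed
for the example; they are assumptions, not data from the incident.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

CORPORATE_DOMAIN = "example.com"  # assumption: the organisation's own domain

# Constructed directory of the people an attacker is most likely to impersonate.
SENIOR_STAFF = {
    "alice tan": "CFO",
    "bob lee": "CEO",
    "carol ng": "HR manager",
}


def _normalise_name(name: str) -> str:
    """Lower-case, strip accents and collapse whitespace so that
    '  Álice  TAN ' compares equal to the directory entry 'alice tan'."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = decomposed.encode("ascii", "ignore").decode("ascii")
    return " ".join(ascii_only.lower().split())


def _domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character insertions, deletions
    or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def _lookalike(domain: str, legit: str) -> bool:
    """True for near-misses such as examp1e.com or exarnple.com (edit distance
    1 or 2) and for domains that embed the real one, e.g. example.com-login.net."""
    if domain == legit:
        return False
    return _levenshtein(domain, legit) <= 2 or legit in domain


def check_message(raw: str) -> list:
    """Return a list of human-readable findings for one RFC 5322 message.
    An empty list means the sender headers are consistent with the directory."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain_of(from_addr)
    reply_domain = _domain_of(reply_addr)
    findings = []

    role = SENIOR_STAFF.get(_normalise_name(from_name))
    if role and from_domain != CORPORATE_DOMAIN:
        findings.append(f"display name matches the {role} but the sender domain is {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for header, domain in (("From", from_domain), ("Reply-To", reply_domain)):
        if domain and _lookalike(domain, CORPORATE_DOMAIN):
            findings.append(f"{header} domain {domain} is a lookalike of {CORPORATE_DOMAIN}")
    return findings


# Constructed sample messages (headers only matter; the body is not inspected).
PHISHING = "\n".join([
    'From: "Alice Tan" <alice.tan@gmail-secure.net>',
    "Reply-To: payments@exarnple.com",
    "Subject: Urgent and confidential: supplier payment",
    "",
    "Please process the attached transfer today and keep this between us.",
])
LEGITIMATE = "\n".join([
    'From: "Alice Tan" <alice.tan@example.com>',
    "Subject: Q1 budget review",
    "",
    "Slides attached for Thursday.",
])

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING), ("legitimate", LEGITIMATE)):
        print(label, "->", check_message(sample) or "no findings")
```

Run it directly to see the findings for the two samples, or call check_message() from a mail-gateway hook. A finding is a prompt for the out-of-band verification that every payment request should get anyway, not proof of an attack: a genuine executive writing from a personal address trips the same rule, which is exactly the habit the procedure should discourage.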
Combatting Social Engineering
I will not be giving away our knowledge here – clients pay to access that and protect themselves, but I will give you two of my top tips:
- Educate yourself and your team.
- Establish robust security policies and procedures within your organisation.
Understand that you need more than spam filtering and an industry-standard anti-virus to defend against today’s cyber security attacks.
Clive Catton MSc (Cyber Security) – by-line and other articles
p.s. I made my contribution to today’s tidal wave of Valentine’s Day social media content last Friday:
Because It’s Friday – Mixing Valentine’s Day and Viruses!
Further Reading
Featured Photo by Karolina Grabowska