1000px-trojan-horse

TRANSACTION TRENDS EXCLUSIVE CE SERIES: Social Engineering

Forget the Nigerian Prince Scam. More sophisticated attacks that exploit human vulnerabilities and target payments are on the rise.

By Christine Umbrell

We’ve all heard the stories in the news about cyberattacks enabled by unwitting consumers: fraudsters hacking into individuals’ email accounts and sending messages to their contacts requesting money; consumers providing payment information to phony websites; cybercriminals pretending to be relatives “in urgent need of funds.” These are just a few examples of social engineering fraud, which is a growing problem for consumers and companies—and, by extension, payments professionals—as scam artists evolve into increasingly sophisticated criminals and their attacks become more targeted.

“Social engineering fraud” can come in many forms, with the most problematic for payments professionals being virtual attacks, carried out online. These often involve “phishing” schemes, such as initiatives where fraudsters send out mass emails containing fraudulent links to a wide range of recipients, or “spearphishing” schemes that have a higher degree of sophistication and are targeted to specific individuals or companies.

“Social engineering is the manipulation of a person to get information or have them perform some type of act they wouldn’t otherwise perform,” explains Ryan Jones, managing principal, labs, at Coalfire. Hackers use phishing and other social engineering methods to target organizations with legitimate-looking emails, social media messages, and phone calls that trick users into providing confidential data, such as credit card numbers, Social Security numbers, account numbers, or passwords, according to the PCI Security Standards Council (SSC). Most commonly, hackers use phony emails, containing malicious software that could infect computers and systems, or that contain links to lookalike sites. Fraudsters also exploit website and software vulnerabilities and compromise credentials to gain remote access to a network, by using unauthorized usernames and passwords.

Over the past few years, social engineering has been the main entry point for the majority of breaches, according to Jones. “They’re easy to do, they don’t require a lot of technical knowledge, and they’re an easy way [for criminals] to get a foothold into the internal networks of a company,” he says.

“When they’re successful, phishing attempts can have a significant impact on you personally, as well as on your workplace,” explains Mark Carl, CEO of ControlScan. “Spearphishing attempts can be very targeted and very sophisticated, and were the most expensive—and successful—types of attacks last year.”

Kaspersky Labs detected more than 46.5 million general phishing attempts in the second quarter of 2017 alone, and while the overall number of spam incidents decreased in 2017, phishing attacks increased. “These tend to be the most costly because the attacker is often looking for something that has value, such as payment card data [from which they can] print their own cards for use online,” says Carl. “They may also be looking to install ransomware.”

Exploiting Vulnerabilities

Last year, social engineering attacks were utilized in 43 percent of all breaches in a broad dataset examined by Verizon. “Almost all phishing attacks that led to a breach were followed with some form of malware, and 28 percent of phishing breaches were targeted,” according to the “2017 Verizon Data Breach Investigations Report.” Phishing was the most common social tactic in the dataset (93 percent of social incidents).

These numbers match what Jones is seeing at Coalfire. His company’s research revealed that midsized companies are at greatest risk of social engineering penetration—despite being more secure overall. Smaller organizations tend to be more intimate environments, where individuals are more in tune with the operation of the business and employers personally promote awareness, according to “Coalfire’s Penetration Risk Report, 2018.” Conversely, large businesses benefit from having “seen it all,” by nature of having such a large staff and frequently engaging in strictly administered, recurring, and regularly audited security training and awareness programs. But midsized organizations, according to the research, “are stuck being too big to provide staff with a natural awareness of company operations, yet too small to have assembled formal training, awareness, and draconian email controls. This leaves them susceptible to the broadest range of social attacks.”

Cybercriminals themselves have evolved from individuals or small groups into large, organized criminal entities, according to Michael Aminzade, vice president of global compliance and risk services for Trustwave. “They are well-funded,” he says. “We have been able to identify specific large organizations and have found that they do feasibility and ROI studies” to determine whom to target.

Robert Capps, vice president and authentication strategist at NuData Security, offers rationale for the uptick in social engineering attacks: “Fraudsters are awash in stolen data—there are more stolen data records out there than there are human beings. So now [criminals] need to figure out what is relevant data,” says Capps. Phishing, and spearphishing in particular, help criminals do that.

Payments professionals should understand that retail spaces, which typically have high staff turnover and low margins, are especially susceptible to social engineering attacks. “It’s hard to get employees to a level [where they can successfully serve] as a first line of defense,” says Jones. “They usually have firewalls and conduct limited testing to protect themselves at the perimeter, but hackers are able to get to the systems on the inside. Just one person who responds to spearphishing or otherwise compromises the system is needed” to infect a system.

In fact, Trustwave Spiderlabs investigated malicious data breaches affecting thousands of locations in 21 countries as part of its “2018 Trustwave Global Security Report” and found the largest single share of “incidents” involved the retail industry (nearly 17 percent), followed by finance and insurance (13 percent), and the hospitality industry (nearly 12 percent). Half of the incidents involved corporate and internal networks, followed by e-commerce environments, at 30 percent. Incidents affecting POS systems accounted for 20 percent of the total.

“Threat actors” targeted payment card data in the majority of incidents, with magnetic-stripe data comprising 23 percent of incidents and card-not-present data comprising 20 percent, according to Trustwave. In addition, 47 percent of the POS system compromises were accomplished via phishing and other social engineering attacks. “These can happen when administrators don’t properly segregate the cardholder data environment from the rest of the network,” the report states. The hotel and restaurant sectors were especially vulnerable to these types of attacks.

Trustwave also reported that remote access attacks were the second most common method of compromise at the point of sale. “Often, the attacker gained remote access to multiple locations by obtaining service-provider remote access credentials, either by compromising the service-provider network (and thus VPNs) or by simply obtaining default passwords in cases where remote access tools were internet accessible,” the report states. “The human factor is still the highest source of weakness for corporate environments, with phishing contributing to more than half of such compromises.”

In addition to compromises stemming from fraudulent email, the retail industry is seeing more attacks that draw customers to copycat merchant websites. Cybercriminals are using international typographical characters to create a website URL that’s very similar to a legitimate website, explains Capps.

A new report from Farsight Security found an increasing prevalence of Internationalized Domain Name (IDN) lookalike names, or homographs. IDNs enable a multilingual internet by allowing users to register and use domain names in different languages. Because IDN homographs are easy to register and often go undetected by traditional security solutions, the lookalike domains are increasingly being used to commit phishing and other malicious activities against unsuspecting consumers who mistakenly believe they are on legitimate websites, according to the Farsight research.

Capps notes that while phishing scams and the use of internationalized characters in domain names are not new, “the resurgence of embedding foreign characters with subtle differentiations to English language ones to draw customers to phishing sites is an interesting twist. It shows that hackers are constantly evolving and changing tactics to lure customers into surrendering their personal and payment data—even if those techniques are not new or novel.”

Prevention and Response

Many organizations are adjusting their security practices and working with partners in prevention strategies, but keeping pace with fraudsters’ constantly evolving attack practices can be challenging. “We’ve done a lot of good in educating people on what links [are OK] to click, and what calls to take,” says Aminzade. While new security technologies help prevent and minimize attacks, “criminals also realize what areas are hard to attack—for example, areas that have shifted to EMV,” and concentrate their efforts in alternate, more vulnerable areas.

“It’s very difficult to prevent these types of attacks,” concedes Jones. “There’s no silver bullet for security—social engineering or otherwise. But you have to train employees, make sure they know who to report compromises to. And it’s important that everyone use strong passwords and apply patches internally as well as externally.”

The PCI SSC offers several recommendations to decrease the likelihood of an attack causing damage. Companies should reduce unwanted email traffic by installing and maintaining basic security protections, such as firewalls, antimalware software, and email filters. In terms of website and software security, companies should separate and update computers and software—for example, use basic security tools and keep computers used for social media sites, email, and browsing separate from computers used for processing financial transactions. And everyone should be practicing good password hygiene, updating strong passwords regularly, and implementing two-factor authentication.

Sources caution that PCI compliance is only a minimum standard. “Merchants need to be conducting risk assessments and more sophisticated testing, and adhere to stricter standards as they are developed,” Aminzade says. “Compliance standards will always fall behind [the capabilities of criminals] so merchants need to take a ‘security first’ approach.”

“Social engineering is going to be a threat to any business,” Carl says. “Anywhere you have a connected employee, you are susceptible.” He recommends limiting access to IT systems so only those who truly need it have access to data. He also suggests training employees not to click on suspicious links. In addition, “have a security system in place 24/7, so if a PC gets infected with malware, endpoint security can take it offline immediately,” suggests Carl.

Point-to-point encryption (P2PE) surrounding payments is critical, sources agree. “You need to de-value the data coming in,” says Carl. “P2PE must be applied at the point of interaction, immediately when the card or chip is read.” He cautions organizations to remember that even if attackers can’t get access to payment card data, companies still may be susceptible to ransomware.

Aminzade also urges the retail sector to adopt P2PE systems. And he suggests that payments professionals survey the evolving landscape; actively work with QSA and security partners to stay up on the latest happenings; check the blogs of security experts and the card brands; undergo relevant training; and understand how payments are developing—particularly mobile and contactless payments.

He further emphasizes that securing payments should involve a comprehensive approach. “You can’t just focus on payments; you need to look at the identity of the person making a payment, and not just the card,” Aminzade says. “You need to really understand personal data regulations, and expand your focus area into protecting personal data.”

Capps suggests that all parties associated with transactions, and anyone with a loss budget, focus on “tying the individual at the keyboard—the consumer—with the rightful owner of the account data,” and ensure appropriate credentials are provided. This will devalue stolen data, eventually reducing the incidents of phishing and data breach.

Some merchants and financial institutions are responding by moving past the user’s personally identifiable information as a way to authenticate them—as this could have been stolen by phishing, for instance—and incorporating multilayered solutions with passive biometrics and behavioral analytics, says Capps. “These technologies thwart the reuse of data by fraudsters and, instead, verify users based on their behavioral information. The hundreds of subtle nuances in customer behavior—together with many other factors such as device identity—create a dynamic user profile that bad actors can’t mimic.”

Many companies offer services designed to help protect data and prevent social engineering attacks. ControlScan, for example, has an Active Monitoring Services Division that offers managed detection and response services. Its services are designed for enterprise security as well as retail.

Aminzade notes that companies that leverage Trustwave’s security systems, or similar systems, have an advantage because they receive warnings of attacks being carried out on other entities. “If we see an attack starting to happen in a certain vertical, we can create targeted defenses for other merchants in that vertical,” says Aminzade.

Ongoing Vigilance

Just as security technology is getting more sophisticated, so, too, are the attacks, sources agree. “We expect more phishing attacks will become spearphishing—more targeted,” in the future, says Carl. “Humans will always be the weakest link.”

Jones predicts that today’s “simple” phishing attacks will become much more intricate tomorrow. He speculates that criminals will conduct in-depth research on individuals at the companies they are targeting, perhaps learning details about their hobbies and their friends, to “create an even more targeted attack.”

Capps believes the coming months will bring “more attacks on consumers.” He urges payments professionals to “be aware of the latest trends, and adapt businesses to be more resilient to attacks.” To prepare for social engineering attacks, he suggests that payments professionals aid merchants in looking at the competitors in their space to evaluate how similar companies are being compromised. “The attackers usually start with the biggest companies, then as those companies protect themselves, they move down to the smaller companies who are not likely to be prepared,” Capps explains.

“These types of attacks are not going away,” says Jones. It’s time to “stop looking at employees just as the weakest link and start thinking of them as the first line of defense” to help protect companies, consumers, and payments systems.

Christine Umbrell is a contributing writer to Transaction Trends. Reach her at [email protected].

Image credit: MR1805/iStock/Getty Images

ETA CPPs: earn ETA CPP Continuing Education (CE) credits. Read this article, then visit ETA CPP Quizzes to test your knowledge and earn 2 ETA CPP CE credits per quiz!