Social Engineering

Blurring reality and fake: A guide for the insurance professional
www.cybcube.com

Deception and disguise are criminal methods that are as old as time. Numerous examples - from Ulysses and his Trojan Horse in Greek mythology, to Fagin, the pickpocket, in Charles Dickens' Oliver Twist - reinforce the long history of criminals achieving their goals by hoodwinking their targets into believing that an interaction is something that it is not.

Today, that deception is largely being carried out in the non-physical realm. Recent huge strides made in technology take historic social engineering techniques to new levels in terms of both scale and sophistication.

In this paper, we will outline some of the forms of social engineering and explore some of the criminal motivations for carrying out these attacks. We will take a deeper dive into four developing areas of social engineering, which we believe should be on the radar of insurance professionals, as they become more widely used.

Cyber insurance products do - and will continue to - cover claims from social engineering attacks. This paper is designed to educate insurers on developing strains of social engineering, so they can engage with their clients meaningfully on cybersecurity and risk management strategies against these new attacks.

CyberCube invests heavily in cybersecurity expertise - both human capital with deep experience in the cyber security domain and also in data sources and security signals that might flag vulnerabilities and risk areas. This paper combines those resources to offer some pointers on what warning signs enterprises should be alert to, and how insurers could address this growing trend before it becomes a major claims event.

Definitions

In the broadest context, social engineering is a defined domain within social sciences that focuses on efforts to influence particular attitudes and social behaviours.

In recent years, there has been recognition that social engineering plays a huge part in the execution of cyber security attacks. Specifically, social engineering in a technical context can be defined as the act of exploiting human weaknesses to gain access to personal information and protected systems; it relies on manipulating individuals rather than hacking computer systems to penetrate a target's account.1

1 https://en.wikipedia.org/wiki/Social_engineering_(security)

Social engineering - getting easier

The stages of a cyber attack that involve researching the target and manipulating their perception and behaviour (referred to as "luring") are becoming increasingly easy to conduct. Just in the past year, we have witnessed the COVID-19 pandemic leveraged during the luring phases of attacks: people were invited to click on links or open files in order to find out more information about the virus, only to discover that this action allowed a criminal to stage a ransomware attack or steal personal credentials.

Increasingly, workers today are hyper-connected, data-rich and often blur the lines between their public and private information. A person working from home, for example, most likely uses many of the same technical resources (e.g. laptop, network infrastructure, telephone) for their private conversations as they do for the public ones. This same IT infrastructure will also be utilised for both personal and business purposes. Electronic communication such as email and, in particular, social media platforms further prepare the ground for sophisticated social engineering by cyber criminals.

Even prior to the COVID-19 pandemic, people were physically meeting less and the tools that replace these physical interactions were becoming more ubiquitous. In turn, these very same tools started to become almost perfect vectors for social engineering attacks. More and more of our data has to be online today in order for service providers, governments and others to make use of it and provide us with service. People have created digital avatars of themselves (for the purposes of engaging with social welfare or interacting with banks online, for example) and these digital identities are proving to be just as valuable as physical human targets have been for centuries.

Importantly, the definition of a trusted relationship has also changed significantly in recent years. Historically, a criminal leveraging social engineering techniques would have had to imitate a close relation or colleague in the physical world. Now, the spoofing of an email address or the creation of a fake social media account may be sufficient.

As the availability of personal information increases, so criminals are investing in technology to exploit this trend. A balance has to be struck between the economic viability of a technique and its technical feasibility (see below).

Finding the "economic vs technological sweet-spot"

[Figure: two overlapping regions, "Technically Feasible" and "Economically Viable"; the sweet spot is their intersection.]

Where a sweet spot emerges (i.e. a solution becomes both technically feasible and economically attractive), we will often see aggressive adoption of the emerging technique which, in turn, leads to major and influential trends in behaviour.

Attack methods: today

Traditionally, social engineering techniques have been categorised as either physical or non-physical (often termed "technical" where computer systems are used as the basis for attack). Physical manifestations of social engineering involve a physical act on the part of the criminal that grants access or steals information. Non-physical social engineering involves the use of authority, playing on emotions such as greed, curiosity and anger, as well as the use of impersonation. The intersection of "non-physical" and "technical" social engineering (sometimes referred to as "socio-technical") is where criminals are mostly focused today. Using computer systems to engage in psychological trickery has already proved to be fruitful for today's cyber criminal, and innovation in this area should be expected to continue.

Social engineering style, attack type and typical vectors:

Physical social engineering
  Attack type: dumpster diving, tail-gating
  Typical vectors: trashcans, open access to property, office reception areas

Technical social engineering
  Attack type: password hacking, online profiling
  Typical vectors: malware, unsecured networks & systems, social media

"Socio-technical" engineering
  Attack type: phishing, watering holes
  Typical vectors: email, compromised websites

Where are criminals investing?

To predict what the future holds for social engineering techniques in the world of cybersecurity, CyberCube conducted research to understand the current and predicted behaviours of cyber criminals and analysed trends. This research leveraged both data that the company collects in order to model insurance risk and insights collected via the dark web as part of our adversarial threat intelligence efforts.

Phishing techniques are now well-established in cyber crime (these having attained the "sweet spot" some time ago). These social engineering techniques will continue to develop in terms of maturity and sophistication in the coming years. There are new, emerging techniques that we believe will fundamentally change the cyber threat landscape and that are rapidly becoming both technically feasible and economically viable.

Here, we focus on three major innovations that could be impactful within the next 2-4 years:

> Social profiling at scale
> Deep Voice mimicry
> Deep Fake video mimicry (with special mention of "Mouth Mapping" technology)

Advanced social profiling at scale

Social profiling is the process of constructing a target's character profile using their social data. It has long been the staple of the research phase of socially engineered attacks. Historically, targeted social data has mainly existed in the physical realm, perhaps in physical bank records that can be retrieved through dumpster diving or through stolen medical files. Today, social profiling is largely carried out online (reflecting the transfer of personal information to digital media) and involves the application of certain data science processes to generate a target's profile using technology.

The digitisation of personally identifiable information (PII) has created a huge opportunity for criminals to profile their targets online. This would be enough of a problem if it were limited to hacks of medical databases, banking networks and so on, but the problem and potential impacts grow exponentially given the popularity of social media platforms such as Facebook and LinkedIn.

Active social media users are a gift to social engineers, especially when combined with official records such as driving licences, passports, medical records and banking information. Consider the following statement, taken from an

their job could be targeted by a bogus recruitment consultant who could extract personal information as a trusted party, over time. To use the banking example here and build out an example scenario,
