Here’s How Social Engineering Hackers May Be Targeting Your Information
Forget about high-tech espionage. Many of the headline-grabbing hacks from the past few months hinged on low-tech social engineering—the use of deception to manipulate users into giving up their passwords and other data, writes LeClairRyan attorney David Z. Seide in a new post on the national law firm’s “Information Counts” blog.
“This kind of hack takes many forms—examples include security alerts from what appear to be trusted websites to update passwords, and phishing emails from what appear to be known, trusted contacts asking to download files or click on provided links,” writes Seide, a partner on LeClairRyan’s Compliance, Investigations and White Collar team, based in the national law firm’s Alexandria, Va., and Washington offices.
In the Feb. 27 post (“Cyber Security and Social Engineering: A Big Low Tech Problem”), Seide notes that the consequences of computer network penetration through social engineering have been dire for victims. He cites a prime example: the hack of Hillary Clinton’s 2016 presidential campaign.
“There, the campaign chair received what appeared to be a genuine email from Google’s ‘Gmail Team’ informing him that a Ukrainian computer had just used his password to try to sign in to his Gmail account,” Seide explains in the piece. “The email went on to say that Google had stopped the attempt, advised the chair to change his password immediately, and provided a ‘Change Password’ link. Believing the email to be authentic, the chair clicked on the link and changed his password.”
As the world now knows, of course, the new password went straight to hackers, who promptly downloaded 30,000-plus emails in the account and sent them to WikiLeaks for publication. “This hack succeeded only because hackers used social engineering techniques to trick the unwitting user into effectively giving a secure password to what appeared to be a trusted source,” writes Seide, an experienced litigator and internal investigator, who led multiple high-profile internal and financial investigations for several federal agencies prior to joining LeClairRyan last month. Those roles included leading the Department of State Office of Inspector General team that reviewed and published multiple reports in 2016 concerning the use of personal email for official business by Hillary Clinton and four other Secretaries of State.
For the foreseeable future, he notes, low-tech social engineering hacking will continue to be a dominant cyber risk. “If anything, it is likely to proliferate across growing and emerging technology platforms—mobile and other Internet-enabled devices (Internet of Things) and social media,” he explains.
This is precisely why defending against such hacks requires more and better “cyber hygiene,” which Seide describes as “no different than regularly washing hands to prevent infection.” Toward that end, he offers a set of best practices for guarding against social engineering. They include ramping up education about social engineering; closely monitoring the level of security-protocol compliance within your organizations; maintaining vigilance and skepticism, and engaging in timely reporting of hacks or potential hacks.
“Cyber security is an ongoing process that changes as fast as technology changes. And technology changes fast,” the attorney writes in the conclusion to the piece. “These suggestions are by no means cure-alls. But they will reduce social engineering risk and may demonstrate a prudent effort to address a serious problem we all regularly face.”