While cyber-attackers can probe Websites to find application flaws and network holes, employees at many financial institutions are just as vulnerable to social engineering tricks.
Why hack a Website when all it takes is a phone call to get into a customer bank account? That is the question Jim Stickley, CTO of TraceSecurity asks when auditing the security measures in place at banks and credit unions around the country. The audits focus on both physical thefts as well as what Stickley called "virtual thefts," where thieves use emails and phone calls to get the passwords they need to remotely penetrate sensitive systems.
TraceSecurity's auditors employ the mindset of a cyber-criminal to determine what would be targeted, and what techniques would be used, Stickley told eWEEK.
"Most of the time, it's bank accounts," Stickley said.
The first step is to identify new employees, Stickley said. Finding out who just started working at the targeted institution, such as a mid-sized credit union or regional bank, is very easy in this day of social networking, as all the attacker has to do is search the targeted institution on LinkedIn.
Once the attacker has a list of employees with a recent start date, the next step is to masquerade as a senior manager.
"New employees are gullible. They don't want to annoy their managers, so they just do what they are told to do," Stickley said, adding they are less likely to question suspicious incidents when a superior is involved.
Attackers can call the credit union's general number directly to find out the name of a manager. The trick works best if the targeted institution is big enough to have multiple branches or offices, because then the attacker can find out the name and phone number of a manager in a different branch, Stickley said.
"New employees are less likely to know what that manager sounds like," Stickley said.
With the phone number and name of the manager in hand, the attacker calls the employee directly. There are software readily available online that let people spoof their phone numbers. With software, the attacker modifies the caller ID information so that the employee, when looking at the phone display, sees a phone number that matches the pattern the company uses and thinks it's a legitimate call. Since the employee already thinks the attacker is actually a remote manager, there is already a sense of trust present, Stickley said.
The supposed manager can claim that the branch's network is down; IT is working on the manager's computer; or a myriad of other reasonable scenarios as to why the manager can't log in to the network and access a customer account. "Don't make it a big deal, just mention it and move on to the actual request," Stickley said.
By asking the employee what account login is being used or reading information to supposedly verify some details, the attacker has obtained sensitive information to compromise the account. The fake manager can also convince the employee to change the password to something else "for security purposes" and then promise to call back after a specified time interval to change the password back, Stickley said.
"That's 45 minutes for the attacker to do whatever is necessary," Stickley said. Some attackers may even continue the masquerade by calling back and saying they were done.
New employees don't want to push back, so it's important for financial institutions to "empower" them to ask questions and feel comfortable pushing back right from the start, Stickley said. Employees need to hear that it's OK to tell managers, "No!" or all the rules go out the window, he said.
It's one thing to teach employees policies, but better to teach them what to do when they are asked to violate policy, especially if it's by a senior executive or the company president. "The policy might be, 'Don't give out private information over the phone,' which is good, but the reality is, when the manager asks, you don't say no," Stickley said. Employees need to be told to say they can't do that, and to offer to transfer the call to a senior manager. Attackers will often hang up at this point, since the manager might know the person they are pretending to be and expose the scam.
Another common social engineering tactic relies on email. Many institutions have a corporate directory available on the phone system. Attackers call the phone number late at night to go through the phone directory. Many systems have a quirk where if the caller doesn't punch in the "first three letters of the person's name," it lists all the names matching whatever was entered.
"So press number '2' and wait a few minutes. The system will time out and then give you every name that begins with the letters A, B, and C," Stickley said.
The attacker can get all the names of the employees relatively fast in this way. The attacker then picks up a free email account from any email provider and sends the employees a spam message. Some companies make this step easy because they publish email addresses online, making it easy to guess what pattern the company follows, whether it's firstname.lastname, first initial followed by the last name, or some other variation, Stickley said. If the attacker can't figure it out, then it's just a matter of entering every possible combination into the message's BCC field.
While most of the combinations will fail, at least one of the addresses won't bounce back, Stickley said. With the list of valid email addresses, the attacker can send out messages with links to malicious Websites, downloaders or infected attachments to try to compromise at least one user. The malicious links can claim to be e-cards sent by a "secret admirer," or messages from industry regulators or professional organizations, Stickley said.
Another method is to pretend to be another employee sending an internal email. It's easy to create domain names that look similar to the legitimate name, such as replacing the o in .com with a 0 to create .C0M, or dropping an "i" in the company name. At first glance, people will not notice the slightly different domain, Stickley said.
Financial institutions need to restrict Internet usage by employees, Stickley said. Most employees generally need to access a handful of sites, and don't need to be able to go to so many places on the Web during the course of their workday, he said.
"Lock down the sites and 90 percent of the risks go away," Stickley said. When users can't go anywhere other than approved sites, the only threat with this kind of social engineering attack is the malicious attachment, and most organizations are "smart enough to strip out the malicious payload," said Stickley.
Most organizations can afford to do two networks and tell users that if they want to access the general Web, they should use the system dedicated for Web surfing, Stickley said. The Web surfing machines should not have any access to internal systems or sensitive data. It's similar to how the intelligence and defense industries have a classified and unclassified network, he said.
"The risk is too great that you can't just let users go anywhere they want," Stickley said.