Social engineering has long been a favorite technique for attackers who want to gain access to computer systems, bank accounts or other secure resources. For those who might not be familiar with the term, social engineering refers to an attempt at manipulating someone into giving access to a protected resource. Those telephone scam calls from "tech support," the warranty department or the IRS are all examples of social engineering. The person behind the call is trying to trick someone into paying for a fraudulent service: it is a phishing attack with social engineering at its core.
Some social engineering scams are easy to spot. Recently, for example, I received at least a dozen robo calls (with a computer synthesized voice, no less) from “Apple Support” claiming that my iCloud account had been compromised. There were several red flags indicating that the calls were a scam, but the biggest was the simple fact that I don’t use Apple products and do not even have an iCloud account.
A social engineering phishing attack like this one is designed to work at scale. The attackers likely called many thousands of people, knowing that only a small fraction of those calls would ultimately lead to a successful phishing attack.
At the other end of the spectrum are highly targeted social engineering scams that focus on compromising a specific person. Phishing attacks like this are more difficult for a hacker to pull off, but they are potentially far more lucrative than a large-scale social engineering attack.
Do I Know You?
One of the targeted social engineering techniques that is starting to gain traction is conversation hijacking. Conversation hijacking is a form of phishing attack in which a hacker attempts to convincingly impersonate someone through email.
I encountered a primitive version of a conversation hijacking attack back in the late-90s. Before I tell you what happened, let me take just a moment and explain how this attack worked so that I can contrast it with what is being done today.
If you have ever set up an email client, then you know that most give you a chance to specify your name. Figure 1, for instance, shows the setup process for an older version of Microsoft Outlook. The name that you enter in the “Your Name” field is the name that message recipients see when they receive a message from you. Mail clients often do little to confirm that you are entering your real name during setup. As such, someone who has a virtual machine, a mail client and a little bit of free time can pretend to be anyone that they want.
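Because the display name is whatever the sender typed into the mail client, a recipient-side check has to compare it against the address it arrives with. The following is an added example (not code from the article or from any mail product) that parses a raw From: header and flags a message whose display name matches a known correspondent while the address does not; the contact directory and header values are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed directory of known correspondents: display name -> expected address.
# In practice this would come from an address book or HR directory.
KNOWN_CONTACTS = {
    "jane writer": "jane@example.com",
}


def _normalize_name(name):
    """Collapse whitespace and case so 'Jane  Writer' and 'jane writer' match."""
    return " ".join(name.split()).lower()


def check_from_header(from_header, known=KNOWN_CONTACTS):
    """Classify a raw From: header value.

    Returns (verdict, detail) where verdict is one of:
      'malformed'             - no usable address in the header
      'unknown-sender'        - display name is not a known correspondent
      'ok'                    - display name and address agree with the directory
      'display-name-mismatch' - known name, but a different address (possible impersonation)
    """
    display_name, address = parseaddr(from_header)
    address = address.strip().lower()
    if "@" not in address:
        return ("malformed", "no address found in header")

    expected = known.get(_normalize_name(display_name))
    if expected is None:
        return ("unknown-sender", address)
    if address == expected.lower():
        return ("ok", address)
    return ("display-name-mismatch",
            f"{display_name.strip()!r} is known as {expected}, but this mail came from {address}")


if __name__ == "__main__":
    # Constructed headers: a genuine message, a display-name spoof, and a stranger.
    for hdr in ('"Jane Writer" <jane@example.com>',
                'Jane Writer <jw.freemail@mail.example>',
                'bob@example.org'):
        print(hdr, "->", check_from_header(hdr))
```

A mismatch is a signal to verify out of band, not proof of fraud: people do legitimately send from a personal address now and then, which is exactly why a phone call is the right follow-up.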
So, back in the ‘90s, someone apparently set up a mail client on a spare computer and configured it with my name. Then, posing as me, the person wrote an extremely rude resignation letter to one of the editors I was writing for at the time. Thankfully, the editor was someone that I had known for a long time, and he knew my writing style well enough to realize that I didn’t write the email.
As damaging as that type of attack could potentially be, there is a modern variation that is far worse. The modern conversation hijacking attack is based on the idea that multiple mail clients can access a single mailbox. Think about your own mailbox, for example. You may use a desktop computer to check your email while you are in the office, but you use a smartphone to check the same mailbox when you are away.
So here is how the modern conversation hijacking scam works. Attackers acquire their victims’ login credentials. Rather than using those credentials to launch a traditional attack, however, the attackers set up a mail client and log in as their victims. Because attackers have a legitimate set of credentials, they have the ability to read all of their victims’ email.
Rather than doing something rash, attackers take time to get to know their victims. They learn who their victims communicate with, as well as what those communications typically look like. Once attackers have a solid understanding of victims’ communications, they compose one or more email messages, posing as the victims. These messages are usually designed to trick someone who is close to the victim into handing over money.
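The attacker in the scenario above is reading the mailbox through an additional mail client, with valid credentials, so the thing to look for is a mailbox suddenly being accessed by a client and source address it has never used before. The following is an added example, not code from the article or from any mail platform: it reads a CSV export of mailbox sign-ins (a hypothetical format with timestamp, mailbox, client and source IP columns), builds a per-mailbox baseline of known client/IP pairs from an earlier window, and reports the first sign-in from any pair not in that baseline. The log lines are constructed.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sign-in export. Three normal days, then a new client from a new
# address at 02:00 a week later, which is the pattern described in the text.
SAMPLE_LOG = """timestamp,mailbox,client,source_ip
2023-03-01T08:02:00Z,jane@example.com,Outlook-Desktop,203.0.113.10
2023-03-01T12:40:00Z,jane@example.com,iOS-Mail,198.51.100.7
2023-03-02T08:05:00Z,jane@example.com,Outlook-Desktop,203.0.113.10
2023-03-03T08:01:00Z,jane@example.com,Outlook-Desktop,203.0.113.10
2023-03-09T02:17:00Z,jane@example.com,Thunderbird,192.0.2.55
2023-03-09T02:19:00Z,jane@example.com,Thunderbird,192.0.2.55
"""


def load_signins(text):
    """Parse the CSV export into a list of dicts, one per sign-in."""
    return list(csv.DictReader(StringIO(text)))


def build_baseline(rows, before):
    """Known (client, source_ip) pairs per mailbox from sign-ins earlier than `before`.
    Timestamps are ISO-8601 UTC strings, so plain string comparison is chronological."""
    baseline = defaultdict(set)
    for r in rows:
        if r["timestamp"] < before:
            baseline[r["mailbox"]].add((r["client"], r["source_ip"]))
    return baseline


def find_new_clients(rows, before):
    """Return the first sign-in for each (mailbox, client, source_ip) combination
    that appears at or after `before` but was never seen in the baseline window."""
    seen = build_baseline(rows, before)
    alerts = []
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        if r["timestamp"] < before:
            continue
        pair = (r["client"], r["source_ip"])
        known = seen.setdefault(r["mailbox"], set())  # mailbox with no history at all
        if pair not in known:
            alerts.append(r)
            known.add(pair)  # report each new pair once, not on every later sign-in
    return alerts


if __name__ == "__main__":
    for a in find_new_clients(load_signins(SAMPLE_LOG), "2023-03-08T00:00:00Z"):
        print(f'{a["timestamp"]} {a["mailbox"]} new client {a["client"]} from {a["source_ip"]}')
```

The alert is a prompt to confirm with the mailbox owner whether they really set up a new client; if they did not, the credentials should be treated as stolen and reset before any impersonation mail goes out.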
The key to success for attackers is being able to mimic victims’ writing styles closely enough that those who communicate with the victims on a regular basis will not suspect that a phishing attack is in progress. While there are probably some attackers who have the skill to pull this off on their own, I have heard stories of attackers composing messages by copying sentences or phrases from some of the victims’ previous messages.
You can imagine that a conversation hijacking attack can be extremely difficult to detect because it does not follow any of the patterns used in more common types of attacks. The best things that an organization can do to keep from falling for this type of attack are to adhere to long-established security best practices (to prevent credential theft) and to train employees to verify messages that are even a little bit suspicious by phone, especially if someone you "know" is asking you for money.