Types of advanced social engineering attacks
These are the main types of advanced attacks we are seeing as cybercriminals try to stay one step ahead of common security controls.
In a pass-the-cookie attack, the attacker can access web applications without knowing a user ID or password, and also without the one-time passcode from a Multi-Factor Authentication (MFA) system.
If malware is installed, it will capture when a user is authenticated to a website using their credentials and MFA code, once their session is created in the form of a ‘session cookie’ which stores user settings and authentication information.
The attacker can copy the session cookie and attempt to log in to the website using the active session. As long as the session stays open, it gives the attacker trusted access if they provide the session cookie — negating the need for any user authentication. Essentially, stealing a session cookie is like stealing a master key, allowing the attacker access to sensitive data and the opportunity to plant further malware and exploit vulnerabilities.
SMS forwarding and SIM swapping
SMS forwarding means redirecting text messages from one phone number to another. SIM swapping is replacing a SIM card in a mobile device to gain unauthorised access to the victim’s phone number and associated accounts.
In order for such attacks to be successful, attackers must first gather personal information of a victim to impersonate them. The aim is to fool the mobile provider into swapping the mobile number to a new SIM card. If successful, the attacker will receive all of the victim’s text messages. If they have successfully captured their credentials, the attacker can access the MFA code to authenticate the login.
QR Code Injection (Quishing)
QR code injection is a relatively new social engineering technique whereby malicious actors manipulate QR codes to redirect users to malicious websites or execute unauthorised actions on their devices. If the attack is successful, the victim will attempt to log in to a portal and their credentials will be harvested.
The recent increase in QR code attacks causes concern for security administrators because these attacks typically bypass anti-phishing filters, which primarily detect malicious links or attachments. The simplicity of a QR code in an image format means they can easily go undetected.
How can organisations respond to the threat?
- Employee training: An organisation’s people have the potential to be its best line of defence or its biggest weakness. If your employees know how to detect the red flags and — just as importantly — how to report their suspicions quickly and easily, the risks posed can be drastically reduced. Simulated drills can test employees’ resilience, honing their real-world defence capabilities.
- Next-generation anti-phishing solutions: Advanced anti-phishing techniques can be employed, such as Optical Character Recognition (OCR) or image capture technology to scan a QR code within the email and validate the link before the user receives it.
- Strengthening MFA controls: SMS has been identified as the weakest method of Multi-Factor Authentication. Encouraging users to use an MFA application such as Microsoft Authenticator, Duo or Google, or the use of a hardware token instead of relying on SMS can help provide greater protection.
- Geolocation and browser fingerprinting controls: These controls can be enabled to protect against stolen cookie sessions. This will ensure only legitimate users from approved locations can log in using the authorised devices.
How Gallagher can help
Raising cyber awareness and vigilance is a low-cost but high-reward solution to social engineering threat vectors. Many organisations benefit from the Secure Humans cybersecurity training webinars hosted by Gallagher’s Cyber Defence Centre. To find out more about these sessions or to speak to us about improving your cybersecurity controls in response to the changing risk landscape, please contact our Cyber Risk Management team.