Unmasking the Art of Social Engineering: A Series on Cyber Intrusions
Introduction
Welcome to Securiment's series on social engineering, where we expose the tactics behind real-life cyber intrusions for your awareness and learning. In this first episode of the series, we explore the dark art of manipulating human psychology to gain unauthorized access to sensitive information. Social engineering exploits the trust and helpfulness of individuals, bypassing even the strongest technical security measures. Through phishing, pretexting, baiting, and tailgating, attackers deceive and manipulate their targets. This series provides real-world examples and insights to help you recognize and defend against these tactics.
Join us as we uncover the techniques employed by malicious actors and empower you with the knowledge to protect against social engineering attacks. With Securiment's expertise, we aim to strengthen your organization's security posture from within.
Stay tuned for captivating stories, cautionary tales, and expert analysis that will equip you with the tools to thwart cyber adversaries. Together, we can defend against the unseen threats that lurk behind the screens.
Instant New (and Benign) Look in Office… How!!?
MS Office macros continue to be a persistent security risk in social engineering attacks. A macro can execute arbitrary code from within a seemingly harmless document, which makes it an attractive tool for cybercriminals. By exploiting human curiosity and trust, attackers entice users to enable macros in innocent-looking files, and the user unknowingly hands the attacker code execution on their workstation and access to the sensitive information it can reach.
In this attack scenario, the following was (and can be) the set of actions. Here, the attacker shows up as an applicant for an open vacancy in the company. The attacker embeds their macro in an Office document and expects an employee (present on the company network) to open the document and click Enable Content; the pretext therefore has to be convincing enough that the employee does not find it suspicious.
- A Finance Analyst manager at a German company receives an email containing a job application for an open Finance Analyst position. The email has an attachment (the applicant's CV) that the manager is supposed to review.
- The attachment's name interestingly says "(encrypted)", making it a bit more appealing to an employee who cares about security in general.
- When the manager (named Giulio) opens the attachment from the email, Office naturally displays the warning that this file contains macros. Maybe the attack will fail because the manager sees the "Security Warning"? Well, no, the attacker had a solution!
- When the manager reviews the contents of the file, they seem to suggest that by enabling content the manager is actually ensuring security, as shown below. The attacker intentionally put in words like GDPR, privacy and encryption alongside a random text block (the "encrypted" CV :) ).
- Now, as soon as (and if) the manager clicks on Enable Content, he is not disappointed (and neither is the attacker). The manager sees a very convincing applicant's profile, because the macro has replaced the random text with a strong candidate's profile, so the manager is kept busy reviewing it.
- Now comes the interesting part: the attacker has also compromised the manager's workstation, because the macro did two things. A. It gave the manager a convincing profile to read. B. It opened a reverse shell to the attacker's C2 server, as can be verified below.
- From here, the possibilities for the attacker are endless. They can initiate lateral movement and a range of post-exploitation activities, which will be part of another series of Securiment blogs, so stay tuned!
What I should do as an Employee to Ensure my Company’s Security
- Be cautious of suspicious email messages, especially those requesting personal information or login credentials. Verify the sender's email address and look for red flags such as misspellings or unusual formatting, but remember that a well-prepared pretext may show none of them: in the scenario above, the email was a plausible job application sent to exactly the person who would review it.
- Exercise caution when opening email attachments, particularly Microsoft Office documents (Word, Excel or PowerPoint files), as they can contain malicious macros or embedded links. Scan attachments with up-to-date antivirus software before opening them, and treat a clean scan as one signal rather than proof of safety: the document in the scenario above looked harmless until the recipient clicked Enable Content.
- Never click Enable Content on a document you did not expect, however reasonable the on-screen justification sounds; no legitimate CV needs macros to "decrypt" itself or to comply with GDPR. Keep the macro security settings in Microsoft Office at their restrictive defaults (current Office versions block macros in files that carry the Mark of the Web, i.e. files downloaded from the internet or saved from email attachments), and where you administer the environment, enforce the "Block macros from running in Office files from the Internet" Group Policy so that users cannot simply click through the warning.
- Regularly update and patch your operating system, web browsers, and Microsoft Office applications to ensure you have the latest security enhancements and fixes, as cybercriminals often exploit vulnerabilities in outdated software. Note that patching alone would not have stopped the attack above: the macro abused a legitimate Office feature that the user switched on, not a software vulnerability, which is why the macro policy in the previous point matters.
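As an added example that is not part of the original post, the following Python script shows what "scan attachments before opening" can look like on the receiving side (a mail gateway or an analyst's triage script): it inspects an Office Open XML attachment, the zip container behind .docx, .docm, .xlsm and similar files, for a VBA project, which is how the CV in the scenario above carried its macro. The two sample documents, their file names and the placeholder vbaProject.bin bytes are constructed for this example, and the detection rests only on the container's structure and content-type manifest, not on decompressing the VBA source.

```python
"""Flag Office Open XML attachments that carry a VBA project.

Added example (not from the original post): two documents are built in
memory, a clean .docx and a macro-enabled package that was renamed to .docx,
and each is inspected the way a mail gateway could inspect a CV attachment
before it reaches the recipient. Only the OOXML zip container is examined;
the VBA source itself is not decompressed here.
"""
import io
import zipfile

# Constructed [Content_Types].xml manifests: the first is a plain document,
# the second declares a macro-enabled main part and a VBA project part.
_CONTENT_TYPES_CLEAN = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

_CONTENT_TYPES_MACRO = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
</Types>"""

# Main-part content types Office uses for macro-enabled Word, Excel and PowerPoint files.
MACRO_ENABLED_MAIN_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
VBA_PROJECT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that promise a macro-free package.
MACRO_FREE_EXTENSIONS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def inspect_ooxml(data: bytes, filename: str) -> dict:
    """Inspect one attachment (its bytes and the name it was sent with).

    has_macros is True when the package contains a vbaProject.bin part or its
    manifest declares a VBA project or a macro-enabled main part;
    extension_mismatch is True when such a package arrives under an extension
    that promises no macros (e.g. a renamed .docm sent as .docx).
    """
    result = {
        "is_ooxml": False,
        "vba_parts": [],
        "macro_enabled_main": False,
        "has_macros": False,
        "extension_mismatch": False,
    }
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container: legacy binary .doc/.xls or something else

    names = archive.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True

    # 1. The VBA project is stored as a part named vbaProject.bin (under word/, xl/ or ppt/).
    result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]

    # 2. The content-type manifest gives it away as well, even if the part were renamed.
    manifest = archive.read("[Content_Types].xml").decode("utf-8", "replace")
    declares_vba = VBA_PROJECT_TYPE in manifest
    result["macro_enabled_main"] = any(t in manifest for t in MACRO_ENABLED_MAIN_TYPES)

    result["has_macros"] = bool(result["vba_parts"]) or declares_vba or result["macro_enabled_main"]

    # 3. A macro-bearing package under a .docx/.xlsx/.pptx name deserves extra scrutiny.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result["extension_mismatch"] = result["has_macros"] and ext in MACRO_FREE_EXTENSIONS
    return result


def _build_doc(content_types: str, with_vba: bool) -> bytes:
    """Build a minimal OOXML package in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", content_types)
        archive.writestr("_rels/.rels", "<Relationships/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes stand in for the VBA project; there is no real macro here.
            archive.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: a plain CV and a macro-enabled one renamed to look plain.
SAMPLE_CLEAN_CV = _build_doc(_CONTENT_TYPES_CLEAN, with_vba=False)
SAMPLE_MACRO_CV = _build_doc(_CONTENT_TYPES_MACRO, with_vba=True)


if __name__ == "__main__":
    for name, blob in (("CV.docx", SAMPLE_CLEAN_CV), ("CV (encrypted).docx", SAMPLE_MACRO_CV)):
        print(name, inspect_ooxml(blob, name))
```

Two caveats for anyone turning this into a gateway rule: legacy binary formats (.doc, .xls, .ppt) are OLE2 compound files rather than zip containers, so they fall through the BadZipFile branch here and need an OLE parser such as oletools' olevba instead; and a positive result should lead to quarantine or stripping of the VBA part, not just a warning to the recipient, because the whole point of the pretext in the scenario above is to talk the recipient past a warning.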
For assistance with Social Engineering or any other security topic, please get in touch with us: info@securiment.com