When eBay suffered a massive data breach a few weeks ago, most of the attention revolved around the compromise of passwords and the vulnerabilities in the site’s security. While those are legitimate concerns, they obscure the most glaringly weak link in the security chain: people.
Indeed, it was not a sophisticated exploit that facilitated the eBay breach, but an old-fashioned con. It’s been determined that as many as 100 eBay employees were likely victims of a social engineering scheme: an attack where the perpetrators arm themselves with enough information to pass themselves off as a known and trusted individual or organization and convince the victim to reveal valuable personal information—in the case of the eBay employees, their logins.
That’s actually not surprising. When I recently asked a number of security experts to weigh in on innovative new attacks we should look out for, I was told the most concerning trend couldn’t be remedied by patching and updating applications or thwarted by your security software.
“The lowest hanging fruit is still humans,” said Ken Westin, a security researcher for Tripwire. “As long as attacks against humans still work consistently, attackers will use them on their own, or as part of sophisticated, integrated campaigns.”
Increasingly, those campaigns are tightly targeted to individuals and use carefully mined personal data to gain their trust. A person is likely to dismiss a typical phishing attack message that starts “Dear Customer” and contains only general information. But if a criminal can tailor a message that addresses the recipient by name; includes their personal details such as home address, phone number, or birth date; and looks like it comes from a company they do business with, the odds are much higher that even a cautious person will respond or take action.
The more pertinent personal information attackers can obtain, the easier it is for them to craft realistic-looking spearphishing scams. This is what makes companies like Target and eBay so appealing to hackers—their customer databases are a treasure trove of data about millions upon millions of consumers.
“Look, for example, at the eBay breach,” says Dwayne Melancon, CTO of Tripwire. “Millions of users’ personal information was disclosed—far more than just email addresses and user names. Those who possess the eBay data are now armed with dates of birth, locations, and even phone numbers, from which they can craft some of the most convincing phishing sites we’ve ever seen. By mentioning details from your local area, adding details that would appeal to you based on your age, and so forth, cybercriminals can greatly increase the odds you will respond to a phishing email.”
This doesn’t mean you should abandon conventional security measures. You should absolutely have a firewall in place and antimalware tools that are kept up to date. Those things are table stakes that are required just to maintain the status quo for computer security. But they’re not enough. You also have to exercise some degree of skepticism about emails, text messages, or other communications you receive.
Users have been conditioned for years not to open file attachments or click on links in email messages from unknown or suspicious sources. The way attacks are evolving, though, you now need to approach everything with similar caution. Attackers go wherever there are potential victims. As social networks and mobile devices have spiked in usage, cybercriminals have targeted users there as well, and many users who know better have been caught off-guard.
The second—and more important—issue is that it’s no longer just about communications from “unknown” sources. The sheer volume of sensitive, personal information that has been compromised means that attackers know a lot about you, where you live, and which companies you do business with. It means that attackers who just used to cast a wide net and hope to find a gullible victim can now target victims with much greater precision using accurate and relevant information.
Your security software can’t help you here—only awareness and common sense can block these types of attacks.
“Users must be ever vigilant, otherwise they will become victims,” Melancon said. “Unfortunately, vigilance doesn’t come naturally to most users.”