I've never understood why the IT security world has an obsession with acronyms or the invention of new terms. It may just be that we sit in the driving seat of innovation and so must be linguistically creative with a lack of definitive authority. Alternatively, it may be that we simply enjoy feeling more intelligent when someone asks "what is that?"
Egos aside, one area of IT security which swims in a sea of terms (pun intended) less known to the wider population is that of social engineering. Victims take no comfort in being asked whether the cause was phishing, smishing, a watering-hole attack or perhaps even a spear-phishing attack, but the types of attack are important to understand.
In this blog we will list some of the more popular social engineering terms and their definitions in an attempt to add some clarity to this parallel language.
Deciphering the Terms
Phishing - Taking its name from the regular term fishing, this type of activity involves a malicious actor sending a genuine-looking email to a wide group of users, which actually contains a malicious link or button. Phishing emails emulate services you might already use and apply some priority to, for example an email from the tax authorities, an online retailer or your bank. Clicking on links or buttons in phishing emails will either attempt to steal credentials or, more commonly, deliver malware such as ransomware.
Spear-Phishing - The concept is similar to the non-speared flavour of phishing; however, the net is not cast as wide. Spear-phishing gets its name from its targeted nature. For example, it may be a campaign against just one individual who has administrative privileges on your network.
Whaling - The bigger the target, the bigger the prize. Whaling is a form of phishing which specifically targets those at the top of an organisation, hence the size reference. Organisation leaders often have higher levels of privilege, fewer controls on their devices and of course can instruct their employees to carry out tasks such as making payments. All attractive qualities in a target.
Watering-Hole Attack - In the case of phishing, the attacker proactively initiates the communication and the attack. A watering-hole attack uses the opposite strategy, whereby the attacker monitors a popular website or resource which a group of users frequents. Once the location has been identified, the attacker then infects that location with malware and awaits the return of the members of the group.
Smishing - Otherwise known as SMS phishing, it is just that: phishing attempts made using SMS as the medium of delivery. Worryingly, this type of attack is often more successful due to the number of mobile handsets and IoT (Internet of Things) devices without basic levels of security.
Ransomware - Although not a social engineering technique, it is estimated that up to 98% of all ransomware is delivered by email attacks such as phishing. The purpose of ransomware is to extract a payment from the device owner in exchange for the return of a service being held hostage. The most common types of ransomware today are those which encrypt files, folders and even entire devices. Consequently, the best way to reduce your chance of encountering ransomware is to become better at detecting phishing attempts.
The Threat Landscape
In a 2016 report by Verizon, it was reported that two of the three most popular ways for cybercriminals to disseminate malware and ransomware were through methods involving email and phishing. With ransomware growth figures topping 400% in 2016, it is presumable with a high degree of certainty that phishing emails have an abnormally high success rate in comparison to other attack vectors. Cybercriminals have sharpened their skills over time, with some phishing attempts looking remarkably like the real thing. See example below:
The best form of defence is consistent training to look out for the signs of phishing and a method of reporting them. Preventative technologies are of course good at removing those which fail a signature-based check or are sending from a blacklisted location. However, when the more determined and sophisticated get through, there is only one form of defence left: your users. As scary as that may sound, a well-trained user is better at spotting the flaws of another human than any machine can be.
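As an added illustration of the "signs of phishing" mentioned above (example code written for this post, not part of the original): a small Python check that flags three cues awareness training teaches users to look for, run over two constructed sample emails. The brand domain, pressure phrases and both messages are made up for the example, and the anchor regex and two-label domain reduction are deliberate simplifications.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: the brand domain users expect mail from, and pressure phrases.
TRUSTED_DOMAINS = {"example-bank.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    return ".".join((host or "").lower().split(".")[-2:])

def phishing_indicators(raw_email):
    """Return the signs a trained user is taught to spot, as report-ready strings."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()  # single-part text/html messages only, for brevity
    findings = []
    name, address = parseaddr(msg.get("From", ""))
    sender = registered_domain(address.rpartition("@")[2])
    # 1. Display name borrows a brand whose real domain is not the sending domain.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0].replace("-", " ") in name.lower() and sender != trusted:
            findings.append(f"display name imitates {trusted} but mail comes from {sender}")
    # 2. Visible link text shows one site while the href leads somewhere else.
    for href, text in ANCHOR.findall(body):
        shown = urlparse(text.strip() if "://" in text else "").hostname
        real = urlparse(href).hostname
        if shown and registered_domain(shown) != registered_domain(real):
            findings.append(f"link text shows {shown} but points to {real}")
    # 3. Pressure language pushing the reader to act before thinking.
    hits = [w for w in URGENCY_WORDS if w in (msg.get("Subject", "") + " " + body).lower()]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings

# Constructed sample messages: one imitating the bank, one genuinely from it.
PHISH = """From: "Example Bank Security" <alerts@example-bank-login.net>
Subject: Urgent: your account has been suspended, verify your account immediately

<a href="http://example-bank-login.net/verify">https://www.example-bank.com/login</a>
"""
GENUINE = """From: "Example Bank" <statements@example-bank.com>
Subject: Your monthly statement is ready

<a href="https://www.example-bank.com/statements">View statement</a>
"""

print(phishing_indicators(PHISH), phishing_indicators(GENUINE))
```

The first message produces three findings a user could paste straight into a report; the second produces none.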