As security and privacy experts have repeatedly warned us, scammers and tech-savvy fraudsters constantly come up with new ways to crack the system, bypass security controls or defraud people, combining technology with psychological manipulation. It is essential to stay vigilant and adapt your own strategies to protect yourself from spam and fraud calls. If you receive a suspicious call, it is better to err on the side of caution and not engage with the caller.
However, what happens if a fraudster's phone call appears to be from a well-established company valued at about US$13.6bn (billion)?
One assumes that a company that is so big, with a hefty pile of cash, follows all security practices very strictly to safeguard its infrastructure. It turns out that this is not always true.
If you are wondering how MGM Resorts International could possibly be hit by such a gigantic cyberattack, the answer is quite simple, and for that very reason it is not something any standard security operating procedure readily addresses. All the ALPHV ransomware group (Muddled Libra, aka Scattered Spider/UNC3944) did to compromise MGM Resorts was hop on to LinkedIn, find an employee, and then call the help desk, says vx-underground (@vxunderground on X).
The ALPHV ransomware gang, also known as BlackCat and Noberus, is a ransomware family whose malware is written in Rust (a programming language); it first appeared in November 2021. Muddled Libra is one of the affiliates of the ALPHV ransomware group.
"The threat actors claim this was their attack method to compromise MGM Resorts. I am sure we will learn the details soon. For now, I will say that the attack method they claim worked for them does indeed work for me often. Most organisations are not ready for phone-based social engineering," says Rachel Tobac (@RachelTobac), a hacker and chief executive officer (CEO) of SocialProofSec, in a series of tweets.
"One of the easiest ways for me to hack is simply to look up who works at an organisation on LinkedIn. Call the help desk, spoof the phone number of the person I am impersonating and tell the help desk I lost access to the work account and help me get back in," she says.
According to Ms Tobac, the attack on MGM Resorts may be the best example of social engineering exploitation. "Most organisations focus on email-based threats in their technical tools and protocols — many are not yet equipped with the social engineering prevention protocols necessary to catch and stop a phone-based attacker in the act. Teams need protocols to verify identity before taking action."
She says, "The first teams I go after when hacking are the folks who deal with requests from people constantly — IT, help desk, and customer support. I often pretend to be an internal teammate to convince them to give me access, and I usually start with phone attacks because they work fast."
Email phishing attacks can get caught in good spam filters and reported, Ms Tobac says, adding, "The soft spot for many teams is the folks who handle the phone call requests. There is a perfect storm: lack of verification protocols, easy spoofing, compensation tied to how fast they handle requests."
So what are these social engineering prevention protocols, and how can they help an organisation, and by extension its end users (read: customers), protect its business and data from cyberattacks?
Social engineering is a form of manipulation where attackers exploit human psychology to gain access to sensitive information or systems. Preventing social engineering attacks requires a combination of education, awareness, policies and technical controls.
Here are some steps for preventing social engineering attacks on an organisation:
• Regularly train employees to recognise common social engineering tactics, such as phishing emails, pretexting, baiting, and tailgating (an unauthorised person slipping through a controlled entrance, by force or by accident, behind an authorised user).
• Implement the principle of least privilege (PoLP) to limit user access to only the resources and information necessary for their roles.
• Enforce robust authentication methods, like two-factor authentication (2FA), for accessing sensitive systems and data. Make sure to have a strategy to verify the identity of individuals requesting sensitive information over the phone or through other communication channels, especially in situations where requests involve financial transactions or account changes.
• Use email filtering and anti-phishing solutions for all official emails to detect and block malicious emails from entering your mail servers.
• Develop and enforce security policies that address social engineering risks, including policies on password management, data handling, and incident reporting.
• Keep software, operating systems, and applications updated with the latest security patches to prevent attackers from exploiting known vulnerabilities.
• Assess and manage the security practices of vendors and third parties who have access to your organisation's systems or data.
• Conduct security audits and assessments to identify vulnerabilities and areas where social engineering risks may exist.
Ms Tobac suggests moving away from knowledge-based authentication (KBA) such as date of birth (DoB) towards stronger checks: a one-time passcode (OTP) sent over a second, already verified communication channel; calling the requester back on the number on file to thwart spoofing; service codes; PINs; and more.
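The help-desk workflow those recommendations describe, as an added illustration rather than code from the article or from any vendor: caller ID and the date of birth the caller offers are logged but carry no weight, the only challenge is a short-lived OTP delivered to the phone number already on file (which also models the call-back step), and every decision is written to an audit trail. The directory, the `deliver` hook and the class name are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed sample directory (not real data). The number on file is the only
# channel a passcode may go to; caller ID is trivially spoofed, so a number the
# caller shows or offers is never used as a destination.
DIRECTORY = {"alice": {"phone_on_file": "+1-555-0100", "dob": "1990-01-01"}}

OTP_TTL_SECONDS = 300   # passcode lifetime
MAX_ATTEMPTS = 3        # guesses allowed per challenge


class HelpDeskVerifier:
    """Identity check for phone-based account-recovery requests."""

    def __init__(self, directory, deliver, now=time.time):
        self.directory = directory
        self.deliver = deliver    # deliver(destination, code): SMS/voice hook
        self.now = now            # injectable clock, for testing expiry
        self.pending = {}         # username -> {"code", "expires", "tries"}
        self.audit = []           # append-only record of every decision

    def start_recovery(self, username, caller_id=None, claimed_dob=None):
        """Begin recovery. KBA answers and caller ID are recorded for the audit
        trail only; the sole action is sending an OTP to the channel on file."""
        self.audit.append(("claimed", username, caller_id, claimed_dob))
        record = self.directory.get(username)
        if record is None:
            self.audit.append(("deny", username, "unknown user"))
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {"code": code, "tries": 0,
                                  "expires": self.now() + OTP_TTL_SECONDS}
        self.deliver(record["phone_on_file"], code)
        self.audit.append(("otp_sent", username, record["phone_on_file"]))
        return True

    def verify(self, username, code):
        """Approve only if the caller reads back the OTP that went to the
        number on file, within its lifetime and attempt budget."""
        state = self.pending.get(username)
        if state is None:
            self.audit.append(("deny", username, "no pending challenge"))
            return False
        state["tries"] += 1
        if self.now() > state["expires"] or state["tries"] > MAX_ATTEMPTS:
            del self.pending[username]
            self.audit.append(("deny", username, "expired or too many tries"))
            return False
        if not hmac.compare_digest(state["code"], code):
            self.audit.append(("deny", username, "wrong code"))
            return False
        del self.pending[username]   # single use
        self.audit.append(("allow", username, "otp verified"))
        return True
```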
But remember, preventing social engineering attacks requires a holistic approach that involves technical measures and a strong emphasis on employee education and awareness. Regularly reviewing and updating security protocols is essential to adapt to continuously evolving threats.
Stay Alert, Stay Safe!