This year’s Black Hat and DEF CON 2018 conferences demonstrate how cybercriminals are taking a detailed look at their potential victims in order to get past “the human firewall”.
Phishing is already a very effective means of fooling your users into becoming unwitting prey. All it usually takes is a bit of social engineering, a dash of personalization, and favorable timing, and users quickly turn into victims.
But as users become more conscious about the prevalence of phishing attacks and their seemingly personalized content, what constitutes “phishy” differs from one user to another. Spear-phishing was the next step in the evolution, but a session at Black Hat presented by Matt Wixey, technical research leader for PwC in the UK introduces us to a new form of longer-term, hyper-targeted phishing he refers to as ROSE – Remote Online Social Engineering.
ROSE involves many tactics that, over a period of time, seek to gain the trust of the intended victim. They, generally, follow a 4-step process:
- Analyze the Victim – A detailed examination of their victim’s personal profile is performed – this includes their online profiles, personal details (such as schools, jobs, hobbies, names of friends and family, etc.).
- Create a Fake Online Profile – a profile of an individual with some means of establishing a conversation (e.g. interests, work, mutual acquaintances, etc.).
- Build Credibility – Over time, the attacker posts content to reflect “details” about their fake persona, working towards direct contact with the victim with actions such as “liking” content from the target’s friends.
- Begin the Scam – the attacker communicates directly with the victim, asking for help or with a business proposal, levering additional online contact to establish and build trust.
The key to the success of this kind of scam rests firmly on my previously mentioned determination of what a user considers “phishy.” Getting past firewalls, antivirus, and endpoint protection is child’s play for some cybercriminal organizations. It’s getting past the user’s own sense of suspicion that requires so much work.
Organizations using Security Awareness Training can elevate their user’s natural inclination to scrutinize every communication, online social interaction, email, web link, and attachment – even those coming from a seemingly known entity. It’s through this raised sense of security that attacks as sophisticated as ROSE – which is aimed squarely at the user and their sensibilities – can be rendered powerless.
ROSE represents the amount of work cybercriminals will go to in order to take your organization for its money or data. It also demonstrates the importance of your organization having an appropriate proactive defense in place to stop it through new-school Security Awareness Training.