Social Engineering Attacks Prove Failure of User Education

BOSTON — A prominent security consultant is urging a rethink of the way businesses handle user education and awareness, warning that the way attackers have latched on to social engineering techniques makes it difficult to cope with hacker attacks.

During a presentation at the SOURCE conference here, SANS incident handler and Savvis consulting manager Lenny Zeltser warned that the current approach to user education “has failed” because it’s “too boring,” and recommended that security practitioners look closely at the evolution of social engineering attacks.

“The outsider is now on the inside,” Zeltser said while presenting actual cases of social engineering attack techniques that have lured business and consumer end users to land on malicious sites or give up sensitive user credentials.

“Maybe the way we’re going about security awareness training is too boring these days. We need to train employees and end users on the alternative channels in social engineering … the way they [attackers] are using personally relevant messaging, social compliance and the reliance on security mechanisms.

“The way things are today, we should assume that social engineering will work.  We need to train our users in a different way to understand exactly why these attacks are working.  We need security awareness around social engineering to work and measure it via pen testing,” Zeltser added.

Zeltser discussed the way attackers have bypassed technology controls by making use of social engineering techniques such as:

  • Starting attacks in the physical world, rather than the virtual Internet. Examples included the use of fliers left on the windscreens of cars in a parking lot asking people to log into a web site. Once a user visited the site, they were asked to download a player to view media. The download turned out to be a fake anti-virus (scareware) attack.
  • Attacks that begin with voice messages on phones, welcoming users to a financial institution and tricking them into confirming account information. “The more uncomfortable you make the target, the more he is likely to click a link or give up information because they want to remove that discomfort.”
  • Attackers purchasing advertising campaigns on legitimate Web sites by using information from real advertising agencies.  “In one case, the attacker actually engaged the target on the phone over a span of several days, used the ad agency lingo, convinced the target that it was a real campaign,” he explained.  It turned out to be a malvertising campaign that served PDF exploits to visitors. 
  • The Waledac Trojan used personally relevant messaging lures to increase the efficiency of the attacks. The malware used e-mail lures about breaking news of a bomb explosion and, when the user visited the rigged Web site, they saw a fake Reuters news report that used geo-location to determine where the victim was coming from. Based on the location of the target, the message was customized to the specific city.
  • E-mail attachments that purport to be UPS invoices and malware purveyors that use live Web chat software to interact with victims in real time.
  • Clickjacking on Facebook that lured users into clicking on a “want 2 see something hot?” button to spread a malicious link using invisible iFrame tricks.

“So far, we’ve been failing at educating end users. We must find a better way to do this,” Zeltser said, urging businesses to focus on internal segmentation and the principle of least privilege to limit the damage from attacks.

“We need to focus on what’s going on inside the organisation because an outsider can easily become an insider.”


  • packets on

    The malcontents only have to be successful some of the time where security has to be successful all the time...fighting a losing battle. Whitelisting is the only real solution and it seems no one wants to truly go there!

  • NoticeBored on

    The claim that security awareness programs are failing because social engineering attacks succeed is a classic demonstration of flawed logic.  How many more social engineering attacks would have succeeded if users knew nothing about phishing, malware and a host of other threats?  I submit that expecting awareness programs to offer perfect security is no more reasonable than expecting fire alarms to prevent all fires, or seatbelts to prevent vehicle fatalities.  It's unrealistic.  Nuts even.

    This crazy argument is trotted out so often that I wonder if perhaps the vendors of technology-based security products are behind it!  The fact is that firewalls and antivirus software are also flawed, offering partial security.  Technological controls have an important place in a sensible information security strategy, alongside and supplementing other non-technical forms of control such as policies, compliance checks, audits, legal/regulatory controls and, most certainly, information security awareness, training and education.  Slating any one element in isolation from the others fails to take in the bigger picture.

    Just for starters, how do you expect IT people to know how to configure firewalls, harden servers and run cryptographic systems unless they have a working knowledge of information security?  And where do you think they are supposed to get that knowledge, if not through awareness, training and education?

    I'll admit, though, there is one fly in the ointment.  Security awareness, training and education programs vary on a continuum from lousy to brilliant.  Anyone who has been forced to sit through one of those tedious once-a-year 'sheep-dip' security lectures will surely appreciate how bad they can be, but that's not to say they have to be that way.  There are far more innovative and cost-effective approaches available these days, with fun and variety and engagement being very much part of the mix at the top end.  Just as most of us fondly remember teachers who inspired us to greater things at school, and others who bored us rigid, there are good and bad awareness, training and educational programs.  Expecting an out-and-out IT geek to suddenly become the world's most fantastic trainer is, unfortunately, doomed in most cases, at least without support in the process of designing and delivering more effective sessions, materials, events and activities. 

    Email me if you'd like to know more! 

    Kind regards, Gary Hinson,

  • higB on

    Sounds like Lenny gave a great presentation about the need for -- We're at Source Boston. We'll try to come say hi. :)

    Aaron Higbee

  • Rob Lewis on

    Nice one. Counter-espionage or insider threat technology should assume that social engineering will take place successfully.

  • Dave K on

    If education is the solution, why hasn't it worked yet?  For twenty years I've been hearing, "user education."  We've got some outstanding educators in the field.  We've got all sorts of collateral material some free, some for a fee.  Yet even in enterprises that spend a fortune in time and materials, we still hear of failures and cries for more "user education."  

    If it was going to work it would have.  We need to move on and find other solutions.  

    Insanity: Doing the same thing over and over and expecting different results.

    - Albert Einstein

  • Matt in Australia on

    @Dave K,

    I think you may have missed the point - user security awareness of security threats and social engineering is not expected to stop all attacks. It is required to help the non-IT savvy end user, and even seasoned security professionals, be aware of things they may not have otherwise considered. Security awareness is a journey, not a destination, and the message needs to be constantly refreshed taking into account the latest techniques used by the bad guys.  Of course we need to address security awareness, but also use the technology controls we have available to limit the impact of a successful attack. Remaining vigilant is the key.

    What's the point in throwing up your hands and saying "it's useless"? That is simply taking the easy way out and giving up - I can assure you the bad guys would love that as it would make their objective so much easier.
