You know now not to open an attachment for a lower mortgage, or one to help you learn Spanish in your sleep. But when an old college friend makes a wry joke about another friend and sends you an attachment about your recent reunion, or your daughter has a funny attachment to show you about her new braces, you will almost always open it.
This is Social Engineering—which includes using personal detail to trick you into opening an attachment with malware—now reaching new levels of sophistication. The enabler here is a data-mining service called Maltego, which, The Washington Post reports, lets “users to quickly bring together and analyze disparate details about people from all corners of cyberspace, showing an individual’s links to friends, family, work associates and personal interests.”
The people behind these attacks are quick studies, and sophisticated. That is why one expert calls social engineering “the next biggest attack vector.”
A related tactic is the “watering hole.” Instead of sending you a link, which will set off security concerns, they direct your attention to a respectable website that is a touchstone of your industry—after seeding that authentic site with hidden, malicious code.
Where are these attacks coming from? All over. However, The Post reports, some of the most prolific attackers seem to be working a regular 9-5 schedule Shanghai time, and taking off on Chinese holidays.
In our view, there is no way to defeat sophisticated social engineering. The only solution we can imagine is a technological one—some way to view attachments in a safe, cordoned space—in much the same way witnesses view suspects from behind a two-way mirror.