Online Only: Experiment Shows Education No Cure for Social Engineering
A new research experiment conducted by Web security firm Trusteer found that even educated email users click on links that can potentially lead to websites containing malware, the company said.
New York-based Trusteer’s findings shed light on the potential consequences of the recent security breach at marketing firm Epsilon, a subsidiary of Alliance Data Systems Corp., which reported this month that an unauthorized entry into its email system resulted in the compromise of approximately 2% of its clients’ customer names and email addresses.
The marketing firm manages customer email databases for more than 2,500 clients including large financial institutions and retailers.
Security experts say they expect the breach to result in targeted email phishing attacks, and while credit unions were not among the reportedly affected Epsilon clients, several CUs posted messages on their websites warning members that they could be targeted if they opted in to an Epsilon client email marketing list.
The Trusteer experiment entailed sending emails that listed the social networking site LinkedIn as the sender to 100 friends and family members of Trusteer researchers. The emails contained a link that claimed to lead users to a new job alert but instead directed them to an outside website – a common strategy used by attackers, Trusteer CEO Mickey Boodaei said. Within seven days, Trusteer found that 68 of the 100 subjects had followed the link.
The company posted a blog detailing the experiment on its website, which states, “This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computer. Education is always recommended and can certainly help, but in this case education did not prevent the attack.”
Trusteer customized the emails crafted for the experiment by creating a new identity on LinkedIn and gathering information about recipients’ LinkedIn connections and their connections’ profiles, the company said. Researchers used Gmail to create the fake LinkedIn email account and included photos of victims’ connections downloaded from LinkedIn.
Since mail programs typically only display the name of the sender – not the sender’s full email address – fooling recipients was simple, Trusteer CEO Mickey Boodaei said.
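As an added illustration, not part of the article or of Trusteer's research, the following Python check surfaces what the mail client hides: a display name that claims a known brand while the address domain belongs to someone else. The sample headers and the brand allow-list are constructed for this example.

```python
from email.utils import parseaddr

# Constructed sample From headers (not from the article). The first follows the
# pattern described above: a brand in the display name, a webmail address behind it.
SAMPLE_HEADERS = [
    'LinkedIn <linkedin.jobalerts@gmail.com>',
    'LinkedIn <jobs-noreply@linkedin.com>',
    'Jane Doe <jane.doe@example.org>',
]

# Hypothetical allow-list: brand keyword in the display name -> domains that
# brand legitimately sends from. A real deployment would maintain this list.
BRAND_DOMAINS = {
    'linkedin': {'linkedin.com'},
}


def display_name_mismatch(from_header):
    """Return (display_name, domain, mismatch) for one From header.

    mismatch is True when the display name contains a known brand keyword and
    the address domain is neither that brand's domain nor a subdomain of it.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rpartition('@')[2].lower()
    lowered_name = name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in lowered_name:
            legitimate = any(domain == d or domain.endswith('.' + d) for d in domains)
            return name, domain, not legitimate
    # No brand keyword in the display name: nothing to compare against.
    return name, domain, False


def flag_headers(headers):
    """Return the headers whose display name and domain disagree."""
    return [h for h in headers if display_name_mismatch(h)[2]]


if __name__ == '__main__':
    for header in flag_headers(SAMPLE_HEADERS):
        name, domain, _ = display_name_mismatch(header)
        print(f'suspicious: display name {name!r} but domain {domain!r}')
```

The same comparison can run inside a mail gateway or a SIEM rule so that a reviewer sees the domain the recipient never did.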
“It’s very easy to create a convincing email and attack an employee’s desktop,” Boodaei said. “Since it is so easy to execute, I believe this will be the No. 1 attack vector in the next couple of years.”
The lesson learned from the experiment, Boodaei said, is that companies should concentrate on implementing technology that can prevent malware installation, not educating employees about how to spot malicious emails.
“Enterprises should assume employees will click on the links,” he said. “Then they should focus on how to prevent the links from infecting the software, and that comes down to technology.”
Todd Thiemann, senior director of product marketing for San Jose, Calif.-based data security provider Vormetric, said he agrees that educated email users can be tricked.
“Human beings are fallible,” he said. “Even a savvy person can make a mistake.”
Thiemann added credit unions can draw two lessons from the Epsilon breach: First, to implement an in-depth data defense strategy, and second, to re-think the definition of “sensitive data.”
“Data is considered sensitive when you’re talking about thousands of client names and email addresses,” Thiemann said. “There’s a high probability of success for the fraudster who has that information.”
An “in-depth” defense strategy should include the following actions, Thiemann said: Only allow certain individuals access to sensitive data and then only via proper encryption, perform database activity monitoring, develop a strong system for security information management, implement a host intrusion prevention system, and run up-to-date antivirus software from a reputable vendor.