ソーシャル エンジニアリングによるアカウント乗っ取り (ATO) はよく発生します。これは、詐欺の初心者でも簡単に実行できるためと考えられます。詐欺師たちの広大なコミュニティが集まり、成功した方法を共有し、資格情報を販売し、互いにマネーミュールサービスを提供します。
Javelin Researchの年次レポート「個人情報詐欺の調査:仮想戦場」によると、アカウント乗っ取りは2020年と比較して2021年に90%増加し、推定114億ドルに達し、2021年の個人情報詐欺による損失の約4分の1を占めています。
このような広範囲かつ遍在的な脅威があるため、多くの企業は顧客をこれらの攻撃から守るために苦労しています。彼らは、「顧客がログイン認証情報を詐欺師に渡すのをどう防ぐことができるだろうか?」と疑問に思います。不都合な真実は、それができないということだ。
ただし、ATO から不正なセッションを検出することは可能です。どうやって?詐欺師が活動していることを示すシグナル(使用しているブラウザやデバイスの特性、所在地、アカウントの変更、セッション中に実行するページ上のアクション、さらには入力方法やタッチスクリーンのタップ方法など)を観察することによって、詐欺師が活動しているかどうかを判断します。これらすべてが組み合わさって、ユーザーが正当であることを示す全体的なパターンが作成されます。
詐欺師が使用するソーシャル エンジニアリングの戦術について詳しく見ていきましょう。最後に、最新の検出方法によって詐欺師を阻止できる方法を探ります。まず、ソーシャル エンジニアリングとは何か、そしてそれがどのように機能するかを定義する必要があります。
ソーシャルエンジニアリングとは何ですか?
ソーシャル エンジニアリングは、人々に特定の行動を取らせる心理的操作の一種で、通常は機密情報を漏らしたり、アクセスすべきでないアクセスを提供したりします。すべてのソーシャル エンジニアリング手法は、認知バイアスと呼ばれる人間の意思決定の特定の属性に基づいています。
詐欺師は、これらのバイアス、つまり「人間のハードウェアのバグ」をさまざまな組み合わせで悪用し、特定の目標に合わせた攻撃手法をサポートします。目標は必ずしも資格情報を取得することではありません。ソーシャル エンジニアリングでは、ハッカーの手に渡ってほしくないあらゆる情報を収集できます。
たとえば、詐欺師は、低レベルの従業員と話しても、高レベルの資格情報を入手できない可能性があります。代わりに、会社が使用しているアプリケーション、通常の通信チャネル、電子メールの形式、IT 管理者の名前など、他の重要な情報を調べることができます。
このような情報を収集すると、フィッシング攻撃中に、信頼できる同僚や、顧客がやり取りしていると思っているサービスデスクの担当者になりすますことがはるかに容易になります。
ソーシャル エンジニアリングが頻繁に成功する理由は何でしょうか?
この記事を読んでいると、あなたは落ち着いてこう思うかもしれません。「私は決して操られるようなことはしない。」私はあまりにも賢いんです。」真実は、ソーシャル エンジニアリングの影響を受けない人はいないということです。必要なのは適切な影響力や状況だけです。あなたも他の人と同じように脆弱なのです。主要な脆弱性を 6 つの「原則」に分類しました。
権限
攻撃者は権威ある人物を装い、質問もせずにターゲットに従わせようとします。たとえば、セキュリティ管理者、詐欺防止担当者、または上級社員になりすます可能性があります。
This works both internally and externally: employees might comply because they’re outranked; customers may believe an individual who claims to be a “fraud prevention officer” because it sounds important and authentic. In either case, the veneer of authority can be quite convincing.
Intimidation
The victim is made to believe there will be negative consequences if they don’t cooperate. Consequences could include threats such as, “Your bank account will be frozen,” while others might convince the target they’re in legal trouble.
Consensus
Scammers create a phishing page with numerous fake comments or reviews, which leads the victim to believe that other customers are happy with their “purchase.” With this false social proof, the victim follows through with the fraudulent purchase, except they’re handing over confidential information rather than making a transaction.
Scarcity
Bad actors use the sense of scarcity to create an environment where the victim feels they have to make a quick, often irrational, decision. For example, a common tactic is offering a hard-to-find item, such as the highly sought-after Playstation 5, at a competitive (or unbelievably low) price.
But the user “must act now” because supplies are diminishing fast. Of course, this is a ploy to trick the user into handing over private information — the fraudster has no intention of selling a gaming console.
Urgency
Attackers use urgency as a time-based psychological principle of social engineering. For example, saying offers are available for a “limited time only” encourages sales through a sense of urgency.
Familiarity
The attacker manipulates the victim by impersonating a well-known person or trusted individual to endorse the product being sold. The bad actor uses their reputation to build a sense of familiarity with the victim.
A typical social engineering method combines two or more of these, typically leveraging whatever information is available to create a more convincing story.
Social engineering methods used by fraudsters
Now that you understand the vulnerabilities exploited by cybercriminals, let’s explore the most commonly executed social engineering methods.
Phishing
Phishing is the most common social engineering attack. While variants can take place over virtually any communication channel, email is the most frequent. Other forms of phishing via SMS or voice communication, or “smishing” and “vishing,” are described below.
In a typical email phishing attempt, the fraudster sends an email that appears to come from a legitimate party — like a bank or retailer — requesting credential “verification” and warning of dire consequences if they ignore it.
The email contains a link to a fake web page that appears authentic, with company logos, a genuine-sounding URL, and a familiar layout. This fraudulent page contains a form requesting the user “verify” information like credentials, a home address, an ATM card PIN or a credit card number.
Making a fake website or email look authentic by mimicking a legitimate organization’s HTML is relatively simple. By indiscriminately spamming huge groups of people, the fraudster expects at least one of their targets to “bite.” While only a tiny percentage will engage with their scheme, a large number of recipients means they can net a sizeable catch of victims.
Phishing may also be as simple as convincing a target to email back with the requested information simply. Not every phishing scheme requires coding or fake websites, and some victims are willing to provide confidential information by directly replying.
Vishing
“Voice phishing” or vishing is the criminal practice of using voice communication to gain access to private information. Attackers also employ it to gather more detailed intelligence on a target or an organization.
Smishing
Using SMS text messaging for phishing is known as “smishing“. Like phishing, it can be tapping on a malicious link or divulging information. For example, a smishing text message might claim to be from a mail carrier and state a package is in transit with a link provided.
Impersonation
Pretending to be a legitimate person to gain access to a system, account or building. Impersonation is used in SIM swap scams in which a fraudster pretends to be a legitimate user activating a new SIM card on their cell phone plan.
Convincing a mobile carrier employee to activate the new SIM effectively diverts text messages to the bad actor — and allows them to circumvent SMS-based two-factor authentication (2FA)
How Transmit Security detects social engineering fraud
Transmit Security identifies suspicious device configurations, application activity and biometric behavior during the customer’s interaction with your application or web service. By analyzing behavioral biometrics, such as keyboard and mouse interactions, we can draw a sharper contrast between trusted users and would-be imposters. Deviations in keystroke velocity, mouse movement, and session activity are compared to the user’s historical profile.
We can detect attacks in real time by combining behavioral biometrics with complex network and device telemetry. This is true even when the threat actor checks all the typical boxes: correct credentials, proper IP location, and passing the 2FA challenge. While most detection signals aren’t enough to stop a session, they weave together to show a more accurate picture of who is logged in.
Here are four detection signals that can identify potential ATOs, even if attackers have successfully phished a user’s credentials or personal information.
Network reputation
Network reputation tells us when suspicious IPs are trying to access users’ accounts. Fraudsters hide their tracks using Tor (anonymous) browsers, data centers, proxies and anonymizers.
The service detects malicious IPs that have a bad reputation or have been involved in previous attacks by using a network with a reputation of over 1B entities.
Geoanalysis
Geoanalysis uses network data to determine users’ geolocation and flags new locations that are not part of the user’s profile or ones that don’t match learned user behavior, impossible travel, or locations with bad reputations.
Device intelligence
Device intelligence is built by analyzing the user’s trusted devices over time. Devices that are used over some time are trusted due to built-up reputation. New devices lack any reputation and are potential suspects for social engineering.
However, you don’t want to punish a legitimate user for logging in from a new device. Other device and network indicators can be gathered through a device’s browser and raise the appropriate flags. Tools such as emulators, virtual machines, malware, RATs, spoofed devices, or device farms strongly indicate fraudulent activity.
Behavior analysis
We can detect abnormal behavior by analyzing the user’s interaction with the device during the session journey. Interdiction based on behavioral analysis can occur when a user’s interactions differ significantly from their typical behavior.
We can use the historical profile of the user’s actions combined with many behavior-based data points, such as the average time to carry out a specific action.
Learn how to detect fraud without disrupting customers
You’ve learned how social engineering works, why it’s often so successful, and a few of the different signals that can catch fraudsters in the act. Ready to find out more about stopping fraud?
You can explore even more educational resources with our Research Lab hub. Try starting with a related article on why hacking today is so easy.