
Understanding Social Engineering Email Attacks


Illustration of a laptop screen displaying a social media profile with a suspicious figure and speech bubbles asking 'Is this really you?' indicating a social engineering attack. Text '7.2. Social Engineering Email Attacks' is also present, suggesting the topic of the image.

By Emma Taylor


Today, we will explore the concept of social engineering email attacks, a distinct form of targeted email attack.


Summary

This text outlines the nature and methods of social engineering attacks on email, emphasizing their reliance on psychological manipulation rather than technical system vulnerabilities. It discusses various types, such as spoofed headers, similar domain attacks, account takeovers (ATO), and phishing URL attacks. The process involves target identification, trust building, attack execution, and covering tracks. Specific attack examples include falsifying email header information and using look-alike domains or phishing URLs to deceive recipients. The content also suggests the importance of preventive strategies and awareness in countering these attacks.


An infographic titled 'Email Security International Standards' highlighting section 7.2 on 'Social Engineering Email Attacks' with subpoints about forged headers, look-alike domains, account take-overs, and URL phishing.


1. Definition of Social Engineering Attacks on Email


Social engineering attacks on email threaten email security by manipulating human psychology, in contrast to technical attacks that exploit system vulnerabilities. Various types include spoofed header attacks, similar domain attacks, account takeover (ATO) attacks, phishing URL attacks, and more.



2. Understanding the Exact Concept of Social Engineering Email Attacks


Scope of the Concept

Social engineering attacks encompass a broad spectrum of tactics, extending beyond email to include phone calls, physical interactions, and various forms of communication. Email impersonation attacks, however, are specific to email communication. In essence, email impersonation attacks can be viewed as the subset of social engineering attacks that use email as the channel. It is also worth noting that, among all social engineering attacks, impersonation attacks delivered by email are the most actively employed.


Focus of the Objective

Social engineering attacks can vary greatly, from stealing sensitive information to persuading victims to transfer funds or disclose passwords. Conversely, email impersonation attacks generally aim to prompt the recipient to undertake specific actions such as transferring money to a fraudulent account, providing sensitive information, or clicking on a malicious link.


Diversity of Attack Methods

The fundamental element of social engineering lies in manipulating the recipient's psychology. Attackers may deploy various tactics, using fear, urgency, authority, or familiarity to deceive victims. In the realm of email impersonation attacks, the essence involves the attacker directly misleading the recipient into believing they have received an email from a legitimate, often familiar and trusted, source.



A flowchart defining social engineering attacks and outlining the process in four steps: Target Identification, Customized Trust Building, Execution of the Attack, and Damage Occurrence with Trace Removal.


1) Target Identification and Information Gathering

Attackers collect data about the target, including names, job positions, contact information, and details about their workplace or personal interests. The gathered data is analyzed to identify potential vulnerabilities, focusing on specific needs that can be exploited.


2) Customized Trust Building with the Target

The collected information is used to start building trust with the target, and it shapes the decisions on what type of attack to use, what message to craft, and when to send it. This often involves "amygdala hijacking", a technique aimed at triggering emotional responses that impair logical thinking. By exploiting emotions like fear, anxiety, or excitement, attackers can effectively paralyze the victim's rational thought processes. This manipulation is commonly used in social engineering attacks in which attackers impersonate known or reputable organizations in order to appear trustworthy. They then approach the target with plausible questions, further enhancing the effectiveness of their deceptive tactics.


3) Execution of the Attack

The meticulously crafted email is sent to the target. This email may contain urgent requests, appeals for help, or offers too good to refuse. This includes content designed to build trust or create a sense of urgency, thus compelling the target to respond without suspicion.


4) Damage Occurrence and Trace Removal

The victim unwittingly discloses sensitive information, transfers funds, clicks on malicious links, or downloads malware. The stolen information serves various purposes, such as identity theft, financial fraud, or facilitating subsequent attacks. Trace removal is conducted through the following methods:


● Erasing or Modifying Logs

Attackers might delete or alter logs and other electronic records. Such actions complicate the detection of an attack by eliminating the digital traces that could lead back to the perpetrators.


● Creating False or Misleading Log Entries

Beyond deleting evidence, attackers often fabricate deceptive or incorrect log records. These records are intended to mislead investigators, giving the impression that the attack originated from an alternative source or happened in a way different from reality. 
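Both trace-removal methods above rely on the attacker being able to rewrite the log after the fact. The following Python block is an added example, not code from the original post, showing the standard defensive answer: an append-only log whose entries are chained with an HMAC, so that deleting, altering, reordering or fabricating an entry breaks verification at the first bad index. The key, the record format and the sample audit events are all constructed for the illustration.

```python
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64  # anchor for the first entry (constructed convention)


def canonical(record):
    """Stable byte encoding of a record so the same data always tags the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def compute_tag(key, prev_tag, seq, record):
    """HMAC over (previous tag, sequence number, record).

    Including prev_tag binds every entry to its predecessor, so a gap or a
    modification anywhere earlier in the chain changes every later tag."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_tag.encode())
    mac.update(str(seq).encode())
    mac.update(canonical(record))
    return mac.hexdigest()


def append_entry(entries, key, record):
    """Append one record to the in-memory chain and return the stored entry."""
    prev_tag = entries[-1]["tag"] if entries else GENESIS_TAG
    seq = len(entries)
    entry = {"seq": seq, "record": record, "tag": compute_tag(key, prev_tag, seq, record)}
    entries.append(entry)
    return entry


def verify_chain(entries, key):
    """(True, None) when every entry is intact and in order; otherwise
    (False, index) naming the first entry that fails the check."""
    prev_tag = GENESIS_TAG
    for idx, entry in enumerate(entries):
        if entry.get("seq") != idx:          # deleted or reordered entry
            return False, idx
        expected = compute_tag(key, prev_tag, idx, entry["record"])
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return False, idx                # modified record or forged tag
        prev_tag = entry["tag"]
    return True, None


def build_demo_log(key):
    """Three constructed audit events, rebuilt on every call so callers can tamper freely."""
    entries = []
    for record in (
        {"event": "login", "user": "alice", "src": "192.0.2.5"},
        {"event": "transfer", "user": "alice", "amount": 100},
        {"event": "logout", "user": "alice"},
    ):
        append_entry(entries, key, record)
    return entries


if __name__ == "__main__":
    key = b"constructed-demo-key"
    log = build_demo_log(key)
    print("intact:", verify_chain(log, key))
    log[1]["record"]["amount"] = 100000      # attacker edits the transfer amount
    print("after edit:", verify_chain(log, key))
```

Two caveats a practitioner would add: the chain cannot detect truncation of the newest entries unless the latest tag is periodically copied to a system the attacker does not control, and the HMAC key must live somewhere other than the host whose logs it protects, otherwise an attacker who owns the host can simply re-chain the log.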




4. Types


Forged Header


An example of a 'Forged Header' email attack, showing an email interface with a highlighted message indicating the steps an attacker takes to falsify sender information and deceive recipients.

Email spoofing has been a persistent issue since the 1970s, gaining prevalence in the 1990s and evolving into a significant global cybersecurity concern in the 2000s. The primary objective of forging headers is to impersonate an identity, such as a colleague, a supplier, or a well-known brand, in order to exploit the recipient's trust. Attackers commonly manipulate the header, which carries details such as the sender's address, the path the email took, and its arrival time, to give their emails an appearance of legitimacy. Typically, attackers use simple scripts to set the sender's address to any address of their choice, producing emails that seem authentic. Unfortunately, many individuals do not habitually check the detailed header information of emails, a practice that is crucial for detecting these fraudulent emails.

*The terms "forged headers" and "email spoofing" are used interchangeably to describe the same concept.
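The header check the paragraph above recommends can be automated. The following Python block is an added example, not code from the original post: it parses a raw message with the standard library and reports the signs that the visible From: line was forged, namely a Return-Path or Reply-To domain that differs from the From domain and non-passing SPF, DKIM or DMARC verdicts in the receiving server's Authentication-Results header. Both sample messages, their addresses and the IP literals are constructed for the illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample messages (not from the original post). The first claims
# to come from the company's own domain, but its envelope sender, Reply-To and
# authentication verdicts all point elsewhere; the second is a clean message.
SAMPLE_FORGED = """\
Return-Path: <bounce@mailer-example.net>
Received: from mailer-example.net (mailer-example.net [192.0.2.10])
 by mx.example.com with ESMTP id abc123
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=mailer-example.net;
 dkim=none;
 dmarc=fail header.from=example.com
From: "CEO" <ceo@example.com>
Reply-To: ceo.example@webmail-example.org
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

SAMPLE_LEGIT = """\
Return-Path: <ceo@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.20])
 by mx.example.com with ESMTP id def456
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Board agenda

Agenda attached, see you Monday.
"""


def domain_of(header_value):
    """Lower-cased domain of an address header ('' when the header is absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts recorded by the receiving MTA."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def forged_header_indicators(raw_message):
    """Return the reasons the visible From: line should not be trusted."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    indicators = []
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            indicators.append(f"{header} domain {dom} differs from From domain {from_dom}")
    for method, result in auth_results(msg).items():
        if result != "pass":
            indicators.append(f"{method}={result}")
    return indicators


def is_suspicious(raw_message):
    return bool(forged_header_indicators(raw_message))


if __name__ == "__main__":
    for name, sample in (("forged", SAMPLE_FORGED), ("legit", SAMPLE_LEGIT)):
        print(name, forged_header_indicators(sample))
```

Note that the Authentication-Results header is only trustworthy when it was written by your own receiving server; a check like this should strip or ignore any such header that arrives from outside before relying on it.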



Look-alike Domain

Infographic explaining 'Look-alike Domain' email attacks, showing examples of how attackers create similar email addresses by adding or removing letters, reordering letters, changing letter case, or altering the email address server name.

The header information of an email indeed includes the domain as part of the sender's email address. The crucial distinction lies in look-alike domain attacks, where the attacker employs a domain that closely resembles a legitimate one. In contrast, forged header attacks involve altering the email header information to impersonate a trustworthy domain. For instance, an attacker might register ‘jpan.com’ instead of ‘japan.com’. The emails originating from these deceptive domains may appear genuine at first glance. Notably, attackers commonly exploit the visual similarity between the uppercase 'I' and the lowercase 'l' in these mimicked domains. By registering domains closely resembling those of target companies or partner firms, these attacks are specifically tailored for certain victims or groups, differing from large-scale spam mailings that randomly target recipients.
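The variants the infographic lists (letters added or removed, letters reordered, case changes, a different server name) and the I/l trick mentioned above can all be caught with a small classifier. The Python block below is an added example, not code from the original post, and goes slightly beyond it by covering every variant in one function: it collapses confusable glyphs into a skeleton, measures edit distance with adjacent transpositions against each trusted domain, and flags a trusted name embedded in an unrelated host. The trusted list, the "legal-corp.com" domain and the length threshold are constructed assumptions; a deployment would also consult a public-suffix list rather than the naive second-level-label rule used here.

```python
import re

# Constructed trusted list (assumption: a real deployment would load the
# organisation's own domains and those of its partners).
TRUSTED_DOMAINS = ["japan.com", "legal-corp.com"]
MIN_LABEL_LEN = 4  # ignore near-miss hits on very short names to limit noise

# Glyph groups that read alike in many fonts; the uppercase I / lowercase l
# pair from the post is the classic case. Multi-character pairs come first.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("|", "i"), ("0", "o")]


def skeleton(domain):
    """Collapse look-alike glyphs so visually identical names compare equal."""
    s = domain.lower()
    for src, dst in _CONFUSABLES:
        s = s.replace(src, dst)
    return s


def osa_distance(a, b):
    """Optimal-string-alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'japna' is one edit away from 'japan'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(host):
    """Second-level label, e.g. 'japan' for 'mail.japan.com' (naive; no public-suffix list)."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(candidate, trusted=TRUSTED_DOMAINS):
    """Return {'verdict': ..., 'trusted': ...} for a look-alike host, or None
    when the host is a trusted domain (or a subdomain of one) or resembles none."""
    host = candidate.lower().strip(".")
    trusted = [t.lower() for t in trusted]
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return None
    for t in trusted:                          # case changes and I/l-style swaps
        if skeleton(host) == skeleton(t):
            return {"verdict": "homoglyph", "trusted": t}
    tokens = re.split(r"[.-]", host)
    for t in trusted:
        t_label = registrable_label(t)
        if len(t_label) >= MIN_LABEL_LEN and osa_distance(registrable_label(host), t_label) <= 1:
            return {"verdict": "near-miss", "trusted": t}   # added/removed/reordered letter
        if t_label in tokens:
            return {"verdict": "embedded", "trusted": t}    # trusted name under another server name
    return None


if __name__ == "__main__":
    for host in ("japan.com", "jpan.com", "japna.com", "Iegal-corp.com", "japan-com.net", "japanese-food.org"):
        print(host, "->", classify(host))
```

The subdomain allowance (`mail.japan.com` is not flagged) is deliberate: without it every legitimate host under a trusted domain would score as a zero-distance near miss, and the alert would be ignored within a day.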



Account take-over (ATO)

An example of an 'Account Take-over (ATO)' attack described in an infographic, showing a phishing email in Chinese about insufficient email account capacity, with steps on how the attack encourages users to visit a malicious site.

The data reveals a significant surge in ATO attacks. According to the Digital Trust & Safety Index (6th Reference) for the second quarter of 2023, the number of ATOs in the first quarter of 2023 was a staggering 427% higher than the total for all of 2022. Various attack methods, including phishing, fake websites, keylogging, and security question hacking, contribute to the rise in ATOs. Notably, social engineering plays a significant role in ATO attacks, where attackers impersonate a trusted source to deceive victims into sharing their personal information. For instance, if an attacker acquires account details from a phishing site, they may subsequently send deceptive emails from the compromised account, requesting money transfers to a different account or the transmission of confidential data to an external recipient.


Phishing URL

An example of a 'Phishing URL' displayed on an infographic, with a fake login page and the steps that describe how entering details on this page can lead to account information being leaked to an attacker's server.

Phishing URL attacks are a type of cyber attack designed to deceive users in order to acquire confidential information. Typically delivered through emails or messages, these attacks are disguised to appear as if they originate from a trusted institution or organization, such as a bank or government agency. The objective of phishing attacks is to induce users to enter their login information or personal details.

For example, a user might receive a fake email that appears to be from their bank and click on a link within it, only to be redirected to a counterfeit login page where they unwittingly enter their information. Another tactic involves attackers sending emails supposedly offering information about tax refunds or government grants. These deceptive emails often contain links that mimic the design or logos of government agencies, redirecting users to fake login pages where their personal and login credentials are solicited.

Additionally, these attacks may employ delayed tactics. Rather than seeking immediate results, attackers build the victim's trust over time to acquire information. For instance, they may initially send harmless emails to gain the user's trust and later exploit this trust by sending messages with harmful links or attachments.
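The counterfeit-login-page scenario above usually hinges on a link whose visible text and real destination disagree. The Python block below is an added example, not code from the original post: it extracts every link from an HTML email body and reports the indicators a mail filter or analyst would look for, namely a displayed domain that differs from the href host, a bare IP address as the host, and user-info before an `@` that pushes the real host out of sight. The HTML body, the bank domain and the IP literal are constructed for the illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body (not from the original post): two links use the
# tricks described above, the third is an ordinary link.
SAMPLE_HTML = """
<p>Dear customer, please confirm your details to avoid suspension:</p>
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a><br>
<a href="https://www.example-bank.com@secure-login.example.net/">www.example-bank.com</a><br>
<a href="https://www.example-bank.com/help">Help center</a>
"""

# Link text that reads like a URL or bare domain; group 1 is the host the reader sees.
_SHOWN_HOST = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text):
    """Domain the reader sees in the link text, or None if the text is plain words."""
    m = _SHOWN_HOST.match(text.strip().lower())
    return m.group(1) if m else None


def link_reasons(href, text):
    """Reasons a link deserves a second look; an empty list means nothing was found."""
    parts = urlsplit(href)
    actual = (parts.hostname or "").lower()   # hostname already drops any user@ prefix
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo before @ hides the real host")
    try:
        ipaddress.ip_address(actual)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass
    shown = shown_host(text)
    if shown and shown != actual and not actual.endswith("." + shown):
        reasons.append(f"text shows {shown} but link goes to {actual}")
    return reasons


def suspicious_links(html):
    """All links in the body that triggered at least one indicator."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = link_reasons(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML):
        print(finding["href"], "->", finding["reasons"])
```

The third link passes because its text is ordinary words rather than a domain; a stricter policy might still resolve such links against the look-alike check from the previous section before deciding they are safe.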




5. References


<The Five Stages of a Social Engineering Attack Cycle>

https://www.safeguardcyber.com/blog/security/five-stages-social-engineering-attack-cycle


<Understanding the steps in a social engineering attack: from reconnaissance to covering tracks>

https://sendmarc.com/understanding-the-steps-in-a-social-engineering-attack/


<What is Email Spoofing?>

https://www.proofpoint.com/us/threat-reference/email-spoofing


<Lookalike domains and how to outfox them>

https://securelist.com/lookalike-domains-and-how-to-outfox-them/99539/#:~:text=Here%20are%20some%20examples%20of,is%20required%20to%20spot%20it


<Understanding social engineering and preventing account takeovers>

https://blog.sift.com/understanding-social-engineering-and-preventing-account-takeovers/


<Q2 2023 Digital Trust & Safety Index>

https://resources.sift.com/ebook/q2-2023-digital-trust-safety-index-ai-and-automation/?_gl=1*1k7xb6x*_ga*MjA3OTQ2MTcxLjE3MDAwMTU2MTI.*_ga_R8SV2EK5NZ*MTcwMDAxNTYxMi4xLjEuMTcwMDAxNTczNy4wLjAuMA..


A graphic titled 'Preview' showing tabs labeled 'Security Requirements for Responding to Social Engineering Attacks' and 'Countermeasures Against Social Engineering Attacks', indicating a document or a section on preventive strategies.
