Constantly, we hear that new, emerging technologies pose the greatest threats to our cybersecurity. The fear of the unknown drives organizations to enhance their security measures, aiming to prepare for complex attacks by various threat actor groups. Countless news reports highlight new technologies and innovations in the realm of cybersecurity, all aimed at discovering, tracking, and patching vulnerabilities that could potentially be exploited. While digital vulnerabilities are crucial to consider, it’s essential to recognize that the most obvious vulnerability is quite literally right in front of our faces.
Social Engineering and MGM’s Compromise
MGM is currently reeling from an extremely detrimental cyberattack, one that has shut down the company website, the crucial systems that keep its hotels operating efficiently, and slot machines, not to mention the MGM Rewards App. “How could one gain access to such a large system and exploit it so efficiently?”, one might ask. According to Scattered Spider, the subgroup of ALPHV behind the attack, MGM was compromised using social engineering. The hackers allegedly found an employee on LinkedIn and called the organization’s help desk to gain access to that employee’s account. All it took was a quick Google search and a quick conversation with the help desk, which was fooled into believing the caller was just an employee having trouble accessing their company account. The intrusion did not stem from MGM’s systems being insecure, but from human error.
Why is Human Error Such a Risk?
Social engineering, like the method employed by Scattered Spider, is a prime example of how cybercriminals exploit human error to gain unauthorized access to sensitive systems. Phishing, another common technique, preys on the human tendency to trust and respond to seemingly legitimate messages or requests. These tactics are often the most significant threats companies face because they target the people at the core of cybersecurity rather than exploiting computer systems directly. In social engineering attacks, threat actors prey upon human nature instead of vulnerable computer systems; in the MGM attack, for example, they relied on a help desk employee’s instinct to be understanding winning out over the identity verification protocol that would otherwise have kept ALPHV out of the system.
Types of Attacks that Exploit Human Error
Social engineering attacks come in various forms, from impersonating trusted colleagues or vendors to using psychological manipulation to extract sensitive information. In many cases, these attacks don’t require advanced technical skills or complex hacking tools; they rely on the art of deception and the willingness of individuals to assist what appears to be a legitimate request. All it takes is one unsuspecting employee to fall victim to a social engineering attack for cybercriminals to gain a foothold within an organization.
Some types of social engineering attacks from malicious actors that rely on human error include:
- Pretexting: Pretexting involves creating a fabricated scenario or pretext to obtain information from individuals. Attackers often pose as someone trustworthy, such as a co-worker, customer, or even a government official. By building a credible backstory, they convince the target to share sensitive information or perform certain actions. For example, an attacker might impersonate a company executive and request financial data from an employee, exploiting their trust in the executive’s authority.
- Phishing: Phishing attacks, as mentioned earlier, use deceptive emails, messages, or websites to trick recipients into revealing personal information, login credentials, or financial details. These messages can appear highly convincing, often mimicking reputable organizations, banks, or government agencies. Threat actors create a sense of urgency or fear to manipulate recipients into taking immediate action, such as clicking on a malicious link or downloading a harmful attachment.
- Baiting: Baiting attacks entice victims by offering something appealing, like free software, music downloads, or other enticing digital content. The attacker typically disguises malicious code within the enticing offer. When victims download the bait content, they unknowingly infect their systems with malware, giving attackers access to sensitive information and/or control over the compromised device.
- Tailgating and Piggybacking: Physical security is just as vital as digital security. In these types of attacks, individuals gain unauthorized access to secure areas by exploiting the trust and kindness of others. Tailgating involves an attacker closely following an authorized person into a restricted area, while piggybacking occurs when an attacker convinces someone to hold a door open for them. Both methods capitalize on the human tendency to be polite and helpful.
- Quid Pro Quo: In quid pro quo attacks, attackers offer something in exchange for information or access. For instance, they might pose as IT support and promise to fix a non-existent issue on a victim’s computer. In return, they request the victim’s login credentials or other confidential information. This type of social engineering leverages the victim’s desire for immediate help or gain.
The recent MGM cyberattack is only one example in a relentless slew of social engineering attacks that aim to exploit ever-vulnerable human nature. Social engineering and phishing attacks, which manipulate individuals rather than computer systems, will continue to pose substantial risks to organizations, which is why it is so necessary for organizations to provide proper cybersecurity training to employees. All it takes is one small foothold: a click on a phishing link, a door held open for an attacker to enter the building, or sensitive account information handed out by an IT help desk to a threat actor pretending to be an employee.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –