Cryptophishing fraud has uncovered a significant vulnerability in the supply chain

Social engineering attacks are becoming ever more sophisticated, and individuals and companies are at risk. As one recent case demonstrates, even trustworthy third-party services that store information are often significantly vulnerable and cannot be fully relied upon.

Social engineering is the act of manipulating users in order to obtain confidential information or make users perform a desired action. Recently, team collaboration platforms, websites/e-shop management systems, and email marketing platforms have all been used for this purpose. And one of them was recently attacked.

The growing trend of social engineering attacks

All over the world, MailChimp is a synonym for newsletter distribution. When its system got hacked, this added worry lines to many marketing managers’ foreheads. After all, they use the system extensively to send out various campaigns (such as information, marketing, and special deals). “Hackers managed to gain access to more than 100 customer accounts in MailChimp. One of the affected email lists was the database of Trezor ‒ a company that produces crypto wallets. The attackers then tried to obtain the login details for crypto wallets by sending an information email to the wallet owners on behalf of Trezor directly from MailChimp,” explains Martin Lohnert, a cybersecurity specialist at Soitron, describing this malicious practice. In the email, Trezor’s clients were told that their accounts had been compromised due to a data leak. The email contained a link to an allegedly updated version of Trezor Suite along with instructions for setting up a new access PIN. But, of course, the link led to a spoofed phishing site designed to obtain their login information.

Storing data outside the corporate infrastructure can be a problem

“This case clearly shows how difficult it is to secure all sorts of services or applications that can now be easily subscribed to or which are available for free. Cloud services are a phenomenon, but are they safe to use? Corporate IT departments may have the best protection in the internal environment, but unless they also address what their suppliers are doing, or under what conditions the company uses external systems, this will not suffice. Even a single compromised service or application can jeopardise a company’s entire business or reputation,” Lohnert points out.

Due to strict rules, employees in financial institutions – such as banks and insurance companies – are not allowed to decide on their own to start using a new application at work, even if it is free; by contrast, many other organisations are far more lenient. In addition, if a company decides to use a third-party solution, it should always assess how secure that solution is. Rather than being satisfied with marketing claims, it is necessary to dig deeper and to think about and prepare for situations such as the one that hit MailChimp.


The number of incidents will rise: trust is not enough

One of the greatest dangers of social engineering is that a single successfully deceived victim can inadvertently provide enough information to launch an attack that could adversely affect the operation of an entire organisation.

“This should be a big enough reason for any organisation to start considering which suppliers they decide to work with. It is simply not enough to assume that if the system of a reputable company is used by another large or well-known company, it should automatically also be suitable for your organisation,” says Lohnert.

Social engineering is a very important tool for many current hacking groups because it opens up access to data and identity. Cybercriminals will continue to focus on companies with a large number of clients or customers in order to attack their systems and subsequently use the acquired access for their own enrichment.
