Breaches get worse and attacks keep happening because threat actors have all the capability they need, thanks to users' habits.
Speaking at Infosecurity North America in New York City, author, speaker and chief hacking officer of KnowBe4 Kevin Mitnick said that threat actors are able to collect information on their victims all too easily, and that when evaluating a company it is also straightforward to identify its suppliers, customers, partners, vendors and employees in order to stage a social engineering exercise.
In his opening keynote 'How to fight back against hacker attacks', Mitnick cited several examples of how to socially engineer a company and bypass traditionally strong security tools like anti-virus and two-factor authentication.
In one example, he said he had been hired by a Canadian retailer for an assessment. He was able to determine who the company's HR provider was, so he set up a cloned website on the Canadian .ca domain, called a member of the company, told them they were “standardizing top level domains” and asked them to try .ca first. This gave him access to all payroll data and all salary history.
He said: “The attack was not so interesting to me, but the longest part of it was waiting for the DNS to propagate on the .ca domain, which took about half an hour.”
Mitnick was also able to demonstrate how to bypass two-factor authentication, since “most companies offer one type of authentication”. In his example, a fake PayPal invoice asked for credentials, and once these were intercepted, so were the victim's session cookies, which let the attacker into the already-authenticated session. To prevent this, he recommended using U2F protocol tokens, but said that these can also be stolen.
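As an added illustration that is not part of the article or Mitnick's talk: on the server side, the session-cookie theft he describes shows up as a session token being replayed from a client that differs from the one it was issued to. The Python below runs that check over a few constructed requests (the log fields and session IDs are assumptions for the example).

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Request(NamedTuple):
    session_id: str
    source_ip: str
    user_agent: str
    path: str


# Constructed sample traffic, not taken from the talk or the article.
# Session "s-1001" is used consistently by one client. Session "s-2002" is
# issued to one client and later replayed from a different address and
# browser, which is what a stolen cookie looks like from the server's side.
SAMPLE_LOG: List[Request] = [
    Request("s-1001", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0", "/login"),
    Request("s-1001", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0", "/invoices"),
    Request("s-2002", "198.51.100.7", "Mozilla/5.0 (Macintosh) Safari/17.0", "/login"),
    Request("s-2002", "198.51.100.7", "Mozilla/5.0 (Macintosh) Safari/17.0", "/account"),
    Request("s-2002", "192.0.2.44", "python-requests/2.31", "/account/export"),
]


def find_session_hijacks(log: List[Request]) -> Dict[str, List[str]]:
    """Return {session_id: [reasons]} for sessions whose later requests arrive
    from a different source IP or user agent than the request that first used
    the session. The binding is recorded at first sight, so it anchors on the
    row where the session was established (here the /login request)."""
    first_seen: Dict[str, Request] = {}
    alerts: Dict[str, List[str]] = defaultdict(list)
    for req in log:
        origin = first_seen.setdefault(req.session_id, req)
        if origin is req:  # first use of this session: record and move on
            continue
        if req.source_ip != origin.source_ip:
            alerts[req.session_id].append(
                f"ip {origin.source_ip} -> {req.source_ip} on {req.path}")
        if req.user_agent != origin.user_agent:
            alerts[req.session_id].append(f"ua changed on {req.path}")
    return dict(alerts)


if __name__ == "__main__":
    for sid, reasons in find_session_hijacks(SAMPLE_LOG).items():
        print(sid, reasons)
```

A change of address or browser also happens legitimately (mobile roaming, a browser update), so this is a signal to re-challenge or invalidate the session rather than a hard block; the stronger fix remains an origin-bound credential such as the U2F tokens Mitnick recommends, which a cloned site cannot replay.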
Overall, Mitnick demonstrated how simple it is to hijack a victim with a small amount of personal data when testing. To defend against such attacks, he advised adopting the tactics that “the threat actors use” and building security tools that employees actually want to use.