Get Our Email Newsletter

Social Engineering Attacks Remain the Primary Vehicle for Retail Data Breach

Assuming that basic technical blocking-and-tackling issues are addressed,like not having SQL injection exploitable databases, limiting brute force attempts, and using robust egress traffic monitoring/data loss prevention infrastructure,the most vulnerable components of any corporate network are humans. Most breaches start with an employee electing to open the door for an attacker after being socially engineered.

The most basic social engineering attacks still take place by spoofing email addresses of known colleagues or contacts found during initial reconnaissance on sites like LinkedIn or Facebook and sending malicious content.The Syrian Electronic Army has used this method with surprisingly effective results to access web-based work email accounts that can then be used to subsequently cause more damage, like changing DNS and accessing social media accounts or document theft. Hacktivist groups like Anonymous will often use similar reconnaissance to take advantage of call centers and customer support to reset passwords in order to gain access to corporate servers and inboxes.

Unsurprisingly,other social engineering campaigns have leveraged the global connectedness that social media offers. A China-linked campaign in late 2014 targeted employees of male-dominated sectors like technology and nuclear engineering. Attractive women “friended” engineers using Facebook and then passed along links to malicious files in chat messages.

- Digital Partner -

Similarly, a recent financial-related network attack began with a targeted employee being contacted on Skype by a supposed trade organization.An initial registration document was passed to the victim, which was not malicious.A subsequent Word document was passed along that contained custom-written malware. From there the attackers gained access to the network and made off with over $1 million and credentials for attacks on partners.

For more about other network security issues as well as some basic best practices from a network security training consultant, read the article “Basic Training in Network Security” in the July-August issue of LP Magazine.

Loss Prevention Magazine updates delivered to your inbox

Get the free daily newsletter read by thousands of loss prevention professionals, security, and retail management from the store level to the c-suite.

What's New

Digital Partners

Become a Digital Partner

Violence in the Workplace

Download this 34-page special report from Loss Prevention Magazine about types and frequency of violent incidents, impacts on employees and customers, effectiveness of tools and training, and much more.

Webinars

View All | Sponsor a Webinar

Whitepapers

View All | Submit a Whitepaper

LP Solutions

View All | Submit Your Content

Loss Prevention Media Logo

Stay up-to-date with our free email newsletter

The trusted newsletter for loss prevention professionals, security and retail management. Get the latest news, best practices, technology updates, management tips, career opportunities and more.

No, thank you.

View our privacy policy.