Attacks within digital communications channels (like Slack, Teams, Twitter, Facebook, LinkedIn) have grown more targeted and more social engineering-focused, and the payloads have become "softer": the risks are no longer in files, links or IPs alone. Instead, recent attacks are laser-targeted and evade traditional detection by focusing on human connections.
To find out more about these “soft attacks,” we talk to Otavio Freire. As the President, Chief Technology Officer and Co-Founder of SafeGuard Cyber, Freire is responsible for the development and continuous innovation of SafeGuard Cyber’s enterprise platform.
Freire has extensive experience in company strategy and engineering for cyber and risk-based scalable platforms, including social media applications, internet commerce and information technology serving the pharmaceutical, financial services, high-tech and government verticals. He has a BS in Civil Engineering, an MS in Management Information Systems and an MBA from the University of Virginia Darden School of Business, where he currently serves as a visiting executive lecturer.
Security magazine: Can you explain what “soft attacks” are, and how they evade traditional detection by focusing on human connections?
Freire: At a high level, we’ve been seeing that attacks in digital channels have grown more targeted, more social engineering-focused, and the payloads have become "softer." By "softer," we mean that the risks are not in files or links alone anymore. Instead, recent attacks are laser-targeted and evade traditional detection by focusing on human connections and language. Attackers are now moving beyond mass-phishing and malicious payload blasts. Instead, they’re researching targets in social channels, like LinkedIn, before sending socially engineered messages. Data loss, payroll fraud, account takeover, vendor invoice fraud, blackmail and credential phishing are other examples of "soft" attacks that take place in all digital channels, for example WhatsApp, DMs in social media, Teams, Zoom, etc., to name just a few.
Security magazine: Why are attackers moving beyond mass-phishing and malicious payload blasts, and researching their targets on social media channels before sending socially engineered messages?
Freire: Attackers have realized that mass attacks have a low conversion rate, and that targeted spear-phishing, however more time-intensive, has a much higher success rate. Traditional security defenses also simply do not detect and stop these attacks. From a cybercriminal’s point of view, spear phishing is the perfect means to deliver a broad array of damaging exploits. For example, threat actors are increasingly targeting VIPs/executives and other high-level employees, also known as MAPs (most-attacked persons), tricking them into activating malware that grants access to their companies’ environments.
These exploits might be ransomware that encrypts company data, then extorts fees from the victim to remediate the situation, or attacks that are focused on cyber-espionage, where the attacker moves laterally to avoid detection, seeking to gain long-term intelligence from those executives, for example drug trial information, earnings, manufacturing contracts, etc.
Security magazine: What are some recent examples of these attacks?
Freire: We saw examples of these tactics in Operation Sharpshooter and more recently with the North Korean threat actor Labyrinth Chollima, which has been doing recon on targets and reaching out on LinkedIn. They then lure targets to WhatsApp, where they deliver attachments with malware. According to the FBI, over $26 billion is lost to business email compromise (BEC) alone every year, and this takes place in all channels, not just email, so perhaps the term needs to evolve.
Security magazine: How can security team leaders protect against these attacks? What are a few steps they can take?
Freire: It’s not easy, and it's hard for a human to comprehend and identify spear-phishing by themselves, with all the deception techniques that are deployed alongside a social engineering campaign. We’ve heard of even Chief Information Security Officers getting compromised with fake keynote solicitations within 12 minutes of a red teaming exercise! That said, we recommend employees and executives pay close attention to the following elements of the communication. Does the communication:
- Convey a sense of urgency or secrecy?
- Use an element of authority to ask you to conduct an action?
- Deem itself as “private”?
- Contain unusual misspellings?
- Relate to financial transactions?
- Have URLs containing an IP address?
- Contain disparities between “href” attributes and the link text?
- Contain mentions of “Link,” “Click,” or “Here” in a text link?
This is just a partial list, and that is why we have built machine learning and natural-language processing into our risk analytics engine, because these phishing communications change over time. We need to be able to identify them quickly and take action before any harm is done.
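The checklist above can be turned into a simple message triage check. The following is an added illustration, not SafeGuard Cyber's engine or code from the interview: it parses an HTML message body with the Python standard library and flags the technical indicators from the list (URLs whose host is an IP address, a visible link text that names a different host than its `href`, "link"/"click"/"here" link text) plus a small, assumed keyword list for urgency, secrecy and financial language. The sample message is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
GENERIC_LINK_TEXT = re.compile(r"\b(link|click|here)\b", re.I)
# Assumed keyword list covering urgency, secrecy and financial-transaction cues.
URGENCY = re.compile(r"\b(urgent|immediately|confidential|private|wire|invoice|payroll)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible link text) pairs and all visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def flag_message(html):
    """Return the sorted list of indicator names triggered by an HTML message body."""
    p = _LinkCollector()
    p.feed(html)
    flags = set()
    for href, text in p.links:
        host = (urlparse(href).hostname or "").lower()
        if IP_HOST.match(host):
            flags.add("ip_url")
        if GENERIC_LINK_TEXT.search(text):
            flags.add("generic_link_text")
        # Visible text that looks like a URL but whose host differs from the real href host.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != host:
            flags.add("href_text_mismatch")
    if URGENCY.search(" ".join(p.text)):
        flags.add("urgency_or_finance")
    return sorted(flags)


# Constructed sample: an "invoice" lure whose displayed link hides an IP-address URL.
SAMPLE = ('<p>Urgent: review the invoice at '
          '<a href="http://203.0.113.5/pay">https://vendor.example.com/invoice</a> '
          'and <a href="http://203.0.113.5/x">click here</a>.</p>')
```

Running `flag_message(SAMPLE)` returns all four indicators; a plain internal message whose link text matches its `href` returns an empty list.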