What is blagging, and why is it costing your organization?
Cyber threats, especially those that steal your credentials, can lead to significant financial and reputational losses. Cybercriminals frequently use social engineering to deceive people into handing over access credentials rather than attacking the technology directly. In fact, according to Mitnick Security's report, 98% of cyber attackers rely on social engineering techniques to compromise a system or enterprise.
Let's dive further into blagging (and what you can do to stop it in its tracks):
"Blagging", also known as "pretexting", is a social engineering technique; the name comes from the slang phrase "to blag", meaning to obtain something by persuasion or deceit. The attacker invents a plausible story (the pretext) and a matching false identity, then uses that story to talk the target into handing over information, credentials or access that they would never give to a stranger.
The conversation is steered so that disclosing critical or sensitive information feels reasonable in the moment, something the victim would be unlikely to do under ordinary circumstances. Blaggers typically use open-source intelligence (OSINT) about the victim, such as their employer, role, colleagues and recent activity, to make the fake scenario convincing.
Now that you know what blagging is, what does it look like in practice?
Examples of real-life blagging tactics include, but aren't limited to:
Cryptocurrency scams: Scammers research victims who have shown an interest in investing in cryptocurrency, then use a pretext by posing as an agent of a cryptocurrency trading app or as an experienced investor. After luring the target with fabricated stories of returns, they persuade the victim to transfer funds to the scammer's account or to a fake trading app. Once the money arrives, the scammer disappears.
Blagging through online romance: People on dating sites and social platforms are targeted and manipulated into "falling in love" with the attacker, who is almost always pretending to be someone else. The attacker uses the relationship to extract money, valuable personal details and sensitive information from the victim. Because trust has to be built first, these campaigns often run for weeks or even months.
Blagging through impersonation: An impersonation attack is a bolder form of social engineering built on a pretext. The attacker poses as a colleague, a friend, or a representative supposedly sent by a senior executive at a partner organization, and opens with friendly conversation to build rapport. From there they draw the target into revealing internal details such as server room locations, email addresses and phone numbers. With that knowledge, they may move to physical tactics like tailgating and piggybacking to get inside and plant malware such as ransomware or spyware on corporate systems.
Security researchers have found that attackers use a recognizable set of opening questions to draw victims into conversation before attempting to steal sensitive information. Here are some of the most common questions and tactics we've encountered.
Checking whether the victim is available:
Attackers often open by asking whether the target has a moment to talk. They then introduce themselves under a false identity and work on building rapport, usually over reputable platforms such as Twitter, LinkedIn, Instagram and Facebook, or by email. How quickly and readily the victim replies tells the attacker how receptive they are, and the questions escalate from there toward credentials and other valuable details.
Questions that create a pressing need for action:
Attackers are good researchers and gather information before they make contact. They then ask leading questions such as "Do you know your credit card is expiring?" or "I am from X bank, and our team found that your account is not secured. We can help you secure it." Under the guise of helping, they pressure you to share credentials and one-time passcodes (OTPs). No legitimate bank or IT department will ask you to read out a password or OTP; a request for either is itself the sign of an attack.
Be wary of unsolicited contact on informal platforms: Scammers often scour less-trafficked platforms in search of unsuspecting professionals. Users should stay alert and skeptical when engaging with people they don't know, wherever the approach comes from.
Verify identities independently: Users should research a person's details through open sources before engaging with them, which helps separate blagging scammers from legitimate contacts. For any request that involves credentials, payments or access, confirm it through a channel you already trust, such as the organization's published phone number or an internal directory, never through a number or link supplied in the message itself.
Employee awareness and training: Enterprises should train their employees on the different forms of social engineering attacks. Training should also cover the spoofed, lookalike domains cybercriminals register to perform blagging, so that employees inspect the sender's domain rather than just the display name.
Ongoing vigilance: Enterprises and organizations should encourage employees to stay alert to blagging activity. Employees should remain mindful of physical follow-ons such as piggybacking and unescorted server room access, both inside and outside the office premises. Through these measures, the workforce can detect and stop a blagging attack early.
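Spotting a lookalike domain by eye is harder than the training slide makes it sound. The script below is an added example, not code from Packetlabs or from the original post: it normalizes a sender's domain (lower-casing, decoding punycode "xn--" labels, mapping Cyrillic and Greek homoglyphs and digit substitutions to the Latin letters they resemble), then compares the result against an allowlist of trusted domains using exact match, edit distance and a brand-in-subdomain check. The TRUSTED_DOMAINS list and every sample address are constructed for illustration.

```python
"""Lookalike-domain triage for suspected pretexting (blagging) emails.

Added example; TRUSTED_DOMAINS and the sample senders below are constructed.
"""
from __future__ import annotations

import unicodedata
from email.utils import parseaddr

# Domains the organisation legitimately exchanges mail with (illustrative).
TRUSTED_DOMAINS = ("acmebank.com", "acme-corp.com")

# Characters that read like ASCII letters at a glance (attacker's char -> what the eye sees).
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic c x y i
    "\u03bf": "o", "\u03b1": "a",                               # Greek o a
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",            # digit substitutions
}
# Two-letter sequences that are easily misread as one letter.
DIGRAPHS = (("rn", "m"), ("vv", "w"))


def normalize_domain(domain: str) -> str:
    """Lower-case, decode punycode (xn--) labels to Unicode and apply NFKC."""
    domain = domain.strip().rstrip(".").lower()
    if "xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode stays as-is; it will not match a trusted domain
    return unicodedata.normalize("NFKC", domain)


def skeleton(domain: str) -> str:
    """Collapse a domain to what a human reads: 'acrnebank.com' and
    'acm\u0435bank.com' (Cyrillic e) both become 'acmebank.com'."""
    out = "".join(HOMOGLYPHS.get(ch, ch) for ch in normalize_domain(domain))
    for pair, single in DIGRAPHS:
        out = out.replace(pair, single)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> tuple[str, str | None]:
    """Return (verdict, trusted domain it resembles or None).

    verdict is 'trusted' (exact allowlist hit), 'lookalike' (homoglyph,
    typosquat or brand buried in another domain) or 'unknown'.
    """
    norm = normalize_domain(domain)
    if norm in TRUSTED_DOMAINS:
        return "trusted", norm
    skel = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        trusted_skel = skeleton(trusted)
        brand = trusted_skel.split(".")[0]
        # Reads identically, or is one keystroke away (acmebamk.com).
        if skel == trusted_skel or edit_distance(skel, trusted_skel) <= 1:
            return "lookalike", trusted
        # Trusted name used as a subdomain: acmebank.com.secure-login.net
        if skel.startswith(trusted_skel + "."):
            return "lookalike", trusted
        # Brand embedded in a non-TLD label: acmebank-support.com
        if any(lbl.startswith(brand) or lbl.endswith(brand) for lbl in skel.split(".")[:-1]):
            return "lookalike", trusted
    return "unknown", None


def classify_sender(address: str) -> tuple[str, str | None]:
    """Classify the domain of an RFC 5322 From / Reply-To header value."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return "unknown", None
    return classify_domain(addr.rsplit("@", 1)[1])


if __name__ == "__main__":
    # Constructed sample senders, as they might appear in a mail header.
    samples = [
        "Help@AcmeBank.COM",
        "Acme Support <billing@acmebank.com.secure-login.net>",
        "support@acrnebank.com",
        "alerts@acm\u0435bank.com",  # Cyrillic e
        "acm\u0435bank.com".encode("idna").decode("ascii"),  # same domain, punycode form
        "it@acmebamk.com",
        "hr@acmebank-support.com",
        "news@unrelated-vendor.org",
    ]
    for s in samples:
        print(f"{s!r:60} -> {classify_sender(s) if '@' in s else classify_domain(s)}")
```

Treat the output as triage, not a verdict: an "unknown" domain may be a perfectly legitimate new supplier, and a short brand name will produce false positives on the brand-in-label rule. The useful property is that a "lookalike" hit is cheap to compute at mail-gateway or SOC time and gives the employee a concrete reason to verify the request through an independent channel before acting on it.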
While complete protection from social engineering attacks is impossible, organizations can take proactive measures through awareness campaigns, independent verification of unusual requests, and monitoring to stay ahead of blagging threats.
© 2024 Packetlabs. All rights reserved.