Mitnick Security Blog - Cybersecurity News and Articles

How Bots Can Be Used in Social Engineering Attacks

Written by Mitnick Security | Sep 29, 2022 5:30:00 PM

People are social and want to help others whenever possible, but doing so in a digital work environment can allow bad actors to deceive unsuspecting individuals into providing access to sensitive information. When threat actors manipulate one of your employees into performing an action or giving up information — the definition of social engineering — your entire organization could be at risk.

Bots are one of the latest tools a threat actor can use in a social engineering attack. Below, we’ll discuss what bots are, how they can be used for social engineering scams, and ways you can protect your organization from the inside out.


What Is a Bot?

A bot is a program that simulates human activity by interacting with systems or other users. Typically, a bot performs repetitive actions to automate tasks. Bots — also called internet bots or robots — are used across many industries for online customer service, scheduling, and more.

Specifically in the realm of cybersecurity, bots often assist detection and response platforms, helping to reduce the need for cybersecurity specialists amid a shortage in the workforce.


How Are Bots Used for Social Engineering Attacks?

Two kinds of bots deployed for cyberattacks are one-time password (OTP) bots and SMS code bots. While threat actors had to create and code their own bots in the past, there are now “service” providers (themselves threat actors) who rent out bot networks specifically for use in social engineering attacks.


Fraud for Hire Service

Fraud-as-a-service (FaaS) bots are rented or bought by threat actors to launch phishing attacks on unsuspecting employees, steal login credentials, and gain access to your organization’s internal network and systems.

Although two-factor authentication (2FA) can thwart social engineering efforts, OTP bots can launch an attack with nothing more than the victim’s name and their financial institution or company information: the bot places an automated call to the victim to obtain the one-time password, which then gives the threat actor access to the targeted account. A similar approach can be taken with SMS code bots. These attacks eliminate the need for a threat actor to SIM swap and are less traceable than traditional methods.

Both bot types can send the captured information back to the hacker within minutes. Bots allow for automation, so threat actors can breach security defenses faster and without the manual effort of calling and impersonating the target.


Automated Phishing Attacks

Bots can send hundreds of phishing emails to multiple email addresses much faster than a human threat actor. To get around 2FA, the phishing links within the emails point to proxies that forward the victim’s requests to the real website and relay its responses back. The threat actor thereby receives all the information needed to breach an organization’s security.


Scraper Bots

Scraper bots are deployed by threat actors to conduct the investigation and reconnaissance phase of a cyberattack. These bots get their name because they scrape (systematically search for and record) personally identifiable information (PII) from social platforms. That information can then be used to impersonate individuals at the targeted organization, or to hold profiles for ransom once access is gained. Scraper bots can also be used to scale credential-based attacks and other dangerous schemes such as:

  • Fake Accounts
  • Inventory Hoarding
  • Credit Application Fraud
  • Client-Side Attacks
  • Refund Fraud

As we continue to learn about bots and their potential uses, so will threat actors. That’s why it’s crucial to stay vigilant and prepare your organization to fight back against cyberattacks.


Defense Against an Automated Social Engineering Attack

Threat actors use bots in their social engineering attacks because it’s faster than doing everything manually. But what can you do about it? First, remember that a financial service provider will never call to confirm your personal information. Block all incoming calls that are not part of your address book.

You can also use scam-blocking tools and seek the help of a cybersecurity consultant. Further, consider cybersecurity awareness training to empower your employees and educate them on social engineering tactics.

Lastly, use routine scans and assessments as part of your security protocols to help ensure that your defenses are up to date and strong enough to foil whatever cybercrime threat actors may attempt against your business.


Shore Up Your Cybersecurity

Aside from your routine scans and vulnerability assessments, explore penetration testing options to improve the security posture of your organization. Social engineering testing can specifically test your employees against scam attempts and identify vulnerabilities before the threat actors (and their bots) do. To start shoring up your cybersecurity, explore the ins and outs of social engineering testing and test your team’s readiness.