Social Engineering And Political Campaigns

Advanced Persistent Threat (APT) attacks use social engineering against political campaigns as part of a multi-pronged strategy by organized crime, nation-state actors, or both. Campaigns can be particularly susceptible, because those with access are often either a small number of staff with a heavy workload or just volunteers.

In this preview of the upcoming educational session entitled "Social Engineering and Political Campaigns," speaker Vance Long, of The Skain Group, talks about how a staffer recognizes APT motivations, and the common methods used by social engineers to victimize campaigns.

"Several factors are drawing the focus of APTs to political campaigns instead of the private sector. A loose organizational structure, heavy reliance on volunteers and constant fundraising make for a perfect storm in the eyes of APTs."

The world of politics is a target-rich environment. Combined with what can at best be described as a loose organizational structure, this places campaigns well behind corporations in cybersecurity defence. Without the dedicated security teams employed by most companies, campaigns are a more vulnerable and therefore more appealing target.

"What are the questions APTs ask when selecting a target?" Long asks. "First, ‘Are they supported by a strong and mature information security program?’ ‘How much fundraising are they doing?’ ‘How active is the candidate in the media or on social media?’ ‘Who are their famous, wealthy or notable donors?’ ‘Do they rely more on volunteers or staff?’"

Even outside the world of grass-roots campaigns, it is impossible not to rely heavily on volunteers. This being the case, the onboarding process should include at least a basic level of social engineering training.

And the fundraising never stops. Anyone with financial responsibilities for the campaign needs to be trained in the tactics and methods of social engineering, as they will be priority targets for this type of attack.

"All employees and volunteers working with campaigns need to understand the common methods used in a social engineering attack," says Long. "Detecting social engineering is all about being able to recognize these tactics. Social engineering is considered to be the ‘ultimate hack’ as the actor is not compromising a system but a person."

"Social engineers attempt to build relationships. The quickest way to do this is by researching a target and then building a small story where the target will find common ground, to validate them and increase their credibility," he continued.

"Proactive training aligned with a risk assessment is the only way a campaign can prepare," he continued. "Finally, it is important to recognize the three main social engineering attacks. Most people have some knowledge of Phishing – emails purporting to be from a reputable source to induce individuals to reveal information or take action. Two other less well known attack methods are: Vishing – voice elicitation and Smishing – using text messages. And with every campaign having a social media presence, these tactics could all be combined into a single platform."