Social engineering remains one of the most effective tools available to threat actors. As we enter the last quarter of 2024, their methods are becoming more sophisticated, blending technology, AI, and psychology in ways that can catch even careful, well-trained people off guard. This year the tactics are not just evolving; they are advancing at an unprecedented pace. Black Hat USA 2024 and DEF CON 32 explored many of the latest trends in social engineering, uncovering the new strategies and technologies that are shaping the future of these deceptive practices. Understanding these trends is essential for staying ahead of the curve and protecting yourself and your company in a digital landscape that is more complex than ever.
It should come as no surprise that many of the emerging trends in social engineering center around the use of AI. This intersection of social engineering and artificial intelligence is particularly dynamic. At DEF CON 32, one of the highlights was the John Henry Competition: Humans vs. AI, where the evolving capabilities of these technologies were put to the test. DarkOwl had the opportunity to witness this intriguing contest firsthand.
The human team featured the renowned “Human Hacker” Snow and her co-founder of the Social Engineering Community Village, JC, both of whom brought their profound intuition, creativity, and understanding of human behavior to the challenge. In contrast, the AI team, consisting of Lisa Flynn (Human Systems Engineer & AI Researcher) and Perry Carpenter (Author & Cyber Evangelist), demonstrated the formidable precision and efficiency of advanced algorithms. Throughout the competition, both teams showcased their vishing tactics through live calls to companies.
The AI team presented cutting-edge techniques in voice modification, including both traditional robotic tones and more sophisticated, human-like audio, such as that produced by deepfakes. They also illustrated how AI models could adapt and evolve, learning from previous calls to refine their approach. Despite the impressive performance of the AI team, the human team narrowly secured victory, highlighting the enduring strength of human intuition in the face of rapidly advancing technology.
When discussing social engineering and AI, it’s crucial to recognize not just how AI can be used for malicious purposes but also how AI systems themselves can fall victim to social engineering. This is particularly relevant in the context of large language models (LLMs) like ChatGPT. While these models are designed with safeguards to prevent them from assisting in illegal activities, including hacking, they are not impervious to social engineering campaigns.
At DEF CON 32, Jayson E. Street, a renowned speaker, author, and Simulated Adversary featured in National Geographic’s Breakthrough Series and Rolling Stone Magazine, delivered a compelling presentation that captivated the audience. Street, who was named one of Time’s Persons of the Year in 2006, demonstrated how LLMs can be manipulated through social engineering techniques. His talk, which drew an overflow crowd, showcased how LLMs, despite their advanced programming, can still be susceptible to Layer 8 attacks—an informal term for cybersecurity attacks aimed at human operators.
Street’s demonstration revealed that, because LLMs are ultimately built on and shaped by human inputs, they can be tricked into providing information or instructions that could be used for unethical purposes. Using the same pretexting and persuasion tactics that work on people, Street talked multiple LLMs into revealing code and step-by-step procedures for hacking various devices, networks, and systems. The presentation underscored that the safeguards in even the most advanced AI systems are a form of policy enforced through language, and that policy can be argued around; it highlighted the ongoing need for vigilance and robust security measures in the face of evolving threats.
Social media has become a double-edged sword in the realm of cybersecurity. While it connects people, facilitates communication and can be used for marketing, it also serves as a rich resource for social engineers seeking to exploit personal and organizational vulnerabilities.
One of the primary tactics used by social engineers is data harvesting. Cybercriminals meticulously collect personal information from social media profiles to craft highly targeted attacks. By analyzing the details shared on platforms such as Facebook, LinkedIn, and Instagram (job title, reporting lines, travel, vendors, recent milestones), they can tailor their schemes to exploit specific weaknesses, whether in the form of phishing emails, vishing phone calls, or physical intrusion.
Impersonation scams represent another significant threat. Social engineers often create fake profiles or hijack existing accounts to deceive individuals or organizations. These fraudulent accounts can be used to gain unauthorized access to sensitive information, manipulate key contacts, or spread malicious links. The deceptive nature of these impersonation tactics makes them particularly dangerous, as they exploit the inherent trust people place in their social networks.
Moreover, the influence of social media personalities can be harnessed for malicious purposes. Influencer manipulation exploits the trust and reach that social media influencers command. By co-opting these figures, or compromising their accounts, cybercriminals can leverage their established credibility to disseminate harmful content, promote phishing schemes, or even orchestrate more complex social engineering attacks. The vast reach of influencers amplifies the impact of these deceptive practices, making it crucial for both individuals and organizations to remain vigilant.
As social media continues to evolve, so too will the tactics of social engineers. Understanding and recognizing these strategies is essential for safeguarding personal and organizational information against increasingly sophisticated threats.
As social engineering tactics continue to evolve, cybercriminals are employing increasingly sophisticated methods to exploit human psychology and technological systems. Psychological manipulation techniques are at the forefront of these developments. Social engineers are leveraging urgency and fear tactics to compel quick responses from their targets. By creating time-sensitive threats or amplifying fear, they manipulate individuals into making hasty decisions without proper scrutiny.
Similarly, the use of social proof and authority figures has become more prevalent. Attackers often pose as trusted figures or leverage perceived authority to gain compliance and manipulate their targets. Emotional appeals are another powerful tool, with attackers crafting messages designed to evoke strong emotions such as sympathy or excitement. These emotional triggers can cloud judgment and make individuals more susceptible to deception.
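The manipulation levers described above (urgency, fear, authority, social proof, emotional appeals) and the impersonation pattern from the social media section are exactly what a mail-triage heuristic looks for. The following Python is an added example written for this page, not DarkOwl's code or a product feature: it scores a message on display-name impersonation of a protected person, a diverted Reply-To, a lookalike of the organization's own domain, and the psychological cues in the text. The domains, the protected names, the cue phrases and the two sample messages are all constructed assumptions for illustration.

```python
"""Triage heuristic for social-engineering cues in inbound e-mail.

Added example, not DarkOwl's code. Domains, names, cue lists and the
sample messages below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Assumption: the defended organization's own mail domains.
INTERNAL_DOMAINS = {"example.com"}
# Assumption: people attackers like to impersonate, with the address on file.
PROTECTED_NAMES = {"dana ceo": "dana.ceo@example.com",
                   "sam finance": "sam.finance@example.com"}

# Cue phrases mirror the levers in the text: urgency/fear to short-circuit
# scrutiny, authority and social proof to win compliance, secrecy to stop
# the target from checking, and the payoff action the attacker wants.
CUES: List[Tuple[str, int, List[str]]] = [
    ("urgency", 2, ["urgent", "immediately", "right away", "asap",
                    "within the hour", "before end of day", "final notice"]),
    ("fear", 2, ["will be suspended", "legal action", "terminated",
                 "locked out", "penalty"]),
    ("authority", 1, ["this is the ceo", "chief", "director",
                      "it department", "security team", "compliance"]),
    ("social proof", 1, ["everyone else has", "your colleagues already",
                         "all other employees"]),
    ("secrecy", 2, ["keep this confidential", "do not discuss",
                    "don't tell", "between us"]),
    ("action", 2, ["wire transfer", "gift card", "reset your password",
                   "click the link", "verify your account", "send the invoice"]),
]
SUSPICIOUS_THRESHOLD = 6  # assumed cut-off; tune against your own mail flow


@dataclass
class Finding:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalize_domain(domain: str) -> str:
    """Undo common lookalike substitutions (examp1e.com, exarnple.com)."""
    d = domain.lower().replace("-", "")
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"),
                       ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def score_message(from_header: str, subject: str, body: str,
                  reply_to: Optional[str] = None) -> Finding:
    f = Finding()
    display, addr = parseaddr(from_header)
    sender_domain = domain_of(addr)

    # Display-name impersonation: a protected name on an address not on file.
    expected = PROTECTED_NAMES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        f.add(4, f"display name '{display}' but sender is {addr}")

    # Reply-To diverted to another domain, typical of hijacked or spoofed senders.
    if reply_to:
        reply_domain = domain_of(parseaddr(reply_to)[1])
        if reply_domain and reply_domain != sender_domain:
            f.add(3, f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")

    # Lookalike of one of our own domains.
    for internal in INTERNAL_DOMAINS:
        if sender_domain != internal and normalize_domain(sender_domain) == normalize_domain(internal):
            f.add(3, f"sender domain {sender_domain} is a lookalike of {internal}")

    # Psychological levers in the subject and body.
    text = f"{subject}\n{body}".lower()
    for label, weight, phrases in CUES:
        hits = [p for p in phrases if p in text]
        if hits:
            f.add(weight, f"{label}: {', '.join(hits)}")
    return f


# Constructed sample messages (not real mail): a CEO-fraud pretext and a benign note.
SAMPLES = {
    "ceo_fraud": ('"Dana CEO" <dana.ceo@examp1e.com>',
                  "Urgent: wire transfer needed today",
                  "This is Dana. I'm in a meeting and can't talk, keep this "
                  "confidential. Send the wire transfer immediately."),
    "benign": ('"Pat Colleague" <pat@example.com>',
               "Lunch on Thursday?",
               "Want to grab lunch Thursday? No rush, whenever suits."),
}


def triage_samples() -> dict:
    return {name: score_message(*msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, finding in triage_samples().items():
        verdict = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{name}: {verdict} (score {finding.score})")
        for reason in finding.reasons:
            print("   -", reason)
```

The header checks carry more weight than the phrase matches on purpose: wording can be rewritten by an attacker (or an LLM) in seconds, while a display name that does not match the address on file, or a Reply-To pointing somewhere else, is structural and survives rewording. Treat the phrase lists as a starting point to be extended from your own phishing reports, not as a classifier.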
In response to these growing threats, regulatory and legal frameworks are adapting. New legislation is being introduced to address the challenges posed by social engineering attacks. These emerging laws aim to create a more robust legal foundation for combating such threats and ensuring better protection for individuals and organizations. Compliance requirements are also evolving, necessitating that organizations adjust their cybersecurity practices to meet new standards. This often involves implementing more stringent security measures and training programs. Global cooperation has become a vital component of these efforts, with countries and organizations working together to share information, best practices, and strategies to combat social engineering on an international scale.
Another significant trend is the rise of hybrid attacks, where attackers combine multiple channels and platforms to enhance their effectiveness. By integrating email, phone, and social media attacks, cybercriminals create more complex and convincing schemes. Cross-platform exploits are particularly concerning, as they involve coordinating attacks across different communication platforms and devices, increasing the likelihood of success. Contextual attacks further heighten the danger by utilizing specific, context-relevant information—such as recent events or personal milestones—to make the attack appear more credible and targeted.
Additionally, recent insights from Black Hat and KnowBe4 have identified several noteworthy trends in social engineering:
Understanding these evolving tactics is crucial for staying ahead of potential threats. By recognizing the sophisticated methods employed by cybercriminals, individuals and organizations can better fortify their defenses and respond more effectively to emerging social engineering challenges.
As we navigate the final stretch of 2024, it’s clear that social engineering is not just a challenge for today but a growing concern for the future. The insights gained from DEF CON 32 and other sources highlight how cybercriminals are leveraging advanced technologies and psychological tactics to craft increasingly sophisticated attacks. Staying informed about these emerging trends is not just a defensive measure—it’s a proactive strategy for safeguarding yourself and your organization in an ever-complex digital world. By understanding and anticipating these evolving tactics, you can better fortify your defenses and remain one step ahead of those who seek to exploit vulnerabilities. Remember, in the world of cybersecurity, knowledge truly is power. Stay vigilant, stay informed, and stay secure.