Ross Anderson from the University of Cambridge and Shishir Nagaraja from the University of Illinois have recently published their findings from the forensics investigation of the Office of His Holiness the Dalai Lama. The office became suspicious that it was under surveillance after meetings with foreign diplomats were canceled, under pressure from the Chinese, shortly after initial communication about them began. In their report, the researchers found the office had been compromised via social engineering attacks originating from China. The attackers harvested the names and email addresses of several monks working within the office from Internet boards and mailing lists. Phishing emails were then sent to the harvested accounts with a malicious attachment enclosed in the form of a .pdf or .doc file. The emails were so targeted that they often pretended to be from someone else within the office or another person the victim knew. Once the attachment was opened, malware was installed with phone-home and data exfiltration capabilities.
The report is just one example that highlights the growing trend of using unsophisticated but extremely targeted delivery vehicles to compromise an organization. While this attack may have been state sponsored, the techniques are easy to implement and can be, and ARE, also used by criminal enterprises and malicious individuals. Engagements and trending studies support this. However, too many times I see clients deciding not to include social engineering testing as part of an external assessment. They have a tendency to focus testing on attack vectors aimed at systems exposed to the Internet. For whatever reason, users are not considered part of the attack surface when assessing external threats.