Social engineering used in the cyber attack on a Santander branch

Police and Santander have thwarted an “audacious” cyber gang that aimed to steal millions of pounds by remotely taking control of a bank branch’s computers. One of the plotters posed as an bogus maintenance engineer pretending to be from a third party to fit a computer in a branch of Santander with a “KVM Switch” that would’ve allowed them to remote control the workstation. The co-operation between the Met Police and Santander prevented any losses.

The physical element of the attack shows organisations need to be aware of social engineering as part of a cyber attack. Gaining access to the network inside the perimeter would make it easier to perform attacks.

This type of physical activity as part of a cyber attack is similar to the unsuccessful $423million attack on  Sumitomo Mitsuis where keyloggers installed by hackers let into the bank by its security chief that allowed account details and credentials to be harvested and used in the attack. The security chief was in on the plan and attempted to disable physical security controls that were in place including tampering with the CCTV.

The importance of social engineering awareness training is known, but how many training programmes concentrate purely on the phishing emails and the importance not to open attachments from unknown senders. Social engineering is an art and practitioners such as Kevin Mitnick; now a leading security evangelist but who was at one time the most wanted computer criminal in the USA; can obtain access to systems and information by effectively just asking. Social engineering awareness needs to cover not only training staff about phishing and email security, but also the importance of not giving information to those not authorised to receive it and the prevention of physical social engineering attacks. If an attacker can get insider your physical perimeter they are often able to access your network insider the network security perimeter and less controls to bypass.