"Phishing is still the easiest way to compromise a user," says Ragan. Spear phishing hits specific users with a malicious attachment; for example, an Office document with macros enabled or a PowerShell script that takes over their system.
Fincher agrees phishing is the simplest means to an end for cybercriminals looking for easy targets. She consistently sees users tricked into clicking on links via email or text, a method known as SmShing.
"The cost and threat is low, requires low technical ability on the part of the attacker, and has the potential to reach many targets at once," Fincher adds.
Wireless hijacking or interception
These attacks occur when a cybercriminal injects malicious payloads into an end-user device, or compromises their Internet traffic and redirects them into installing malware. This can be relatively easy because there are many tools available, says Ragan.
For example, a "wifi pineapple" can compromise an end-user device via wireless attack. An attacker could use this tool to force an end-user's device to dissociate from its wifi network and associate with one the threat actor controls instead. This would enable the attacker to accept the victim's traffic and inject malicious code.
Ragan notes this is only possible with physical proximity to the victim; wireless hijacking can't be done across broad geographical regions.
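The forced-dissociation attack described above leaves two signatures a defender can look for in a monitor-mode capture: a burst of deauthentication frames spoofed from the real access point's BSSID, and a beacon advertising the known SSID from an unknown BSSID. The following detection logic is an added example, not code from the article or from any tool it mentions; the log format, the MAC addresses, the SSID "CorpWiFi" and the allowlist are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample of 802.11 management frames: time, subtype, source, dest, [ssid].
# The line format is an assumption for this example, not any real tool's output.
SAMPLE_LOG = """\
0.00 beacon 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff CorpWiFi
0.10 beacon 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff CorpWiFi
0.50 deauth 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
0.52 deauth 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
0.54 deauth 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
0.56 deauth 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
0.58 deauth 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
0.60 beacon 66:77:88:99:aa:bb ff:ff:ff:ff:ff:ff CorpWiFi
5.00 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
"""

# Allowlist of legitimate access points, SSID -> set of BSSIDs (constructed).
KNOWN_APS = {"CorpWiFi": {"00:11:22:33:44:55"}}

def parse_frames(text):
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        frames.append({"t": float(parts[0]), "kind": parts[1], "src": parts[2],
                       "dst": parts[3], "ssid": parts[4] if len(parts) > 4 else None})
    return frames

def detect_deauth_flood(frames, window=2.0, threshold=5):
    """Flag a source that sends >= threshold deauth frames within `window` seconds.
    A single deauth is normal housekeeping; a burst (often spoofed from the real
    AP's BSSID) is the classic signature of forced dissociation."""
    recent = defaultdict(deque)
    alerts = []
    for f in frames:
        if f["kind"] != "deauth":
            continue
        q = recent[f["src"]]
        q.append(f["t"])
        while q and f["t"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((f["src"], f["t"], len(q)))
            q.clear()  # one burst raises one alert
    return alerts

def detect_evil_twin(frames, known_aps):
    """Flag a beacon advertising a known SSID from a BSSID not on the allowlist."""
    seen = set()
    for f in frames:
        if f["kind"] == "beacon" and f["ssid"] in known_aps:
            if f["src"] not in known_aps[f["ssid"]]:
                seen.add((f["ssid"], f["src"]))
    return sorted(seen)
```

On the sample, the deauth detector fires once at the fifth frame of the burst and ignores the lone deauth at 5.00, while the beacon check flags the second BSSID advertising "CorpWiFi".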
"The two biggest vectors to hack a device are SmShing or phishing," says Social-Engineer CEO Chris Hadnagy. Phones that are jailbroken or allow for side-loading of apps heighten the risk for users.
As previously noted, SmShing attacks require users to click malicious links sent via text messages. Hadnagy recalls the recent Wells Fargo breach, when there was an influx of SmShing scams with malware and bad links sent to victims.
"The one danger I don't personally see addressed often enough is BYOD policy at the corporate level," says Fincher, explaining the growing risk of end-users bringing devices into the workplace.
"With smartphones, laptops, and tablets being so readily available, many organizations don't realize the risk that they take by NOT explicitly addressing whether or not it's okay to check company emails on phones, or even examining devices prior to approval," she continues.
BYOD increases the risk for organizations because with one successful end-user attack, an attacker can compromise an entire business, says Hadnagy.
Impersonation is commonly used to reset passwords, transfer control of phone numbers, or bypass other security controls, Ragan explains. For example, a hacker may target a specific carrier to hijack a phone number and intercept two-factor authentication tokens and messages. It's a "pretty easy" form of compromise that doesn't require attackers to have a high technical skill level.
"If I, as an attacker, am able to obtain VPN credentials to a corporate network with a phone call, I don't actually need to hack any device at all - I can potentially log in as a legitimate user and browse away at proprietary information," says Fincher. Most end-user attacks are conducted by individuals posing as a legitimate entity.
"With just a little bit of open source intelligence gathering (OSINT), attackers can find just enough information to appear to be a bank, a boss, a customer, or a friend with a normal request," she continues, noting that most people are busy or careless enough to hand over personal information without question.
"Physical access to someone's system is almost always game over," says Ragan. With enough time, motivation, and skill, he explains, a threat actor can "almost always" get into a stolen laptop. Physical access attacks could also involve a malicious USB drive, a stolen hard drive, boot attacks, or a keylogger.
Mobile devices can prove tougher to crack, especially with the right security configurations. Apple's decision to move the iPhone to a 6-digit passcode, along with forced lockout after too many login attempts, helps protect mobile devices from threat actors.
This is another strategy that relies on human manipulation to download malware and compromise devices, and another that doesn't require much technical expertise for attackers to be successful.
"The recipe goes, take something people want badly and make them install something before they get access to it," says Ragan. The "something" could be anything from a blockbuster movie to a celebrity sex tape.
Malvertising is an effective and accessible way to scam users in an opportunistic attack to hit as many people as possible, he adds. Threat actors need only to pay to run a fake advertisement, and someone who isn't paying attention will fall for it. Ragan recalls a recent example of someone who clicked a bad advertisement after searching to download Adobe Acrobat online.
Unpatched vulnerabilities are among the easiest vectors for cybercriminals to launch attacks, says Ragan. Attackers frequently exploit unpatched flaws by scanning the Internet looking for vulnerabilities, or targeting specific environments, to gain entry. He cites the recent WannaCry ransomware attack as an example.
"It's the lowest-hanging fruit, especially if there's a known exploit published for it," Ragan continues. Publicly known exploits make it easy for threat actors to break into unpatched software and infect the host.
"If there is no known exploit, it's up to the skill set of the attacker to know how to create one," he says, noting how this is more difficult. Attacks on unpatched vulnerabilities target all platforms; Windows, Android, and iOS are all at risk.
Ragan says these types of attacks have become more complex as browser security has improved. It's tough to do on Chrome, for example, because it does automatic updates. It's easier on Firefox or Microsoft Edge.
"It's really tough to develop these exploits because browser developers have stepped up their game, but if there is a known issue or unpatched issue, it's relatively easy for attackers to repurpose that," he explains.