In October 2024, our team detected and swiftly thwarted an attempted social engineering attack aimed at compromising our primary account on X.com. The attacker’s strategy included sophisticated identity forgery and social engineering of staff at X.com to circumvent standard security measures, including two-factor authentication (2FA). Our immediate response and coordination with X.com’s support team prevented unauthorized changes and secured the account against future attempts.
In light of this attempt and similar trends observed across the DeFi space, we recommend that companies implement high-assurance verification protocols, such as requiring face-to-face and multi-party confirmation for account modifications, and that premium accounts establish robust communication channels with dedicated account managers.
In late October, our team received an unexpected email from X.com, indicating a request to change the primary email on our account - a change we had not authorized. An investigation revealed that the attacker had attempted to impersonate our CEO using a falsified ID and other fabricated documents. The attacker’s goal was to gain access to our X.com account by requesting administrative changes through X.com’s support team, bypassing 2FA protections, presumably in order to execute a phishing attack against the community using our brand.
Key details of the attempt and our response:
Initial Contact with X.com Support: The attacker first contacted X.com support under the guise of purchasing ads for our @ethena_labs account, establishing a relationship under a plausible pretext without raising suspicion.
Targeted Contact with Account Manager: Using information from their initial support interactions, the attacker obtained contact details for our dedicated account manager at X.com, setting the stage for a targeted account change attempt.
Unauthorized Email Change Request with Identity Forgery: The attacker submitted a request to change the email associated with our @ethena_labs account, providing forged company documents and a counterfeit ID that impersonated our CEO, in an attempt to bypass multi-factor authentication through the support process rather than the login flow.
Verification Call: Upon receiving the notification about the email change request, we immediately contacted our account manager, confirming that we had not requested any changes and preventing any unauthorized modifications.
Account Security Lockdown: In coordination with X.com’s support, we implemented a strict lockdown on the account, requiring high-assurance verification for any future administrative changes.
Our response to this attempted account compromise has underscored several essential practices that can protect sensitive accounts against evolving social engineering tactics. We strongly encourage our partners and peers in the DeFi community to consider these strategies for securing high-risk accounts:
Social engineering attacks are increasing in sophistication, with attackers often targeting internal contacts within platforms and service providers. Recognize that even advanced security features, such as two-factor authentication (2FA), can be bypassed through a provider's support and account-recovery channels if attackers use forged documents or insider knowledge to request changes on your behalf. Awareness across teams of these emerging tactics is critical.
For accounts tied to critical assets, especially those on social platforms or domain registrars, it’s crucial to set strict verification requirements with your account manager. We recommend protocols like face-to-face video confirmation with the account owner before implementing any major changes, such as login or email modifications. Procedural safeguards like these add an extra layer of assurance that technical measures alone may not provide.
For high-value accounts, premium support can be an invaluable tool. Dedicated account managers can enable additional protections, rapid response, and human-led intervention, all of which are critical in mitigating social engineering risks. Premium support benefits include:
a) Human Verification Protocols: Account managers can set up protocols for in-person or video-based identity confirmation for significant changes.
b) Emergency Lockdown Capability: Direct access to support allows for immediate account lockdowns if suspicious activity is detected.
c) Enhanced Monitoring and Escalation: Premium plans often include monitoring and rapid escalation to flag unusual activity and prevent unauthorized access.
While social engineering may attempt to bypass MFA, it remains a foundational defense against direct login attempts. Enable multi-factor authentication on all accounts and routinely review the methods in place to meet the latest security standards.
Regular security audits allow you to detect and address vulnerabilities that could be exploited in a social engineering attempt. Maintain an up-to-date list of verified contacts and account managers, and periodically review the integrity of all sensitive accounts to prevent unauthorized access.
Ensure that all team members are informed about social engineering risks and trained to recognize potential threats. Sharing insights from recent incidents can build a proactive security culture and reduce the risks associated with social engineering.
This attempted breach reinforces the need for vigilance and robust security protocols to protect critical accounts from advanced social engineering tactics. By implementing enhanced verification requirements, maintaining a strong relationship with account managers, and educating teams on emerging threat tactics, organizations in the DeFi community can safeguard against evolving cyber threats.
In our case, close communication with X.com’s support team and rapid detection measures enabled us to secure our account swiftly, avoiding any impact on our operations. We encourage our partners and peers to consider these measures as foundational security practices in safeguarding their accounts and the broader DeFi ecosystem.