
What Is Social Engineering? When Humans Are Hacked Instead of Systems!

“Social engineering” attacks exploit the fact that humans are the weakest link in the cybersecurity chain. Read on to learn how to safeguard yourself against this widespread type of attack. Naoki Hiroshima was an ordinary Twitter user like you and me, except that his Twitter handle was a rare single-letter username (@N), and some people were willing to pay $50,000 for it. However, in 2014, Naoki was compelled to hand over his $50,000 single-letter username to a hacker who got there using a straightforward tactic.

The story goes that the hacker, in order to steal Naoki’s Twitter username, called PayPal customer service claiming to be an employee from another department of the company and obtained the last four digits of Naoki’s credit card number. The hacker then contacted GoDaddy, the web hosting and domain registration company where Naoki’s website was hosted, and used those four digits to have GoDaddy reset the password for Naoki’s website. Now the hacker had the power to delete all of Naoki’s website data, and this threat was enough for Naoki to agree to give up his username.

Fortunately, Naoki later succeeded in regaining his username, but what happened to him is a type of social engineering attack that has caused serious problems for internet users and for employees of small and large organizations for years. Hackers have repeatedly taken control of users’ accounts or had large sums transferred to their own bank accounts by playing various roles, making threats, and using other tricks. The safety of online accounts has become a real concern for many individuals.

What is Social Engineering?

Social engineering may be a modern term, but the practice has been around since people first started interacting with each other. The underlying concept of social engineering is that one individual wants something that another person possesses and will go to any lengths to obtain it, even if it causes harm to the other person. Essentially, it involves convincing someone either to give up what they have or to do something against their own best interests.


Social engineering doesn’t involve hacking computers; instead, it targets the human mind.

The term social engineering has become widely known thanks to Kevin Mitnick, who is himself one of the most famous social engineers of our time (but has since repented and now works as a cyber security expert). In modern times and in the field of cyber security, social engineering is the art of deception, taking advantage of weaknesses, and influencing individuals to perform an action that is detrimental to them or to gain access to personal and sensitive data in computer systems. A hacker or social engineer can succeed in their objective not through malware and cyber attacks, but simply by asking the person who has access to the information or using clever tricks via telephone, text message, email, infected USB drive, or in-person interaction.

That’s why it is said that in social engineering, it is the minds of individuals that are hacked, not computers. In social engineering attacks, information that the person did not intend to reveal is obtained by the attacker without their knowledge or they are encouraged or coerced through what is called psychological manipulation to perform an action that they will later regret. Simply put, humans themselves are considered a type of security threat, and as hackers say, the weakest and most vulnerable link in the cybersecurity chain. We humans make almost 80% of our decisions based on emotions, and since logic has a very small role in these decisions, the remarkable success of social engineering attacks can be well understood.

History of social engineering

The roots of social engineering can be traced back to ancient stories, especially Greek myths, from the story of Prometheus who tricked Zeus and gave fire to humans, to the famous story of the Trojan Horse which actually gave its name to the most common type of malware.

The story of the Trojan Horse is arguably one of the most fascinating examples of social engineering. During the Trojan War, when the Greeks had been besieging the city of Troy for ten years, a cunning Greek warrior named Odysseus, who was a skilled social engineer, devised a plan to get his fellow soldiers into the city, not by force and breaking through the city walls, but by the Trojans’ own hands. Under Odysseus’ command, the Greek soldiers built a giant wooden horse and hid inside it. The rest of the army then sailed away, leaving the horse behind, so that the city would think the Greeks had accepted defeat and were retreating.


However, a Greek soldier named Sinon remained outside the gates of the city next to the giant horse. Sinon told the people of Troy that the horse was a Greek offering to the gods to protect their lives on the journey home, and that it had been built so large precisely so that the people of the city could not bring it inside, which would bring trouble on the Greeks aboard their ships. The Trojans fell for Sinon’s words and decided to bring the horse inside the city, unaware that Greek soldiers were waiting inside it to set fire to the city. Thanks to Odysseus’s social engineering attack, the Greeks emerged victorious in a war that, in the eyes of the Trojans, they had already lost.

Kevin Mitnick became known as the father of social engineering because, in the 1990s, after years of using scams and tricks to gain access to information and manipulate people psychologically, he popularized the term social engineering in the cybersecurity world. While only 13 years old, Mitnick used social engineering tricks to ride the buses of Los Angeles for free, and he later succeeded in gaining unauthorized access to the networks of Digital Equipment Corporation and Pacific Bell. Mitnick’s adventures in social engineering were so varied that when he finally went to prison, people said of him that he could “launch a nuclear war by whistling through a phone line.”


Social Engineering Techniques

In the movie “Catch Me If You Can” (2002) directed by Steven Spielberg, Leonardo DiCaprio plays the role of a skilled con artist named Frank Abagnale who, before the age of 19, successfully made millions of dollars by posing as an airline pilot, doctor, and lawyer. Abagnale later used his talent for social engineering to work as a security consultant.


Abagnale’s story bears a striking resemblance to that of Kevin Mitnick, the father of social engineering, as he too was successful in fraud and unauthorized access to organizational information through scenario planning and role-playing, and after being caught and imprisoned, he decided to use his talent as a cybersecurity consultant. In fact, the stories of social engineers have a lot in common, as the methods they use for their attacks are almost identical. Here are 10 of the most famous social engineering techniques you will become familiar with:

Role-playing:

In this common method, which is the first step in most social engineering tricks, the attacker first researches the victim to obtain accurate and truthful information about them, such as their date of birth or national ID number. Using this information, they design a fictional scenario, contact the victim, gain their trust, and through role-playing (for example, posing as a user in need, or as a manager urgently requesting help from an employee), ask them to provide important information. Often, everything starts with a friendly greeting or the sentence “Can I take a little of your time?”, and by the end of the call the organization and the targeted individual have suffered significant financial damage.

Diversion theft:

Diversion theft occurs both traditionally and online. In the traditional model, the thief uses social engineering tricks to convince the delivery driver to take the package to a different location and hand it to someone who is not the intended recipient. In online diversion theft, the thief forges a company email and persuades one of the targeted company’s employees to send sensitive and important data to the wrong email address.

Phishing:

In the phishing technique (referring to fishing where bait is used to catch prey), the attacker impersonates a trusted person or organization and, through role-playing, attempts to gain access to sensitive information such as usernames, passwords, or credit card information. Emails that claim to be from reputable websites, banks, auctions, or IT departments of organizations, asking the recipient for their personal information, are a type of social engineering phishing.

The phishing technique itself is divided into various types:

  • Angler phishing, where the attacker creates a fake customer service account on social networks;
  • Business Email Compromise (BEC), where the attacker impersonates a senior manager of an organization and asks an employee to transfer money to the attacker’s account or send sensitive data via email;
  • Pharming, where the attacker redirects users to a fake, cloned website instead of the real one and steals the information the user enters;
  • Spear phishing, reminiscent of spearfishing, where the attacker focuses the attack on a specific individual in order to infiltrate the entire system through them;
  • Tabnabbing, where the attacker replaces the content of an inactive browser tab with a malicious page and convinces the user to enter their credentials on the fake page to get back into the website;
  • Whaling, where the attacker targets senior managers or board members instead of ordinary users and tries to steal vital organizational information from them directly through social engineering tactics.

Water-holing attack:

In the water-holing technique, the attacker targets a website that the target group trusts and visits regularly. The attacker researches the website to find its vulnerabilities and uses them to plant malware there, so that over time the systems of visitors from the target group become infected and the attacker finds a way into their network.

Baiting:

Baiting is a technique in which the attacker offers the user something tempting and, playing on their greed, lures them into performing a harmful action. For example, the attacker hides malware behind a free download button for a popular song, so the user downloads the attacker’s malware and infects their own system. Another example is leaving a malware-infected USB drive in a public place; the victim believes they got lucky and found it, connects it to their system, and thereby gives the hacker access.

Something for Something:

A “Something for Something” attack (Quid Pro Quo) is a method in which the attacker asks the victim to share information or take an action in exchange for a promised benefit. For example, a hacker poses as an IT support staff member, contacts employees of the target organization, and tells them that installing the security patch they have emailed is necessary to improve system security. The employees do not know that the package contains malware, which, once installed, grants the hacker access to the system.


Scareware:

Scareware is a type of malicious software that convinces a user to take a particular action by frightening them. Typically, scareware appears as a pop-up warning message that tells the user their system’s antivirus program needs an update or that malicious content has been detected on their device and needs to be removed immediately. This fake warning message convinces the user to download and install malware on their system, allowing the hacker to gain access to their system by exploiting social engineering and taking advantage of the user’s fear.

Nigerian Scam:

The Nigerian scam, also known as “419” or “Nigerian Prince” scam, is a type of social engineering attack that tricks victims into providing details of their bank account or transferring money to the attacker, who claims to need help with transferring a large sum of money out of the country. In reality, there is no such transfer, and the scammer gains access to the victim’s bank account or takes their money and disappears. The name of the scam comes from a similar incident that happened in Nigeria, and some scammers still use the claim of being a Nigerian prince to trick unsuspecting and gullible victims. The number 419 also refers to a section of the Nigerian criminal code that declares this practice illegal.

How social engineering works

The basis of social engineering campaigns is “exploiting emotions.” Many social engineers focus on the emotions of their victims, such as fear, curiosity, greed, and compassion, because these emotions are common among people all over the world, and our reactions to them are almost the same. Some social engineering attacks even take place without the physical presence of the attacker and only by arousing the victim’s curiosity. For example, in 2007, hackers placed Trojan-infected USB drives in a London parking lot, and people, out of curiosity and also the desire to obtain something for free, unknowingly connected these infected drives to their systems and allowed the malware to be installed and executed on their devices.


On the other hand, some attackers threaten or extort their victims by exploiting their fear. Ransomware, the most famous example being “WannaCry,” encrypts the user’s important data and tells them that the only way to regain access is to pay money into the hacker’s account. In another well-known scenario, a hacker sends an email to a large group of users whose addresses were exposed in data breaches, telling each of them that their personal photos are in the hacker’s hands and will be published on the internet unless money is paid into the hacker’s account.


Attackers who pretend to need help can provoke users’ sympathy. It could be said that most people who tell passersby a story to ask them for money on the street are, to some extent, social engineers.

Tricks that social engineers use to take advantage of their victims’ emotions often appear in the following forms:

  • Malicious links to adult content or free downloads of content such as music, movies, software, and games;
  • Using a female name in the email sender field to gain trust;
  • Fake emails apparently sent by banks, online payment services, or well-known websites, asking the user to click a link to verify or update their information, which is then used to steal their login or banking credentials;
  • Threatening emails that talk about going to jail or court proceedings;
  • Big events such as sports competitions, predictions of natural disasters, or urgent news;
  • Famous people’s names and exciting reports about their adventures or scandalous behavior;
  • Impersonating familiar and trustworthy individuals such as family members, colleagues, and friends.

The list of these tricks is endless, and you have certainly encountered some of them on the internet. Wherever you notice that someone is taking advantage of your emotions, especially feelings of fear, curiosity, greed, and sympathy, to do something, you have probably been the target of social engineering attacks, and it is necessary to handle it with caution.

Here are a few examples of the most famous social engineering attacks

A good way to familiarize oneself with social engineering tricks is to examine past attacks. In this section, we will refer to three examples of the most famous social engineering attacks:

An offer that cannot be refused: ask any scammer, and they will tell you that the easiest way to scam someone is to appeal to their greed and desire. In fact, the infamous “Nigerian scam” (419 scam) is built on exactly this. In this scam, a person introducing themselves as a Nigerian prince claimed in an email to their victims that they intended to transfer a large sum of money out of the country, and that anyone who helped them could keep 30% of the amount transferred. The scammer would then ask the victims for money under the pretext of transfer costs and disappear completely once the money was sent.


The “Nigerian Prince” emails were laughed at for a long time because of how strange and ridiculous the story was, but this scam method is actually very effective and has succeeded in many cases. Even in Canada, Nigerian scams occurred frequently and victims fell for them.

Pretending to be someone else to gain trust is one of the simplest and most surprising techniques of social engineering, and it has proven to be one of the most successful. Kevin Mitnick, in one of his early scams, called Digital Equipment Corporation, once one of the largest computer companies in the industry, and claimed to be one of the company’s senior developers who was unable to log into his own account. With this simple lie, he was given a new password and gained access to the company’s servers. This happened in 1979, and you might think things have improved since then, but unfortunately they have not. In 2016, a hacker gained access to one of the email addresses of the US Department of Justice and, by impersonating an employee who claimed to be in their first week on the job, asked the IT department for access to the department’s internet. It was that easy!

Act like a boss: most of us were raised to respect and obey our superiors (or those who behave like superiors). If you act as if you own the company and have access to information that you actually don’t, you can convince others to give you what you are looking for. For example, in 2015, finance employees of the technology company Ubiquiti Networks transferred millions of dollars to the accounts of fraudsters who impersonated the company’s managers through fake emails. In the past, investigators working for English newspapers would call the telecommunications company and pretend to be one of its employees in order to gain access to the voicemails of celebrities.

Sometimes scammers also forge emails from reputable websites and send you a link, asking you to click it to verify the security of your account; you trust the email as if it really came from a reputable company, unaware that the link leads to malware.

Ways to protect against social engineering attacks

Dealing with social engineering attacks can be more challenging than other cyber threats, as humans are involved in this equation. Social engineering techniques such as pyramid schemes, spam, phishing, or even simple scams all aim to deceive their victims by exploiting a “bug” that exists in human hardware and using complex psychological scenarios to persuade victims to reveal their personal information or perform actions that harm them. Every time you are tempted to download free music or software and end up downloading malware, you have fallen victim to a social engineering attack.

Although dealing with social engineering attacks is very difficult, there are tips and methods that can help us protect ourselves to some extent against this type of attack. Here are some of them:

Check the source

Before you respond to a request, think about exactly where it is coming from. Don’t trust any contact without checking the source. You find a USB drive on your desk and don’t know where it came from? An unexpected call tells you that you have won millions? An email from a company manager asks you to provide sensitive information about other employees? All of these scenarios are suspicious and should be handled with caution.


Checking the source is not difficult. Always check the email address in full and make sure it really belongs to the claimed sender. Instead of clicking, first hover your mouse over the link to reveal its real address. If an email you received from a well-known brand or company has spelling errors, it most likely did not come from a legitimate source and is fake. Whenever you doubt the authenticity of an email or message, visit the official website or speak to one of the company’s representatives by phone.

What does a source know?

Does the caller lack information you would expect them to have, such as your full name? If a bank or reputable brand contacts you, they should already have all this information and should always ask you security questions before allowing any changes to be made to your account. If this is not the case, it is likely a fraudulent call and you should handle it with caution.


Break the cycle

Social engineering typically creates a sense of urgency in its victims. Attackers know that if their target has enough time to think and investigate the matter, they may become aware of the scam. Therefore, they always implement a scenario that forces the target to make a decision at the moment. Whenever you encounter such a call, do not rush to respond. Instead of clicking on the link or providing the information the attacker asks for, call the company’s actual number or visit their website to verify the source’s credibility. If a friend or manager of the company asks you to quickly deposit money into their account via email, call them before doing so and make sure that the email was really sent by them.

Ask for their ID card

One of the easiest ways for a social engineer to gain unauthorized physical access is to carry a large box or a stack of files so that they appear unable to show their ID card when entering the building. If you are faced with such a situation, do not fall for this trick, and always ask for identification from anyone who intends to enter the building.

If the attack method is through a phone call, do the same and ask for all the necessary information from the person who called. If you do not know them and do not feel good about giving them information, say that you need to check with someone else and will call them back later.

Use a better spam filter

If the email service you’re using doesn’t filter out all spam, it’s best to use a better spam filter. These filters can identify suspicious sender IPs and check content, attachments, and links against a blocklist, sending anything that matches to your email’s spam folder.
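The manual checks recommended under “Check the source” (read the full sender address, hover over each link to see where it really goes, distrust blocklisted destinations) can be scripted, which is essentially what a spam filter does at scale. The following Python example is added here and is not from the original article or from SPY24; the sample message, its addresses and the blocklist entries are constructed for illustration (all domains use the reserved `.example` TLD), and `analyze_message`, `is_suspicious` and the helper names are the example’s own.

```python
"""Flag the phishing tells the article says to check by hand:
the full sender address (From vs. Reply-To), link text that shows one
address while the href points to another, and link targets on a blocklist.
Added example; the sample message and blocklist are constructed, not real."""
import email
import re
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed blocklist for the example; a real filter would use a maintained feed.
BLOCKLISTED_HOSTS = {"secure-login-update.example", "account-verify.example"}

# Constructed sample message; every domain uses the reserved .example TLD.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@bank.example>
Reply-To: helpdesk@mail-relay.example
To: customer@example.org
Subject: Urgent: verify your acount now
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, your acount will be suspended within 24 hours.</p>
<p>Please <a href="http://secure-login-update.example/verify">https://www.bank.example/login</a>
to confirm your details.</p>
<p>Questions? See our <a href="https://www.bank.example/help">help centre</a>.</p>
</body></html>
"""

# Matches <a ... href="..."> anchor text </a>; good enough for the mail bodies here.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def looks_like_url(text: str) -> bool:
    """True when the visible link text is itself shown as a web address."""
    t = text.strip().lower()
    return "://" in t or t.startswith("www.")


def host_of(url: str) -> str:
    """Lowercase hostname of a URL; bare 'www.x.example/...' is accepted too."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_part(host: str) -> str:
    """Last two labels, a crude stand-in for the registered domain."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_message(raw: str) -> dict:
    """Parse one RFC 5322 message and return the findings a reader would
    otherwise gather by reading the full address and hovering each link."""
    msg = email.message_from_string(raw, policy=default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower()

    findings = {
        "display_name": display_name,
        "from_addr": from_addr,
        # Replies silently going to another domain is a classic BEC/phishing tell.
        "reply_to_mismatch": bool(reply_to) and reply_domain != from_domain,
        "link_mismatches": [],   # (shown text, real href) pairs
        "blocklisted_links": [],
    }

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in ANCHOR_RE.findall(html):
        target_host = host_of(href)
        if target_host in BLOCKLISTED_HOSTS:
            findings["blocklisted_links"].append(href)
        # The text shows one site but the href goes somewhere else: what
        # "hover over the link" reveals, done programmatically.
        if looks_like_url(text) and registrable_part(host_of(text)) != registrable_part(target_host):
            findings["link_mismatches"].append((text.strip(), href))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Overall verdict: any one of the three tells is enough to stop and verify."""
    return bool(findings["reply_to_mismatch"] or findings["link_mismatches"] or findings["blocklisted_links"])


if __name__ == "__main__":
    result = analyze_message(SAMPLE_EMAIL)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", "SUSPICIOUS" if is_suspicious(result) else "no obvious tells")
```

Run it on the constructed message and all three tells fire: replies go to a different domain than the sender, the visible link text names the bank while the href points elsewhere, and that elsewhere is on the blocklist. The spelling errors in the subject and body, which the article also lists as a warning sign, are deliberately left to the reader: a word list is easy to bolt on but says nothing about how the address and link checks work.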

How realistic is the story?

Some social engineering attacks put the person in an emergency situation where they cannot critically assess the situation. If you can investigate in these situations how realistic the situation is, you can avoid falling into social engineering traps. For example, if your friend is trapped in a foreign country and needs money, would they email you or call you? How likely is it that a distant relative you don’t know has named you in their will? Could a bank call you and ask for your account information?


In general, be cautious of any conversation that creates a strong sense of urgency. Say you need time to access information or that you need to ask your superiors. Don’t rush in these situations. Many social engineers will give up after seeing that you’re not willing to cooperate immediately.

Increase the security of your devices

If your smart devices are highly secure, even in situations where social engineering attacks are successful, the attacker’s access to information will be limited. To increase the security of your smartphone, home network, or even a large company system:

  1. Always update your antivirus software so that phishing emails cannot install malware on your system.
  2. Install security patches for your operating system and software as soon as possible.
  3. Do not root your phone or use an administrator account for everyday work on your PC, so that if an attacker gains access to your account, they cannot install malware on it.
  4. Avoid using the same password for different accounts so that if an attacker gains access to one of your accounts, other accounts remain secure.
  5. Use two-factor authentication for critical accounts.

Be careful of your digital footprint

If you have a habit of sharing personal information on social networks, you are a good target for social engineering. For example, one of the security questions for an account may be the name of your pet; if you have posted your pet’s name on social networks, you may become a victim of social engineering. It is recommended that you share your posts on social networks only with your friends and think carefully about the other details of your personal life that you have published on the internet. For example, if you have an online resume, remove your address, phone number, and date of birth from it.


Social engineering is dangerous precisely because it uses very ordinary and seemingly harmless situations to achieve nefarious goals. However, familiarity with social engineering tricks and the precautions against them can reduce the risk of falling into these attackers’ traps.

Final word

Call it what you want: social engineering, confidence trickery, cognitive bias, or fraud. Exploiting people’s simplicity and trust is as common today as it has been throughout history. Ask any cybersecurity expert, and they will tell you that humans are the weakest and most vulnerable link in the security chain. We can develop the most advanced software to protect computer systems, apply the strictest security policies, and train users to the best of our ability; however, as long as we allow our curious and greedy impulses to make decisions without considering the consequences, we may face our own Trojan tragedy at any moment.

There is a famous saying that goes, “A secure computer is a turned-off computer.” It is a clever statement but incorrect. A social engineer can convince you to enter your office and turn on your computer. An attacker who is after your information can eventually obtain it through patience, persuasion, and a charismatic personality. This is known as the art of deception.

The reality is that no technology in the world can prevent social engineering attacks. The only way to defend against attackers who intend to manipulate individuals through deception and tricks is to ensure that all members of the organization are aware that such attackers exist and are trained in how to protect themselves from their tactics. Once you understand all the ways in which your emotions and thoughts can be manipulated in the attacker’s interest, you will be better able to recognise when you are being targeted by a social engineering attack. For this, you can use the SPY24 blog section. You can also read our other articles, such as How to Become a Hacker.

Source of Article: zoomit

Keleis Andre

Keleis Andre is a tech writer specialising in cybersecurity, an author, and a manager at SPY24 Company, working on this and several other GDPR, MDR, and ethical hacking projects. Hacking, social engineering, and security awareness training: my goal is to educate, inform and entertain as I write about my journeys in the tech and cyber space.
