By Reason Cybersecurity
on Thu May 14 2015
We’ve talked a lot here on this blog about viruses and malware and how weak spots in within private systems and networks are vulnerable to attacks. But did you know that some of the easiest and most lucrative methods used by hackers and people with mal-intent don’t even require firing up a PC? Welcome to Social Engineering, described by technnible.com as “The process of gaining information through human, interpersonal, behavioral, and psychological means.”
Or more simply put, it’s the art of being a tech-loving, con artist jerk.
The goal of social engineering is to retrieve passwords and encrypted data such as bank information without traditional hacking and code-breaking which is pretty difficult and can get messy. You have to reach a fairly high level of geekdom to break through SSL certificates and takedown firewalls. Social engineering requires nothing more than a good set of acting skills and no scruples at all. The idea behind any SE campaign is to get the mark to actually give the information away freely. By tugging at heartstrings or confounding people, SE’ers get away with everything traditional technical hackers can without ever having to go past your PC’s GUI.
In fact, social engineering as a preferred method of hacking is on the rise. A 2014 study sponsored by Check Point Software Technologies and Dimensional Research found that 48% of large businesses in North America, Europe and Australia were victims of SE efforts more than 25 times each, resulting in average losses between $25000 and $100000 per incident. And it’s more effective, too. Each July at DefCon, an ethical scammer’s playland, experts gather and test their new and improved methods against some of America’s biggest corporations to see what’s trending in this psychological manifestation of hacking. One competition sets IT hackers against SE hackers. Each one calls or taps into the IT of any one of many major corporations. Neutral judges time how long it takes to get certain pieces of information that could damage their security. Time and time again, SE wins out.
Some Common Social Engineering Tactics
Often times, for a particularly effective one-two punch, SE artists, shall we call them, employ traditional hacking methods as part of their campaigns as well. In fact, some of the most famous and pervasive means of extracting personal information are SE methods mixed with old school malware spreading techniques. Think of phishing emails. We all know to be on guard when getting an email from the Exchequer of the Bank of Africa, imploring us for partnership in return for 100 million dollars. A smart guy or gal like you would never fall for that. But what about the more subtle and emotionally tugging ones like the one a certain ex-boss received from a colleague he hadn’t heard from in a while? All it said was:
I’m writing to tell you I’m dying of cancer. We had a great run.
I’ve set up a fund for Ginny and the kids so they will be covered once I go. You can donate whatever you feel like at this link – http://www.lyingjerkreallyisntdying.com.
At first, the recipient was in shock that his good friend was in such a dire situation. Then he realized he had seen him at a medical conference just a few weeks before and he looked fine. He did some calling around and found that the good doctor wasn’t dying. His email address book had been hacked. The perpetrator, hoping to cash in on the kindliness of others, created a fake website that when clicked on would install malware in the form of trojan of a rootkit. All the impostors needed after he hacked the address book was the name of the victim’s wife to make it more plausible.
This is a classic example of a phishing email. Creating a compelling story and convincing you to act or reveal information are prime tools SE’ers use to lure victims. Heart-wrenching stories, natural disasters, and known plights are used to exploit compassionate people all the time. Then there are emails that construct a sense of urgency, claiming that something will happen to one of your accounts if you don’t act now. Any email you get from PayPal, your bank or even your system administrator needs to be scrutinized before you respond – unless you know with certainty that it’s legit. Avoid all emails that you are unsure of like the plague or they might contaminate your PC with some sort of plague themselves.
Another common form of social engineering, when a scammer gets information out of victims by posing as an authority figure or someone who has more knowledge in their niche than the victim to create obedience. For example, you receive a phone call from a “representative” of your bank saying they need your email address and password to validate your online account. If you think that there is a chance it might be legit, tell the caller that you will call them back. Then look on the back of your bank card or go to your banks’ website and get a phone number from there and call them. Chances are they will have no idea what you are talking about and then you can rest assured you just saved yourself from a hack.
The victim gets an automated call asking them to call their bank via a special toll-free number. If they fall for it and call, the number will prompt the caller to enter in all sorts of personal information and passwords. It’s all recorded and gets back to the person collecting the data. They just got the victims’ first pet’s name, mom’s eye color, and favorite ice cream flavor all on record. Strange enough, those are the answers to just about all of their security questions at their “secured” sites! What a coincidence!
A tactic using both social engineering and traditional malware spreading methods. This model thrives on piquing curiosity. The perpetrator specifically leaves USB drives around office parking lots with provocative titles like “Salary Increases 2016” or “Company Performance Review” in hopes that the lucky finder will pop it into his or her computer. If they do, they unwittingly infect their network with whatever malware is on the key. Curiosity killed the cat, and apparently the network, too.
Social Media-Social Engineering
Most people are completely oblivious to the huge amounts of personal information they post on social networks on a constant basis. Using Facebook, anyone can find out your kid’s names, favorite foods and even about that knitted pink sweater you bought for your dog, Muffy, last week. And with a simple LinkedIn profile, any SE’er can find out where you went to school, what degrees you hold and your entire professional history. Armed with this information, creating compelling malware-packed emails offering jobs or offers crafted for the specific user is easy.
Social media is a hotbed for impostors. It’s nearly impossible to be really sure who is who in this digital landscape so never blindly accept “friend” requests and like your mom said, “Don’t talk to strangers”.
The key to beating social engineering is staying vigilant. Think about each email, call and invite you to get and analyze if it’s legitimate. Tactics never stay exactly the same and that’s why smart people continue to fall for it time after time. Tell your family, friends, and co-workers to be constantly aware of the dangers. Then share this article with all those smart people so they can stay safe too.