Beware of Social Engineering Attack
She’s pretty, single and her messages are as exciting as her name. And before the recipient of their friend request on Facebook knows it, they’re constantly texting each other short, seductive messages. Some days also long, very intimate e-mails. It’s really insane how much he and his casual online acquaintance have in common. He feels safe and genuinely understood for the first time in years. And this despite the fact that they have never met in person. Fate brings some people together – and others fall for a scammer. This is social engineering and in this article we will discuss about social engineering attack. Please beware of Social Engineering Attack.
Without even thinking about it, the victims give away confidential information from work or transfer money to someone they don’t know. Social engineering makes people want to do something they never really wanted to do.
Contrary to what you might assume, social engineering is not a motivational technique, but a particularly sophisticated form of fraud. We explain what social engineering is, whom it can affect and how you can protect yourself from it.
The idea of social engineering originally came from philosophy. Karl Popper created the term in 1945 and initially used it to describe sociological and psychological elements for improving social structures. Popper’s principle is essentially based on the fact that humans can be optimized like machines.
In the 1970s, Popper’s followers added some psychological sleight of hand to his theory. However, their goal was not to steal data – they wanted to get people to work together better and be more health-conscious. Strictly speaking, this is also manipulation – only the goal is different. In general usage, however, we now understand social engineering as the fraudulent form of subliminal influence.
While the method remains true to its philosophical roots, social engineers motives have changed significantly. If you understand how people trick, you can manipulate them with a little tactics and a little more criminal potential. The scammers often slip into the role of an acquaintance, a trustworthy tradesman or pretend to be from a bank or even the fire department. This is how the perpetrators gain trust and often sensitive data.
In short: social engineers try to exploit people for their purposes. One of the most famous social engineers is the hacker Kevin Mitnick. The sheer number of break-ins into other people’s computers soon made Mitnick one of the most wanted people in the United States.
He is said to have broken into some of the most secure networks in the US hundreds of times. He is also said to have spied on the Ministry of Defense and even the NSA. In his book The Art of Deception, Mitnick writes that social engineering leads to the desired information much more quickly than purely technical methods. Instead of developing spy software, Mitnick programs the will of his fellow human beings.
In the digital age, fraudsters also use this tactic on the Internet. It mostly starts with an email, sometimes with a message via a social network. The classic method is the phishing mail, which lures people to a perfectly fake website. If you enter your data there, you pass it on directly to the criminals. Sometimes the cyber criminals play on their victims’ curiosity and send emails with a link that supposedly leads to a greeting from an acquaintance. Instead of a nice message, a malware download awaits the user after the click.
Example: Robin Sage
A prominent example of social engineering via social networks is the case of Robin Sage: Sage was young, beautiful – and fictional. In 2010, US IT expert Thomas Ryan created a social media profile with the photo and interests of an attractive young woman. Ryan’s fictional character has ranks of military, industrialists and politicians entwined and elicited confidential and highly sensitive information from them. None of those affected had ever met Sage in person.
On social media alone, Ryan sent messages so believable and seductive that his victims didn’t suspect it — and chatted openly. But Ryan was less concerned with the captured data. He wanted to expose humans as a security gap, which he impressively succeeded in doing.
What does human hacking mean?
Since the social engineers have recognized that people can be influenced as a security gap, IT experts also speak of human hacking. Instead of a computer, a person’s psyche is hacked and information is elicited from him in way unnoticed that he actually did not want to reveal. In addition, the manipulations can also lead him to do things that he actually would not have done. To put it bluntly, people are a serious security risk during virus scanners and firewall scan protect the IT system very well, users can still be manipulated.
The Federal Criminal Police Office therefore also speaks of the “human weak point”. While a computer works purely rationally, humans are also guided by their emotions. Some researchers assume that almost 80 percent of our decisions are made based on feelings. Our mind therefore has little say in many cases and that is exactly what human hacking exploits.
That’s why social engineering occurs practically everywhere where people are the key to money or interesting information. In this way, state institutions and authorities can be manipulated and spied on just like corporations or private individuals. According to a study by the IT industry, digital industrial espionage, sabotage or data theft cause damage of millions of dollars every year. In addition to money, it is not uncommon for ideas or secret data to be stolen. And all without the issuer knowing anything about the scam.
Why do people fall for the scammers?
In view of the sometimes horrendous sums that the fraudsters swindle, one question arises: What makes a person let themselves be duped in this way?
First of all: You don’t have to be naïve to become a victim of social engineering. In 2015, a US student pretended to be an IT expert to some CIA employees and thus obtained important access data. For three days he had access to the CIA director’s email account. The ironic thing is that, unlike the National Security Agency (NSA), one of the CIA’s main focuses is gathering information from humans. Accordingly, CIA employees are very familiar with the principle of social engineering.
What psychological mechanisms are behind it?
What makes social engineering so successful is the relative predictability of human thought and behavior. In essence, social engineering exploits certain basic properties: In a study, psychologists Myles Jordan and Heather Goudey identified 12 factors on which the most successful cases of social engineering between 2001 and 2004 were based.
These include: inexperience, curiosity, greed or the desire for love. These are very basic emotions and personality traits that can sometimes even reinforce each other. So the perpetrators have an easy time. It is an important basis for social engineering that people are gripped by their emotions and that reason has no part in the decision.
Example: The Russian Bride scam
This becomes particularly clear with the example of the so-called Russian Bride scam: it specifically targets Western and Central European single men. In spam e-mails, young, mostly very attractive Russian women seduce men into forwarding goods or foreign money or meeting with them. In the hope of finding love or at least a quick love adventure, the men unwittingly take part in money laundering and smuggling. Many victims even lose their assets in this way.
With requests like “I can only visit you if I get the right papers, but everyone here is corrupt. Send me money for the documents and lawyers.” the perpetrators flatter themselves directly into the wallets of their victims. Later they also ask for money for the trip or new clothes. They use their victims’ assets until they become suspicious – or are destitute. But not only the intentions of the young women, but also their existence is often a deception: instead of a Russian woman willing to marry, men of all ages from different countries of origin are often the senders of the seductive messages.
What do the attackers know about the victims?
In order to turn someone into an ignorant accomplice, scammers use very different approaches. Knowledge of the future victim also varies. With classic spam, the scammers know nothing about their victims. This method is based on the sheer mass of emails working like a giant driftnet. Given the large number of addressees, there is a high probability that the perpetrators will net some victims.
Other methods, on the other hand, are more reminiscent of fishing for a very specific type of fish: targeted and with the knowledge of which bait the fish will bite at. Such specialized phishing campaigns are also called spear phishing, since the perpetrators choose their victim very specifically, just like spearfishing. If the fish is slightly larger, such as a senior executive at an international company, experts also speak of whaling – the hunt for a whale. The knowledge about the victims depends above all on the hoped-for prey.
A mixture of offline and online efforts is what is known as dumpster diving: the scammers search through the target person’s rubbish to find out as much as possible about their behavior, interests and life situation. Baby diapers, medicine boxes or boxes from the pizza delivery company?
Social engineers can derive important information from such supposed trifles. X-raying a person on social media platforms is much more convenient than rummaging through garbage cans. In public posts, likes or photos, thoughtless users present their personality to the perpetrators on a silver platter and make it easy for scammers to ingratiate themselves with fake similarities.
Suggested Reading:
- What is DDoS attack and How it works?
- 10 Command Prompt Hacking Tips
- Understanding VPN and How to use it?
- How to identify phishing emails?
- SSL/TLS Vulnerability Fix for Nessus Scanner
- Complete Solid State Drive (SSD) Guide
- Different Types of Processor Socket in Motherboard
- Social Media : The first and easiest step to becoming more secure is to think critically about who you choose to share private content with on social media.
- E-mail : If you are careful, you can at least protect yourself from very obvious manipulation. For example, if the sender of an e-mail is unknown and not sure how they got the address, you should be suspicious. Or contact the sender by phone and clarify what the suspicious message is all about.
- Telephone : The same applies to callers: You should not entrust sensitive data to anyone you do not know.
- Links : Do not open links that are intended to take you to a login page. It doesn’t matter what’s in the email. Ideally, you should save important pages such as the start page of your online banking portal or your favorite shopping pages as bookmarks and use them to log in. This way you can quickly determine whether it is a genuine email or an attempt at fraud.
- Prizes : And even if someone promises you a prize or a lot of money, common sense should kick in. After all, hardly anyone has anything to give away – especially not to a total stranger. Never respond to such text messages, emails or calls.
- Security software : With the prevention of spam and reliable phishing protection, the risk of falling for it can be significantly reduced.