Catch Me if You Can: “Delaying” as a Social Engineering Technique in the Post-Attack Phase

Mahla Alizadeh
Published in ACM CSCW
5 min read · Sep 20, 2023

This blog post summarizes the paper “Catch Me if You Can: “Delaying” as a Social Engineering Technique in the Post-Attack Phase” by Fatemeh Alizadeh, Gunnar Stevens, Timo Jakobi, and Jana Krüger. This paper will be presented at the 26th ACM Conference on Computer-Supported Cooperative Work and Social Computing (CSCW 2023). The paper can be read here.


“Amateurs tend to attack machines, whereas professionals target people.” Bruce Schneier

We all know the feeling of frustration that comes with delays, but sometimes, deep down, we’re secretly relieved by them — especially when they shield us from unpleasant realities or events we’d rather not face. It’s a quirky aspect of our psychology, a blend of wishful thinking, fault tolerance, and pro-sociality. But what happens when these very human traits are hijacked by online scammers to further their sinister schemes, even after the scam is already done? A time when compensation is still possible, yet somehow, we’re rendered powerless. Dive into a journey that explores how our psyche can be influenced by skilled deceivers and learn why we need to balance our focus on preventing online crimes with addressing the crucial moments that follow an attack.

As the digital world continues to expand, so does the sophistication of cybercrimes, leaving no security strategy entirely bulletproof. While there is a strong focus on preventing these attacks, there is surprisingly little understanding of what happens once a crime has taken place. This study seeks to explore this overlooked area, shedding light on the aftermath of cybercrimes and its crucial role in enhancing our digital resilience.

Some Key Terms:

Before we dive into our narrative, it’s essential to define two key terms you will encounter throughout this story: ‘social engineering (SE)’ and ‘victims’ vulnerability’:

What are Social Engineering techniques and why do they matter?
SE techniques are fundamentally rooted in the art of deception [1]. These techniques involve utilizing social skills, such as persuasion strategies, to build trust with a victim and then exploiting that trust to execute an attack [2]. As SE techniques continue to evolve, becoming more sophisticated and harder to identify and combat, it is crucial to continuously study them in order to build a robust digital resilience against cybercrime.

What are Victims’ Vulnerabilities and why do they matter?
While anyone can become a victim, certain people are targeted more often because they exhibit specific traits that make them appear more vulnerable. These traits, known as victims’ vulnerabilities, include a predisposition to trust, gullibility [3], and an open, internet-active lifestyle [4]. Understanding these vulnerabilities, which vary from pre-attack to post-attack phases, is crucial for developing targeted support strategies and countermeasures to help individuals recover and build resilience after an attack.

Our Story:

To find out more about the post-attack phase, we took a closer look at 17 personal stories of online scams, focusing on what happened after the crime occurred. What we found was surprising:

Even though it’s really important for the victims to act immediately and take countermeasures against an attack, they often don’t. Instead, they get caught up in the delaying tactics used by attackers, which keeps them in a state of disbelief and ‘good faith,’ causing them to delay their response.

We observed that the victims’ response delays varied, ranging from a few minutes to several months. A notable example is the case of Klaus, a 67-year-old university professor who lost €4,300 by investing in Bitcoin on a fake website. The scammers, in this case, engaged in a series of interactions with Klaus, exploiting operational problems and exceptional circumstances to delay his response and keep him invested in the scam.

We also found that attackers manipulate the cost-benefit evaluation of the victims, making the effort to investigate and respond seem unattractive compared to the perceived benefits (see our paper for more delaying strategies).

Moreover, we identified several victim vulnerabilities exploited in the post-attack phase, including busyness and lack of time, pro-sociality, indulgence and fault tolerance, and wishful thinking. These vulnerabilities often led to a delay in the victim’s response and contributed to the success of the attacker’s delaying strategy.

Key Takeaways:

Here are the key takeaways from our study:

1. Post-Attack Phase is Crucial: The SE process does not end with the attack phase; it includes a post-attack phase where attackers use various delaying techniques, such as pretexting, reciprocal altruism, and establishing an adverse cost-benefit trade-off, to reduce the likelihood of compensation for the victim.

2. Integrative Approach to Victim Vulnerability: Understanding victim vulnerability requires an integrative approach considering both personal factors (e.g., interpersonal trust, prosocial behavior, and wishful thinking) and situational factors (e.g., lack of time). Both these factors influence the victim’s voluntary participation in the post-attack phase and their coping response.

3. Strengthening Digital Resilience: Raising awareness about delaying techniques contributes to strengthening digital resilience. This involves educating people on how attackers try to delay countermeasures, making users aware of how to recognize alerts, clarifying responsibilities and support from external actors, and promoting adaptive behaviors post-attack without victim-blaming.

“Delaying” as an essential post-attack component within the social engineering funnel

Thanks for reading, and we hope to discuss this work with you at CSCW and beyond.

References:

[1] Mitnick, K.D. and Simon, W.L. 2003. The art of deception: Controlling the human element of security. John Wiley & Sons.
[2] Del Pozo, I. et al. 2018. Social engineering: Application of psychology to information security, 108–114.
[3] Clevenger, S. et al. 2018. Understanding Victimology: An Active-Learning Approach. Routledge.
[4] Ohanian, R. 1990. Construction and validation of a scale to measure celebrity endorsers’ perceived expertise, trustworthiness, and attractiveness. Journal of Advertising. 19, 39–52.
