What is Social Engineering? And how does it affect you?

Genius IT
Cybersecurity For Networks
10 min read, May 4, 2020

Introduction

You have probably heard the term social engineering at least once if you work in the security engineering field, or even if you are just interested in cybersecurity in general. Have you ever looked deeper into it? If not, this article will clarify it for you.

Social Engineering

Let’s start with the definition. Social engineering is the act, and the art, of deceiving people in order to steal their personal information. Thanks to it, hackers and cybercriminals no longer require a high level of understanding of programming or hacking techniques to achieve their malicious goals.

Motives range from revenge and reputation damage to selling critical information for large sums of money when famous enterprises and companies are the target. The reasons could also be religious or political.

How is it performed?

In simple words, if I want to hack someone and steal their data, I can simply use psychology to play with their mind. But how do I do that?

Social engineering is mainly done using phishing techniques. The term comes from fishing, the activity of attracting and catching fish by throwing bait into the water (insects, worms or even smaller fish) and then catching them with a net. In our case, phishing is the criminal activity of stealing data from people or companies by tricking them into handing that information over; in other words, you just have to be a convincing actor to achieve your goal, as they say, “Fake It Until You Make It”.

This can be done in several ways; the main attack techniques are the following:

1/ Phishing:

Cybercriminals send malicious emails to their targets. The email asks for login credentials, credit card numbers or other personal information that would benefit the attacker. These emails are crafted to look identical to legitimate emails that you would normally receive from your bank or even from a close friend.

To lure you into trusting their authenticity, cybercriminals usually use a look-alike fake email address and even the name of the bank’s director, and so on, after gathering enough information about your bank. For example: the attacker sends you an email saying that you must access the bank’s website to validate your information because of a system update. The email asks you to click on a link that supposedly leads to the bank’s website; when you do, you are directed to a look-alike website created by the attacker. You enter your login credentials, and the page shows you an error (“try again”). The attacker has already captured your login information, so when you refresh the page you are redirected to the bank’s real website, and you do not suspect a thing.

Malicious emails usually offer things that you want, such as “you won a contest, click the link to claim your reward”, to trick you more easily, especially when the cybercriminal has collected a lot of information about their target and their interests; in that case the technique is called spear phishing.

2/ Vishing or Voice phishing

This technique relies on impersonating trusted people in a phone call to trick the other person into handing over their information.

A cybercriminal can pose as an IT supervisor and call an employee of the company asking for information. The employee obviously would not see it as an attack, since they are just following their supervisor’s orders; with full trust, they would give the attacker all the data they ask for, even sensitive information.

Cybercriminals can also pretend to be a co-worker who is absent for some reason, such as sickness, and ask you, for example, to send them the file of the project they were working on with you.

3/ Smishing or SMS Phishing

This attack is similar to email phishing; the only difference is that the malicious link or message is sent to the target through SMS or social media messaging instead of email. Again, the more information the cybercriminal has on you, the more easily the fraud will get you.

4/ Social media mining

This one is not actually a type of social engineering attack; it is more like the core of all the attacks, the joker, you might say, that boosts the effectiveness and success rate of an attack.

Mining, in the literal sense, is the search for and extraction of valuable minerals from the earth, such as diamonds. Used in engineering, the term has almost the same meaning; the difference is that the valuable minerals extracted by a cybercriminal or hacker are information about people or enterprises. Since social media profiles are mostly public, cybercriminals can easily learn about the target from their profile: their favourite sports or hobbies, their interactions with other people, and their family and friends. Collecting this data simplifies the social engineering attack: with it, the cybercriminal can impersonate you and call your company to deceive them into supplying him with your personal information, and the same goes for your friends and family. The attacker can also use the stolen data to reinforce the phishing attacks we mentioned above.

5/ Man in the middle attack (MitM)

This is more of a cybercrime than a social engineering attack. It involves a cybercriminal listening in on and intercepting, also known as hijacking, the communication or connection between two legitimate parties, for example a person and a website. Cybercriminals pose as the legitimate company or bank and communicate with the target in place of the actual party, without the target knowing it.

A good way to explain it: someone sends a package to their friend, but the package is intercepted by a worker at the post office, who opens it, changes what is inside and sends it on to the recipient (the friend).

6/ Tailgating

Phishing attacks use the internet, so the cybercriminal does not need to be physically present in the attack environment. Another type of social engineering, “tailgating”, relies on establishing human trust to trick people into giving you access to a company’s building or their homes. This is seriously dangerous because a physical attack affects the device immediately, for example by inserting a USB flash drive that installs malware or a virus to infect your device.

Physical access does not even require the cybercriminal to touch the device: he can just look at your computer’s screen and read whatever you are working on. It could be an important secret project that should not be revealed, a password that you wrote down, or even an application that you use; all of this information, and more, is valuable to cybercriminals.

Cybercriminals can also be people you do not pay attention to, such as friends or visitors in a company, or even competitors ready to sniff out and steal your business secrets when they get the chance.

As an example, if the cybercriminal posed as a delivery agent, he could easily infiltrate the company by sweet-talking employees (“could you hold the door for me?”) and getting them to leave their desk, then check their computer and take all the data he desires.

A cybercriminal can also simply start a conversation with an employee and trick them into divulging information about the company or even about themselves; after all, attacking the employee is also attacking the company.

7/ Ransomware

Ransomware encrypts your data and demands a ransom in exchange for the key to decrypt it. Note that there is absolutely no guarantee that the cybercriminal will give you the key after you pay the ransom; therefore, you should not pay anything or fall for their tricks. The best practice is to remove your hard disk and report the issue to the security department: your data can be retrieved if they find the key for it, and sometimes the cybercriminal gives it away too.

Impact and examples

Social engineering attacks cause great damage to people and companies. Not only do they cause huge financial losses to companies and individuals, they also carry a reputational risk: a company’s image will be damaged after such security breaches, especially if the company was responsible for security.

The CIA attack conducted by 15-year-old Kane Gamble is one of the most famous social engineering attacks. Gamble used phishing to access the email accounts of CIA Director John Brennan and James Clapper, Director of National Intelligence, then used vishing (voice phishing, over the phone) to get information about Brennan and impersonate him, which gave him access to highly sensitive military documents and intelligence operations in Iraq and Afghanistan. Gamble had all his computers seized and was sentenced to 2 years of detention in 2018.

Another attack with a huge impact was the Yahoo security breaches. The first occurred in 2013, followed by another in 2014 that compromised over 1 billion user accounts; the estimate rose to 3 billion accounts by 2017.

The attack was a simple spear phishing attack targeting privileged engineers who worked for Yahoo. The stolen data included email addresses, names, dates of birth and other details.

Hackers also used the breach to forge login data so they could access these accounts without using passwords. The compromised data was then sold on the dark web.

Yahoo was shamed and criticized publicly until they resolved the issue. Their sales also decreased from $4.8 billion to $350 million, which is huge.

These two examples demonstrate the need to prevent these attacks from spreading further and affecting security. But how do we do that?

Prevention

It may seem complicated to stop and eradicate social engineering attacks, but there are several ways to fight them. To create an efficient strategy against a problem, we should always analyze it and gather data first. In social engineering the main focus is human psychology; in other words, humans are the critical factor for these attacks to occur. Therefore, we should mainly focus on spreading awareness about social engineering, which can be done in many ways, such as the following:

Passwords

Each individual should have a strong password and, at the very least, two-factor authentication to access their data. A password should never be shared with anyone at all or written in any document, whether physical or electronic; otherwise it would no longer be a password.

Another good practice is to use different passwords for different websites and applications; in that case, if a hacker gets one of them, your other data stays protected.

Emails

Emails should be verified entirely: look for grammar mistakes, check that the email address is correct and that the domain is truly the one you expect this message to come from. If there is a link, hover the mouse over it to check that it is not fake, without clicking on it, of course.

Emails from unknown sources are best discarded and not opened. If everything seems right and you still have doubts about the authenticity of the email, check with the person who sent it by calling them and confirming.

It is also good to use different email addresses for different purposes; for example, your professional email address should not be the same as the one you use for your online games.

Even if this practice is not 100% safe and guaranteed, it can prevent some breaches and alert the user.
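The two email checks described above (is the real sender address on the domain you expect, and does a link point where its text says it does) can be automated. The following is an added example, not code from the original article; the expected domain, the sample message and the helper names are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_SENDER_DOMAIN = "example-bank.com"  # constructed: the domain you expect the mail from
# Simple anchor matcher; a production tool would use a real HTML parser instead
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_LIKE_RE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.I)

def host_of(s):
    """Lower-cased host of a URL or bare domain (scheme added if missing)."""
    s = s.strip()
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def check_email(raw, expected_domain):
    """Apply the checks from the text and return a list of warnings (empty = nothing found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    # 1. Is the real sender address (not just the display name) on the expected domain?
    _, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain != expected_domain:
        warnings.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")
    # 2. "Hover over the link": compare what each link shows with where it really goes
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, inner in LINK_RE.findall(body.get_content() if body else ""):
        target = host_of(href)
        text = re.sub(r"<[^>]+>", "", inner)
        shown = host_of(text) if DOMAIN_LIKE_RE.search(text) else ""
        if shown and shown != target:
            warnings.append(f"link text shows {shown!r} but points to {target!r}")
        if target and target != expected_domain and not target.endswith("." + expected_domain):
            warnings.append(f"link goes to unexpected host {target!r}")
    return warnings

# Constructed sample resembling the bank scenario described earlier (not a real message)
PHISHING_SAMPLE = """\
From: "Example Bank Security" <security@example-bank.com.evil-domain.test>
Subject: Validate your information
Content-Type: text/html

<p>Please <a href="http://example-bank.com.evil-domain.test/validate">https://www.example-bank.com/validate</a> now.</p>
"""

if __name__ == "__main__":
    for w in check_email(PHISHING_SAMPLE, EXPECTED_SENDER_DOMAIN):
        print("WARNING:", w)
```

On the constructed sample this reports three warnings: the sender domain, the link text that does not match its real target, and the unexpected link host.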

Internet

The internet is a big threat nowadays; if you cannot protect yourself at least minimally, you can fall for hackers’ scams and fraud. Therefore, you should always think of ways to protect your data: keep your applications updated, install an effective antivirus and do not access any suspicious website without verifying its address. Note that security applications will not protect you 100%, but they will reduce the damage.

Defense against Social Engineering in companies

In addition to what we mentioned above, companies should define security charters that every employee must respect; these charters should specify all the best practices for preventing security breaches and attacks.

Companies must also limit access to their private data, and even to the areas where this sensitive data is stored, to authorized employees and users only.

Employees inside a company should not leave their desks without closing their user applications, accounts or sessions. They should also not share their PCs with anyone; if it is necessary, they can always add a user or a guest account with limited access.

On the other hand, since everything is digitalized, computers and IT devices have become essential in our lives, and companies use what is called BYOD, “Bring Your Own Device”, to encourage employees to use their personal computers and other IT devices at work. Consequently, accessing the company’s files and data from your own device makes them more vulnerable to security threats, because those devices are not secured: they may not have any software installed to achieve even minimum security. Devices provided by the company, on the other hand, are managed by IT security professionals; they are kept updated and hardened for employees to use, and any security breach or problem can be reported to the security department and handled by them quite effectively.

Moreover, it is necessary to train employees to be aware of social engineering and its impacts, through open days and free courses offered by the company.

Conclusion

Humans are like doors through which cybercriminals access protected data and perform malicious acts. Therefore, whether you are in a company, at home or outside, you should always stay alert and resilient, because security is everyone’s business.

Written by: Meriem OUADAH


IT graduate and geek culture enthusiast. Mission: explaining IT concepts and issues, IT news, criticism and thoughts, web dev tips and high tech (news/tips).