Hot Mamas In My Area? Thanks, But No Thanks

Here’s how not to fall for cheap social engineering tricks in the online world.

Dariusz Kruć
G2A.COM
6 min read · Apr 23, 2021

I bet you have that one friend who would happily click such a link without thinking twice. We all consider ourselves smart and witty folks, so falling for this is not our thing, right? Kind of wrong. Plenty of people each day get fooled by this social engineering method (also known as sociotechnology) and this will be the topic for our article.

Wait, but what is that? You can find a precise, if not somewhat of a yawn-inducing definition in places such as Wikipedia, but I want to focus on the practical side of things here. To me, social engineering is a form of craftsmanship and art, allowing us to hack the human mind. It is an interdisciplinary field, as it encompasses social sciences, such as psychology, pedagogy and sociology. Most importantly, it works well as a tool to support purely technical, IT-oriented hacking activities.

The aura of a dark, mysterious art

Social engineering is considered manipulation by some. Others might perceive it as the art of persuasion or influencing. Lots of people, specialists included, view this as something evil and destructive. This bad rap grants social engineering the status of something mysterious and exclusive, encouraging some to study its intricacies. Many others get discouraged, rendering them more susceptible to these techniques, since they don’t really know what they should defend themselves against.

Source: I found it on the Internet

I think social engineering shouldn’t be demonized. Just like everything else, it has its rules, and if you understand them, you can protect yourself from it.

The whole concept is based on deep understanding of the ways human mind operates and what its weaknesses are. Social and cognitive psychology are particularly useful here.

Psychology is something I find fascinating. Not only did it help us get closer to understanding how our minds work, but it also analyzed our behaviors and what drives them, and the inner workings of our emotions as well. And those emotions are key to success here.

Irrational gaze

The stronger and more primal an emotion — let’s say lust, fear or greed — the better the chances of successful manipulation. Emotions are crucial in our lives, and good social engineers know how to use them to their advantage. They can make us act on the spur of the moment and do something we would never do if we were able to think twice.

Remember: your emotions can be used against you. But there is another important component, and it’s called the cognitive bias.

Simply speaking, it’s an irrational perception of reality. There are many examples, very common ones, too. What makes them so dangerous is the fact that we tend to think we’re not affected by them. This is itself a type of cognitive bias, called the bias blind spot. It’s so easy to fall into the trap of thinking that this does not concern us, because we’re too smart for that, even though research shows otherwise.

People who think they’re immune to social engineering may not believe that beauties anxious to meet them abound in their neighborhoods. But they might also be unable to resist the urge to check out the flash drive they just found lying on the floor and see what’s on it.

I believe that in order to truly learn from the cognitive bias research, you need a decent amount of humility. Otherwise, it’s hard to realize what mistakes we make and why, how to avoid them and defend ourselves against manipulators.

Cognitive bias types — a rundown

How many are there? The answer may surprise you: there are quite a lot of them, and many are yet to be defined by scientists.

Here’s just a couple to give you a general idea:

  • The self-fulfilling prophecy — kind of like perpetuum mobile. Our thoughts influence our behavior, which in turn confirms our way of thinking and further affects our actions. This bias can have two forms: positive (called the Galatea effect) or negative (the Golem effect). The former is when you believe your professional work matters, for example, so you put more effort into it, improve your skills, help others and receive praise in return. But if you believe the opposite, that what you do is pointless, then you stop trying and gradually get worse, at one point becoming unable to help others.
  • The planning fallacy — a typical human trait is to fail terribly at estimating the time and resources required to achieve a certain goal. Usually we take only perfect conditions into account, forgetting that a lot can go wrong. I, for one, thought I’d finish this article much sooner than I actually did… (Editor’s note: I also thought I’d edit it much sooner…)
  • The confirmation bias — this is when you search for information and then interpret it in a way that confirms your current beliefs. You may also ignore or forget the stuff that contradicts your expectations.

Soft skills in hard tech

Now that we know the basics and the whole concept of social engineering is somewhat less magical, a question arises: how is it all related to hacking and IT in general?

After all, it’s a “soft science,” as opposed to “hard” computer science. The way I see it, the two complement each other nicely. There’s hardly a more dangerous hacker than a skilled IT specialist with excellent soft skills, especially persuasion and rhetoric. As IBM found out, the human factor is responsible for a whopping 95% of successful cybersecurity breaches. In other words, if we could completely eliminate that factor, 19 out of 20 breaches would never have taken place!

Here’s a couple of examples of what social engineers might do to succeed:

  • Planting USB flash drives infected with malicious software in various places — the curiosity of the employees will surely kill the cat;
  • Impersonating IT service employees to gain trust;
  • Sending phishing e-mails to get employees’ login details, or luring them into opening malicious attachments or downloading infected files — sadly, people do not pay enough attention to analyzing the messages they receive;
  • Gathering intel on the weaknesses of target employees, and using it to manipulate them — we all have our soft spots that can be used against us;
  • Using distractions, such as drawing an employee’s attention to other topics, so that they miss the real threat.

The key takeaway here is that all it takes for a criminal to succeed is just one mistake on our part, so we need to be vigilant at all times.

How can you defend yourself against socio-tricks? Here’s some advice:

  • If someone learned the ways of social engineering, so can you. You are not defenseless; you can gain the same knowledge and skills.
  • Be aware of the threats that lurk out there, as well as your own weaknesses. This will help you greatly.
  • Try not to act on strong emotions.
  • If in doubt, verify. Do not hesitate to contact a security specialist if needed.

So, next time you see a link to hot mamas in your area, a letter from a prince of an exotic country who wants you to inherit his fortune, or an amazing job offer (“Employers hate him! He earns thousands of dollars a week without even trying!”), inhale. Exhale. Rinse and repeat. Next, do something better instead.


Dariusz is a Security Support Specialist at G2A.COM — the world’s largest marketplace for gamers & geeks. A huge fan of new technologies, psychology and games.