tags
·
Phishing
Social engineering plays an important part in a significant
number of cyberattacks, however big, small or sophisticated the crime is. In
fact, as ESET’s senior researcher David Harley has previously observed, it has “been a constant all through the
life of internet security”.
But what is it exactly? In its broadest sense,
social engineering is about psychological manipulation – getting people to do
things you want them to do. For example, you could socially engineer a parking
warden to avoid a parking fine, or play up your employer’s ego for a salary
rise.
In the context of cybercrime, social engineering is
widely described as being a non-technical tactic used by hackers to gather
information, conduct fraud or gain illegitimate access to victim computers.
Social engineering relies on human interaction and involves tricking people
into breaking the security procedures that they would usually follow.
“Social engineering is
about psychological manipulation.”
Common social engineering attacks include phishing
emails, vishing (phone calls from people who falsely claim to be from a
respected organization), and ‘baiting’, where legitimate looking USBs are
loaded with malware, after which time the creator simply waits for the user to
plug it into their machine.
Social engineering can also extend to business and
friend requests on LinkedIn and Facebook respectively, with criminals using social networks to gain trust and secure data. More often than
not, the end result is either extortion or theft.
This includes ‘diversion theft’ (stealing something
to steal something bigger later) and tailgating (piggybacking people into
secure areas that should ordinarily be off limit). One convicted fraudster even
used social engineering to escape from prison
in the UK recently. The fraudster used an illicit mobile phone to create a fake
email account, posed as a senior court clerk and then sent his ‘bail
instructions’ to prison staff. He was mistakenly released but later handed
himself in.
Cybercriminals will use these kinds of attacks for
a variety of reasons, as documented above. It’s certainly an effective weapon
in their arsenal, allowing them to steal privileged credentials, infect people
with malware
or to get them to pay for useless and dangerous scareware. Most of the time,
their ultimate aim is to steal money and data – or to assume the identity of
the victim.
It’s easy and cheap to do – renowned security
consultant Kevin Mitnick once said that it was easier to trick someone into
giving a password for a system than to spend the effort to crack into the
system.
With all this in mind, we look at five things you
should know about social engineering.
1.
It’s physical
and digital
Social engineering is an age-old con in all walks
of life, so it would be wrong to think that this is either new or only seen in
the online world.
In fact, social engineering has long since been
used in the ‘real’ world. There have been numerous examples of criminals posing
as fire marshals, technicians, exterminators and cleaners, with the sole
purpose of entering company buildings and stealing company secrets or money.
It was only later, sometime in the 1990s, when vishing become popular, with email phishing sometime after that.
2.
The quality
varies
The quality of social engineering scams varies
wildly. For every sophisticated
social engineer sending authentic-looking phishing emails or doing
vishing calls, there will be countless others with poor English, conflicting
stories and confusing information.
You’ve probably already come across a number of
these yourself: from dubious emails from a ‘Nigerian bank’ to others promising
that you’ve won the lottery in some other country, there are ample examples of
pitiable attempts of fraud.
3.
Countries are
doing this
At a very high-level, nation-states are actively
engaging in social engineering campaigns, or at least using them as part of
much more sophisticated advanced persistent threat (APT) attacks. This kind of
online espionage plays an important role in the cyber efforts of countries like
the US and China, as a Wired feature revealed.
“APTs are often reliant on
old-fashioned social engineering in order to get an initial foothold on a
system.”
“While the term APT suggests sophisticated
malicious technology, APTs are often reliant on old-fashioned social
engineering in order to get an initial foothold on a
system,” Mr. Harley recently commented.
“Preferably a system that belongs to someone relatively
highly-placed in the organization so that they have access to sensitive data,
whether the intruder’s objective is fraud or espionage.”
4.
You probably
won’t notice an attack
The worrying thing about attacks like this is there
is no immediate warning, no clear sign that you are under attack or have been
compromised. There is no pop-up asking for bitcoins (like with CryptoLocker
and other ransomware), or a scareware ad asking you to download an application
or call a service centre.
Most of the time, the criminals conduct their
attack, steal your details and disappear. And if it’s data theft, you may never
know of the compromise, let alone if your details are being sold illegally on the
dark web.
5.
Social
engineering is big in enterprise
Social engineering affects all of us, but it is
increasingly being used by fraudsters to target enterprises and
small-and-medium-sized businesses – 2014 has even been described as they year
that cybercriminals “went corporate”.
One industry report from earlier this year revealed
that social engineering is now being used to target middle managers and senior
executives. Why so, because they are “goldmine”, explained Richard De Vere, a
social engineering consultant and penetration tester at The AntiSocial Engineer
Limited, at the time.
“If you’re putting together a phishing email,
LinkedIn is a goldmine of middle managers and C-level executives,” he told SC Magazine. “Automated tools can quickly pull together a
list of hundreds of email addresses – together with user data and
VPN/OWA/Active Directory credentials.”