Humans Are The Weakest Link In The Cyber Security Chain, And This Is The Basis Of The “Social Engineering” Attack. Follow This Article To Protect Against This Pervasive Attack.
Social Engineering, Naoki Hiroshima was a regular Twitter user like you and me; The only difference was that his Twitter account username was memorable and one-word (N @). Some were willing to pay up to $ 50,000 to buy it. But one day in 2014, Naoki was forced to give its $ 50,000 one-page username to a hacker who managed to get what he wanted with a simple trick.
The story was that the hacker called PayPal customer service to steal Naoki’s Twitter username and pretended to be an employee of another part of the company, taking the Information about the last four digits of the Naoki credit card from them.
He then contacted the domain registration and web hosting company GoDaddy, where the Naoki website was hosted. With four credit card numbers, the hacker asks GoDaddy to reset the password for the Naoki website.
Now the hacker had the power to delete all the Information on Naoki’s website, and this threat was enough for Naoki to agree to give his username to the hacker.
Fortunately, Naoki later recovered its username, but what happened to it was a kind of social engineering attack that has long plagued many Internet users and employees of organizations large and small.
Hackers have often taken control of users’ accounts or poured large sums of money into their bank accounts through role-playing, threats, and other tricks. For many people, the security of online accounts is just an illusion.
What is social engineering?
Although social engineering is a relatively modern term, it is a phenomenon that has existed for a long time since humans began interacting with each other. The philosophy of social engineering is this: You have what I want, and I want to convince you in any way you can give it to me or do what I want you to do, even if it hurts.
In social engineering, it is people’s minds that are hacked, not computers.
The term social engineering was coined by Kevin Mitnick, one of the most famous social engineers of our time (but he has now repented and now works as a cybersecurity expert). Social engineering in modern times and the field of cyber security is the art of deceiving, exploiting weaknesses, and influencing a person to do something to his detriment or access personal and sensitive data in computer systems.
A hacker or social engineer can get what they are looking for by phone, text message, email, infected USB drive, or face-to-face interaction with clever tricks, not by malware and cyberattacks, but only by asking the person who Information is accessible, acquired.
In social engineering, it is the minds of the people that are hacked, not the computer.
In a social engineering attack, the Information that the person did not intend to disclose, without realizing it, is given to the attacker or, under the influence of psychological manipulation, he is encouraged or forced to do something he will regret doing. Put, humans themselves are a security threat and, according to hackers, are the weakest and most vulnerable link in the cyber security chain.
We, humans, make almost 80% of our decisions based on emotion. Since logic plays a minimal role in these decisions, we can understand why social engineering attacks are successful.
History of Social Engineering
The roots of social engineering can be traced back to ancient myths, especially in Greek mythology, from the story of Prometheus, who tricked Zeus into setting fire to humans and the famous Trojan horse, which happened to be named after the most common type of malware.
The story of the Trojan horse is arguably one of the fascinating examples of social engineering. During the Trojan War, when the Greeks were behind the gates of the city of Trojan for ten years, a cunning Greek warrior named Odysseus, a skilled social engineer, devised a plan to allow his comrades to enter the town; Not by force and breaking the city walls, but by the Trojans themselves.
At the behest of Odysseus, Greek soldiers built a giant wooden horse and hid inside it. Later, some left the Trojan ship to make the townspeople think that the Greeks had accepted defeat and retreated.
However, a Greek soldier remained outside the city gate next to the giant horse.
The soldier, named Sinon, told the people of Trojan that the horse was a gift from the Greeks to the gods to save their lives on the way home; This horse was also built so large that the inhabitants of the city could not take it in and the Greeks aboard the ship face with misfortune.
The Trojans were deceived by Sinon’s professionalism and decided to bring the horse into the city to curse the Greek soldiers; Unaware that Greek soldiers were waiting to set fire to the town inside this horse. Due to the social engineering invasion of Odysseus, the Greeks won the war they had lost to the Trojans.
Kevin Mitnick was nicknamed the father of social engineering because he was the one who coined the term social engineering in the world of cybersecurity in the 1990s, after years of using tricks to gain access to Information and psychological manipulation.
Mitnick used Los Angeles buses for free with a social engineering trick when he was just 13 years old and later gained unauthorized access to Digital Equity and Pacific Bells networks. Mitnick’s adventures in the field of social engineering had become so entrenched that when he was finally imprisoned, he was said to be able to “start a nuclear war by whistling from behind the telephone line.”
Social engineering techniques
In “If You Can Catch Me” (2002), directed by Steven Spielberg, Leonardo DiCaprio plays the cunning swindler Frank Ebgenil, who became a millionaire before turning 19 as a pilot and doctor and lawyer. Pockets of dollars. Abigail later used his talent in social engineering to work as a security consultant.
Abigail’s story is very similar to that of Kevin Mitnick, the father of social engineering, because he also decided to use his talent as a cybersecurity consultant by scripting and role-playing to succeed in fraud and unauthorized access to corporate Information and after his arrest and imprisonment. Slowly, the story of social engineers is very similar because the methods they use for their attacks are almost the same. Here are 10 of the most popular social engineering techniques:
Role-Playing
In this standard method, which is the first step in most social engineering tricks, the attacker first investigates the victim to obtain accurate Information, such as date of birth or national code. He then uses this Information to design an imaginary scenario, contact the victim, gain their trust, and play a role (for example, a user who needs help or a manager who immediately asks their employee), asks them for important Information.
To provide. It often starts with a friendly greeting or the phrase “I can take some of your time” and ends with a substantial financial loss at the end of the call, the organization, and the person being targeted.
Deviant theft
Diversion theft occurs both traditionally and online. In the traditional model, the thief uses a social engineering trick to persuade the courier driver to take the cargo to another location and deliver it to someone other than the original recipient. Perpetual theft on the Internet is such that the thief asks one of the target company’s employees to send sensitive and essential data to the wrong person’s email by forging a corporate email.
Phishing
In phishing tricks (fishing in which bait is used to catch prey), the attacker replaces themselves with a trusted person or entity and tries to play sensitive data such as username, password, or related Information by playing a role—access credit cards. Emails claiming to have been sent from reputable websites, banks, auctions, or organizations’ IT departments asking the recipient for their personal Information are phishing social engineering.
Phishing tricks are divided into different types:
- Phishing hook (angler phishing) in which an attacker in social networks create a fake account customer service;
- Organizational email (BEC) in which an attacker replaces one of the organization’s top executives and in an email asks an employee to deposit money into his account or email him sensitive data;
- Pharming, in which an attacker redirects users to a fake and cloned website instead of the original website to steal information entered by the user;
- Spear phishing (spear phishing) is reminiscent of a fishing pole, and the attackers focus only on a particular person to go through the entire system he can penetrate.
- A tabnabbing in which an attacker replaces a user’s browser tabs that have been inactive for some time with malicious content, persuading them to enter their Information into the fake page to access the website.
- Whaling, instead of ordinary users, the attacker goes to senior executives or board members and uses a social engineering trick to steal vital organization information directly from them.
Irrigation pit attack
In the water-holding trick, the attacker goes to a website that the target group trusts and visits regularly. The attacker researches this website to find vulnerabilities. Over time, the target group’s system becomes infected with malware, and the attacker finds a way to infiltrate the system.
Bait
Baiting is a technique in which an attacker puts something seemingly tempting in front of the user’s eyes and tempts him to do something destructive to capture his sense of greed; For example, the malware hides as a link in the free song download button so that the user, thinking that he is going to download his favorite song, downloads the malware designed by the attacker and infects his system. Or, for example, a malware-infected USB drive is left in a public place so that the victim, thinking he has a chance, connects the drive to his system and allows hacker access.
Something else
A “Quid Pro Quo” attack is a method in which an attacker asks a victim to share Information in exchange for a promise of benefit. For example, a hacker puts himself in place of IT backup, calls the employees of the target organization, and says that for increasing the security of the system, it is necessary to install the security patch to which he emailed, unaware that this package contains malware and as soon as it is installed, Allows the hacker to access the system.
Fear software
Scareware is a type of malware that persuades a user to do something by scaring them. The app usually appears in the form of a pop-up alert message telling the user that their system antivirus program needs updating or that malicious content has been discovered on their device that should remove immediately. This fake alert message persuades the user to download the malware and install it on their system; In this way, the hacker succeeds in accessing the user’s system information through social engineering and exploiting the user’s fears.
Nigerian scams
This model of social engineering attack, also known as “419” and “Prince of Nigeria” scams, asks the victim to provide details of their bank account or money to a hacker to transfer large sums of money abroad to them. Help and get a share of this money transfer. Of course, in reality, there is no transfer, and in this way, the scammer accesses the victim’s bank account or takes money from him and then disappears.
The scam takes its name from a similar incident in Nigeria, and some scammers still defraud ignorant and gullible users by claiming to be the prince of Nigeria. The number 419 also refers to a part of Nigerian criminal law that has declared this method illegal.
How social engineering works
The basis of social engineering attacks is the “abuse of emotions.” Many social engineers focus on their victims’ sense of fear, curiosity, greed, and compassion because these feelings are shared by people worldwide, and our response to them is almost the same. Some social engineering attacks occur even without the attacker’s physical presence and only arouse the victim’s curiosity.
In 2007, for example, hackers placed Trojan-infected USB drives in a parking lot in London. Out of curiosity and greed for free means, people unknowingly connected the infected drives to their system and allowed malware on their devices. Install and run.
Social engineers target feelings of fear, curiosity, greed, and compassion
On the other hand, some attackers exploit the victims’ sense of dread, threatening them or extorting money. All malware is known as ransomware. The most popular of which is WannaCry encrypts essential user information and tells them that the only way to reaccess this Information is to deposit money into a hacker account.
In another popular scenario, a hacker randomly sends an email to a large group of users whose emails have been leaked in infringement attacks, telling them that their photos are in the hands of the hacker. If they do not deposit money into his account, the images will publish on the Internet…
Attackers who pretend to need help also arouse users’ sympathy. It can say that most of the people who ask for money from passers-by on the street by telling stories are, to some extent, social engineers.
The tricks that social engineers use to exploit the feelings of their victims often appear in the following ways:
- Malicious links to adult content or download free content, such as songs, movies, software, and games;
- Use female names in the email sender box to gain trust;
- Fake emails that appear to have been sent by banks, online transaction services, or reputable websites. These emails ask the user to click on a link to confirm or update the Information or to steal their login or bank account information;
- Threatening emails that talk about jail time or litigation;
- Significant events such as sporting events, natural disaster forecasts, or breaking news;
- Names of celebrities and exciting reports about their adventures or disgusting behaviors;
- Fake the identity of familiar and trusted people such as family, colleagues, and friends.
The list of these tricks is endless, and you will surely come across some of them on the Internet. Wherever you find that someone has targeted your emotions, especially fear, curiosity, greed, and compassion for doing something, you have probably been attacked by social engineering. It would help if you were treated with extreme caution.
Some examples of the most famous social engineering attacks
An excellent way to learn about social engineering tricks is to look at past episodes. In this section, we will mention three examples of the most famous social engineering attacks:
An offer that cannot reject;
Ask any scammer, and he will tell you the easiest way to scam is to target the victims’ greed. It is the basis of the 419 scams known as the “Nigerian scam.” In the fraud, a man who identified himself as the Prince of Nigeria claimed in an email to his victims that he intended to smuggle large sums of money out of the country and that anyone who helped him could receive 30 percent of the funds transferred.
Could you take it? The scammer then demanded money from the victims under the pretext of transportation costs, and as soon as he sent the money, he disappeared completely.
The “Prince of Nigeria” emails have been a laughing stock for a long time because of the weirdness and ridiculousness of the story, but this scam is effective and has been successful in many cases. Even in Iran, many Nigerian scams took place and took victims. For example, in 1993, more than 700 “Nigerian” fraud cases occurred in Iran, and more than 42 billion tomans were swindled from the people.
Pretend to believe;
One of the most straightforward and surprisingly successful social engineering techniques is putting yourself in the victim’s shoes. In one of his first scams, Kevin Mitnick contacted Digital Equipments, once one of the largest companies in the computer industry, and pretended to be one of the company’s top developers and could not log in to his account. With this simple lie, he managed to get new login and password and access the company’s servers.
It happened in 1979, and you might think things have gotten better since then, but unfortunately, that is not the case. In 2016, a hacker accessed a Justice Department email address and asked an employee of the company’s IT department to provide him with access to the department’s Internet by impersonating an employee and claiming that it was his first week. Simply!
Act like a boss;
Most of us have a laid-back attitude when it comes to painting a picture about ourselves. If you act as if you own a company and have access to Information you do not have, you can persuade others to give you what you are looking for in it. In 2015, for example, the financial staff of Ubiquity Technology Network deposited millions of dollars into the accounts of fraudsters who paid company executives via fake emails.
In the past, inspectors working for English newspapers would call the telecommunications company and pretend to be an employee of the company, allowing access to the voice messages of celebrities.
Sometimes scammers fake emails and reputable websites and send you a link to click to verify your account security for Unaware that this link is infected with malware. You believe that a reputable company sent this email.
Ways to protect against social engineering attacks
Dealing with social engineering may be more complicated than other cyber threats because it involves the human foot. Social engineering techniques, such as pyramid schemes, spam, phishing, or even simple scams, aim to deceive victims through the “bug” in human hardware and set up complex psychological scenarios to convince them of their Information.
Either expose others or do something to their detriment. Every time the temptation to download free music or software tricks you into downloading malware, you are, in fact, a victim of a social engineering attack.
Although it is challenging to deal with social engineering attacks, some tips and methods can protect us against this model of attack to some extent, some of which are as follows:
Check the source
Before answering a request, think about exactly where the call is coming from. Do not trust any contact without checking the source. You find a USB drive on your desk, and you do not know? An unexpected call tells you how many millions you have won? An email from the CEO asking you to provide sensitive information about other employees? All of these scenarios are suspicious and should be treated with caution.
Checking the source of the work is not difficult. Always check the email address thoroughly to make sure it was sent from the original sender. Instead of clicking, first, hold the mouse pointer over the link to display its address. If the text of an email you received from a brand or company is misspelled, it is most likely not sent from a secure location and is fake. Whenever you have doubts about the accuracy of an email or message, visit the official website or talk to a representative over the phone.
What does the source know?
Does it not have the source of the Information you expect it to have, such as your full name? If a reputable bank or brand has contacted you, they should have all of this Information and always ask you security questions before allowing you to make changes to your account. If not, the call is likely to be fake and should be handled with caution.
Break the cycle
Social engineering usually creates a sense of urgency in the victim. Attackers know that if their target has enough time to think and examine the subject, they may notice their deception; Therefore, they consistently implement the scenario so that the target is forced to decide at the moment. Whenever you encounter such a call, do not rush to respond.
Instead of clicking on the link or giving the Information the attacker wants from you, call the original company number or go to its website to check the source’s credibility. If a friend or company manager in an email asks you to deposit money to their account immediately, call them beforehand to make sure that he sent the email.
Ask him for an ID card.
One of the easiest ways to attack a social engineer for unauthorized entry is to have a large box or many files not show his ID card when entering the guard. If you encounter such a scene, do not be fooled by this trick and always ask the person who intends to enter the building for an ID card.
If the attack method was by phone call, do the same again and ask the caller for all the necessary information. Then if you do not know them and do not feel comfortable giving them Information, say you should check with someone else and contact them later.
Use a better spam filter.
If the email service does not filter all spam, it is best to get help from a better spam filter. These filters can blocklist suspicious IPs or check content, identify suspicious files or links, and send them to your email spam section.
How realistic is the story?
Some social engineering attacks put a person in an emergency where they cannot look at the story critically. If you can find out how realistic it is in this situation, you can avoid falling into the trap of social engineers. For example, if your friend is in trouble and needs money, will they email or call you? How likely is it that a distant relative you do not know mentioned you in their will? Can the bank contact you and ask for your account information?
In general, be cautious every time you notice a sense of urgency in a conversation. Say you need time to access Information, or you need to ask your superiors. Do not rush in this situation. Many social engineers give up after seeing that you are not willing to cooperate right away.
Increase the security of your devices
If your smart devices are highly secure, their access to Information will be limited, even if the social engineer has succeeded. To increase the security of your smartphone or home network or even your corporate system:
- Constantly update your antivirus software so that phishing emails can not install malware on your system.
- Install the security patches of your operating system and software as soon as possible.
- Do not run your phone while rooting or networking your PC in administrator mode so that if an attacker accesses your account, it will not be able to install malware on it.
- Avoid using the same password for different accounts so that other arrangements will be safe if an attacker has access to one of your accounts.
- Be sure to use two-factor authentication for critical accounts.
Watch out for your digital footprint.
If you are accustomed to sharing your Personal Information on social media, you are suitable prey for social engineers. For example, one of the security questions of the account may be the name of the pet. If you post your pet’s name on social media, you may be attacked by a social engineer.
It is recommended that you share your posts on social media only with friends and think carefully about other aspects of your personal life posted on the Internet. For example, if you have an online resume, delete the address, phone number, and date of birth.
Social engineering is so dangerous that it uses a standard and seemingly safe situation to achieve evil purposes. However, familiarity with social engineering tricks and caution can reduce the risk of being trapped in the plans of these attackers.
The last word
Name it whatever you want; Social engineering, trust, cognitive bias, or fraud. Abuses of simplicity and confidence are as common these days as they have been since the beginning of history. Ask any cybersecurity expert who will tell you that the weakest and most vulnerable link in the security chain is humans. We can develop the most advanced software to protect computer systems, enforce the strictest security policies, and educate users in the best way possible; However, as long as we allow our curiosity and greed to be decisive regardless of the consequences, we may face our trojan tragedy at any moment.
The phrase “a secure computer is a shutdown computer” is clever but incorrect.
There is a famous saying: “A secure computer is a shutdown computer.” The sentence is clever, but it is incorrect. A social engineer can persuade you to enter the office and turn on your computer. An attacker who seeks your Information can eventually achieve it with his patience, perseverance, and charismatic personality; This is called the art of deception.
The fact is that no technology in the world can prevent a social engineering attack. The only way is for everyone in the organization to be aware of attackers trying to manipulate them psychologically and be educated about what Information is and how to protect them.
Once you better understand how your feelings and thoughts may manipulate the attacker’s interests, you will better realize that you have been attacked by social engineering.