Wikipedia defines social engineering as “the practice of obtaining confidential information through the manipulation of legitimate users. It is a technique that certain people can use to obtain information, access or privileges in information systems, allowing them to perform an act that harms the person or organization they set out to abuse.”
In other words, social engineering is the discipline of manipulating people in order to hack them. It exploits the fact that, in any system, the human factor is the weakest link.
By creating the right context, an attacker can manipulate a person into handing over important personal information. For example:
“Good morning, we are calling from your bank branch. We have detected a problem while trying to process a payment on your credit card. Would you be kind enough to confirm your details so we can try again?”
Cybercriminals who employ social engineering techniques rely on the basic principles described by Pablo Iglesias in his post “The 6 basic principles of social engineering”:
- Reciprocity
- Urgency
- Consistency or custom
- Trust
- Authority, used as a route to impersonation
- Social validation or need for collective approval
These principles start from the premise that human behaviour is fairly predictable: if the target is approached in the right way, the desired information can be obtained.
The main incentive for scammers who use these techniques is their simplicity and low cost. Security consultant Kevin Mitnick put it this way: “It’s easier to trick someone into giving you their login password to a system than to make the effort to hack it.”
Types of social engineering attacks:
- Phishing:
One of the simplest and best-known attack types, and still very successful. The attacker sends emails or links to fake websites that impersonate a trusted party (a bank, a service provider or the company’s own system administrator) and asks the user to enter or confirm their password for an apparently legitimate reason.
- Vishing:
Fraudulent telephone calls (voice phishing), for example posing as a survey, a bank or technical support, aimed at extracting private information without the victim suspecting anything.
- Baiting:
The attacker loads removable media (CD, DVD, USB drive) with malware and leaves it in a public place where it will easily be found. Whoever finds it may fall into the trap and plug it into their computer, which installs the malicious software and gives the attacker access to the user’s personal data.
- Smishing:
Theft of personal data by SMS: text messages aimed at mobile devices that carry a link or a phone number the victim is urged to use. It is phishing adapted to the mobile channel.
- Social Networks:
The growth of social networks, and of the information we share on them, attracts a large number of cybercriminals. They usually present their frauds as offers and bargains that direct users to fraudulent websites asking for their data, or for authorization to access their social profiles. Another lure is games or contests in which only the scammers win.
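The phishing, smishing and social-network lures above all depend on a link that looks trustworthy but is not. The following Python script is an added example (not code from the original article) that triages the links in a message the way a mail filter or an analyst would: it extracts each anchor, compares the displayed text with the real destination, flags non-ASCII or punycode hostnames, and checks the destination against a list of domains the organization expects to link to. The protected-domain list, the sample HTML message and the two-label approximation of the registrable domain are constructed assumptions for the example; production code should use the Public Suffix List instead.

```python
"""Link triage for a suspected phishing message (added example, constructed data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: domains this organization legitimately links to in its mail.
PROTECTED_DOMAINS = ["example-bank.com", "example.com"]

# Constructed sample message using the "card payment problem" pretext.
# \u0430 is a Cyrillic "a", visually identical to the Latin letter.
SAMPLE_HTML = """
<p>We detected a problem while processing a payment on your card.</p>
<p>Please <a href="http://example-bank.com.verify-login.net/confirm">confirm your details</a>
within 24 hours or your account will be locked.</p>
<p>Help centre: <a href="https://ex\u0430mple-bank.com/help">https://example-bank.com/help</a></p>
<p>Mobile app: <a href="https://examp1e-bank.com/app">example-bank.com</a></p>
<p>Official site: <a href="https://example-bank.com/">example-bank.com</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, displayed text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def levenshtein(a, b):
    """Edit distance, used to spot typosquats such as examp1e vs example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def displayed_host(text):
    """Hostname the anchor text claims to point at, if it looks like a URL."""
    m = DOMAIN_RE.match(text.strip())
    return m.group(1).lower() if m else None


def triage_link(href, text):
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return findings
    shown = displayed_host(text)
    if shown and registrable(shown) != registrable(host):
        findings.append(f"shows {shown} but points to {host}")
    if not host.isascii():
        findings.append(f"non-ASCII hostname, punycode {host.encode('idna').decode('ascii')}")
    elif any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode hostname")
    reg = registrable(host)
    for good in PROTECTED_DOMAINS:
        if reg == good:
            continue                      # genuine domain or one of its subdomains
        if good in host:
            findings.append(f"{good} embedded in {host}")
        elif levenshtein(reg, good) <= 2:
            findings.append(f"{reg} looks like {good}")
    return findings


def triage_message(html):
    """Return {href: [findings]} for every suspicious link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: f for href, text in parser.links if (f := triage_link(href, text))}


if __name__ == "__main__":
    for href, findings in triage_message(SAMPLE_HTML).items():
        print(href)
        for f in findings:
            print("   -", f)
```

Three of the four links are flagged: the first hides the real registrable domain behind a familiar prefix, the second uses a homoglyph (and its punycode form is reported so it can be blocked), the third is a one-character typosquat whose displayed text does not match the destination. The genuine link produces no findings.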
Strategies that make a social engineering attack succeed:
- Familiarity:
The attacker takes advantage of the trust people place in their closest circle (family and friends) and impersonates one of them.
- Hostility:
They exploit the human tendency to avoid people who seem angry or upset. How? By creating a hostile situation that generates enough stress for the victim to answer questions without resistance, just to make it stop.
- Infiltration:
A strategy widely used by attackers is to get into the recruitment process of the company they are targeting. This puts them close to the victim and lets them gather information first-hand, since SMEs do not usually check candidates’ backgrounds in depth.
- Non-verbal language:
Mastery of non-verbal language helps scammers establish a stronger connection with their victims. Details matter: the rhythm of breathing, a smile, noticing that the person seems nervous and reassuring them. They will then be more receptive to giving up personal information.
- Sexuality:
Playing on sexual desire is an almost infallible manipulation technique, since the target lowers their defences and their perception is distorted.
Well-known figures linked to social engineering:
- Kevin Mitnick:
The most famous computer hacker in history, nicknamed “Cóndor”; he also called himself “the ghost in the wires”. After serving time in prison he reformed and moved into security consulting.
- Christopher Hadnagy:
Author of one of the first theoretical frameworks for the principles of social engineering. An American security consultant focused on this field, he has published three related books: Social Engineering: The Art of Human Hacking, Unmasking the Social Engineer and Phishing Dark Waters.
- Mike Ridpath:
Security consultant, author and well-known speaker, and a proponent of social engineering techniques such as “cold calling”. He made his name in talks where he played recordings of calls and demonstrated live which techniques to use to obtain passwords or sensitive information from users.
- David Pacios:
Developed the concept of applied social engineering, which separates cases of digital fraud from the study of social hacking. He published a book entitled Applied Social Engineering: First Line of Defense, and is also known for his lectures on human hacking and commerce on the deep web.
- Badir Brothers:
Ramy, Muzher and Shadde Badir, three brothers blind from birth who ran a telephone and computer fraud scheme in Israel during the 1990s using social engineering, voice imitation and computers with Braille displays.
Social engineering and the risk to the business sector:
Although social engineering affects both individuals and companies, attacks increasingly focus on business targets, large corporations and SMEs alike.
The objectives of these attacks can be classified as:
Fraud: obtaining money from the victim without using violence.
Infection: getting malicious software onto the victim’s device.
Credential theft: through deception, the victim hands over their access codes to certain digital services.
An industry report published in 2015 revealed that social engineering attacks are targeting middle management and senior executives most intensely. Why? Because they are much more lucrative targets, as Richard De Vere, a social engineering consultant and pentester at The AntiSocial Engineer Limited, explained at the time.
Another comment from Richard De Vere to SC Magazine, in an ironic tone, shows the problem clearly: “If you are preparing a phishing email, LinkedIn is a gold mine where you can get the data on middle managers and senior executives. Automated tools can quickly make a list of hundreds of email addresses, with user data and their VPN / OWA / Active Directory credentials.”
Companies therefore need to become aware of the problem. Well-designed strategies help reduce the risk of this type of attack.
How to prevent your company from falling victim to a social engineering attack?
- Design and implement a security protocol to mitigate the risks
- Run attack simulations that put your prevention measures to the test
- When an attack does occur, alert employees immediately; the emotional impact helps raise awareness
- Run ongoing campaigns reinforcing the established security protocols
- Encourage a culture of discretion: educate staff on the importance of not disclosing sensitive information to strangers or in public places
- Train staff to detect possible fraud, identify the suspect and, where possible, turn the situation around to obtain as much information as they can about the attacker
- Perform audits and penetration tests that use social engineering to find security holes and remedy them
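Two of the measures above, running attack simulations and auditing with social engineering, need a way to tell which employees clicked a simulated phishing link without letting anyone pollute a colleague’s results. The Python below is an added example, not code from the original article or from any simulation product: each recipient gets a link carrying their id and an HMAC tag over that id, the landing page’s access log is parsed, requests with a missing or forged tag are discarded, and click rates are reported per department so reinforcement campaigns can be targeted where they are needed. The campaign key, staff list, landing URL and log lines are all constructed for the example.

```python
"""Per-recipient click tracking for an internal phishing simulation (added example)."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

CAMPAIGN_KEY = b"constructed-campaign-secret"             # hypothetical, one per campaign
LANDING_URL = "https://training.example.internal/alert"  # hypothetical landing page

# Constructed staff list: recipient id -> (email, department)
STAFF = {
    "1001": ("ana@example.com", "finance"),
    "1002": ("bo@example.com", "finance"),
    "2001": ("cy@example.com", "engineering"),
    "2002": ("di@example.com", "engineering"),
    "2003": ("ed@example.com", "engineering"),
}


def sign(uid):
    """Short HMAC tag binding a tracking link to one recipient id."""
    return hmac.new(CAMPAIGN_KEY, uid.encode(), hashlib.sha256).hexdigest()[:16]


def tracking_url(uid):
    """Link embedded in the simulated phishing mail sent to recipient uid."""
    return f"{LANDING_URL}?u={uid}&t={sign(uid)}"


LOG_RE = re.compile(r'"GET (\S+) HTTP/1\.[01]"')


def clicks_from_log(log_text):
    """Count valid clicks per recipient from access-log lines.

    Requests with an unknown id, a missing tag, or a tag that does not verify
    (someone edited u= to a colleague's id) are ignored.
    """
    clicks = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        q = parse_qs(urlparse(m.group(1)).query)
        uid = q.get("u", [""])[0]
        tag = q.get("t", [""])[0]
        if uid not in STAFF or not tag.isascii() or not hmac.compare_digest(tag, sign(uid)):
            continue
        clicks[uid] = clicks.get(uid, 0) + 1
    return clicks


def click_rates(clicks):
    """Fraction of recipients per department who clicked at least once."""
    per_dept = {}
    for uid, (_, dept) in STAFF.items():
        sent, clicked = per_dept.get(dept, (0, 0))
        per_dept[dept] = (sent + 1, clicked + (1 if uid in clicks else 0))
    return {d: round(c / s, 2) for d, (s, c) in per_dept.items()}


def _path(url):
    u = urlparse(url)
    return f"{u.path}?{u.query}"


def _line(ip, when, path):
    return f'{ip} - - [{when}] "GET {path} HTTP/1.1" 200 512'


# Constructed access log: two clicks by 1001, one by 2001, one request where
# u= was changed to a colleague's id while keeping the original tag, one
# unknown id, and an unrelated request.
SAMPLE_LOG = "\n".join([
    _line("10.0.0.5", "12/Mar/2024:09:14:02 +0000", _path(tracking_url("1001"))),
    _line("10.0.0.9", "12/Mar/2024:09:20:45 +0000", "/alert?u=1002&t=" + sign("1001")),
    _line("10.0.0.5", "12/Mar/2024:09:21:10 +0000", _path(tracking_url("1001"))),
    _line("10.0.0.7", "12/Mar/2024:10:02:33 +0000", _path(tracking_url("2001"))),
    _line("10.0.0.8", "12/Mar/2024:10:05:00 +0000", "/alert?u=9999&t=0000000000000000"),
    _line("10.0.0.8", "12/Mar/2024:10:05:01 +0000", "/favicon.ico"),
])

if __name__ == "__main__":
    clicks = clicks_from_log(SAMPLE_LOG)
    print("clicks:", clicks)              # {'1001': 2, '2001': 1}
    print("rates:", click_rates(clicks))  # {'finance': 0.5, 'engineering': 0.33}
```

The HMAC tag is what makes the numbers trustworthy: a recipient who forwards the mail or edits the id in the URL cannot produce a valid tag for anyone else, so the tampered request in the sample log is dropped rather than counted against a colleague. The per-department rate, not the individual names, is what should feed the reinforcement campaigns.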
Since the main asset of any company is its people, in many cases the human factor poses a greater risk than a technical failure. That is why it is important to give staff the training and the right tools to apply the company’s cybersecurity policies correctly.
The statistics on this subject show that these threats should be taken seriously. If your company does not have the required technical staff, Syneidis can help you audit your systems and design your risk prevention protocols.