What is social engineering, and how did that come into existence?
Social engineering or “human attack” is a set of psychological and sociological techniques, approaches and methods that make it possible to obtain confidential information.
“Hi! I ended up in a difficult situation. Can you borrow 50 euros?” Have you received such messages on social networks from your “friends”? This means that you have already encountered social engineering. Cybercriminals are increasingly using such techniques to steal valuable data (including your finances) because the human factor is still a weak link in any security system.
Cybercriminals who use these techniques in practice are called social engineers. When trying to access a system or valuable data, they exploit the most vulnerable link: the person. The simplest example is a phone call. An attacker pretends to be someone else, trying to obtain confidential information from the caller, playing on the person’s feelings, tricking or blackmailing him. Unfortunately, many people continue to be hooked on such fishing lines and trustingly tell social hackers whatever they need. And the scammers have a lot of techniques and tricks in their toolbox. We will talk about them a little later.
Nowadays, social engineering has become strongly associated with cybercrime, but this concept appeared a long time ago and originally did not have a pronounced adverse meaning.
People have been using social engineering since ancient times. In ancient Rome and ancient Greece, for example, there was great respect for specially trained orators who were able to convince their interlocutors that they were “wrong.” These people participated in diplomatic negotiations and worked for the good of their state.
By the early 1970s, telephone hooligans began to appear many years later, disturbing the peace of citizens just for fun. But someone figured out that this was an easy enough way to get important information. And by the end of the 1970s, former telephone hooligans had become professional social engineers, capable of masterfully manipulating people, identifying their complexes and fears by mere intonation.
When computers came along, most engineers changed their profile, becoming social hackers, and the terms “social engineering” and “social hackers” became interchangeable.
Good examples of Social Engineering
Sometimes all you have to do is ask. One example is the $40 million theft from The Ubiquiti Networks in 2015. No one hacked into the operating systems or stole data – it was the employees themselves who broke security rules. Fraudsters sent an email in the name of the company’s top executive and asked backers to transfer a large sum of money to a specified bank account.
You may have seen “Catch Me If You Can,” based on the true story of legendary con man Frank William Abagnale, Jr. In five years of criminal activity, his counterfeit checks totaling $2.5 million ended up circulating in 26 countries around the world. While fleeing prosecution, Abagnale showed amazing skills in impersonating a pilot, a sociology professor, a doctor, and a lawyer.
And did you hear how Victor Lustig not only filled the U.S. with counterfeit bills and left Al Capone “fooled” but also sold the Eiffel Tower, the treasure of Paris? (Twice, by the way). All this was made possible by social engineering.
These real-life examples of social engineering show that it easily adapts to any conditions and any environment. By playing on a person’s personal qualities or lack of professional qualities (lack of knowledge, ignoring instructions, and so on), cybercriminals literally “hack” a person.
The most popular methods of Social Engineering
An attack on a person can be performed in many scenarios, but hackers use a few of the most common techniques.
The method of collecting user credentials for authorization is usually mass email spamming. In a classic scenario, the victim receives a fake email from some well-known organization asking him to click a link and log in. To gain credibility, the scammers make up some serious reasons for clicking on the link: for example, they ask the victim to renew the password or enter some information (name, phone number, bank card number, and even a CVV code).
And it seems like the person does everything as it says in the letter, but… he’s caught! The criminals have thought of his every move, which is why they can get people to do what they want.
The virus is named after the Trojan horse from the Greek myth for a reason. Only the bait here is an email message that promises quick profits, winnings, or other “mountains of gold” – but the result is a virus through which attackers steal the data. Why is this type of data theft called social engineering? Because the virus creators know how to disguise the malware, you will surely click on the right link, download and run the file.
Quid pro quo.
Using this technique, the attacker pretends to be a technical support employee and offers to fix problems in the system, although in reality, there are no problems with the software. The victim believes that the problems exist and, following the hacker’s instructions, personally grants him access to important information.
Another technique used by cybercriminals is called pretexting (a scripted action). To obtain information, the criminal pretends to be an associate of yours who supposedly needs your information to perform an important task.
Social engineers pretend to be bank employees, credit services, technical support, or your friend, relative – someone you trust by default. To appear more trustworthy, they give the potential victim some information about her: name, bank account number, the real problem she had previously contacted the service with.
Reverse Social Engineering
The technique aims to get the victim to come to the social engineer himself and give him the necessary information. This can be accomplished in several ways:
Attackers may advertise their services as computer wizards or other specialists. The victim contacts the hacker himself, and the criminal not only works technically but also extracts information through communication with his client.
Implementing special software
At first, the program or system is working properly, but then a failure occurs, which requires the intervention of a specialist. The situation is set up so that the specialist who will be approached for help is a social hacker. By fixing the software, the hacker performs the necessary manipulations for the hack. And when the hack is detected, the social engineer remains above suspicion, telling that he helped you.
How to protect yourself?
If you do not want to become another victim of social engineers, we recommend the following rules of protection:
- Don’t use the same password to access external and corporate (work) resources.
- Install antivirus – all major antivirus programs have built-in malware checks.
- Do not work with important information in front of other people. Scammers can use the so-called shoulder surfing – a type of social engineering when the theft of information takes place over the victim’s shoulder – by peeking.
- Remain skeptical and alert. Always pay attention to the sender of emails and the site’s address where you are going to enter some personal data. If it is a mail on the domain of a large organization, make sure the domain is the same, and there are no typos. If in doubt, contact the technical support or a representative of the organization through official channels.
- Don’t go to suspicious sites or download suspicious files because one of the best social engineering helpers is curiosity.
We hope that our post will help you protect yourself from scammers. We are always ready to share our useful experiences!