Security is often relaxed when a level of trust exists between two (or more) parties. But what happens if the entity you trust is not who they say they are? Social Engineering is a psychological technique and attack vector used by cyber criminals to trick victims into providing sensitive data such as usernames, passwords, and other personally identifiable information. Whilst the methodology itself is not new, the use of Social Engineering has risen dramatically to become one of the most deployed attacks in an ever expanding arsenal available to a cyber criminal.
How does Social Engineering work?
The type of Social Engineering attack deployed varies dependent on what information the cyber criminal requires in order for their campaign to be a success. The most common method by far is to lure the user to a fake webpage, and have them enter their username and password. The user never actually logs into the particular site, and often sees either a blank page, or an error of varying description. What has actually happened here is that the cyber criminal has convinced or conned the target through Social Engineering into entering their username and password of their own free will – unwittingly providing it to the cyber criminal in the process. The attacker is then able to access a myriad of other services with the same username and password.
We as humans are creatures of routine and habit, and will often use the same credentials for multiple services. The most common of these services is email. Bearing in mind that Facebook, for example, asks you to log in with an email address (although this is not mandatory – you can define a username), this is one of the most successful ways that an attacker can obtain access to multiple systems by reusing the same set of credentials.
Given that the typical user recycles credentials as a method of remembering passwords, the cyber criminal can then log in to your email account, and gain access to other financial and transaction based information. Using this platform as a base, an attacker is then able to compromise other services such as PayPal, Amazon, and many more with little effort – all thanks to your email address and password. Even if the criminal does not know the password for the account they want to compromise, they have access to your email and can use that to reset it. Social Engineering attacks are becoming more prevalent in today’s landscape – below are the most commonplace methods used as a way to entice users to provide information they normally wouldn’t.
Email from a friend or relative
The cyber criminal uses the same Social Engineering techniques to compromise a friend or relative’s Facebook account (as an example). Using the information obtained (traditionally through fake links, or by befriending someone the victim knows as a way of extracting information), the attacker is then able to target other users from friend lists, addresses from email accounts, and much more. The email looks like it was sent from someone the victim knows, and as a result, the recipient is more likely to interact with the attacker without too much suspicion. Once the attacker gains trust and confidence, they typically send emails containing links or attachments for the unsuspecting friend to click on or open. Once this activity takes place, the new recipient’s machine is typically infected with Malware. Now the attacker not only has control over your machine, but also has access to your social media accounts, internet banking, email, and much more. Your machine can also then be used to infect others in much the same way as you were compromised.
Another widely used form of attack based on this method is to send an email purporting to be from someone the intended target knows, then leverage the pretence of being in trouble, having lost their passport, been mugged, and so on. Each of these attacks has the same end goal – to extract personally identifiable information that can be used to commit other types of financial fraud. Another scam that is gaining in popularity is the survey or donation to a charity – typically asking you to enter financial details to make a payment.
In this scenario, the attacker sends an email, instant message, text, or any other transport considered valid and popular under the guise of a trusted company, college, school, bank, and many more – even utility companies such as electric, gas, and cable / satellite TV are known to have been used. The Social Engineering used in these campaigns is typically much more convincing – for example, warning you that you are in arrears with your bank, have not paid your electricity or phone bill, or need to approve a trip for your child. All of these campaigns are particularly effective, as each requires you to enter a multitude of personally identifiable information. The campaign usually arrives in the form of a specially crafted email containing links that, when clicked, will compromise the target’s PC, install Malware, and attempt to extract other vital information to commit other crimes – your machine could also then form part of a DDoS network of bots that can lie dormant for months before taking part in a sustained attack on someone else.
Other examples of Social Engineering in the form of phishing emails are tax rebates, lottery wins, tickets to concerts, the millionth person to visit a site, and a lot more. In fact, the potential is limitless when you consider the desired result – if you can convince someone to part with sensitive information of their own accord, then the possibilities of further compromise are much greater. If committed in smaller chunks, compromise can be difficult to detect unless you check bank statements frequently. Out of the majority of attacks, the most successful are those that appeal for donations to disasters that have occurred in another country, political movements and campaigns (very effective near or during an election), or whichever charity is trending on Twitter and is gaining attention. An example of a phishing message is shown below.
This type of Social Engineering campaign is similar to phishing, but typically targets a specific user or organisation with a view to extracting valuable information that can be used to provide the necessary fuel for propaganda, blackmail, or other criminal activity. This type of attack is not random, and is often very personal in nature. Spear phishing campaigns appear to come from legitimate sources such as banks, PayPal, eBay, and various others. Success in this form of Social Engineering usually gives rise to attacks of a similar nature on others, as it provides the perpetrator with the ability to masquerade as a legitimate source. As an example, an employee may be asked by a fake entity such as an HR department to log in to a malicious website and provide sensitive information, or an IT Administrator is duped into providing credentials. Using this detail, the attacker is then able to extract information from other sources, usually resulting in financial fraud or a data breach. An example of Spear Phishing is shown below.
Corporate Whaling (CEO Fraud)
Whaling is another type of Social Engineering that is typically targeted at financial institutions. Similar to phishing in style, the attack usually targets someone with access to financial information and resources (typically identified from company website biographies of directors). Using a variety of other methods (such as LinkedIn, Facebook, Twitter and many more), the criminal is then able to choose another target that in this case will become the “transferee”. The cyber criminal sends an email to the transferee posing as a member of C-level staff, asking for a wire transfer to be completed. Typically, they will cover their tracks by adding that they are in a meeting, and cannot talk at present. This prevents the transferee from picking up the phone and asking for verification – primitive, but incredibly effective.
This technique is also known as CEO fraud, and has been extremely successful of late. CEO fraud has had a massive financial impact for businesses all over the world. According to information supplied by the FBI, overall losses resulting from this newer Social Engineering attack have cost companies more than $2bn (£1.43bn / €1.81bn) within a two year period. Whaling messages look like the below.
This type of Social Engineering is often used by a cyber criminal as an incentive based attack. Examples include peer to peer (P2P) sites or torrent links offering downloads of the latest game or album, amazingly great deals on eCommerce sites (Amazon), auction sites (eBay) and several others. To avoid suspicion, the seller has an immaculate rating – in fact, lovingly created ahead of time by the cyber criminal as part of the campaign. In these cases, the seller doesn’t exist, and you will end up paying for something you’ll never actually receive. In the case of downloading from P2P websites or torrents, your machine is very likely to become infected with malware cunningly disguised as legitimate software, or injected as a result of a drive-by download.
Another form of baiting is for individuals to be targeted with SMS messages and phone calls from fake insurance companies asking you if you want to make a “claim for the accident you had”. This type of Social Engineering has been around for a while, and is still surprisingly effective – despite the target being fully aware that they never actually had an accident, they often unwittingly part with information that is useful to a cyber criminal looking to target an individual. If you become a target of such a campaign, the worst thing you can do is actually interact – don’t be tempted. Most of these SMS messages tell you to text the word “STOP” in order to not receive any more messages. In fact, doing so is likely to actually cost you. The most recent form of baiting via Social Engineering is the fake Microsoft caller who informs you that they have found an issue with your computer, and will then offer to fix it via a remote session. Instances of this type of fraud have led to bank accounts being emptied, Malware installed on target machines designed to collect personally identifiable information of interest, and blackmail.
The last form of baiting relies on human nature and curiosity rather than an actual Social Engineering technique. The cyber criminal leaves a USB stick containing Malware in a publicly accessible place, such as a car park, shopping mall, lift, or library. Someone will typically find this device, and be curious as to what is on it. Most Malware can execute simply by plugging the device into a machine, which in turn, infects that host and provides a mechanism for remote control. This in itself can turn the target machine into a bot without the owner’s knowledge, and can also become a fountain of information waiting to be extracted.
This type of Social Engineering attack has been around for a number of years, and attempts to trick the user into believing that their machine has been infected with Viruses and Malware. In fact, the message displayed on the screen is fake, and as soon as the user clicks it, their machine really does become infected. Users without sufficient knowledge are far more likely to follow the on-screen instructions, as they have been “scared” into believing that they have inadvertently downloaded illegal content or material, or that their machine has been infected. The attacker in this case offers the victim a solution to resolve their issues – the rest is history. Scareware typically looks like the below.
This form of Social Engineering involves one person or party lying to another in order to gain sensitive and privileged information. A good example of this would be the online dating scammer who needs personally identifiable information in order to commit identity fraud and financial theft. The methods used in such attacks vary dependent on the type of deception, but typically involve SMS, email, phone calls, and dating websites. The main element of this campaign is trust. Once the scammer obtains the trust of the target, a whole range of possibilities emerges. As a point of interest, dating scams have their very own category, known as “Catfishing”.
Raising awareness of Social Engineering
Below is the result of a very recent phishing test I personally conducted:
- 142 users did not open the message, and just deleted it.
- 101 users opened the message, decided it was fake, and either reported it to IT, or just deleted it.
- 20 users went as far as to click the links in the messages themselves.
This was in fact harmless in this case, but if it were a real attack, the consequences could have been much worse than a simple “you’ve been naughty” reminder.
- Out of the 20 users who did actually click the links, only 4 reported this issue to IT. It’s important to remember that anyone can make a mistake, but if you do click a link in a suspicious email, you should inform IT or your local security officer immediately.
As you can see from the above, there are several campaign types and methods used by cyber criminals to extract information from a target. In order to avoid such instances, care needs to be taken when receiving emails, texts, instant messages, or even clicking links in websites. An attacker relies on the fact that as humans, we tend to respond quickly without considering the impact to our privacy, or personally identifiable information.
Can you prevent Social Engineering?
In all honesty, no. Our nature can mean we are very trusting, and if someone we think we know asks us for help, money, personal information, and virtually anything else, we are likely to provide that information in the belief that we are helping a friend or relative. One of the best ways to stay safe is to exercise caution. If you are asked for information that appears out of the ordinary, call that person and ask if they actually requested it – it is very likely they didn’t. The same applies to emails containing links – they may look like they are from someone you know, but can be quickly dismissed as fake if you consider the manner in which the email is written. For example, there may be poor grammar, and the use of words that you know your friend or relative wouldn’t typically use. Another common type of phishing is the fake Facebook email. If you do not use a particular email address for social media, but suddenly receive a friend request message, are you likely to click the link? Sadly, most people actually still do this.
My advice?
Whilst this is becoming increasingly more difficult to spot, there are still some clear markers that make these messages stand out from those that are truly legitimate:
- Watch for the general language and tone being used. Would the person being “impersonated” really speak that way, or use grammar like that?
- If you are using a PC, look at the sender name – if it is accompanied by the email address in brackets, then it has not originated from our Office 365 platform. Unfortunately, iPhones do not have this ability, making it even harder to spot fake messages – in this case, you should question anything that “doesn’t look right” and report this to your local IT or designated security officer immediately.
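The sender check above can also be automated on the mail-filtering side. The script below is an added example, not code from the original post or its Office 365 setup: it parses a message’s headers, flags any sender outside the organisation’s own domain (the “name with the address in brackets” cue), flags a display name that matches a known colleague but does not use that colleague’s address, and, going one step beyond the post, flags a Reply-To domain that differs from the visible sender, a common marker of the CEO fraud mail described earlier. The domain `example.com`, the directory of names, and the three sample messages are all constructed assumptions.

```python
# Added example (not part of the original post). Flags e-mails whose
# sender does not match what the display name suggests. The domain,
# directory entries and sample messages are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed directory: lower-cased display name -> the address it should use
DIRECTORY = {
    "jane doe": "jane.doe@example.com",
    "it helpdesk": "helpdesk@example.com",
}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(raw_message: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Sender is outside our own domain (the 'name <address>' cue from the post).
    if addr and _domain(addr) != INTERNAL_DOMAIN:
        findings.append("external sender: %s" % addr)

    # 2. Display name belongs to a colleague, but the address is not theirs.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and expected != addr.lower():
        findings.append("display name impersonates internal user %r" % name)

    # 3. Replies would go to a different domain than the visible sender's.
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append("reply-to domain differs from sender: %s" % reply_to)

    return findings


# Constructed sample messages (only the headers matter for these checks)
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Lunch\n\nSee you at 12.\n"
SPOOF = ("From: Jane Doe <jane.doe@freemail-example.net>\n"
         "Subject: Quick favour\n\nAre you at your desk?\n")
CEO_FRAUD = ("From: IT Helpdesk <helpdesk@example.com>\n"
             "Reply-To: helpdesk@mail-example.org\n"
             "Subject: Password reset\n\nPlease confirm your details.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF), ("ceo_fraud", CEO_FRAUD)):
        print(label, check_sender(raw) or "ok")
```

Running the script prints no findings for the legitimate message, two for the spoofed friend (external sender, impersonated display name) and one for the helpdesk message (Reply-To on another domain). In practice the directory would be fed from the real address book and the findings used to tag or quarantine mail rather than printed.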