The Art of Social Engineering

Feature Article

How the malicious actors of the web use cunning and deceitful tricks to victimise essentially everyone online

It is a sort of wizardry performed by anonymous and mischievously clever people sitting behind computer screens. Every feature of the internet works in their favour. It lets them veil their identities and impersonate others quite convincingly, and carry out underhanded deeds that can go unnoticed for a long time. Whether the target is a youngster scrolling through their Facebook feed or an ill-informed employee pocketing a lost and seemingly harmless memory stick, the manipulation of human trust is now a risk that everyone online has to reckon with.

In the context of cybersecurity, social engineering refers to the way bad actors psychologically manipulate people into handing over personal data, or taking other actions, that expose them to further attack. It is about how hackers and other adversaries play on human emotions and trust to get people to do whatever they are instructed to do.

There are various techniques malicious actors use to trap their prey; phishing, pretexting, baiting and tailgating are just a few of them. Charming crooks use these techniques against a broad range of people. Typically, the most rewarding victims are those who are oblivious to cyber threats. People who ignore irritating software updates, resist installing performance-draining antivirus software, or even leave their firewall off, are the easiest targets. Businesses and corporations are suffering from the trickery too. At the start of the year, the FBI reported that thousands of US companies had lost $740 million to targeted spear-phishing scams since late 2013.

The tricks and traps have moved on from the classic emails from a mysterious “Nigerian Prince” in desperate need of financial assistance. Many of the methods used now are far more sophisticated and increasingly effective, and social engineering is on the rise alongside that sophistication. It is a lucrative business, and those in the security realm know it. Interpol, the international police agency, lists social engineering fraud as one of the world’s emerging fraud trends. Cyberspace becomes more treacherous as the human hacker comes into their own.

The Science of Human Hacking

The temptations dangled in front of naive internet users have an interesting scientific basis. Social engineering focuses on cognitive biases: systematic errors in thinking that affect a person’s decision-making. These biases are sometimes referred to as ‘bugs’ in a human being’s ‘hardware’, and they are what malicious actors exploit when they set out to fool users on the internet. They may try to build a certain level of trust and assurance with a user, or inject a sense of urgency or panic into the scenario. “This all releases certain chemicals in our brain that allow us to take an action we perhaps shouldn’t take,” explained ‘Human Hacker’ Chris Hadnagy.

From there, the bad actors can manipulate users into doing just about whatever they ask. If they can build an apparently meaningful relationship, or capture the attention of the users they aim to trap, deploying an attack and extracting private or confidential information becomes straightforward. In a sense, hackers are hacking the brain to make internet users do things they might otherwise have thought twice about.

Ultimately, this mischievous art exploits the most vulnerable part of any network or computer system: the human being. Because people are prone to mistakes and misjudgements, social engineering is one of the more dangerous security threats to businesses big or small, as well as to governments and anyone else who uses the internet. In theory it may seem easy to see such an attack coming, but the array of techniques available makes attacks hard to spot.

Phishing For Clicks

Despite its unusual spelling, phishing is very much what one might expect it to be. Figuratively speaking, it involves hackers throwing a baited line, in the form of emails or messages, into a sea of millions of internet users and patiently waiting for someone to take the bait.

Hackers may begin by collecting a range of email addresses to send fraudulent messages to. They have also sent messages via social media, often to greater effect, since younger users may be more trusting. Overall, the aim of the game is to send authentic-looking emails to users who are likely to open them and, ideally, click on the links provided. The layout of the emails or messages may resemble that of a real company or government entity. It may contain recognisable logos or signatures, and more sophisticated scammers use wording that reflects that of a banker or politician. In addition, the messages may be built around significant dates or events, or around breaking news stories.

All this is meant to appear compelling. To ensure that the user actually engages with the fraudulent email or message by opening an attachment or visiting a website, the content gives them an apparently good reason to do so. For example, an email may falsely tell its recipient that they have missed a court hearing and have been fined as a result, and that the fine must be paid by a specific date. The mention of money, an important event and a time limit can spark panic, encouraging the agitated user to hastily click on malicious links or infected attachments. From there they may be asked to enter payment details to pay the supposed fine. At this point, a user may not stop to consider the irregularities of the process (a court would not issue such a fine by email). Instead, they hand over information in a rush, which makes for a successful phishing campaign for the hackers patiently waiting on the other side of the line.

Cybercriminals send out millions of phishing emails in the hope of catching out just a few thousand recipients. Email providers have become better at identifying spam, diverting it to a dedicated folder where it receives the least attention and is less of a nuisance. Some messages still slip through: the criteria used by spam filters cannot always spot a fraudulent email when the sender address looks unremarkable and the content is not obviously suspicious. Spear phishing campaigns often have exactly these characteristics, and are among the more effective messages at bypassing filters. Extensive research into individuals or companies is carried out before they are sent, to ensure the message looks of interest to the recipient. Social media sites and other public sources give criminals the material to fool users more easily. Emails relating to a user’s favourite sports team, for example, are more likely to receive attention and engagement. Names of friends, schools attended, holidays taken and places visited are all researched and put to use. Such information makes these targeted emails more convincing, and therefore more dangerous.
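The filter criteria described above, as an added example that is not part of the original article or any vendor's product: a small Python scorer that applies the kind of checks a spam filter uses (display name versus sender domain, Reply-To mismatch, link text versus link destination, pressure language) to two constructed messages. The brand table, weights, threshold and both messages are assumptions for illustration. The crude 'court fine' mail scores 7 and is flagged; the researched spear-phishing mail, which borrows no brand and applies no pressure, scores 0 and passes, which is exactly the gap the paragraph describes.

```python
"""Heuristic phishing scorer for raw email messages.
Added example for this article, not the author's code or any product's filter.
Brand table, weights, threshold and both sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumed table: brand keyword seen in a display name -> domain it should send from.
KNOWN_BRANDS = {"courts": "gov.uk", "hmrc": "gov.uk", "paypal": "paypal.com"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "final notice",
                   "overdue", "suspended", "prosecution", "fine")
FLAG_THRESHOLD = 3  # assumed: at or above this, treat the mail as phishing

# Constructed sample 1: mass phishing in the 'missed court hearing' style.
MASS_PHISH = """\
From: HM Courts Service <notice@hmcourts-payments.com>
Reply-To: collections@mail-relay.xyz
To: victim@example.net
Subject: URGENT: Unpaid court fine - final notice
Content-Type: text/html

<html><body><p>You failed to attend a hearing and a fine of &pound;250 is
overdue. Pay within 24 hours to avoid prosecution.</p>
<p><a href="http://hmcourts-payments.com/pay">https://www.gov.uk/pay-court-fine</a></p>
</body></html>
"""

# Constructed sample 2: researched spear phish; no brand, no pressure, plain text.
SPEAR_PHISH = """\
From: Dave Miller <dave.miller1984@webmail.example>
To: victim@example.net
Subject: Photos from Saturday's match
Content-Type: text/plain

Hi Sam, great result for the Reds on Saturday! I put the photos from the
stand in a shared folder: http://photos-share.example/album/7731
Say hi to Jo and the kids.
"""

class _LinkParser(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host_or_url):
    """Reduce 'https://www.gov.uk/x' or 'login.gov.uk' to 'gov.uk' (two-label approximation)."""
    m = re.match(r"(?:https?://)?([^/:\s]+)", host_or_url.strip(), re.I)
    labels = (m.group(1).lower() if m else "").split(".")
    return ".".join(labels[-2:])

def sender_domain(header_value):
    """Registrable domain of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return registrable_domain(addr.rpartition("@")[2])

def _body_text(msg):
    """Concatenate decoded text parts (works for single-part and multipart mail)."""
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")

def score_message(raw_message):
    """Return (score, reasons); score >= FLAG_THRESHOLD means treat as phishing."""
    msg = message_from_string(raw_message)
    findings = []  # (weight, reason)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(msg.get("From"))
    # 1. Display name borrows a brand, but the address is not on that brand's domain.
    for keyword, legit in KNOWN_BRANDS.items():
        if keyword in display_name.lower() and from_dom != legit:
            findings.append((2, f"'{display_name}' sends from {from_dom}, not {legit}"))
            break
    # 2. Replies go to a different domain than the one the mail claims to come from.
    reply_dom = sender_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append((1, f"Reply-To {reply_dom} differs from From {from_dom}"))
    # 3. Anchor text shows one site while the href leads somewhere else.
    body = _body_text(msg)
    parser = _LinkParser()
    parser.feed(body)
    for href, text in parser.links:
        if re.match(r"https?://", text, re.I) and registrable_domain(text) != registrable_domain(href):
            findings.append((2, f"link text says {registrable_domain(text)}, goes to {registrable_domain(href)}"))
    # 4. Pressure language in subject or body, capped so it cannot flag a mail by itself.
    content = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in URGENCY_PHRASES if re.search(r"\b" + re.escape(p) + r"\b", content)]
    if hits:
        findings.append((min(len(hits), 2), "pressure language: " + ", ".join(hits)))
    return sum(w for w, _ in findings), [r for _, r in findings]
```

Call score_message on raw message text and compare the score with FLAG_THRESHOLD. The weights are deliberately skewed towards structural signals (a borrowed brand, a mismatched link) because pressure language alone is common in legitimate mail; the cost is that a well-researched message with none of those signals passes, so a filter like this is a backstop for user awareness, not a substitute for it.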

Of the millions of emails sent, millions can still get through spam filters and into inboxes, and millions of those are opened. The number of links clicked or attachments opened is far smaller (more like thousands), but still enough for online criminals to do their dirty work. Thousands of credit card and bank details, passwords and a host of other sensitive information are stolen. What cybercriminals do with it afterwards is unpredictable, but the trickiness of phishing and its damaging effects are clear. In 2015, Ponemon Institute, a think tank, reported that the average cost of phishing to a company was as high as £2.4 million. Businesses big and small are all subject to this highly disruptive trickery. Yet it is not the only potent form of social engineering that can cause havoc in cyberspace.

Digital Mouse Traps

Besides phishing, baiting is another way cybercriminals victimise the innocent. Unlike most other techniques, this branch of slyness uses the physical world to trap its prey. It involves leaving malware-laden USB flash drives, CD-ROMs or, in the past, floppy discs in places where they are easily found. The hope is that someone will stumble across one and, out of curiosity, pocket it and plug it into their laptop, PC or other device.

What looks like a lost piece of technology waiting to be claimed may carry malicious software ready to infect any computer it is connected to. Cybercriminals may add the branding or logos of familiar companies to fool potential victims, and label the device as containing important or intriguing information, such as ‘Employee Salaries’ or even ‘Top Secret’. A finder might keep the device for themselves, or hand it to the business they believe it belongs to. At first glance it is essentially impossible to tell whether it contains malicious software or not; there are no flashing warning lights. This lets cybercriminals persuade passers-by that the device’s contents are harmless yet intriguing, encouraging them to take action.

Once the device is plugged in, malware is installed quietly. Modern operating systems no longer run programs automatically from removable media, so this usually needs the finder to open a file on the drive, unless the device is built to present itself as a keyboard and type commands the moment it is connected. The malware may allow cybercriminals to read files on the machine or take control of the operating system. The victim is hacked without knowing it. Furthermore, the victim, whether an individual or a company, may be unaware of the malware on their systems for a long time. Barring antivirus or anti-malware programs identifying it, it is detected only when the cybercriminals make a mistake or when the victim stumbles on it or notices unusual behaviour on their systems. The dire consequences of what seems an insignificant act (picking up a lost flash drive) are usually wholly unexpected. That is what makes baiting another potent form of digital trickery.
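One technical control against baiting is to notice the moment an unapproved device is connected, rather than waiting for the malware to show itself. The following is an added example, not code from the article: it reads Linux kernel log lines in syslog format, correlates each ‘New USB device found’ line with the interface the device then exposes (mass storage, or a keyboard interface of the kind a device built to type commands presents) and raises an alert for any device not on an allowlist. The log lines, the vendor and product IDs and the allowlist are constructed; exact line formats vary between kernel versions.

```python
"""Alert on unapproved USB storage or keyboard devices from Linux kernel log lines.
Added example for this article, not code from the original. Allowlist, device IDs
and log lines are constructed; real line formats vary by kernel version."""
import re

# Assumed allowlist of (idVendor, idProduct) pairs the organisation issued itself.
APPROVED_DEVICES = {("1d2e", "3f40")}

NEW_DEVICE = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})", re.I)
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")
KEYBOARD = re.compile(r"USB HID v[\d.]+ Keyboard \[HID (?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\]", re.I)
HOST = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) kernel:")

# Constructed log: a found flash drive on ws17, an approved corporate drive on ws17,
# and a device on ws22 that announces itself as a keyboard.
SAMPLE_LOG = """\
Jun 12 09:14:02 ws17 kernel: [  812.441] usb 1-2: new high-speed USB device number 5 using xhci_hcd
Jun 12 09:14:02 ws17 kernel: [  812.601] usb 1-2: New USB device found, idVendor=0abc, idProduct=0def, bcdDevice= 1.00
Jun 12 09:14:02 ws17 kernel: [  812.601] usb 1-2: Product: Flash Disk
Jun 12 09:14:02 ws17 kernel: [  812.602] usb 1-2: Manufacturer: Generic
Jun 12 09:14:02 ws17 kernel: [  812.610] usb-storage 1-2:1.0: USB Mass Storage device detected
Jun 12 09:14:03 ws17 kernel: [  813.620] sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jun 12 11:02:45 ws17 kernel: [ 7335.110] usb 1-3: New USB device found, idVendor=1d2e, idProduct=3f40, bcdDevice= 1.10
Jun 12 11:02:45 ws17 kernel: [ 7335.110] usb 1-3: Product: Corp Secure Drive
Jun 12 11:02:45 ws17 kernel: [ 7335.120] usb-storage 1-3:1.0: USB Mass Storage device detected
Jun 12 14:30:07 ws22 kernel: [  120.004] usb 2-1: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 1.00
Jun 12 14:30:07 ws22 kernel: [  120.004] usb 2-1: Product: USB Keyboard
Jun 12 14:30:07 ws22 kernel: [  120.250] hid-generic 0003:1A2B:3C4D.0003: input,hidraw2: USB HID v1.01 Keyboard [HID 1a2b:3c4d] on usb-0000:00:14.0-1/input0
"""

def _check(dev, port, kind, alerts):
    """Append an alert unless the device is on the allowlist (or was never announced)."""
    if dev and (dev["vid"], dev["pid"]) not in APPROVED_DEVICES:
        alerts.append(f"{dev['host']}: unapproved {kind} on USB port {port}: "
                      f"{dev['name']} ({dev['vid']}:{dev['pid']})")

def scan_kernel_log(lines):
    """Correlate each device announcement with the interface class it exposes; return alerts."""
    devices = {}      # port -> {"vid", "pid", "name", "host"}
    ports_by_id = {}  # (vid, pid) -> [port, ...], used for HID lines that carry no port
    alerts = []
    for line in lines:
        h = HOST.match(line)
        host = h.group("host") if h else "?"
        if m := NEW_DEVICE.search(line):
            vid, pid = m["vid"].lower(), m["pid"].lower()
            devices[m["port"]] = {"vid": vid, "pid": pid, "name": "?", "host": host}
            ports_by_id.setdefault((vid, pid), []).append(m["port"])
        elif (m := PRODUCT.search(line)) and m["port"] in devices:
            devices[m["port"]]["name"] = m["name"].strip()
        elif m := STORAGE.search(line):
            _check(devices.get(m["port"]), m["port"], "removable storage", alerts)
        elif m := KEYBOARD.search(line):
            for port in ports_by_id.get((m["vid"].lower(), m["pid"].lower()), []):
                _check(devices[port], port, "keyboard-class device", alerts)
    return alerts
```

Feed scan_kernel_log the lines from /var/log/kern.log (or the output of journalctl -k) and forward anything it returns to whoever watches alerts. The keyboard check matters because a dropped device does not have to be a disk: one that enumerates as a keyboard can type commands without the finder opening anything, and it only stands out because it was never issued by the organisation.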

Rise of the Manipulation Masters

According to ISACA’s Cybersecurity Snapshot, social engineering is set to be the biggest threat in 2016. Many other security experts and companies have also highlighted it as the top threat to deal with in the future. It is possible that the leak of millions of documents from Mossack Fonseca, a Panamanian law firm, was the result of a successful social engineering campaign, though as yet this has not been confirmed; the prospect is plausible. All in all, social engineering may well be one of the major threats not only for the remainder of the year but for years to come.

Unlike malware and other cyber threats, social engineering cannot be stopped by antivirus software or firewalls alone, because the attack is on the person rather than the machine. Educating internet users about these threats is therefore the most effective way to reduce successful attacks, with technical controls such as multi-factor authentication and restrictions on removable media limiting the damage when someone is fooled. In many cases, the thousands of users who fall for phishing emails or baiting could have avoided disaster had they been aware of the underlying dangers. This kind of education is already taking place in the corporate setting, where cybersecurity firms advise companies on how to protect their data in a hostile digital environment. An equivalent for individual or more casual users, who may only carry out simple tasks online such as sending emails or ordering products from Amazon, would be of great benefit. Without it, the dark arts of ignoble crooks will continue to cast wicked spells on internet users around the world.