Social Engineering: Definition
Social engineering is a malicious practice that aims to manipulate an individual or a society. The goal is to have them take actions without realizing the consequences. Being persuasive and building trust in the exchange is crucial in reducing the victim's vigilance.
Hackers frequently use this practice. It can take place through various channels such as SMS, emails, or phone calls, and these channels are often combined to make the pretext more credible.
Once again, humans are at the heart of the attack: if they are not manipulable, the attack cannot take place. Moreover, if the target is properly trained, they can raise the alarm and mitigate the attack.
Types of Social Engineering Attacks
There are different types of social engineering attacks, some of which have existed since ancient times. Here, we will discuss the techniques commonly used in cyber attacks.
Some attacks involve direct contact with the victim. The victim is usually more vulnerable and trusting during a face-to-face exchange.
This type of attack can be combined with exchanges through other channels (such as email, SMS, or phone) to make the identity of the individual more credible.
A malicious individual can infiltrate your premises by pretending to be a job applicant or by impersonating a new recruit.
Postal mail can also be a means of using social engineering. The hacker sends fake letters by impersonating a person or a company to compromise you. The letter you receive may display the address and logo of the impersonated company.
Imagine receiving a letter from your bank accompanied by its logo and all the information related to the branch. You would certainly trust this letter more.
Phishing is a fraudulent practice that involves extracting personal information such as identity documents, banking data, or passwords. The attacker impersonates a company whose services you use (e.g., Google, Slack, Trello, or a provider). Phishing usually occurs through an email that asks you to open an attachment or click on a link.
Smishing, or SMS phishing, is a variant of phishing where the attacker carries out the attack through SMS instead of email. Instant messaging services are also associated with smishing.
Vishing, or voice phishing, is also a variant of phishing. It involves collecting sensitive information or persuading the victim to take compromising actions through a phone call or a voice message.
Having more human contact than a simple text message (as in phishing and smishing) can instill more trust in the victim.
Principles of Social Engineering
Social engineering uses human psychological triggers to encourage you to take the necessary actions for the attack, such as opening an email or a link.
The hacker uses their interpersonal skills to bypass the victim's rational side. We provide attack scenarios to identify the various psychological triggers used.
- Altruism or the desire to help: Imagine a person struggling with a heavy and cumbersome box waiting outside the door of your company. They ask you for help to swipe their badge and open the door because they cannot do it while carrying such a heavy load. This technique allows the person to access normally secure areas by exploiting your willingness to help.
- Curiosity: You receive an email titled "Annual Raises." The mention of raises that you were not aware of piques your curiosity, subconsciously encouraging you to click on the malicious links in the email.
- Sense of responsibility: Imagine receiving an email informing you of an important update for critical software that you use. The email emphasizes the importance of deploying this update for the well-being and integrity of your company, as each person is responsible for the security of their workstation. Because you feel responsible, you will be more likely to open the attachment and install the update.
- Urgency: You receive an SMS indicating that your password is about to expire. It states that without a change, you will lose access. Like many people, if you lose access to your emails, you risk wasting a considerable amount of time on your already busy workday. Some people act without thinking in the face of urgency, forgetting to apply security procedures.
- Hierarchical pressure: Imagine receiving a call from your angry superior who asks you to make an exceptional transfer to an external account because they have problems. Your interlocutor emphasizes the urgency of the situation and explains that if they cannot catch their flight, an important sale with a client may not happen. Faced with the pressure from your superior and the exceptional situation, you are likely to overlook the protocols.
- Pride: Imagine receiving an email from the HR department praising your outstanding performance for the month. The email states that they need some information about your sales process and asks if you can answer a few questions to explain your techniques to your colleagues. Responding to the various questions risks exposing your sales process information.
- Trust in the interlocutor: Appearance, body language, and surroundings are factors that engender trust or mistrust. A person in a suit who mingles with a group of bankers returning from their coffee break can pass through the bank's security gate unchallenged.
- Fear: You receive an email asking you to change your password following recent cyberattacks because a connection from Ukraine has been identified. Such attacks are indeed frequent in many domains, and you have read various articles describing the serious consequences they can have. The fear of being attacked might prompt you to hastily change your password without verifying the authenticity of the email.
The success of an attack is more likely when the victim is isolated, such as during remote work. It is more difficult for an isolated person to seek verification or confirmation from a colleague without using a potentially compromised communication channel.
During a targeted attack, the hacker gathers information about their target and their schedule, and can choose a moment when they will be more vulnerable by being isolated.
Examples of Social Engineering Attacks
There are numerous and varied social engineering attacks, with multiple possible scenarios.
Delivery of Infected CDs
In Japan, hackers used a delivery service to send infected CDs to individuals. They first stole a database from a Japanese bank to collect customer addresses. Then, the hackers delivered the CDs, which contained a Trojan horse aimed at obtaining the individuals' banking information.
Exceptional Attack on an American Journalist
In 2012, an American journalist named Mat Honan was hacked across multiple channels. The hacker first called Amazon's customer service to add a credit card to their Amazon account. Since this operation did not pose a great risk, Amazon added the card without much suspicion.
From there, the hacker called the company again, claiming to have lost access to their account. As proof of identity, Amazon asked them a few questions, including the last 4 digits of a credit card associated with the account. The hacker simply provided the last digits of the card they had just added.
Once they had full access to the Amazon account, the hacker was able to retrieve other information such as the numbers of other credit cards, secondary emails, etc., to continue their attack.
They then reset the account credentials for iCloud using the information collected from Amazon. The hacker used the email, the last 4 digits of the credit card, and the billing address of the account.
With access to the iCloud account, the hacker gained access to the journalist's Google and Twitter accounts and published racist and homophobic statements. They then erased the data from Mat Honan's iPad, iPhone, and MacBook.
From a seemingly innocuous action, the hacker hacked accounts of increasing criticality, resulting in disastrous consequences.
Associated Press and the Dow Jones Stock Market Drop
In 2013, a group of hackers attacked Associated Press through social engineering. The attack caused the US stock market to drop by 136 billion dollars.
The attack was a phishing email: a staff member clicked on a link in a fraudulent email.
The hackers gained access to Associated Press's Twitter account. They then posted a fake article about an explosion at the White House, causing a 150-point drop in the Dow Jones Index.
A Syrian group called the "Syrian Electronic Army" subsequently claimed responsibility for the attack without providing evidence.
Tips for Protecting Against Social Engineering
It is important to remember that humans are the first line of defense against any type of social engineering attack. Several practices can be implemented to protect your employees and your company:
- Have strict security protocols in place for various actions that pose potential risks, such as software installation, emergency contacts, security operations, and sharing confidential information.
- Verify the source of different contacts: are the domain names and the location of the email sender consistent with the received message?
- Train and raise awareness among employees through social engineering simulations, such as phishing or smishing tests. It is important for them to learn to identify malicious contacts and report them to the company's security department. Conducting tests under conditions identical to a real attack helps create reflexes and apply security protocols even in cases of strong emotional response.
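The second tip above, checking that the sender's domains are consistent with the message, can be automated as a first triage step. The script below is an added example and not part of the original article; it compares the From, Reply-To and Return-Path domains of two constructed sample messages against a trusted domain list (the domain names and header values are invented for illustration).

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not from the original article). In the suspicious
# one the visible From domain does not match Reply-To or Return-Path, and those
# other domains merely resemble the trusted one.
SUSPICIOUS_EMAIL = """\
Return-Path: <bounce@mail-example-bank.co>
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: <support@example-bank-secure.co>
To: <employee@example.org>
Subject: Your password is about to expire

Please confirm your credentials within 24 hours.
"""

CLEAN_EMAIL = """\
Return-Path: <noreply@example-bank.com>
From: "Example Bank" <noreply@example-bank.com>
To: <employee@example.org>
Subject: Your monthly statement is available

Log in through the usual portal to view it.
"""

TRUSTED_DOMAINS = {"example-bank.com"}  # assumed allow-list for this example


def header_domain(msg, name):
    """Return the lowercase domain of an address header, or None if absent."""
    _, addr = parseaddr(str(msg.get(name, "")))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def check_sender_consistency(raw_message, trusted_domains):
    """Compare the From, Reply-To and Return-Path domains with each other and
    with the trusted list. Returns a list of findings; empty means consistent."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = header_domain(msg, "From")
    findings = []
    for name in ("Reply-To", "Return-Path"):
        dom = header_domain(msg, name)
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    # Lookalike check: a domain that embeds a trusted name without being it
    seen = {from_dom, header_domain(msg, "Reply-To"), header_domain(msg, "Return-Path")}
    for dom in sorted(d for d in seen if d):
        for trusted in sorted(trusted_domains):
            label = trusted.split(".")[0]
            if dom != trusted and label in dom:
                findings.append(f"{dom} resembles trusted domain {trusted} but is not it")
    return findings
```

An empty result only means the headers agree with each other; it does not prove the message is legitimate, so the findings are meant to prompt the verification step the tip describes, not replace it.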