All About Social Engineering
Technology is not made up only of computers and software but also of the people who operate and control those components. Although people are part of this set of systems, sitting in an “external” layer, the human factor is not treated with the attention it deserves.
That is why one of the oldest methods of cyberattack continues to claim many victims, even today. In this context, social engineering refers to techniques that exploit human weaknesses and manipulate people into breaking some security procedure. Anyone can be the victim of a malicious agent using social engineering, because these attackers do not depend on technology or malicious code, only on a good understanding of human emotions and of their victim's profile.
It is a mistake to believe that sensitive data and information are safe from this type of attack just because they are stored in computerized systems. Attackers generally need only a small action from a user to obtain access to a system, and to provoke that action they send links or infected files designed to attract their targets.
In fact, humans are easier to hack than machines, as everyone is subject to having their emotions exploited by those who use social engineering techniques. To carry out such an attack, the malicious agent lowers the victim's level of judgment by heightening his or her emotions at the moment of approach, making the victim feel anxious or extremely happy, for example, so that the victim fails to notice the agent's real intent.
This result can be achieved through a supposed electronic message urgently requesting information from the latest project, or a call announcing that the victim has won a trip, provided they confirm their payment details in order to receive the prize. In both cases, the aroused feeling inhibits the sense of judgment that would otherwise lead the victim to check the sender's email domain, or to question why a credit card company that holds none of their data is calling them.
Years ago, social engineering attacks were carried out in person or through phone calls, which is still common in some cases. The attacker would approach the victim with sympathy and politeness and, with the right questions, obtain the information needed to complete the attack. This still happens today, but in the digital environment. Once a user has been persuaded to hand over credentials, approve an authentication prompt, or open an attachment, firewalls, two-factor authentication, biometrics, tokens and other protective measures can do little to prevent the leak or to keep the malicious agent out.
According to Verizon's “2019 Data Breach Investigations Report”, between 2013 and 2018 33% of data breaches involved social engineering, and 32% involved phishing. So, even with all the advances in technology to ensure data security, the number of leaks has not declined over the years. In this case, the problem is not in the technology itself, but in human behavior.
Unfortunately, the weakest link in a system is exactly the one that controls and manages the system, and it can be manipulated with some appeal to its feelings. There are several means that agents who use social engineering employ to perform attacks. The most popular ones are: direct approach, vishing, dumpster diving, phishing, spearphishing, whaling, baiting, and ROSE.
In the direct approach, the attacker approaches the victim in person, becoming friends or revealing common interests so that a bond of trust is created and the victim hands over the information the attacker wants. Vishing is phishing carried out through a phone call, using the names of financial institutions, billing companies, and others. With this technique, malicious agents often already know the victim's name and use a call script very similar to the one used by the company they claim to belong to: the scenario is well planned, with background sound and the use of IVR (interactive voice response) menus, making the whole call feel very real to the victim, who believes it and hands over the information they have been asked for.
In these types of attacks, malicious agents can compromise not only individuals but entire organizations. There are also cases of false calls to company employees, supposedly from the Technical Support department, claiming that the victim's access credentials are needed to perform some update, or even of a false technician showing up in person to carry out the attack.
Dumpster diving is a form of social engineering in which people literally dive into the garbage in search of documents or devices that have been discarded in the trash. This material may contain confidential information for which the appropriate security measures (shredding, wiping or destroying media) were not taken. A great deal of sensitive data can be found in corporate dumpsters, providing a simple route to a data leak.
Phishing and spearphishing are possibly the best-known methods of social engineering. Phishing uses an email or fake web page to catch the victim. This attack has limited power because no prior research is done on the victim and the web pages are not exactly the same as the originals. Still, anyone can be the target of this type of action. Spearphishing, on the other hand, is more specific: attackers choose the most attractive victim and focus their efforts on producing emails or websites that leave as little doubt as possible about their authenticity. Whaling is spearphishing aimed specifically at CEOs, CFOs, and other members of an organization's top management.
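The check that the earlier paragraph says an anxious victim skips, looking at the sender's email domain, can be automated for the phishing and spearphishing cases described here. The following Python script is an added example written for this page, not code from the original article. It parses a `From:` header and flags the common sender-domain tricks: a trusted domain embedded as a subdomain of an attacker's domain (`example.com.secure-login.net`), look-alike glyphs (`examp1e.com`, `exarnple.com`), the same label under a different suffix (`example.co`), one-keystroke typosquats, and a display name that claims a trusted organization while the address does not belong to it. The trusted-domain list, the confusable-character table and the sample headers are all constructed for the example, and the code assumes single-label public suffixes (it does not consult the public suffix list, so `co.uk`-style domains would need extra handling).

```python
from email.utils import parseaddr

# Constructed for this example: domains the organisation treats as its own or
# as known partners. A real deployment would load this from configuration.
TRUSTED_DOMAINS = ("example.com", "bank.example")

# Single-character look-alikes, hypothetical and non-exhaustive: maps digits
# and similar glyphs onto the letters the attacker wants the reader to see.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Two-character sequences that render like a single letter in many fonts.
PAIR_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalise(text: str) -> str:
    """Collapse look-alike glyphs so 'Exarnp1e' compares equal to 'example'."""
    s = text.lower().translate(CONFUSABLES)
    for pair, single in PAIR_CONFUSABLES:
        s = s.replace(pair, single)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable domain, second-level label) for a host name.
    Assumption: the public suffix is a single label (com, net, ...)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]), labels[-2]


def check_from_header(header: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of findings for a From: header; an empty list means
    the sender domain is trusted or does not resemble a trusted one."""
    display_name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    if not domain or "." not in domain:
        return ["sender address could not be parsed"]
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return []  # the trusted domain itself or a genuine subdomain of it

    registrable, sld = split_domain(domain)
    findings = []
    for t in trusted:
        t_reg, t_sld = split_domain(t)
        if domain.startswith(t + ".") or ("." + t + ".") in domain:
            # example.com.secure-login.net: the trusted name is only a prefix
            findings.append(f"trusted name {t} embedded in untrusted host {domain}")
        elif normalise(registrable) == normalise(t_reg):
            findings.append(f"{registrable} is a look-alike of {t_reg}")
        elif sld == t_sld:
            findings.append(f"{registrable} reuses the {t_sld} label under another suffix")
        elif edit_distance(sld, t_sld) <= 1:
            findings.append(f"{registrable} is one edit away from {t_reg}")
        if t_sld in normalise(display_name):
            findings.append(f"display name {display_name!r} claims {t} but address is {addr}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real message.
    samples = [
        "IT Support <helpdesk@mail.example.com>",
        "Example Payroll <hr@examp1e.com>",
        "Exarnple Helpdesk <it@exarnple.com>",
        "example.com Security <alerts@example.com.secure-login.net>",
        "Accounts <accounts@exmple.com>",
        "no-reply@example.co",
    ]
    for h in samples:
        print(h, "->", check_from_header(h) or "ok")
```

Such a check belongs in a mail gateway or a mail-client add-in rather than in the user's head; it is one of the few points where a control can step in before the victim's judgment is tested.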
At other times, the malicious agent may use baiting, in which media (e.g. CDs or flash drives) infected with malware are left in strategic locations to arouse employees' curiosity so that they open the infected files on the workstations the attacker wishes to compromise.
The last technique used in social engineering attacks may be the least known to many, but it is already quite common on dating and social applications. This technique is called ROSE (Remote Online Social Engineering) and is based on building a virtual relationship between the attacker and their target in order to obtain the desired information.
Attackers using the ROSE technique create fake profiles of highly skilled professionals who, when approaching real professionals on social networks such as Facebook and LinkedIn, build professional bonds and friendships and exchange real-life experiences. Often, the victim believes that he or she is in contact with prospective clients and business associates, and is thus liable to reveal more than they should. The success of ROSE attacks depends on the malicious agent's commitment to creating a convincing character, with friends, family, a professional profile and a background that can pass for a real one.
All of these methods can succeed if the victims are not aware of the danger of believing everything they are told. In another study, “Best Practices for Implementing Security Awareness Training” by Osterman Research, it was found that in many cases the deployment of training to users has as much effect on an organization's security as investment in devices and security infrastructure.
Some ways to train users of an organization on the Social Engineering subject are:
- Talks or discussions with employees about the dangers of social engineering and how to avoid them;
- Educational videos on the subject;
- Tests for pre-selected employees;
- Tests for all employees.
It is worth mentioning that the training should be repeated at regular intervals so that users do not forget the subject, because the malicious agents will certainly not forget them as potential victims.
In relation to these training sessions, the following can be considered as good practices in the development of training:
- Security awareness must reach all levels: from top management to the operational level;
- Ensure the training covers all necessary aspects of the subject;
- Ensure the training sessions will be frequent;
- Perform tests;
- Be adaptable to change;
- Do not punish mistakes.
It is important to emphasize that technology can help prevent many vulnerabilities, but not those involving the human being. No technical control, on its own, can stop an employee from disclosing sensitive information on their social network or clicking a malicious link in the body of an email.
It is clear that, no matter how technology advances, social engineering will continue to require attention from everyone who wants to protect their systems. Phishing, vishing and even ROSE are real dangers, and a single mistake in the face of one of these attacks can cause enormous damage. Even with the use of advanced technologies and solutions in Information Security, training one's own employees, third parties and suppliers to deal with such situations is more than necessary: it is imperative to ensure business continuity in any company.