Social engineering plays an important part in a significant number of cyberattacks, however big, small or sophisticated the crime is. However, little is known about this tactic. This feature discusses some key aspects.
Social engineering plays an important part in a significant number of cyberattacks, however big, small or sophisticated the crime is. In fact, as ESET’s senior researcher David Harley has previously observed, it has “been a constant all through the life of internet security”.
But what is it exactly? In its broadest sense, social engineering is about psychological manipulation – getting people to do things you want them to do. For example, you could socially engineer a parking warden to avoid a parking fine, or play up your employer’s ego for a salary rise.
In the context of cybercrime, social engineering is widely described as being a non-technical tactic used by hackers to gather information, conduct fraud or gain illegitimate access to victim computers. Social engineering relies on human interaction and involves tricking people into breaking the security procedures that they would usually follow.
“Social engineering is about psychological manipulation.”
Common social engineering attacks include phishing emails, vishing (phone calls from people who falsely claim to be from a respected organization), and ‘baiting’, where legitimate looking USBs are loaded with malware, after which time the creator simply waits for the user to plug it into their machine.
Social engineering can also extend to business and friend requests on LinkedIn and Facebook respectively, with criminals using social networks to gain trust and secure data. More often than not, the end result is either extortion or theft.
This includes ‘diversion theft’ (stealing something to steal something bigger later) and tailgating (piggybacking people into secure areas that should ordinarily be off limit). One convicted fraudster even used social engineering to escape from prison in the UK recently. The fraudster used an illicit mobile phone to create a fake email account, posed as a senior court clerk and then sent his ‘bail instructions’ to prison staff. He was mistakenly released but later handed himself in.
Cybercriminals will use these kinds of attacks for a variety of reasons, as documented above. It’s certainly an effective weapon in their arsenal, allowing them to steal privileged credentials, infect people with malware or to get them to pay for useless and dangerous scareware. Most of the time, their ultimate aim is to steal money and data – or to assume the identity of the victim.
It’s easy and cheap to do – renowned security consultant Kevin Mitnick once said that it was easier to trick someone into giving a password for a system than to spend the effort to crack into the system.
With all this in mind, we look at five things you should know about social engineering.
- It’s physical and digital
Social engineering is an age-old con in all walks of life, so it would be wrong to think that this is either new or only seen in the online world.
In fact, social engineering has long since been used in the ‘real’ world. There have been numerous examples of criminals posing as fire marshals, technicians, exterminators and cleaners, with the sole purpose of entering company buildings and stealing company secrets or money.
It was only later, sometime in the 1990s, when vishing become popular, with email phishing sometime after that.
- The quality varies
The quality of social engineering scams varies wildly. For every sophisticated social engineer sending authentic-looking phishing emails or doing vishing calls, there will be countless others with poor English, conflicting stories and confusing information.
You’ve probably already come across a number of these yourself: from dubious emails from a ‘Nigerian bank’ to others promising that you’ve won the lottery in some other country, there are ample examples of pitiable attempts of fraud.
- Countries are doing this
At a very high-level, nation-states are actively engaging in social engineering campaigns, or at least using them as part of much more sophisticated advanced persistent threat (APT) attacks. This kind of online espionage plays an important role in the cyber efforts of countries like the US and China, as a Wired feature revealed.
“APTs are often reliant on old-fashioned social engineering in order to get an initial foothold on a system.”
“While the term APT suggests sophisticated malicious technology, APTs are often reliant on old-fashioned social engineering in order to get an initial foothold on a system,” Mr. Harley recently commented.
“Preferably a system that belongs to someone relatively highly-placed in the organization so that they have access to sensitive data, whether the intruder’s objective is fraud or espionage.”
- You probably won’t notice an attack
The worrying thing about attacks like this is there is no immediate warning, no clear sign that you are under attack or have been compromised. There is no pop-up asking for bitcoins (like with CryptoLocker and other ransomware), or a scareware ad asking you to download an application or call a service centre.
Most of the time, the criminals conduct their attack, steal your details and disappear. And if it’s data theft, you may never know of the compromise, let alone if your details are being sold illegally on the dark web.
- Social engineering is big in enterprise
Social engineering affects all of us, but it is increasingly being used by fraudsters to target enterprises and small-and-medium-sized businesses – 2014 has even been described as they year that cybercriminals “went corporate”.
One industry report from earlier this year revealed that social engineering is now being used to target middle managers and senior executives. Why so, because they are “goldmine”, explained Richard De Vere, a social engineering consultant and penetration tester at The AntiSocial Engineer Limited, at the time.
“If you’re putting together a phishing email, LinkedIn is a goldmine of middle managers and C-level executives,” he told SC Magazine. “Automated tools can quickly pull together a list of hundreds of email addresses – together with user data and VPN/OWA/Active Directory credentials.”