Table of contents
- Social engineering’s definition and its impact on the society
While the image of a person with high technical skills exploiting a system has been used many times to portray a hacker, a new type of attack is changing that: the Social Engineering attack. This paper explains what Social Engineering is and the principles behind it. Popular attacks based on Social Engineering are introduced, and how one such attack is executed is explained in detail. The appearance of Social Engineering in our digital surroundings, from home to work, is also discussed. The severity and scale of these attacks are rising and threaten the cyber world from individuals to corporations. As a small contribution to making Social Engineering attacks less effective, this paper aims to raise readers’ awareness and to give adversaries a harder time.
Keywords: Social Engineering, phishing, vishing, cyber world, principle.
Social engineering’s definition and its impact on the society
Cyber-attacks have been a very hot topic in a world where technology is advancing rapidly and everything is being automated. When cyber attacks are mentioned, many people imagine a talented hacker in front of his devices exploiting and breaching the system in no time. But what if a single phone call is enough to execute an attack? Such attacks are called Social engineering attacks, and they are on the rise. This paper provides information about Social engineering attacks, where they appear, and their impact on society. The term can be confused with the use of “social engineering” by people who are not familiar with information technology, where it expresses a negative view, for example “the government engineering its people through social means” (Security through education, n.d.). To clear up the confusion, this paper focuses only on Social engineering in information technology.
Social engineering is a technique employed by cybercriminals to lure unsuspecting users into sending them their confidential data, infecting their computers with malware, or opening links to infected sites (Kaspersky Lab, n.d.). For more than 90% of successful attacks, the human is the “kill switch” (Frumento, 2018). This means that without human error the attack would not start. As that figure shows, human error contributes to nearly all Social engineering attacks. To understand and explain why this happens, more definitions need to be looked at. Manipulating people’s minds plays a key role in Social engineering attacks; it can decide success or failure, and nearly all vectors are built around it. Without it, there is a high chance an attacker will fail to impersonate someone and expose themselves, and if the attackers cannot predict the target’s thinking, they will have a hard time extracting information from them. There are many tactics an attacker can use. One is to play on the victim’s mind. For example, by applying reciprocity, the attacker offers to help the victim solve something, such as a technical problem, in return for favors, which usually means telling the victim to do things that trigger the attack. Another is to make a fake threat: victims usually try to cooperate to solve the problem, and if the attackers spot this, they try to extract information along the way. With vectors built around this idea, Social engineering attacks can be used in nearly every corner of the internet, from a person’s social networks to their bank account, which makes them a threat even to an experienced person. There are many Social engineering vectors and nearly all of them exploit the victim’s behavior. The most popular vectors are Phishing, Vishing, and others. Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other communication channels.
The attacker uses phishing emails to distribute malicious links or attachments that can perform a variety of functions, including the extraction of login credentials or account information from victims (Rouse, Phishing, 2017). Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing but does not always occur over the Internet and is carried out using voice technology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone (Rouse, vishing (voice or VoIP phishing), 2008). Both vectors use impersonation to gain an advantage over the victim. This tactic can be applied in nearly every field, which makes Social engineering one of the most used techniques. Another reason these attacks are so widely known is that the technical skills needed to execute them are lower than for other attacks; moreover, they can target a single individual, so attackers can choose their victims based on the weaknesses they have spotted in them. For example, a non-technical person would obviously be a better target for an attacker than a person who works in the IT industry. These reasons significantly increase the success rate of social engineering attacks.
SE attacks are on the increase and are already lurking in daily life. Online services are the perfect environment for them: distant, non-physical exchanges allow a middle man to step in who can easily act like the legitimate side, gain the other party’s trust, and make them give out information a third party should not know. As more and more companies move their services online to reduce cost and for convenience, the attack surface grows at a proportional rate, which means criminals can knock on anyone’s cyber door. The information the attackers usually aim at is very sensitive and can turn the victim’s life upside down if exposed: for example, bank account information, personal identity, and confidential matters. The exposed information can then be used for personal gain: cashing out the victim’s bank account, selling the identity online, or blackmailing the victim with the threat of publicizing the confidential matters. In the early days of the internet boom, social engineering was not a very big problem; the logic and tactics were usually defined by IT experts or specialized hackers whose background does not fit the concept of SE attacks. But times changed, and a new force joined the race: people with a background in psychology-related fields. In other words, the upgrades they brought to SE attacks make them extremely hard to spot. One of the best ways to avoid them is not to react in the natural human way; this dodges the traps set for anyone who follows the expected path. For example, a normal person confronted with a fake problem concerning their bank account by a self-claimed banker would seek help from that banker, which makes them likely to fall into the trap the impersonator has set up to extract information while “solving” the fake problem.
A different and unusual but effective approach is, instead of seeking help immediately, to check the reliability of the other side first and confirm that it is legitimate: in this situation, hang up the call and redial the bank directly. This procedure can be applied in nearly every online service, which makes it an effective defense.
Who is to blame for the rise of these attacks? Technical flaws, a new exploitation technique? According to Kevin Mitnick (Mitnick, 2002), “The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you”. Today, only about 3% of malware tries to exploit an exclusively technical flaw. The other 97% target instead users through Social Engineering (SE) (Frumento, 2018). The statistic above demonstrates which tactics attackers prefer: targeting individuals outnumbers finding security flaws. Understanding why one choice overwhelms the other should not be difficult. Attackers can either find flaws and holes in the security shield of a company that has spent a fortune to protect itself, outthinking the experienced security specialists in charge, or try to compromise one individual among thousands of employees to breach through. The Yahoo! security breach (Gonsalves, 2012) was one of the worst SE attacks to happen to a company. The tactic used was to send baits in the form of emails with malware inside, sent to a selected group: privileged Yahoo employees. Although choosing a specific group sounds unnecessary and inefficient, it keeps the attack low-profile and avoids any effective countermeasures being used against it. The plan worked: someone took the bait and exposed Yahoo’s inner network to the malware. The attackers could then access Yahoo’s user database, which at the time held a staggering 500 million users, including their usernames, phone numbers, security questions and answers, password recovery emails, and cryptographic values associated with each account. This attack describes the situation companies are facing.
There is no doubt that a big company like Yahoo must have serious security defenses in place, but it was not these that failed; the havoc came from the company’s employees, whom the defensive sphere cannot reach. In other words, a company’s security sector needs to solve a non-technical, employee-related problem that is beyond its field. The story also shows how a single weak mind in a long human chain is enough to bring a company to a crisis. Solutions are urgently needed, since these attacks have proven to have both high success rates and devastating consequences. Most published solutions aim at employees’ mindset towards technology. Among those many companies have adopted are setting up procedures and creating security-awareness courses. Having procedures means creating restrictions that filter out unwanted things. For example, always double-check an email for its validity before opening it, and do not use the internet for personal rather than work-related purposes, as this can expose the company’s inner systems to outside threats. Security awareness courses, on the other hand, teach employees to spot potential threats and ways to deal with them. But both solutions share the same issue: they rely on the human factor, which means that for them to work, rules need to be strictly followed and employees need to be alert for threats at all times; also, many procedures and courses leave too little impression to remind employees of what they learned. Because of the drawbacks these solutions face, many specialists are creating further solutions.
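Part of the “double-check an email for its validity” procedure described above can be automated. The following Python script is an added example written for this page; it is not code from the paper or from any cited source. It parses a constructed sample message (every address, domain and link in it is a placeholder) and flags three common phishing indicators that a reader can also check by hand: a display name that claims a trusted brand while the address comes from another domain, a Reply-To that differs from From, and a link whose visible text shows a different host than its real destination. The trusted-domain set and the sample headers are assumptions made for illustration.

```python
"""Heuristic phishing-indicator check for a raw email message.

Added example (not from the original paper or any cited source). The sample
message below is constructed for illustration: every domain, address and link
in it is a placeholder. The checks automate part of the "double-check an
email for its validity" procedure: compare the display name with the real
sending domain, compare From with Reply-To, and compare the visible text of
each link with where it actually points.
"""
from __future__ import annotations

import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches link text that looks like a URL or bare domain (e.g. "www.x.test/a").
_URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)

# Constructed sample message; headers, domains and link are made up.
SAMPLE_MESSAGE = """\
From: "Example Bank Support" <support@mail-notify-12345.test>
Reply-To: helpdesk@another-unrelated.test
To: customer@example.com
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Please verify your details within 24 hours:</p>
<p><a href="http://login.mail-notify-12345.test/verify">https://www.example-bank.test/secure</a></p>
</body></html>
"""


def _domain_of_address(header_value: str) -> str:
    """Lower-cased domain part of an address header ('' if absent)."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _domain_of_url(url: str) -> str:
    """Lower-cased host of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collects (visible_text, href) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def phishing_indicators(raw_message: str, trusted_domains: set[str]) -> list[str]:
    """Return human-readable warnings for the indicators found in the message.

    trusted_domains lists the domains a genuine message from the brand would
    use. An empty result means no heuristic fired, not that the mail is safe.
    """
    msg = Parser(policy=policy.default).parsestr(raw_message)
    warnings: list[str] = []

    from_header = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_header)
    from_domain = _domain_of_address(from_header)

    # 1. Display name drops a trusted brand name, but the address is from elsewhere.
    for trusted in trusted_domains:
        brand_tokens = trusted.split(".")[0].split("-")
        if all(tok in display_name.lower() for tok in brand_tokens) and from_domain not in trusted_domains:
            warnings.append(f"display name claims '{trusted}' but sender domain is '{from_domain}'")

    # 2. Replies would go to a different domain than the apparent sender.
    reply_domain = _domain_of_address(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 3. The link text shows one host while the href leads to another.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for text, href in collector.links:
            if not _URL_LIKE.match(text):
                continue  # plain words like "click here" cannot be compared
            shown = _domain_of_url(text if text.lower().startswith("http") else "http://" + text)
            actual = _domain_of_url(href)
            if shown and actual and shown != actual:
                warnings.append(f"link text shows '{shown}' but points to '{actual}'")
    return warnings


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_MESSAGE, {"example-bank.test"}):
        print("WARNING:", warning)
```

Run against the constructed sample, all three heuristics fire; a plain statement mail sent from a trusted domain with no Reply-To produces no warnings. The checks are deliberately simple string comparisons so that a reader can see they correspond to what the procedure asks a person to look at; a mail that passes them is not proven genuine, which is why the paper’s advice to verify through an independent channel still applies.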
Social engineering has made an impact on nearly all parts of our life. From one wrong click to trusting the wrong person, any of these can get you in trouble in the cyber world. But if you are always on alert, attackers will have a hard time. At work, a sense of danger on the internet is also needed, as you are now part of the security, and one wrong move can be exploited as the bridge for an attack to breach through and make your company lose a fortune; this should never happen. Social engineering attacks will remain and expand their impact in the cyber world, and staying alert is a very great weapon against them, as it helps you avoid the mistakes that are the main cause of successfully executed attacks.
- Becker, K., & Pape, S. (2016). A Serious Game for Eliciting Social Engineering Security Requirements. 2016 IEEE 24th International Requirements Engineering Conference (RE) (pp. 16-25). Beijing: IEEE.
- Frumento, E. (2018, May 14). Estimates of the number of Social Engineering based cyber-attacks into private or government organizations. Retrieved from DOGANA Project: https://www.dogana-project.eu/index.php/social-engineering-blog/11-social-engineering/94-estimates-of-social-engineering-attacks
- Gonsalves, A. (2012, July 12). Yahoo security breach shocks experts. Retrieved from CSOOnline: https://www.csoonline.com/article/2131970/yahoo-security-breach-shocks-experts.html
- Kaspersky Lab. (n.d.). Social Engineering – Definition. Retrieved from AO Kaspersky Lab: https://usa.kaspersky.com/resource-center/definitions/social-engineering
- Mitnick, K. (2002, October 14). How to hack people. Retrieved from BBC News: http://news.bbc.co.uk/2/hi/technology/2320121.stm
- Rouse, M. (2008, February). vishing (voice or VoIP phishing). Retrieved from TechTarget: https://searchunifiedcommunications.techtarget.com/definition/vishing
- Rouse, M. (2017, October). Phishing. Retrieved from TechTarget: https://searchsecurity.techtarget.com/definition/phishing
- Security Through Education. (n.d.). Social Engineer, Inc. Retrieved from The Social Engineering Framework: https://www.social-engineer.org/framework/general-discussion/categories-social-engineers/governments/