Social engineering – It’s not just about phishing

Kevin Townsend 14 Apr 2019

When deception is used to hack your mind

What does “social engineering” mean?

The term “social engineering” may sound arcane and intimidating, and in some ways, it is. But most of us have encountered some form of social engineering many times — on the internet, in our emails, and in newspapers and magazines. The email advance-fee scam, which most of us will remember as the Nigerian Prince email scams from years ago, is one form of social engineering — deceiving the victim into believing they have something to gain.

Phishing emails are also social engineering, posing as a trusted organization, a friend, or a colleague in order to manipulate us into surrendering information. However, it’s not as simple an equation as “social engineering equals scam.” Scams and confidence tricks must employ social engineering techniques to succeed, but social engineering is often much more complex. The ways in which attackers can trick, manipulate, and pressure people is shocking, and often sinister.

In his book How to Hack a Human: Cybersecurity for the Mind, security expert Raef Meeuwisse offers this definition: “...the act of constructing relationships, friendships or other human interactions for the purpose of enticing the recipient to perform an inadvisable action or reveal secret information.” In cybersecurity terms, this means preying on our emotional responses to make us voluntarily compromise our own security.

But social engineering exists everywhere in completely legal, even if somewhat morally dubious, ways. Marketing employs social engineering techniques to improve sales. You may have encountered a website offering a special, apparently significant discount, complete with the countdown: “Deal ends in 00:05:00”. In truth, there is no discount and the “deal” does not end; but this is an effective marketing strategy. The illusion of needing to make a quick decision and the appearance of a bargain pressure users into making a purchase they would not normally make.

And politicians and political lobbyists use social engineering techniques to get our support all the time.

Examples of internet-based social engineering

Hacked for journalism

A 2014 investigative article on social engineering still provides one of the best illustrations of how attackers can obtain extensive information on their victims and employ it in attacks. Telegraph journalist Sophie Curtis agreed to let ethical hacker John Yeo attempt to execute a social engineering attack against her. Using a mixture of social media sleuthing and subtle IT techniques, John Yeo’s team was able to trick Sophie into downloading and activating a remote access trojan to her computer.

This was achieved despite Sophie knowing that the team would be trying to hack her, and already being suspicious of the file containing the trojan. John Yeo’s team created a situation in which Sophie Curtis believed she could not ignore the possibility that the file might be of legitimate journalistic interest. This shows how social engineering attacks can still be effective even if we believe we’re on our guard against them.

The U.S. Department of Justice

One of the biggest examples of social engineering in the wild is the US Department of Justice’s 2016 data breach. 200GB of data was exposed from the DoJ’s records, thanks to a hacker successfully impersonating a member of the staff. A combination of a compromised internal email address and some basic trickery allowed the attacker to convince other staff to provide full access to internal files. This is an excellent example of how far-reaching and damaging even the most basic social engineering techniques can be.

Christchurch massacre

Most recently, the Christchurch massacre in New Zealand has shown the speed and unscrupulousness displayed by social engineers. Within a week of the incident, attackers started moving to take advantage of the grief and confusion of the victims’ friends and families. Phishing emails began circulating, asking for donations for support or relief efforts. These emails would instead direct users to fake banking pages or malicious forms for the attackers to receive personal data and funds.

The motives for online social engineering

Data theft

The biggest and most common motivator for online social engineering attacks is to gain access to the victim’s sensitive data. Personal data is one of the most valuable commodities on the internet, and is traded between businesses as well as on the black market. Personal information also enables attackers to perform more convincing and effective social engineering attacks. If an attacker wants your bank details, they might first try to obtain your address and phone number by posing as a charity. Once they have these, they can pose as your bank, using the information they already have to increase their chance of deceiving you.

Malware propagation

If an attacker can convince you that a link is safe, they can send you virtually anywhere and have you download virtually anything. A huge amount of ransomware is spread via phishing emails, with 93% of such emails now being used to infect a victim’s computer. Remote Access Trojans, keyloggers and cryptojacking botnets can all be spread in this way as well. Recently, emails posing as information on Brexit have been used to spread the Ursnif trojan, an aggressive data-harvesting malware.

Political purposes

Social engineering in a political context is often treated as a distinct concept from social engineering in cybersecurity, but there is significant overlap between the two spheres. The Cambridge Analytica scandal may be one of the best illustrations of this, where personal information of Facebook users was employed to influence public opinion ahead of the 2016 US elections.

The rise of “fake news” and the way facts can be twisted — often without outright lying — to suit a particular political agenda, is itself an example of social engineering. Spreading fake news through organized groups on Twitter and Facebook is another form of social engineering. In effect, the Russian Internet Research Agency (IRA) attempted to socially engineer the entire U.S. public in order to influence the 2016 presidential election.

In his summary of the Mueller report, the Attorney General comments that the IRA’s purpose was “to conduct disinformation and social media operations in the United States designed to sow discord, eventually with the aim of interfering with the election.” That’s social engineering on a grand scale.

Defending against social engineering

Combating social engineering is less obvious than other areas of cybersecurity. For traditional hacks, security is black and white; attackers take advantage of mistakes and vulnerabilities which can be mitigated and patched. With social engineering, the vulnerabilities are in our thought processes and emotional responses. We can’t download a patch for our own sense of fear, or greed, or compassion. However, there are some things we can do. Check Avast’s extensive advice on protecting yourself against phishing scams for some further information.

Limit what you share

Targeted social engineering is the biggest human-based security risk today. The more information about ourselves that we put on the internet, the more resources we give to scammers and social engineers. This extends beyond personal information like addresses and phone numbers; and includes our habits and routines, interests, medical issues, and preferred services which can all be weaponized against us in social engineering attacks.

It’s also important to remember that hackers can access a great deal of data on us even if we don’t provide it. Though we might think our personal information is on lockdown, a determined attacker can find creative and surprising ways to obtain data. John Yeo, when trying to hack Sophie Curtis, even went so far as to use a family history website to verify and extend the information he could use. Even if you are approached with information that you have only given to legitimate organizations, a scammer might still have found a way to retrieve it.

Never respond to any unsolicited requests for information, no matter how much the requester already knows.

Know the ways you can be manipulated

The amount of techniques and variations in social engineering are too numerous to provide an exhaustive list. However, we can focus on email-based social engineering. These are some of the most important things to watch for:

  • Time pressure: All social engineering attacks see more success if the target believes a rushed decision is necessary.
  • FOMO: The ‘Fear of Missing Out’ phenomenon drives the success of social media, but it also becomes a powerful manipulation tactic if we start to believe that inaction — such as refusing to disclose information — will lead to personal loss.
  • Misdirection: Not all social engineering techniques are purely psychological. An attacker may use vulnerabilities in websites to redirect you to a malicious page, in the hopes that you will input personal or financial information. Check the pages on XSS or browser hijacking for more detailed examples.
  • Fake reviews: This doesn’t just apply to companies paying for app store reviews to make their product more appealing; fake reviews can be used to make a website or service look more trustworthy, encouraging you to submit personal information.
  • False identity: This is the fundamental element of all phishing scams. Attackers present themselves as a trusted organization or individual to make you feel comfortable giving up sensitive information.
  • Partial information: To make their pretext more convincing, hackers will often use some public or easily-obtainable information to encourage you to give them even more. For example, scammers with your address, phone number and final four credit card digits could pose as an online merchant. They could then ask you to ‘update’ your payment information for the card ending in those four numbers.

Summary

One thing we have tried to highlight in this article is that social engineering is all around us. Everybody who tries to sell us something — whether that’s a brand of food, a political idea, a new car, or an internet scam — uses social engineering to one degree or another. We are in danger of being inured to it. We are so accustomed to it, we don’t even notice it, and that is a huge advantage to the criminal social engineer.

Awareness is our greatest defense. For an online social engineering attack to fail, all we need to do is refuse to participate. But this is easier said than done.

Apart from anything else, being perpetually suspicious, on-guard, and skeptical of everything we encounter is emotionally and mentally draining. Nobody should consider himself or herself to be immune to social engineering, but that itself is the most important thing to remember.


Kevin Townsend is a guest blogger on the Avast Blog where you can catch up on all the latest security news.  Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world with award-winning free antivirus and keeping their online activities private with VPN and other privacy products. Join in the conversation with Avast on Facebook and Twitter.

--> -->