Social engineering: breaking the human operating system


Social engineering, also known as the science and art of breaking people, has become widespread in recent years, largely because of the growing popularity of all forms of electronic communication. In the information security industry, the term refers to a range of techniques used by cybercriminals to obtain confidential information or to persuade victims to take actions that ultimately lead to their computers being infected.

There are many security products on the market today, but regardless of which solution protects your computer, the user always has the last word. Whether we are talking about login data (username and password) or payment and credit card numbers, the weakest link in the security chain is never the technology but the human being. When it comes to psychological manipulation techniques, it is therefore very important to know the tricks cybercriminals use.

Social engineering is not new. It has been in use for a very long time, and some of the best-known social engineers are Kevin Mitnick and Frank Abagnale, who are now recognized security consultants. Frank Abagnale is one of the most famous scammers of all time: he created new identities, forged checks and tricked people into revealing the information he needed without batting an eye. If you have seen the movie „Catch Me If You Can”, you have an idea of what a capable and determined social engineer can achieve. It is worth knowing that a social engineer does not have to use any technology or computers at all to obtain information, so you should be alert to the suspicious behavior you may encounter every day. For example, your password can be extracted from you during a telephone conversation. Of course, everyone knows that it is very unwise to give out a password over the phone, but if the person on the other end claims to be a „support engineer” from your company and tells you on a Sunday morning that „you need to come into the office and provide your password so the necessary update can be made”, you are likely to hand your login credentials to this „technician” so that he can do it for you, and even thank him for helping you out. Perhaps you are careful enough not to fall for such a trick, but your coworkers may swallow the hook.

„A company can spend hundreds of thousands of dollars on firewalls, encryption, and other security technologies, but if an attacker finds at least one susceptible person inside the organization, and that person allows himself to be manipulated, all that money spent on security will be a wasted investment.” – Kevin Mitnick.

The typical cybercriminal will not waste time preparing technologically advanced attacks when he knows that it is much easier to exploit human weaknesses through social engineering. Moreover, there are websites that explain how people are deceived and why these tricks are so effective. One of them is SocialEngineer.org, where you can find the theory behind individual attacks as well as real-life examples.

Each of us uses spoken language every day to influence others, usually without being aware of it. However, language has some drawbacks from a social engineering point of view, because it is directly tied to our subjective perception of the world. Therefore, social engineers often use NLP, or neurolinguistic programming, which was originally developed for therapeutic purposes. NLP helps scammers manipulate their victims, extract information from them, and trick them into performing certain actions: disclosing a password or confidential documents, disabling a security control, or anything else the fraudster needs for the attack.

While the link between hacking and psychology may seem exaggerated, the reality is that online attacks rely on the same principles as their real-world counterparts. The human need to reciprocate (if I do something for you, you will probably feel you owe me and accommodate my request), social influence (we trust the opinion of the majority), and authority (we trust a police officer, a doctor, a technician, etc.) all help social engineers build rapport with potential victims, based on ordinary human traits. The social engineer knows how to put pressure on the victim to get the answer they want, all by creating a context that makes a fabricated story credible. Bypassing our rational judgment is not as difficult as it may seem.

So how do these methods apply to cyber attacks? The basic principles are the same as in real-world crime, but since the internet is an enormous medium for distributing information, a phishing email, for example, can be sent to millions of recipients. Even if only a small percentage of them take the bait, the potential gains are still huge.

“What I did in my youth is now a hundred times easier. Technology breeds crime.” – Frank William Abagnale.

One of the most popular methods of obtaining confidential information today is the aforementioned phishing, a type of computer scam that relies on social engineering. Cybercriminals most often use e-mail, instant messaging and SMS messages and trick victims into disclosing information either directly or by performing some operation (e.g. opening a fake website, clicking a link, etc.).

There are many malicious programs that use social engineering to attack the user. Among the most common are fake Flash Player updaters, executable files embedded in Word documents, and many others.

“The police cannot protect everyone. We need to be more aware and have a better understanding of identity theft. We have to be smarter and smarter. There is also nothing wrong with being skeptical. If we make something easy for us to steal, someone will steal it.” – Frank William Abagnale.

It is also worth remembering that information we post publicly online (Facebook, Twitter, etc.) can greatly help criminals connect the dots to our true identity. Increasingly, we are dealing with targeted phishing, where cybercriminals use detailed personal information to go after specific people. Even a wish list in an online store can give a social engineer the tool to conduct an effective attack.

So how do you protect yourself? Effective antivirus software is now a must for anyone who does anything online. In addition, it is worth keeping up with the latest trends in the cybercriminal world and knowing what tricks social engineers use: it is easier to defeat an enemy you know. Also remember that even the best security technologies will not help much if you open the door to criminals yourself.