Social engineering is a staple term used in the email security world. Stories around John Podesta and his emails, Operation Wire Wire and great Defcon videos all have the expression “Social Engineering” stamped all over them. It’s a key term in cyber security, and in an industry overrun with buzzwords, social engineering stands out in meaning, importance and scope. Social engineering techniques continue to wreak havoc on unsuspecting victims, and it’s a trend that needs to be addressed.
What is Social Engineering?
“Social engineering” applies to the intentional and manufactured manipulation of people for the purposes of committing fraud. This fraud can be purely digital, or a combination of online and offline actions taken to deceive or compromise an individual or group. In the cyber security context, we focus on fraud that involves manipulating the relationship between digital technology and human behavior.
This can be done on a targeted basis or through a “spray and pray” approach. The ends vary as well, ranging from planting trojans or backdoor exploits to committing invoice fraud to simply stealing a password.
This form of manipulation uses tactics that differ little from a high-pressure sales scenario or aggressive marketing techniques, but in these cases they are turned towards explicitly fraudulent or malicious ends. These tactics can include social proof, urgency/scarcity, reciprocity, authority, familiarity, consistency, and any combination thereof.
What Isn’t Social Engineering?
That’s a tricky question. In practice, the vast majority of cyber attacks today likely involve some form of social engineering. Most of today’s attacks involve a “social engineer” devising a campaign to gain access to a target and their data. A non-socially-engineered attack would be one in which no human or social manipulation was involved.
Examples that would not involve social engineering include direct hacking of systems, downloading code from non-secure websites (drive-by downloads), Bluetooth attacks, and plenty of others. But the biggest attacks you hear about almost without fail involve the intentional manipulation of a victim by a criminal through social engineering tactics, either with the victim making an error in judgement, or with some kind of deception that mixes in non-social-engineering elements to achieve its goal.
Breaking down the techniques used in Social Engineering Attacks
Social engineering techniques make use of multiple strategies to get the end user to fall for their attacks, and these strategies often overlap to improve the likelihood of success. Some of the techniques are more precise and targeted, focussing on the victim. Others focus on conversion optimization, hoping to get any response that “pre-qualifies” the victim, and then work from there to extract funds.
Here are a few of the most common social engineering techniques used:
Mass or bulk phishing is the broadest and most generic of the social engineering techniques; it covers a very wide range of socially engineered threats towards three ends:
- Automated Money Extraction: Includes attacks such as Ransomware, often with the criminal having to only engineer the first click to be successful.
- Cyber Assisted Fraud: Requires engineering of the first action, followed by a grooming campaign to enable the fraud.
- Gaining Access to Data: This can be anything from credential phishing (victim filling out form on a malicious website) to installing exploits for large scale data extraction.
The social engineering elements in a phishing attack span the whole gamut of tactics: creating urgency with (often faked) blackmail, social proof by sending emails out through a hacked email account, authority by spoofing a recognized brand, consistency by winding a long and persistent tale in a Nigerian Prince or Romance Scam, and so on.
An increasingly common form of socially engineered attack, targeted phishing can yield very high returns for con artists. Generally, targeted phishing involves a criminal researching a target at great length to find details to exploit. The primary difference between bulk and targeted phishing is how personalized the content of the email campaign is. There are two areas of targeted phishing we have seen a lot of lately:
This term applies to a fraud that starts as a phishing attack to gain trust, access, or data, and then continues to an offline fraud. A common form of this is Business Email Compromise or CEO Fraud, where executives are impersonated or targeted to transfer money believing that the
Fake invoice emails (targeted or not) can trick a recipient into believing there’s an outstanding invoice and that immediate payment is required.
A tactic commonly used in these attacks is gaining access to a potential victim’s email account. The criminal can forward all emails to his own account and wait until an important deal or transaction is about to go through. At that point, he or she will send an email with instructions to modify payment details (for example), or even call, to limit the trail. This happens often in the real estate or legal industries, where large transactions are common.
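As an added example (not from the original post), the following Python heuristic scores a message for the cues described in the invoice-fraud and BEC sections above: urgency, an authority claim in the display name, a payment-detail change, a lookalike external sender and a Reply-To that diverges from the From address. The domains and both messages are constructed for the demonstration.

```python
"""Heuristic scoring of BEC / invoice-fraud social-engineering cues.
Added example; the domains and both sample messages are constructed, not real."""
import re
from email import message_from_string
from email.utils import parseaddr

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|today|right away)\b", re.I)
# matches "changed our bank details", "new account details", "updated wire instructions"
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed?)\b[^.\n]{0,30}?\b(bank|account|wire|payment)\b", re.I)
AUTHORITY = re.compile(r"\b(ceo|cfo|president|managing director)\b", re.I)

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def score_bec(raw: str, trusted_domain: str) -> dict:
    """Return the cues found in one RFC 822 message plus a score; 3+ cues is suspicious."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = from_name + "\n" + msg.get("Subject", "") + "\n" + msg.get_payload()
    cues = {
        # sender domain is not ours (the constructed sample uses a digit "1" for "l")
        "external_sender": _domain(from_addr) != trusted_domain.lower(),
        # replies are silently routed to a mailbox other than the visible sender
        "reply_to_mismatch": bool(reply_to) and _domain(reply_to) != _domain(from_addr),
        "urgency": bool(URGENCY.search(text)),
        "payment_change": bool(PAYMENT_CHANGE.search(text)),
        "authority_claim": bool(AUTHORITY.search(text)),
    }
    score = sum(cues.values())
    return {"cues": cues, "score": score, "suspicious": score >= 3}

FRAUD_MAIL = """From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@webmail.example
Subject: Urgent wire before close of business

I am in meetings all day and cannot talk. We have changed our bank details
for the Acme invoice; please wire the payment today using the new account
details attached, and keep this confidential.
"""

BENIGN_MAIL = """From: "Payroll Team" <payroll@example-corp.com>
Subject: Q3 slides

Attached are the Q3 slides for Monday's meeting. Thanks.
"""

if __name__ == "__main__":
    for label, mail in (("fraud", FRAUD_MAIL), ("benign", BENIGN_MAIL)):
        print(label, score_bec(mail, "example-corp.com"))
```

The thresholds and keyword lists are deliberately simple; in a real mail gateway they would be one signal among many, not a verdict on their own.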
Baiting (mostly Trojan)
This is possibly the oldest form of social engineering (if the Iliad is our guide). It is named after the technique of hiding something in plain sight so that an unsuspecting victim welcomes a hidden virus in. A criminal can tailor the messaging to the recipient to maximize the chance of getting the download or link click. Under this heading we would also include Quid Pro Quo, where the target is offered something for free, say an eCard or game download, in exchange for a piece of confidential information (often a password or even a contact list).
Malicious Email Attachment Attacks
Similar to baiting, the attachment you download thinking it is a presentation or holiday pictures can install viruses, malware and trojans to all kinds of malicious ends. Again, these are often engineered to optimize the probability of conversion and to minimize the resistance the end user might put up.
Vishing, or voice phishing, involves the use of the telephone to gain access to confidential information, usually credit card or password details. This form of social engineering plays off a trust we have in our phones and in voices that we don’t have for emails. Similar tactics are used in smishing, or SMS phishing. A common example is an automated call, apparently from a company you may hold an account with, aiming to get you to enter your credit card or password details.
Social Media Attacks
While these are a form of phishing attack, they deserve a special mention because of their unique methodology in engineering the social proof elements. For those who are vulnerable, getting an unsolicited friend request from a (usually) good-looking member of the opposite gender can lead down a rocky path. This is especially true when the con artist is using a well-groomed persona with a strong accompanying cover (read: sob) story. An evolution of the 419ers or Romance scams, these are more effective than their predecessors as they include more of the elements of a socially engineered attack.
Fake news/Market Manipulation/Political Sabotage
Increasing with the spread of fake news, the illegal manipulation of people’s perceptions through various technological means offers big payoffs, political or financial. Examples include spam campaigns for stock market manipulation (“pump and dump”), which can spread a lie rapidly while the criminal holds a position. Fake crowdsourcing campaigns, fake news stories, fake video and much more will lead to all kinds of engineered attacks.
Social Engineering Isn’t Going Anywhere
With everything increasingly integrated, always on and connected, the stakes are high. At the same time, cyber security is advancing rapidly, requiring criminals to constantly seek out new ways to earn a “living”. The most reliable and time-proven method of successful fraud has been social engineering: conning people out of their money. Of the socially engineered threats that involve technology, many can be mitigated; anti-virus and malware protection, email security, attachment protection and URL defense are a few examples. Machine learning, AI and even blockchain technology will make it harder for human error to be as costly. However, for the inattentive employee, CEO or political campaign manager, there will always be fraud.
Have a laugh at this comedian’s work while you are at it.