To understand how to protect oneself from Social Engineering attacks, it is important to understand which human traits Social Engineers exploit to gain access to their target.
One of the greatest tools in a Social Engineer's arsenal is the skill of manipulation. Combined with deception and influence, a good Social Engineer can gain access to an account in minutes that a brute force attack would take hours, days or longer to crack.
Social Engineers employ a variety of tactics to trick their targets into performing actions of the attacker's choosing. It can be something as simple as gaining someone's trust over the phone to obtain confidential information, or as elaborate as baiting someone into visiting a compromised website through phishing.
Social Engineers are the modern equivalent of con artists, the only difference being that con artists use non-technical methods to cheat people out of their hard-earned money. One reason Social Engineering is so effective is that victims tend to defer to authority. A Social Engineer posing as a health and safety officer with a fake ID, citing a 'surprise visit' as the reason for access, can easily gain entry to a premises, provided they carry out the job with commanding confidence and control.
According to Kevin Mitnick, Social Engineers primarily target these human attributes, to gain what they want [1]:
- Trust
- Desire to be helpful
- Sympathy
- Human Gullibility
Apart from the attributes listed above, people generally tend to avoid conflict and to follow instructions. Social Engineers exploit these tendencies and rely on lies and falsehood to further their cause.
Social Engineers are also adept at manipulating the darker side of human nature. There are reported instances in which Social Engineers have offered rewards and bribes to greedy employees in order to obtain specific information. Brainwashing, blackmail and playing on people's fears are further strategies Social Engineers employ to achieve their objectives.
Kaspersky Lab is a well-known security vendor. In a report published in 2015 [2], Kaspersky reported a 163% increase, compared with 2014, in successful installations of ransomware on monitored computers, with one family, 'Trojan-ransom.html.agent', taking the largest share at 38%. The rise of ransomware whose encryption cannot practically be broken, delivered by click-baiting, phishing, viruses or other malware, has gained such momentum that even some in law enforcement have been quoted advising members of the public simply to pay up to get their files back.
Joseph Bonavolonta of the FBI commented on the problem:
“The ransomware is that good, to be honest, we often advise people just to pay the ransom.” [3]
The success of ransomware can be loosely attributed to the Social Engineering techniques attackers increasingly employ to get their victims to pay. Instead of simply asking victims to pay a ransom to regain access to their files, attackers now play on people's fears by displaying threatening messages, to close more ransom payments successfully.
In the sample shown below (Figure 1), once encryption has completed, the ransomware falsely claims to have detected child pornography on the victim's PC and advises them to pay up or face up to five years in prison and lifetime inclusion on the sex offenders register.
Figure 1 – Ransomware Sample Message [4]
A threatening message of this kind is enough to send chills down the spine of even the strongest among us. The accusation is fabricated, but the fear it creates is real: many victims reason that paying a modest sum in their local currency is easier than proving their innocence to the authorities.
The example above shows that Social Engineers target every exploitable human attribute. Social Engineers are excellent at tapping into emotions, and they frequently use that skill to influence their victims into performing actions that are against their own interests.
Fundamental human vulnerabilities, which are cruelly exploited by Social Engineers, are listed below.
1- The Key – Gaining Trust
Social Engineers usually target someone who is in a position of authority, or who at minimum possesses privileged information that is useful to them. For an employee to reach that level, they naturally have to go through certain steps within their company to prove their competence. It is therefore safe to assume that the majority of people exploited by Social Engineers have expertise and reasonable proficiency in their line of work. Yet the evidence shows again and again how easily Social Engineers fool people into handing over sensitive information.
In 2015, a teenager gained access to CIA Director John Brennan's personal email account using Social Engineering. In an interview published by Wired magazine [5], the teen explains how easily he manipulated the staff of two separate companies to gain access to an account which, as one can imagine, contained emails and documents of a sensitive nature.
Describing the attack, the teenager, named by the magazine as 'Phobia', admitted that he was not alone when he caused the breach and was assisted by two partners, who worked in coordination to execute the attack. 'Phobia' reveals that, once they had set their sights on the target, they identified John Brennan's phone number using public information sources and an online directory, then performed a reverse lookup to discover that he was a Verizon customer.
Impersonating a Verizon employee, they contacted Verizon's customer services and explained that they were on a call-out but their company-issued PDA was broken. They gained the trust of the customer service representative and tricked her into disclosing John Brennan's account number, the last four digits of his bank card, his verification PIN, a backup mobile number and his AOL email address.
Once in possession of this information, the attackers contacted AOL to reset the security settings on the email account. They passed AOL's identity checks because the verification details Verizon had handed over were exactly the ones AOL asked for.
Over the next few days CIA Director John Brennan became aware of the breach and tried, unsuccessfully, to regain control of his account. Each time John Brennan reset the password to his personal AOL email account, the attackers would call AOL back and reverse the change.
The teen explains in the interview that the attack was carried out because of his political beliefs. Three days after they gained access to the account, the CIA director permanently closed it down. The attacker then rang John Brennan on his personal mobile number and, when Brennan asked what it was that he wanted, the attacker replied:
“We just want Palestine to be free and for you to stop killing innocent people.” [5]
This attack would not have succeeded had the Verizon employee verified the caller's identity before handing over confidential information. Instead, the attacker gained the complete trust of the customer service representative through charm and confidence alone. The case also shows how knowledge-based verification chains across providers: the details one company leaks become the credentials that satisfy the next company's checks.
This example illustrates how gullible some people can be. Even with experience, plenty of cross-checking resources at their disposal and all the necessary knowledge, some people walk straight into the trap. Such people are ideal targets for Social Engineers.
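The back-and-forth described above, where the owner reset his password and the attackers phoned support to undo it repeatedly over several days, leaves a recognisable trace in a provider's audit log. The following is an added example, not code from the original article or from any provider mentioned in it; the log format, field names, account names and sample events are constructed for illustration. It flags accounts whose password resets alternate between the owner's own channel and the support desk within a short window.

```python
"""Detect a password-reset "tug of war" between an account owner and a
support desk. Added example; the log format, field names and sample events
below are constructed for illustration and do not reflect any real provider.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, event, channel that made the change.
# jb@example.net shows the alternating pattern from the Brennan case;
# alice@example.net shows a harmless owner reset followed, a week later,
# by a single support reset.
SAMPLE_LOG = """\
2015-10-12T09:14:02Z acct=jb@example.net event=password_reset channel=support_phone
2015-10-12T11:30:45Z acct=jb@example.net event=password_reset channel=owner_web
2015-10-12T13:02:10Z acct=jb@example.net event=password_reset channel=support_phone
2015-10-13T08:41:33Z acct=jb@example.net event=password_reset channel=owner_web
2015-10-13T10:15:09Z acct=jb@example.net event=password_reset channel=support_phone
2015-10-13T10:20:00Z acct=alice@example.net event=password_reset channel=owner_web
2015-10-20T10:20:00Z acct=alice@example.net event=password_reset channel=support_phone
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_reset_tug_of_war(log_text, window=timedelta(hours=72), min_flips=3):
    """Return {account: flips} for accounts whose password resets flip
    between owner-initiated and support-initiated channels at least
    `min_flips` times inside any `window`-long span.

    A flip is a reset whose channel differs from the previous reset's
    channel. Repeated resets on the same channel (e.g. an owner who keeps
    forgetting a new password) do not count, which keeps noise down.
    """
    by_acct = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") == "password_reset":
            is_support = ev["channel"].startswith("support")
            by_acct[ev["acct"]].append((ev["ts"], is_support))

    flagged = {}
    for acct, events in by_acct.items():
        events.sort()
        best = 0
        # Sliding window: count channel flips among resets within `window`
        # of each starting reset, keep the largest count seen.
        for i in range(len(events)):
            flips = 0
            for j in range(i + 1, len(events)):
                if events[j][0] - events[i][0] > window:
                    break
                if events[j][1] != events[j - 1][1]:
                    flips += 1
            best = max(best, flips)
        if best >= min_flips:
            flagged[acct] = best
    return flagged


if __name__ == "__main__":
    for acct, flips in find_reset_tug_of_war(SAMPLE_LOG).items():
        print(f"ALERT {acct}: {flips} owner/support reset flips within 72h")
```

On the sample log only jb@example.net is flagged (four flips in about 25 hours); alice@example.net's two resets are a week apart and never fall in one window. The useful response to such an alert is not another reset but a hold on support-channel changes until the owner is reached on a previously verified contact, since the attackers in the story were winning precisely by phoning support.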
2- Displaying Obedience to Authority
Humans are wired to respect authority. From a young age we are taught by our elders to respect and listen to people in authority. This means obeying parents, teachers and the law, and once we enter professional life it extends to managers, bosses and superiors who expect that level of adherence.
Stanley Milgram explains in his book Obedience to Authority: An Experimental View that:
“Facts of recent history and observation in daily life suggest that for many people obedience may be a deeply ingrained behaviour tendency, indeed, a prepotent impulse overriding training in ethics, sympathy and moral conduct.” [6]
The idea instilled in us by society, that those in command deserve absolute respect and obedience and that those who disobey are labelled insurgents and frowned upon, has put such unnecessary fear into some people that they have forgotten the virtue of challenging authority, even when there is reasonable suspicion about the motives of the person giving directions. This is precisely another psychological vulnerability that Social Engineers eagerly exploit.
To illustrate the point, we examine a study conducted by researchers in three mid-western hospitals in the US. Reporting on the study in his book Influence: The Psychology of Persuasion [7], Dr. Robert Cialdini writes that a group of researchers comprising doctors and nurses had become increasingly troubled by the high level of obedience mid-level nurses displayed towards physicians.
The researchers ran the study across twenty-two separate nursing stations, covering various wards in the three pre-selected hospitals. A researcher made an identical phone call to each nursing station, falsely identifying himself as a hospital physician. The impersonator then instructed the nurse to administer an excessive dose of an unapproved drug ('Astroten') to a specific ward patient.
The author lists four reasons why the nurses should have challenged the request.
- Hospital policy prohibited accepting drug prescriptions over the phone.
- The drug itself had not been cleared for use on those patients.
- The dosage requested was dangerously excessive.
- The order came from someone the nurses had never met, or even spoken to on the phone, before.
Once the call ended, in ninety-five percent of instances the nurse went to the drugs cabinet and obtained the requested drug for administration. Only as the nurse headed towards the patient's room was she stopped by a secret observer, who disclosed the nature of the study.
This experiment and its outcome speak for themselves. Given the reasons the author lists, and the fact that the medicine was unsuitable for the patient in question, the nurses should have questioned the validity of the instruction.
Jonathan J. Rusch comments on this study in his paper The “Social Engineering” of Internet Fraud:
“People are highly likely, in the right situation, to be highly responsive to assertions of authority, even when the person who purports to be in a position of authority is not physically present.” [8]
We have heard of and witnessed this attitude among subordinates on many occasions, and it often leads to difficulties further down the line. Take, for example, the story of the drunken Latvian co-pilot who was about to take off from Oslo airport in August 2015. The Guardian [9] reports that the co-pilot was seven times over the legal alcohol limit when he boarded the plane. Despite the airport's strict zero-tolerance policy on alcohol, he passed through a series of security checks and made it to the aircraft without being challenged by airport security or by his colleagues, despite being visibly drunk. The authorities intervened only after a concerned passenger raised the alarm just before take-off. It is reasonable to conclude that his arrest averted a serious accident that day.
This example illustrates both the harm that comes from not challenging a person in authority when an obvious concern exists, and the benefit that comes from raising a legitimate objection to suspicious and out-of-the-ordinary behaviour. The evidence reviewed so far suggests that being respectful and courteous is one thing, but becoming exceptionally compliant whenever orders come from a superior is an unhealthy attitude with detrimental consequences, and is indeed a psychological flaw in some people that Social Engineers actively exploit.
3- Exploiting naivety
Social Engineers thrive on people's naivety. Once we accept that some of us are genuinely innocent, ignorant or inexperienced Internet users, and couple that with natural gullibility, we realise that these members of society are effectively holding up an 'open to exploitation' placard.
This ignorance can only be overcome with education, awareness and practical experience. Until that happens, this part of society is a 'sitting duck' for attackers. Criminals and Social Engineers are quick to seize on this, knowing that new and less experienced Internet users are more susceptible to phishing scams, which can earn them millions, if not billions, in revenue.
Consumer Reports magazine [10] disclosed that phishing scams caused $483 million of losses in the US alone in 2008. This is a modest figure compared with the combined losses incurred through other kinds of Internet crime, such as viruses, click-baiting, spyware and hacks. More surprising is that, despite losing vast sums to Internet crime each year, the US is where the majority (49%) of phishing domains are hosted, as reported by McAfee in 2015 (Figure 2).
Figure 2 – Phishing statistics [11]
Although responsibility for a safer, crime-free Internet also falls on crime prevention and enforcement agencies, the sheer lawlessness we witness online suggests they have failed at this task. Because Internet criminals can be very hard to trace, and because phishing and similar crimes are often treated as low-level offences, cybercrime on the Internet continues to grow year on year.
In the continuing aftermath of the recession, many crime prevention agencies have sustained large budget cuts. The remaining policing resources appear to be directed at serious crimes such as murder and rape.
As discussed above, people's naivety also plays an important part in making a cybercrime succeed. Just as a toddler with no real-life experience finds fire fascinating and will try to touch it unless forcibly stopped, people with less Internet experience generally give in to curiosity and the temptation to click when they see an enticing subject line such as the one shown in Figure 3.
Figure 3 – Typical HMRC Phishing email sample [12]
As immoral and unethical as they are, Social Engineers are clever people and act quickly when they see a window of opportunity. Natural disasters and celebrity gossip are also popular hooks with which scammers grab the attention of potential victims and tempt them to click on shared links. Scammers understand the public's genuine interest in trending events and exploit it by creating links with attention-grabbing headlines, which are then spread across the Internet through compromised accounts.
The idea is usually to get people to click on a link that leads them to a malicious website, which infects their computer with malware or harvests their login credentials, while at the same time using the newly acquired victim's profile to spread the scam further. An example can be seen below in Figure 4.
Figure 4 – An example of a malicious link on Facebook which leads the victim to a compromised website [13].
With so much private information now readily available online, owing to inadequate personal privacy practices, Social Engineers use social media for precisely targeted attacks against people they have already researched. Attackers 'chat up' their victims on topics of common interest before befriending them for further contact. The objective is often to gain their trust, extract useful information and then use it for financial gain. The same technique is also applied for other nefarious purposes, such as coercion, blackmail, extortion and similar crimes.
In 2015 the Independent reported [14] that a middle-aged divorcee had sent almost one million pounds to someone calling himself 'Chris Oslen' in South Africa, whom she had never met in person. The newspaper reported that the couple met online in 2013 and shortly afterwards began a long-distance relationship.
The scammer claimed to be an Italian businessman on a trip to South Africa. As the relationship deepened, the scammer made up stories about losing his passport and being falsely imprisoned for money laundering. He then asked the victim to send him money for lawyer's fees, bail, food and hotel expenses and, over a period of 18 months, extracted £910,000 from her.
In an interview given to a US TV program called ‘Dr. Phil Show’, the victim made these concluding remarks:
“I am 95% certain that Chris (the scammer) is telling me the truth – that this is legit.” [14]
This despite having admitted, in the same interview, that she had noticed a considerable change in the scammer's accent whilst speaking to him over the phone:
“He sounded Italian, now his accent’s kind of changed, I don’t know if he is adapted to where he’s at… in Benin.” [15]
This unfortunate case bears all the hallmarks of a typical online scam: a Social Engineer becomes an online acquaintance of the victim through a dating website or social media, gains the victim's trust and then manipulates them with fabricated stories in order to obtain money.
The victim's unshaken trust in the scammer brings a well-known saying to mind:
“There is no patch for human stupidity.” – Unknown
Unfortunately, there is (yet) no quick fix that can intervene and stop naive people from trusting dangerous and cunning individuals. Preventative hardware and software controls only work up to a point, and they fail once an inexperienced person is the one making the decision.
The disastrous tendency in the enterprise to invest in technology but not in people usually turns into a huge regret once a breach occurs. A company can install ten different firewalls and intrusion detection systems to protect its data, but these measures are useless at stopping someone from handing their credentials to an attacker in a well-organised Social Engineering attack.
References
[1] K. Mitnick (2012) Ghost in the Wires: My Adventures as the World's Most Wanted Hacker. Little, Brown and Company.
[2] Kaspersky (2015) Kaspersky Security Bulletin 2015, Moscow, Russia: Kaspersky Lab.
[3] John Zorabedian (2015) Did the FBI really say “pay up” for ransomware? Here's what to do…, Available at: https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-really-say-pay-up-for-ransomware-heres-what-to-do/ (Accessed: 23rd June 2016).
[4] Unknown (2015) Ransomware Sample Message, Available at: http://blog.yoocare.com/wp-content/uploads/2012/06/Federal-Bureau-of-Investigation-International-Police-Association-Moneypak-Virus.jpg (Accessed: 23rd June 2016).
[5] Kim Zetter (2015) Teen Who Hacked CIA Director's Email Tells How He Did It, Available at: https://www.wired.com/2015/10/hacker-who-broke-into-cia-director-john-brennan-email-tells-how-he-did-it/ (Accessed: 24th June 2016).
[6] Stanley Milgram (2010) Obedience to Authority: An Experimental View, 1st edn., London, UK: Pinter & Martin Ltd.
[7] Robert B. Cialdini (2007) Influence: The Psychology of Persuasion, 1st edn., US: Harper Business.
[8] Jonathan J. Rusch (1999) ‘The “Social Engineering” of Internet Fraud’, INET'99 proceedings, [Online]. Available at: http://www.isoc.org/isoc/conferences/inet/99/proceedings/3g/3g_2.htm#r19 (Accessed: 27th June 2016).
[9] Jennifer Rankin (August 2015) Drunk airBaltic crew included co-pilot at seven times legal alcohol limit, Available at: https://www.theguardian.com/world/2015/aug/18/drunken-airbaltic-crew-included-co-pilot-at-seven-times-legal-alcohol-limit (Accessed: 29th June 2016).
[10] Consumer Reports (June 2009) State of the Net 2009, Available at: http://www.consumerreports.org/cro/magazine-archive/june-2009/electronics-computers/state-of-the-net/state-of-the-net-2009/state-of-the-net-2009.htm (Accessed: 9th July 2016).
[11] McAfee Labs (Feb 2015) Threats Report, California, US: Intel Security.
[12] Sandra Donnelly (2014) Warning: Phishing emails from HMRC, Available at: http://www.scott-moncrieff.com/news/news-updates/warning-phishing-emails-from-hmrc1 (Accessed: 9th July 2016).
[13] Jose Hernandez (2014) El “malware” reina en facebook, cuidate de los enlaces [“Malware” reigns on Facebook, beware of links], Available at: http://piel-l.org/blog/37247 (Accessed: 12th July 2016).
[14] Lizzie Dearden (2015) US woman sends man in Africa she has never met almost £1 million because they are ‘in love’, Available at: http://www.independent.co.uk/news/world/americas/us-woman-sends-man-in-africa-she-has-never-met-almost-1-million-because-they-are-in-love-10080278.html (Accessed: 12th July 2016).
[15] The Dr. Phil Show (2015) Why A Woman Sent Online Lover She's Never Met More Than $1.4 Million, Available at: https://youtu.be/FBwD_xLj_x8 (Accessed: 12th July 2016).