Social Engineering

Common techniques of Human Hacking (Social Engineering)

There are several methods of clandestinely approaching people with malicious intent. Sometimes it is no more than an email exchange with misleading text and a simple click-through option ('activate via this button'): phishing. But often it is combined with other forms: spoofing, laptop distraction, baiting, shoulder surfing, dumpster diving, SIM swap, smishing, CEO fraud, and so on. All of these techniques can be used in combination with each other, or in combination with telephone or physical contact, and also in or alongside video conference meetings. Deepfakes are also appearing more often: manipulated footage in which a person appears to say on screen something they would never normally say, almost indistinguishable from the real thing.


The techniques are renewed, developed further, refined and deployed in the spirit of the times in which they are profitable. The SIM swap technique, for example, was attractive for a while. The most notable case was that of Jack Dorsey, former CEO of Twitter, whose phone number was hijacked (August 2019), causing damage1. Today, "Smishing attacks continue to increase as more companies move to a remote/hybrid workforce". This can be deduced from a study by the Pew Research Center2: according to its data, 59% of US workers whose jobs can be done from home now work from home all or most of the time. As a result, employees use more mobile devices such as a phone or tablet to access company information and accounts.
Social engineers are taking advantage of this reliance on mobile devices. They use the popular messaging apps and digital channels that support productivity. Apps such as Facebook, Messenger, WhatsApp, LinkedIn, Zoom, Microsoft Teams and Google are ideal for this. This makes smishing a significant threat to companies and organizations.

The word smishing is a combination of SMS (Short Message Service), the technology that started mobile texting, and phishing. In both cases, the goal of the human hacker is to steal company, personal or financial information or resources. More innocent, and harder to resist, is a request for help. A request for help reads as an ordinary social interaction, which makes it more difficult to distinguish from a malicious one.
In another case, a victim responded to such a request; here is his example: "The victim is, as he himself says, 'an Amazon addict', i.e. he orders most of his purchases from the Amazon web store. When at some point an email from Amazon appeared in his mailbox about an overdue payment for the purchase of a book, he, the prompt payer that he is, clicked on the attached button. He immediately realized that he had acted prematurely. Normally he checks the origin of the mail and the URL, but not this time. So the fact that he trusts Amazon because of his experience with their service turned out to be a trap; he became the subject of a phishing attack."


That trust is one of the most important goals of a social engineer. If the human hacker wants people, i.e. the victim, to act, he or she must have the other person's trust. Without a relationship of trust, the hack becomes more difficult or fails altogether. Knowing this is frustrating, to say the least: must you then distrust everyone until the contrary is proven, or can you still assume the obvious? It is logical (and more or less culturally determined) to offer service, to answer the phone, to hold the door open, to guide someone, to trust the boss, and so on. That fits not only our Dutch culture but most cultures. Social skills, the capacity for empathy, helpfulness and the like are human factors (the Human Factor), but they are also the starting points for the human hacker's actions. Abuse of the other person's goodwill is obvious here.


Another example: an advanced 'Teams' attack. As reported by VentureBeat3, a human hacker posing as the CEO of a large company, who was known to be on a business trip to China, sent a WhatsApp message to several employees of the company asking them to join a Teams meeting. When the employees joined the meeting, they thought they were seeing the CEO live on screen. In reality it was a scraped video feed4 of the CEO taken from an earlier TV interview. To make the fraud more convincing, the human hacker added a fake background so that the CEO appeared to be in China. The difficulty was that no audio feed was available for the meeting. The 'CEO' claimed to be having issues with his audio and told the employees: "since I can't get this to work, you guys have to send me the information on this SharePoint link." The result is that the 'CEO' obtained data he would normally not have had access to. Seeing and recognizing their 'CEO' created trust, and that trust created helpfulness: the social virtue of wanting to help people, in this case the boss. Note that nothing in the meeting itself could have confirmed who was on the other end; only a check outside it (a call back to the CEO's known number) would have.

How do organizations deal with human-hack attacks? How do you recognize a social engineer, a human hack, and more specifically a smishing attack? If those questions are justified, then the follow-up question also applies: what to do about it.
Is there knowledge on board of how a hacking attack works? Knowledge alone is not enough; converting knowledge into action may require behavioural adjustments. Do employees know what to do (report and counteract), and can behaviour be steered so that everyone contributes to the safety of colleagues and the organization? One practical rule covers every variant described above: an unexpected request to send data, transfer money or grant access is verified through a second channel that the requester did not choose (a call to a number already on file, never the number or link in the message) before anything is sent. Cyber security does not stop at installing firewalls and virus scanners. There is increasing awareness that employees must be adequately guided in (safe) behaviour with regard to, among other things, the use of IT equipment, but also in interpersonal relationships. Persuasion lurks in social interaction: the other person can communicate persuasively and rationally (sometimes emotionally) in order to make the interlocutor change their mind. This allows a relationship of trust to grow quickly, perhaps not in the direction the organization would like to see.


In addition to securing the digital highway, organizations will also have to pay more attention to employees. It does not stop with training alone, and assuming that the competency 'integrity' is fine can be devastating. Ultimately, the employee must be able to apply the knowledge provided independently, in behaviour and in operational actions, as part of standard practice. Attention will therefore have to be paid to steering people's behaviour. You simply cannot be alert or show awareness 24/7; there are moments when attention slackens. By steering behaviour and pointing employees to their place in the organization, showing them the importance of the position they hold, you give them a responsibility that you can appeal to as an organization.

Triple I communication provides training courses and workshops for gatekeepers, (middle) management and, above all, the workplace, so that staff become more familiar with the phenomenon of social engineering. That does not mean they are trained as social engineers themselves. Topics include the five phases that underlie an attack (the engagement model), what a social engineer focuses on (behavioural styles), and how to translate this information into one's own behaviour and organization, with recommendations in the field of personnel policy, compartmentalisation, handling of company data, and so on. For more information: www.tri-c.nl.

1 In a SIM swap, a hacker convinces or bribes a provider employee to transfer the number associated with a SIM card to another device, after which they can intercept two-factor authentication codes sent by text message. (It is hard to stop a determined SIM swapper, but switch from SMS two-factor authentication to an authenticator app: the app computes its codes from a secret stored on the device, so re-routing the phone number gains the attacker nothing.)
2 Pew Research Center is an independent fact tank that educates the public about the issues, attitudes, and trends shaping the world.
3 VentureBeat is an American technology website headquartered in San Francisco, California. It publishes news, analysis, long features, interviews, and videos. VentureBeat, founded in 2006, is the leading source for.
4 A scraped video feed is content copied from other sites or videos, with the aim of monetizing or manipulating the copied content.
