CASES.LU

In depth articles

Social Engineering

How criminals take advantage of your kindness

It is two in the morning. The telephone rings: it is a member of your company’s IT department. He warns you that a computer virus has infected the computers in your office and has destroyed the documents of all employees. He urgently needs your username and password to save your documents to a safe place. You’re still half asleep when you look at the screen of your phone: the call is actually coming from your company’s number and the caller’s name seems familiar. He also mentions an important project you are working on, that only a few insiders are aware of. Do you provide your supposed colleague with the information? After all, it seems urgent and you certainly don’t want to be responsible for a huge data leak (see: protect your data). How would your colleagues react if they received the same call?

Social Engineering – The Facts

Social Engineering is actually manipulation by deception. We come across social engineering in our everyday lives, e.g. in advertisements, on dating sites or during job interviews. In these specific cases, the “canvasser” tries to behave or sell him or herself to achieve his or her objective.

Unfortunately, the art of manipulation, especially in relation to new media, is often used for unfair purposes. In these cases, human vulnerabilities are exploited. People naturally want to help others and to trust others. In a calculated way (for a prolonged period), scammers build relationships of trust with the target person. At a particular point, the credulity of the victim is exploited to obtain the desired profitable information. This may be money, business secrets, economic advantages or competitive sabotage (see: data classified as important or vital).

Who might be a victim?

In general, anyone can be a victim of social engineering. Wherever there are assets that might be of interest to someone there will be attacks. However, in the workplace people are particularly exposed. Especially if they are in contact with confidential data. It only needs the most insignificant piece of critical information to escape and go to the criminal and you will be the leak in your company’s security plan without even realising it. Even your family, friends and colleagues can attract the attention of spies. Scammers often successfully try to obtain critical information from third parties.

Data that must be protected at all costs

The following information is confidential and should never be disclosed: a company’s in-house secrets, web access logins and passwords, bank details (see also best practice: e-commerce, e-banking).

The following information is highly sensitive and should never be shared with people you have only recently met or do not yet fully trust: professional activity information and personal data such as date of birth, telephone number, email address, etc. Be very careful also with information about third parties, such as colleagues or managers. These people may be being targeted by criminals who are trying to extract information from you about these people.

You should teach your children about “personal data” and how they should handle it.

Remember: scammers get a lot of information in a completely legal way. Companies’ websites often have lists of employees, their position, telephone number, email address and sometimes even their photo. This “victim portrait” is then supplemented using social networks where there is more information about the character, family relations and leisure activities of the person. So always be cautious about publishing data on the Internet and only accept online “friends” who you also know in real life. Make sure your profile is not accessible to “friends of friends”.

Social engineering – even without software!

In general, anyone – private individuals or companies – can be victims of social engineering attacks. It often doesn’t even involve computers or the Internet. A classic example of social engineering is the “grandparent’s scam”: e.g. the scammer calls an elderly person on their landline and says the following: “Hi Grandma! Guess who it is!” The scammer’s best case scenario is that grandmother gives the name of a grandchild, the caller confirms it and then asks for money or other valuables, claiming that they are in an emergency. The scammer then goes in person to fetch the proceeds, pretending to be a friend of the grandchild.

New technologies offer scammers a host of options for achieving their goals through targeted manipulations and information. A particularly dangerous situation arises when the information of a single person is exploited to gain access to the computer system of an organisation. The attacker can easily pass for a system operator, an IT manager or a system engineer.

Often the attacker is not even in direct contact with the victim. Phishing and spam operate based on the principle of social engineering: the victim receives an email that looks like a message from a trustworthy source with content that matches his/her profile. If the scammer has previously discovered that the targeted person likes wellness treatments (e.g. by spying on the social network profiles of the victim), s/he sends an email with the title: “Special offer: 99 euros for a wellness weekend in a luxury hotel”. When the victim opens the email, s/he finds a professional-looking advertisement with a link (“Click here to view the offer”) – clicking the link immediately installs a Trojan on the victim’s computer.

CASES.LU

Even people who are very careful with sensitive information can fall into a social engineering trap.

When they have direct contact (interview) with attackers, people normally do not reveal the target information. But many people, when asked detailed questions that are completely innocuous, end up giving valuable clues without even realising it. This is basically a puzzle: by collecting as much information as possible, the social engineering expert can put together a comprehensive overview. In most cases, the attacker does not even need to spy. Often, those targeted knowingly hand their confidential data over to the scammer on a plate.

What makes us vulnerable?

On the one hand, our “technological negligence” makes us vulnerable to attack. People lose their overview of the different information about them that is moving around new media environments without them realising. Also, some people may treat their sensitive data carelessly, e.g. posting private information on the Web or not bothering “clean” up their online profiles regularly.

On the other hand, we are only human beings. We are always in search of recognition, flattery, compliments, friendships, etc., and we are generally open to interest shown in us as individuals. Human virtues such as helpfulness or weaknesses such as vanity are exploited by attackers to manipulate their victims. Most company employees think that the most important thing is to be a good team-worker and be supportive with colleagues. Often at the expense of security.

Chocolate for a password

In spring 2012, a group of psychology students from the University of Luxembourg pretended to be researchers working on a survey in which 1206 passers-by in Esch sur Alzette, Diekirch and Luxembourg were asked about their IT habits. At strategic moments, the participants were offered a box of chocolates. Following a few introductory questions, with the aim of presenting the subject – “computer” – to the study participants, the researchers quickly went on the attack, i.e. to fish for information about their passwords! The results were frightening: 30% of participants aged 12 to 74 did not hesitate to give their password to the researchers and some even entered it on the questionnaire. Many respondents would not reveal their password but they still mentioned elements contained in the password, thus making the hackers’ attacks easier.

This study shows how important it is, not only to implement technical protection measures (password, firewall, antivirus, etc.), but also to encourage caution and scepticism when being asked to disclose personal data.

Self-monitoring is essential!

The same type of information targeting as in this study, conducted in Luxembourg, is found on the Internet, with the same alarming success rates. Many victims have already fallen into the trap used in the test: “Check the strength of your password!” “Does your password contain your name or the name of a family member?” or “Does it contain a date that is important to you personally?” The primary purpose of these questions is to guess your password for dishonest actions rather than to make it safer. When it comes to sensitive information, we must ask ourselves a few questions! Think carefully: is it really necessary to share this information and what risks does sharing this information involve? (See also: Threats to human resources).

Recognising social engineering

Social engineering can take place indirectly in the form of phishing and spam emails. Phishing emails appear to be sent by a bank or authority and their purpose is to pressurise the recipient to act quickly (“Your account has been blocked”) so that they enter personal data, such as passwords or credit card numbers. Spam, meanwhile, operates based on the principle of advertising. Scammers try to tempt the target person with a product or advertising content and to incite them to open a link included in the email.

Direct attacks take place, for example, during a telephone conversation and do not need to be particularly complex. They may be nothing more than a plain and simple request for information. An attack may seek to obtain information to be used for an attack on a completely different target. Generally, any request for information made by an unknown person about professional activity, personal details and habits, is suspect.

How can we protect ourselves?

  • Any information, even seemingly insignificant, must be considered important and therefore protected.
  • You should also be vigilant regarding seemingly harmless Internet surveys and quizzes.
  • Alarm bells should ring if a person you don’t know becomes very curious. Even if the questions do not directly relate to confidential information.
  • Do not click on unsolicited or suspicious-looking links in emails or on social networks. If in doubt, contact the (supposed) sender to check if the email is legitimate (see also email – best practice, malware: best practice).
  • Never share your Internet or computer login details or password with anyone, even if the request seems very credible. Your company’s IT department does not need them and will never ask you for them. The same applies to banks, online shops or any other services that might ask you for information via email.
  • Never carry out orders for a stranger, whether by telephone, email or direct contact if these orders concern sensitive information.
  • If in doubt, check the identity of your phone or computer contact. On the telephone, you could, for example, ask your correspondent for their telephone number and call them back once you’ve verified it. This preventative measure is a good way to tell if your correspondent actually does have authorised access to the telephone line they’re calling you from.
  • If in doubt, do not make impulsive decisions. Take some time to reflect, so that you free yourself from the aggressor’s pressure. Don’t worry about asking an unknown correspondent to call you back the following day. Doing so will give you chance to consider the situation carefully and resolve the issue calmly.
  • Always log off web sites and other pages online using the button provided for this purpose. If you don’t log out manually, the session may remain open and make it easier for the attackers to gain access.
  • Never open an email attachment from an unknown or suspect sender. The same goes for suspicious files on websites. These attachments may contain Trojans that an attacker will use to access all the files and data saved on your computer (See also: email – best practice, malware: best practice).
  • Never leave paper documents containing sensitive information in plain view. Likewise for documents thrown in the bin. Make any documents you no longer need illegible.

Further information