When we use the term “hacker” in our day-to-day conversation, we tend to associate it with the type of attacker who uses their technical expertise to break into protected computer systems and compromise sensitive data. We hear about this breed of hacker in the news all the time, and we invest millions of rands in new technologies to improve our network defenses.
However, there is another type of attacker who use their tactics to bypass even the most expensive and effective cyber-security technology. They are the social engineers, hackers who exploit the one weakness that is found in each and every institution like a university: human psychology. They use a variety of media, including phone calls and social media, and trick people into offering them access to sensitive information.
So social engineering is a term that covers a broad spectrum of malicious activity. It is a means of attack that leans on human interaction and involves manipulating people. All the methods that I listed in my previous article use social engineering in one forma or another.
The object of a social engineer is to get people to bypass or suppress their natural reserve or suspicion in order to get access to technology systems or data. An example would be someone who calls the secretary of a department pretending to be from the IT Department. They may question the this person and get them to reveal sensitive information such as login names, e-mail addresses, WiFi passwords, etc. They are in essence con-artists!
Whether it is through a phone call or an e-mail, social engineering attacks are always very effective because they rely on the weakest link of security – human beings.
The best historical record of social engineering is the story of the Trojan War from Homer’s Illiad. After a ten-year siege on the Trojans, the Greeks pretended to accept their defeat. They left behind an enormous wooden horse as an offer of peace, and the Trojans opened their city gates to bring in the horse as a victory trophy, but Greeks soldiers were hiding inside the wooden horse, crept out at night, opened the city gates and allowed the Greek army to enter and destroy the city of Troy.
But there are some things you can do to protect yourself:
- First and foremost, be suspicious of anyone who contacts you (via Email or telephone) and appears to know a lot about you. They may be very friendly and attempt to gain your trust, but if you’ve never dealt this this person before, ask yourself how they might come to know so much about you and why they are contacting you.
- If you are contacted by telephone, don’t blindly provide information. If you’re suspicious (that little voice in the back of your mind that says “something is not right here”), hang up.
- Another effective tactic is to offer to call the person back. Ask them for a direct phone number. If they can’t provide one, discontinue the call.
- If they do provide a number, do some of your own research. Can you find a website for the company? Do a Google search on the phone number – does it come back linked to the company name you were given?
As a matter of habit, never give up personal or sensitive information over the phone. Your login name, your ID number, your password, your bank account number should never be provided to someone on a phone call (or in an e-mail for that matter). If the person you’re speaking with is persistent in trying to get this information from you, explain that you are concerned about security and do not wish to provide this information over the phone. If they don’t accept that explanation, they should not be trusted.
Take a long, hard look at your social media presence. How much do you reveal about yourself to the social media world? Do you provide information about your position with a company and does that make you a target for a social engineering attack? Do you share your habits – such as where you shop, or where you attend gym, or where you like to eat or socialize? Even the most mundane information you share about yourself online could be used as an angle in a social engineering attack.
Any social engineer is likely to have done their homework on you ahead of time. Not only are your inboxes and phone lines being targeted, your social media sites are too. Whether it’s selfies or cat videos, most us like to tweet, tag, link, comment, like, and post online. Platforms like Facebook and Instagram are full of information social engineers can use.
How many personal details are displayed on your department or Facebook page? I have seen department webpages with personal cellphone numbers displayed for anybody to call.
This past week, my mailbox has been inundated with people concerned about the growth of “extortion phishing” e-mails. Extortion phishing is the practice of obtaining money through force or threats via email. In this instance the victim receives an email suggesting they have been recorded through their webcam whilst watching adult websites. The criminals behind this demands a ransom in Bitcoin or some untraceable cryptocurrency and threatens to circulate the recording to their contacts unless payment is made. Often scammers state that they know your password, have installed malware on the computer, demand a payment.
What is really worrying about this new extortion phish threat is not that it plays on our own innate sense of guilt that we might have been caught doing something wrong, but that the passwords that they say they have are often correct or close to correct because they have been leaked out from data breaches. Many times these password are old and haven’t been used for months or years, but in some cases the passwords have remain unchanged or have only changed by a single letter or number changed. Your password and e-mail address is potentially out there for all to see!
How many times would I have to guess the correct password if the old password is “christopher” and the new password is “Christopher123″.
One way to check if your username and password has been leaked in a data breach is to make use of sites like the Firefox Monitor. You can enter in your e-mail address and the site will tell you if your information such as e-mail address and password has been compromised.
Social Engineering attacks range from unsophisticated attacks, by simply lying to get information, to very elaborate attacks (specifically designed websites to attack targets). The one thing they have in common is that they exploit the weakest link – human beings.
For this reason, these types of attacks will continue to increase so being aware and cautious is the best defense.
Next time I will focus a little more on the type of attacks the university has suffered over the past year or so, and how to spot them.
Keep safe out there,
David Wiles