Social engineering: When people are the weakest link in the chain
Sep 20, 2021
It would certainly be possible to write a text about social engineering and social hacking that does not include the old wisdom "Where people work, mistakes are made!"
On the other hand, the phrase simply describes the underlying problem too accurately. Stress, convenience, fear of superiors and confusing responsibilities can be factors that encourage such attacks on companies.
Hackers are increasingly being stopped by technical protection measures in the IT sector. Classic malware is increasingly detected by virus scanners or cannot be executed on a computer in the first place. As a result, cyber criminals often shift their activities to getting authorized persons to undermine or disable security mechanisms for them. In addition to hardening their own IT infrastructures, managers should therefore also raise awareness among their own employees in order to make social hacking more difficult.
Social engineering vs. social hacking
The terms "social engineering" and "social hacking" are often used interchangeably, and in terms of content they are closely related. What both have in common is that they rely on manipulating people. To do this, criminals construct a threatening scenario, often with a great deal of effort. This is intended to put those affected under pressure and thus induce them to act rashly. If security mechanisms of the IT network are bypassed during such an attack and access is gained in this way, this is explicitly referred to as social hacking. There may be people who are actually immune to such "social" attacks. However, it is more realistic to assume that almost anyone could be caught "on the wrong foot" in a suitable situation.
When it comes to social engineering, criminals simply rely on sheer volume. The entry point is often freely available information from the Internet or even the telephone directory. Away from cybercrime, for example, the so-called grandson trick has been working for years. Perpetrators call elderly people and pretend to be their grandchildren. If they manage to gain the trust of the person they are calling, they usually ask them for money, which they urgently need because of an alleged emergency. Despite appropriate awareness campaigns, this method still works. If one assumes that nowadays not every person of retirement age is recognizable by an old-fashioned first name, one can imagine how many calls are necessary to find suitable victims.
This insight can be applied to cybercrime and social hacking. By systematically searching the Internet, criminals can easily identify countless companies from specific industries. There is also sufficient freely available information on many of them. Helpful facts include the names of department heads and managing directors. It is also valuable to know who is responsible for the administration of the company network.
After that, it is simply laborious work for the perpetrators to contact enough companies and hope that employees will follow their made-up scenario and, for example, hand over access credentials to the supposed employee of an IT service provider.
How does a social hacking attack work?
Social engineering attacks rely on familiar human reactions. Fear, curiosity or even mere pity for a person supposedly in distress can serve as the lever. Certain scenarios have an effect on people from any social class and regardless of their level of education. In the past, victims of investment fraudsters who promised returns far above market rates were often doctors, lawyers and even psychologists. The prospect of high financial profits, combined with an elaborately constructed facade, ensured in many known cases that highly intelligent people fell for fraudsters. Therefore, dismissing the success of a social engineering attack as the failure of individuals does not do justice to the problem.
Criminals have developed some scenarios that regularly lead to successful social hacking:
- CEO fraud: In this variant, fraudsters pretend to be high-ranking executives from the company. They inform the employee, for example, that an important transaction is pending and that a transfer must be made immediately. For this reason, the normally prescribed communication channel supposedly cannot be adhered to. If contact is made by telephone, the criminals also use caller ID spoofing to simulate the actual telephone number of the supposed caller. It has been shown in the past that employees in such a situation often do not have the courage to question the transaction they have been instructed to carry out. In addition, perpetrators often have the opportunity to scout out actual business partners in advance. The use of real names and project designations from the business partners' environment increases credibility enormously.
- Phishing: This method aims to obtain login credentials for important accounts. It is already known from the field of online banking fraud. However, a comparable scam is also used in the corporate environment. Contact is made by e-mail or telephone, and fraudsters often use a combination of the two. For example, they first send a forged e-mail announcing urgent IT maintenance work. Names and telephone numbers of supposedly authorized employees may also be listed there. This is followed by a call from a supposed IT employee, who then demands, for example, that access credentials be disclosed in order to carry out remote maintenance work.
- Ransomware: Attacks of this kind are now often carefully planned and take place over a long period of time. This can be explained, among other things, by the high profits that criminals have been able to make in this way in the past. The initial goal is to get an employee to execute the attachment of an e-mail. In this context, macro viruses within Office documents have also regained importance. Since their execution is usually disabled by default in corporate networks, the attackers need, for example, an authorized person to allow this manually. Scenarios from the area of CEO fraud are suitable for this, in which security requirements are to be disregarded at short notice out of supposed urgency. The same applies to simple helpfulness, for example when a "customer" politely asks an employee to look at an attachment for important reasons. Execution of the malware results in encryption of company data. The criminals' overriding goal is to offer decryption in exchange for payment of a large ransom.
- The "cheap opportunity": Of course, new scams are invented regularly. Accordingly, caution is advised with unusually good odds and supposedly once-in-a-lifetime opportunities. In most people there is probably a bargain hunter who finds it hard to pass up a good offer. Especially in the area of social hacking, it is not necessary to directly access the assets of the attacked person. The infiltration of malware into a corporate network can be the initial step for numerous criminal acts, including computer sabotage, data theft and blackmail. The trigger for this is often the hasty opening of an e-mail attachment.
Eliminate favorable factors for social hacking
Healthy distrust and a moment's reflection by employees are important building blocks for making social engineering attacks go nowhere. Some prerequisites for this are:
- Regular training and sensitization of employees
- Requirements such as the dual control (four-eyes) principle and two-factor authentication for important transactions
- Encouraging employees to ask superiors questions
- Acknowledging critical inquiries positively rather than treating them as a nuisance
- Technical prevention of critical actions via group policy
- Use of SPF (Sender Policy Framework) or encryption of e-mails to prevent sender spoofing
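SPF, the last item above, works by letting a domain publish which mail servers may send on its behalf, so a receiving server can reject a forged "CEO" e-mail that arrives from an unauthorized address. The following is an added illustration, not code from the original article: a minimal SPF evaluator that handles the ip4, include and all mechanisms over a constructed DNS table (the domains, records and IP addresses are invented for the example).

```python
import ipaddress

# Constructed DNS data for the example: a hypothetical company domain, the
# SPF record its administrators published, and the record of its mail provider.
DNS_TXT = {
    "example-company.test": "v=spf1 ip4:203.0.113.0/24 include:mail-provider.test -all",
    "mail-provider.test": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain from the constructed table, or None."""
    txt = DNS_TXT.get(domain, "")
    return txt if txt.startswith("v=spf1") else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the connecting IP against the envelope-sender domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4:, include: and all are implemented; anything else is a permerror here.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10; stop runaway includes
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":  # recursive check; only a "pass" of the included record counts
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    # A forged "urgent transfer" mail claiming to come from the company, sent from
    # an address outside its published senders, fails; the legitimate paths pass.
    for ip in ("192.0.2.55", "203.0.113.25", "198.51.100.10"):
        print(ip, "->", check_spf("example-company.test", ip))
```

SPF only covers the envelope sender; in practice DMARC ties this result to the From: header the employee actually sees, and a real implementation would query DNS instead of the table used here.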
Sensitization as a permanent task
The industry association bitkom estimated that the damage caused to the economy by cybercrime already exceeded 100 billion euros in 2019. This includes around 10 billion euros in suspected ransom payments obtained through extortion. With such high profit prospects, it cannot be assumed that the phenomenon of cybercrime will become less relevant in the coming years.
At the same time, improved technical protection measures mean that employees are increasingly becoming the focus of criminals. This has been demonstrated by numerous successful social hacking attacks on companies and organizations. Including employees in a holistic IT protection concept should therefore become a matter of course.