Social engineering in cyber-crime

Whether you realised it or not, hacking by social engineering is something we’ve all probably done. It might have been ‘tail-gating’ into a lift because we forgot an access card, or the fake limp to get the last carpark at a shopping mall at Christmas time.

To recap on my previous article – Hacking and Social Engineering – social engineering is the art of psychological manipulation to gain access to buildings, data, or systems rather than by breaking in or using technical hacking techniques.

So, what are some social engineering techniques used in a cybercrime context? Unfortunately, there are hundreds of different social engineering hacking methods, so in this article we will only be going through some of the common techniques.

Pretexting

Pretexting is where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information.

This might be as simple as trolling through social media account as finding that the CEO of a large company has a sister that has cancer. The hacker might make contact with the target CEO about a cancer research charity which the hacker invents. They then send the CEO a pdf brochure on the fake charity that is infected with malware.

Malware is short for malicious software, is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other intentionally harmful programs.

Another example might be that there is an internet outage in the office building. The hacker rings or turns up at the company purporting to be from the internet company. They use this to give the impression they are authorized to ask about the internet security and to gain further information the internet security.

They then use this information to access the company’s data or leave information gathering software on the network. Pretexting is also a common method used by investigators too.

Diversion

This is where the hacker intercepts information and moving it to a place they control. Like all social engineering it involves a ‘con’. Three far too common examples involve the hacker sending the company an email from a ‘supplier’ advising of a change in bank details or adding an email address as a ‘cc’ in an email chain.

The hacker may have seen on Facebook that your business partner is on holiday. They send an email to you from a fictitious personal email address from your business partner saying they are having problems accessing their work email and asking you to send through the latest financials or strategic plan.

Baiting

You’re sitting at the bus stop and a fellow traveller starts a conversion with you. Their bus arrives, and they hop on and as the bus pulls away you notice they have left a bag behind. You look in the bag and there is a USB stick. You’d really like to get the bag and its contents to the owner and you put the USB into your computer. Voilà! Your whole company’s network is infected with malware.

Baiting can even occur through engaging with a stranger at a footy match and you unsuspecting divulge some sensitive information.

Phishing or spear phishing

Probably the most common and probably the most exploited form of social engineering. Phishing (or also known as spoofing) is the sending of fake messages such as emails or text messages that look like they are authentic with the aim to induce individuals to reveal confidential information – usernames, passwords, etc.

Spear phishing is a form of phishing, but the message is targeted to an individual. Common types of phishing emails are ones purporting to be from utilities companies, banks, or government departments.

A recent real example I saw was an email I received purporting to be from a contact of mine on LinkedIn. A Nigerian scammer hacked a Canadian Engineering company’s website and email list and obtained my LinkedIn contact’s details. They scanned and attached his title and sent emails to all his LinkedIn contacts purporting to be the real LinkedIn contact.

Waterholing

Waterholing leverages the trust people have in websites they visit often and feel safe using, and safe clicking on links. The hacker prepares a trap at the prey’s favoured waterhole by inserting a link on the website. The link usually has some type of malware whereby the hacker can gain information to further attack the prey.

Quid pro quo

Quid pro quo means something for something. A quid pro quo attack occurs when the hacker offers a service or benefit in exchange for information or access and is a derivation of baiting.

The most common form of a quid pro quo attack occurs when a hacker impersonates an IT specialist for a large company. That hacker spam calls a number of direct employee numbers of a specific company office and, when said hacker gets an employee on the phone, then offers the employee target some kind of upgrade to their work machine.

They might tell the employee to disable their anti-virus software temporarily to install a bogus ‘fix’ or software update.  The employee, thinking they are following the commands of the bogus IT person, then allows the hacker access to their machine, upon which malware is then installed.

This type of attack is typically only found in large companies. In small to medium-sized businesses the smaller numbers of employees usually mean everyone knows the IT people by name.

In my next article I’ll discuss some actions to take when you discover that you’re a hacking victim.