The Anatomy of a Social Engineering Attack

John Podesta, a key staffer for the Hillary Clinton presidential campaign, received an email that appeared to come from Google. It warned him that someone had tried to access his account and prompted him to change his password. John clicked the link and entered his current username and password. Unfortunately for John, this was a phishing email, and the password-reset page behind the link had been set up by the attackers to capture his credentials. They used those credentials to download his entire mailbox. The emails were later released to the public by WikiLeaks, causing quite a stir.

Why are we so susceptible to these attacks? There are six (6) principles that social engineers use to deceive us. The first is reciprocity. Reciprocity suggests that people feel obligated to return favors received from others: if you do something for me, I will be happy to do something for you. Many scams use a free gift or a prize to entice victims to click a link or provide information.

Another method that social engineers use is social proof. This concept suggests that people are more likely to take an action if they see others doing it. This works especially well in ambiguous or unfamiliar situations. A familiar tactic is the website banner that says 57 people in your area have recently purchased this item.

Authority is a huge tactic that social engineers use, and the one employed above to get John to click on that link. Scammers often pretend to be people from the government or your IT department or one of your trusted vendors. Since they are in authority, you usually trust them and do what they suggest.

Commitment and consistency suggest that once individuals make a public commitment or take a small initial action, they are more likely to remain consistent with that commitment or action in the future. Some phishing scams ask recipients to confirm their email address "for security purposes." Once they click the link, the victim feels committed to engaging with the sender, and the scammer then asks for more personal information or login credentials.

Social engineers use “likability and empathy” to build rapport and trust with their targets by establishing a sense of familiarity and likability. They may mirror the victim’s behaviors, interests, or communications styles.

The final principle to discuss is scarcity. The emotion being pushed here is the fear of missing out. This may look like those familiar statements “for a limited time only” or “while supplies last.” This encourages the target to act quickly out of emotion, rather than slowly, logically, and methodically considering what is being offered.

Let us look at some of the scams out there to see which principles they use. The tax collector scam impersonates an IRS agent, usually by text message or a prerecorded voicemail. The scammer may send you a "form" to pay and may demand payment in gift cards or bitcoin. The scam uses "Authority" to intimidate people into compliance, sometimes threatening arrest or revocation of a driver's license. It also uses commitment and consistency: once the victim is pulled into the conversation, they feel committed to continuing it. Some tells on this scam: the IRS will not ask for payment in bitcoin or gift cards; it does not send forms by email (forms are downloaded from its website); and the IRS cannot revoke your driver's license.

The "pig butchering" scam uses "likability and empathy" to capture the victim's trust and "commitment and consistency" once the victim is engaged. This scam usually starts with a wrong-number text or a dating-app match. Once the scammer has built trust, they mention their success in bitcoin and their connection to an insider with exclusive access, which is "scarcity" at work. They then share a fake trading website with the victim.

When the victim uses the site, they watch their balance grow on screen and invest more money, hence the name of the scam: the scammer is fattening the victim up until they cut contact and take everything. Do not use any trading platform or digital wallet that you have not thoroughly researched.

So, if you are approached via email, text, or phone slow down, take the emotion out, and determine if it is legitimate. If the proposal sounds too good to be true, identify what social engineering principles are being employed and why.
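The Podesta email worked because the link's visible text looked like Google while its real destination did not. A practitioner's first mechanical check is to compare where each link says it goes with where it actually goes. The script below is an added example for this page, not code from the original article; the HTML email body is constructed for the example (it is not the real Podesta message), the expected-domain set is an assumption, and the registered-domain helper is a naive last-two-labels approximation rather than a Public Suffix List lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (hypothetical): the first link displays a
# google.com URL but points at a look-alike domain; the second is legitimate.
SAMPLE_EMAIL_HTML = """
<p>Someone just used your password to try to sign in to your Google Account.</p>
<p>You should change your password immediately.</p>
<p><a href="https://accounts-google.com.example-login.net/reset">https://myaccount.google.com/security</a></p>
<p><a href="https://support.google.com/accounts">Learn more</a></p>
"""

# Assumption for the example: the only domain this kind of notice may link to.
EXPECTED_DOMAINS = {"google.com"}


def registered_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels of a hostname.
    A production tool should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_links(html: str, expected_domains: set[str]) -> list[dict]:
    """Flag links whose destination is outside the expected domains or whose
    visible text claims a different domain than the href actually targets."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = registered_domain(host)
        reasons = []
        if target not in expected_domains:
            reasons.append(f"destination domain {target!r} is not in the expected set")
        # If the visible text is itself a URL, it must agree with the real target.
        m = re.match(r"https?://([^/\s]+)", text)
        if m and registered_domain(m.group(1)) != target:
            reasons.append(
                f"visible text claims {registered_domain(m.group(1))!r} "
                f"but the link goes to {target!r}"
            )
        findings.append({"href": href, "text": text, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL_HTML, EXPECTED_DOMAINS):
        print(("SUSPICIOUS" if f["suspicious"] else "ok").ljust(11), f["href"])
        for reason in f["reasons"]:
            print("            -", reason)
```

The text/href mismatch is the stronger signal of the two: a legitimate sender has no reason to display one URL and link to another. The naive domain split is deliberately simple; hosts under multi-label suffixes such as co.uk will be mis-grouped until a Public Suffix List lookup replaces `registered_domain`.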


Minor Mistakes, Costly Consequences

The Launch:  It was 6:45 PM UTC on December 11, 1998.  After years of engineering effort and toil, the Mars Climate Orbiter was launched.  The spacecraft was designed to study Mars from orbit and to serve as a communications relay for the Mars Polar Lander.  Its goal was to determine the distribution of water on Mars and to monitor the Red Planet's daily weather and atmospheric conditions.  The team celebrated as the Mars Climate Orbiter took the first step of its journey of more than nine months to Mars.

The End:  Fast forward 286 days to September 23, 1999.   The orbiter had navigated 140 million miles (225 million kilometers) to Mars with only minor course corrections along the way.  This was the day the Mars Climate Orbiter would enter orbit around Mars.  The key to success was keeping the spacecraft higher than 80 km above the surface.  Any lower and drag and heating in Mars' atmosphere would tear the fragile spacecraft apart.    The first sign of trouble came during the orbit insertion burn.  The engineers expected to lose contact while the spacecraft passed behind the planet, but the loss of signal came 49 seconds earlier than predicted.  Instead of returning about twenty minutes later, the signal never came back.

What Happened:  The celebration was replaced with an investigation.  What happened?  It turned out that the orbiter had passed far below the 80 km safety floor, at roughly 57 km above the surface, deep enough into the atmosphere to be destroyed.  After traversing 225 million kilometers of space, how could the altitude be off by that much?

The Answer:  English units versus metric.   The ground software that computed the impulse imparted by the spacecraft's small thruster firings reported its results in pound-force seconds, while the navigation software that consumed that data assumed the SI unit, newton seconds.  One pound-force is about 4.45 newtons, so every reported impulse was understated by a factor of roughly 4.45.  Each individual event was small, but the error accumulated over the cruise.  Navigators noticed along the way that the trajectory needed more correction than their models predicted, but no one connected those discrepancies to a unit mismatch.
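The failure was an interface contract that lived only in people's heads: both sides exchanged a bare number and each assumed a different unit. The code below is an added example for this page, not the mission's software or the original article's code. It models the mismatch with invented producer/consumer functions and then the fix: a value type that carries its unit so the boundary converts explicitly and refuses unlabeled numbers. The names, the 1 lbf = 4.448222 N constant, and the choice of Python runtime checks (a statically typed language could enforce the same thing at compile time) are assumptions of the example.

```python
from dataclasses import dataclass

NEWTONS_PER_LBF = 4.448222  # 1 pound-force in newtons (assumed constant for the example)


# --- Before: bare floats cross the interface; the unit is implicit on both sides.

def producer_report_impulse_lbfs(thrust_lbf: float, burn_seconds: float) -> float:
    """Thruster team (hypothetical): impulse of a burn in lbf*s. The unit is not encoded."""
    return thrust_lbf * burn_seconds


def consumer_apply_impulse_ns(impulse: float, mass_kg: float) -> float:
    """Navigation team (hypothetical): velocity change in m/s, assuming N*s input."""
    return impulse / mass_kg


def unsafe_delta_v(thrust_lbf: float, burn_seconds: float, mass_kg: float) -> float:
    """Nothing stops a lbf*s number flowing into a function that expects N*s."""
    return consumer_apply_impulse_ns(
        producer_report_impulse_lbfs(thrust_lbf, burn_seconds), mass_kg)


def true_delta_v(thrust_lbf: float, burn_seconds: float, mass_kg: float) -> float:
    """Reference value with the conversion applied correctly."""
    return thrust_lbf * NEWTONS_PER_LBF * burn_seconds / mass_kg


# --- After: the unit travels with the value and the boundary converts explicitly.

@dataclass(frozen=True)
class Impulse:
    value: float
    unit: str  # "N*s" or "lbf*s"

    def to_newton_seconds(self) -> float:
        if self.unit == "N*s":
            return self.value
        if self.unit == "lbf*s":
            return self.value * NEWTONS_PER_LBF
        raise ValueError(f"unknown impulse unit {self.unit!r}")


def producer_report_impulse(thrust_lbf: float, burn_seconds: float) -> Impulse:
    """The producer may keep its native unit, but must label it."""
    return Impulse(thrust_lbf * burn_seconds, "lbf*s")


def consumer_apply_impulse(impulse: Impulse, mass_kg: float) -> float:
    """The consumer refuses anything that does not declare its unit."""
    if not isinstance(impulse, Impulse):
        raise TypeError("impulse must carry its unit; refusing a bare number")
    return impulse.to_newton_seconds() / mass_kg


def safe_delta_v(thrust_lbf: float, burn_seconds: float, mass_kg: float) -> float:
    return consumer_apply_impulse(producer_report_impulse(thrust_lbf, burn_seconds), mass_kg)


def rejects_bare_number(value: float) -> bool:
    """True if the hardened consumer rejects an unlabeled float."""
    try:
        consumer_apply_impulse(value, 1.0)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    # Illustrative burn: 1 lbf thruster firing for 2 s on a 600 kg spacecraft (made-up numbers).
    bad, good = unsafe_delta_v(1.0, 2.0, 600.0), safe_delta_v(1.0, 2.0, 600.0)
    print(f"navigation model saw {bad:.6f} m/s, reality was {good:.6f} m/s")
    print(f"understated by a factor of {good / bad:.3f}")
```

The point is not the particular units: any value that crosses a team or module boundary as a raw number invites the same silent error, whether it is seconds versus milliseconds, bytes versus characters, or a hash of one encoding compared with a hash of another. Making the contract explicit in the type turns a months-long drift into an immediate failure.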

Costly: This was a $327 million mistake – $193 million on spacecraft development, $92 million on the launch, and $42 million for mission operations.  Wow!

Employee Mistakes:  Hopefully, mistakes at your workplace don't cost your company that much, but breach statistics consistently show that a large share of cybersecurity incidents trace back to an employee's mistake.  These are breaches that would not have happened had the employee not slipped.

No Public WiFis:  One of the biggest mistakes people make is to trust public wifi hotspots.  That's right, do not trust any public hotspot.  Whoever runs the access point, and anyone else on the same network, can observe or tamper with traffic that is not encrypted end to end, and a rogue hotspot can impersonate a legitimate one.  If you must use one, connect through the company VPN, never click past a certificate warning, and keep sensitive work off it entirely.

Proper Use Required:  Another employee mistake is "inappropriate use of IT resources."  Examples include non-work-related web surfing, peer-to-peer file sharing, unlicensed software, pirated music or videos, and non-approved remote access programs.  Remember, on the internet, if something is free, then you are the product.   Such sites and applications frequently carry malware and give attackers a foothold in your organization.

Social Engineering:  Another employee mistake in the cyber arena is falling for social engineering. Hackers use human emotions to manipulate people into downloading their malware or buying gift cards or wiring money.  Either out of fear or a sense of helping someone, we get tricked into doing something that harms us.  

It's Avoidable:  Just like the unit conversion on the Mars Climate Orbiter, these mistakes can be avoided.  Education and training are key.   Your staff should be able to recognize a phishing attempt and know enough to avoid public wifi. Cybersecurity training should not be a once-a-year requirement.  Employees should get periodic training and simulated phishing exercises.  Breaches are costly, and as the old saying goes, "An ounce of prevention is worth a pound of cure."

Avoid the Pain, Train: Whether you are orbiting Mars or providing services to valuable clients, it is always prudent to check your math and your cybersecurity.  Train to avoid the pain.