Cybercriminals using social engineering have, in recent years, benefited from more refined methods that give them greater certainty of getting the information they want, exploiting the psychology of corporate workers in particular and of people in general. The first step to withstanding such tricks is understanding the tactics the malefactors use. Let's review several widely used social engineering approaches.
In the 90s it was Kevin Mitnick, a top cybersecurity luminary and a former hacker, who coined the term Social Engineering. However, the malefactors had benefited from such methods long before the concept itself surfaced. Experts believe the tactics of modern cybercriminals come down to two core activities: password stealing and malware installation. The malefactors apply social engineering over the phone, by email, and on the web. Below you will find the key methods the criminals use to procure the confidential data they hunt for.
Tactic 1. Six degrees of separation
The key goal for a malefactor using his phone for social engineering is to convince his victim of one of the following: that a corporate employee is calling, or that an authority representative (a law enforcement officer or an auditor) is calling. Where a criminal wants to collect data on a particular employee, he may first contact that employee's colleagues, trying every possible way to phish the data he is hunting for. Remember the somewhat old-fashioned theory of the Six Degrees of Separation? That is to say, there are only six degrees of separation between a cybercriminal and his victim. Experts assume that contemporary conditions call for a bit of paranoid behaviour, as long as it is not quite clear what a person claiming to be an employee may want from you.
Malefactors typically contact a secretary (or a person of similar occupation) in order to collect data on people holding higher positions in the corporate hierarchy. Experts believe that a friendly tone helps crooks a lot. Slowly but steadily, criminals find the right key to you, so it is only a matter of time before you share information that you would otherwise never disclose.
Tactic 2. Learning corporate language
Each industry has its own specific terms. A malefactor trying to get the information he needs will learn the peculiarities of that language so he can be more sophisticated in using social engineering techniques. It's all about learning the corporate language and its terms. Where a cybercriminal speaks the language that the target audience is used to and understands, he is more likely to gain trust and get the data he hunts for.
Tactic 3. Borrowing music for call waiting
A successful attack requires the crooks to have three components in place: time, persistence and patience. Typically, cyberattacks involving social engineering run slowly, and data about future victims and the social signals around them is collected routinely. The aim is winning the trust of the target and hoodwinking them. For example, the malefactors may convince the workers they communicate with that they are their colleagues. One of the key tricks of this approach is the hold music the company plays while a caller is waiting. A culprit first calls in to hear that music, records it, and then uses the recording for his own benefit. For example, during a conversation with the victim, the malefactor may suddenly interrupt with something like: 'Wait a minute, incoming call on the second line'. Then the victim hears the familiar music, leaving no room for doubt that the caller represents the company in question. In fact, it is just a competent use of psychological techniques.
Tactic 4. Caller ID spoofing
Criminals often resort to spoofing phone numbers to set a misleading Caller ID. For instance, a malefactor may stay in his own house and dial a target person. A number belonging to the target company will be displayed on the victim's side, which creates the illusion that the fraudster is calling from the corporate number. It's understood that when the phone displays their corporate number, the unsuspecting staff in most cases would hand over confidential details, including passwords, to the caller. Such an approach also helps the culprits avoid tracking, as any call back to the displayed number will be routed into the company's internal phone network rather than to the fraudster.
Tactic 5. Breaking news watching you
Whatever the current headlines are, the malefactors always try to use them as a lure for users in spam, phishing, and other fraudulent schemes. To that end, observers have lately reported an increase in the number of spam emails featuring a presidential campaign or an economic crisis. Such messages often include links to infected websites containing malware disguised as useful programs.
A phishing attack on any bank is a typical scheme to outline. This starts with an email reading roughly as follows: “The other Bank [name indicated] is acquiring your Bank [name indicated]. Please click this link in order to make sure your data remains up-to-date.” Needless to say, this is an attempt to get information that might enable the crooks to sign in to your account, steal your money or sell your data to a third party.
Tactic 6. Abusing your trust in social networks
Everyone knows that Facebook and LinkedIn are extremely popular social networks. Studies reveal that people tend to trust those platforms. The spear phishing case aimed at LinkedIn users supports this assumption. In addition, many users would trust an email that claims it originates from Facebook. A common trick revolves around a fake announcement that maintenance of the social network is in progress and invites you to click the link provided to update your information. That is exactly why security specialists suggest that corporate staff enter the website URL manually in order to avoid a phishing link. It is also good to note that websites very seldom send users requests to update their accounts.
Tactic 7. Typosquatting
This malicious technique has gained its ill fame because the malefactors exploit the human errors that produce typos when entering URLs into the browser address bar. A person mistyping a single character might land on a website created by the malefactors. Cybercriminals thoroughly prepare the ground for typosquatting, so their website and the legitimate one that you actually intend to visit are like two peas in a pod. That is, a single mistake in typing a web address brings you to a fake copy of a legitimate website, dedicated to selling something, stealing your data, or distributing malware.
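A defender's counterpart to the single-character typos described above, as an added example that is not from the article: it classifies a queried domain as a one-keystroke typo (substitution, transposition, omission or insertion) of a domain on an assumed allow-list and runs the check over constructed DNS query log lines, so that lookalike lookups can be flagged for review.

```python
import re

# Assumed list of domains the organisation treats as legitimate (constructed).
LEGIT_DOMAINS = ["example.com", "examplebank.com"]

# Constructed BIND-style query log lines; hostnames are placeholders.
LOG_LINES = [
    "client 10.0.0.5#53211: query: example.com IN A +",
    "client 10.0.0.5#53211: query: exanple.com IN A +",
    "client 10.0.0.9#40122: query: examlpe.com IN A +",
    "client 10.0.0.9#40122: query: exampl.com IN A +",
    "client 10.0.0.12#5533: query: exampple.com IN A +",
    "client 10.0.0.12#5533: query: unrelated.org IN A +",
]

def _one_deletion(longer, shorter):
    """True if removing exactly one character from longer yields shorter."""
    i = 0
    while i < len(shorter) and longer[i] == shorter[i]:
        i += 1
    return longer[i + 1:] == shorter[i:]

def typo_kind(candidate, legit):
    """Return the single-keystroke typo class turning legit into candidate, or None."""
    if candidate == legit:
        return None
    if len(candidate) == len(legit):
        diffs = [i for i, (a, b) in enumerate(zip(candidate, legit)) if a != b]
        if len(diffs) == 1:
            return "substitution"
        if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and candidate[diffs[0]] == legit[diffs[1]]
                and candidate[diffs[1]] == legit[diffs[0]]):
            return "transposition"  # adjacent characters swapped
        return None
    if len(candidate) == len(legit) - 1 and _one_deletion(legit, candidate):
        return "omission"
    if len(candidate) == len(legit) + 1 and _one_deletion(candidate, legit):
        return "insertion"
    return None

DOMAIN_RE = re.compile(r"query:\s+(\S+)")

def find_typosquats(log_lines, legit_domains=LEGIT_DOMAINS):
    """Return (queried, legitimate, typo_kind) for every lookalike lookup."""
    hits = []
    for line in log_lines:
        m = DOMAIN_RE.search(line)
        if not m:
            continue
        queried = m.group(1).lower().rstrip(".")
        for legit in legit_domains:
            kind = typo_kind(queried, legit)
            if kind:
                hits.append((queried, legit, kind))
    return hits
```

Running `find_typosquats(LOG_LINES)` flags the four lookalikes and ignores the exact match and the unrelated domain.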
Tactic 8. FUD
FUD (fear, uncertainty, and doubt) refers to psychological manipulation widely used in marketing. It consists of presenting information about something (such as a product or an organization) in such a way that the audience feels fear and uncertainty about its characteristics, and so comes to fear it. Recent studies suggest that the safety and vulnerability of products might affect the stock market. For example, researchers explored the impact of events such as Patch Tuesday on Microsoft shares, revealing a significant swing each month following the release of vulnerability information. In that regard, it is also worth recalling the story of malefactors distributing fake news on Steve Jobs' health in 2008, which caused a sharp drop in Apple stock prices. This is the most striking example of using FUD for malicious purposes. Besides, beware of spam messages used to implement the pump-and-dump technique, a scheme for manipulating prices in the stock market or the currently popular cryptocurrency market. In such a case, the malefactors distribute emails highlighting the allegedly awesome potential of shares or coins they have bought beforehand. Many recipients then try to buy those shares as soon as possible, so their prices rise. Later the crooks sell their shares, the prices go down, and most people lose money.
Cybercriminals are typically very smart in their use of social engineering. After reviewing their methods, we can conclude that various psychological tricks help attackers to achieve their goals. Based on this, it is worth paying attention to any little thing that may help expose the crook. Check and recheck information about people contacting you, especially if confidential information is involved.
About the author:
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques, defensive and offensive. This knowledge will help you understand how the most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals, universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.