Feature

Why Is It Still Impossible to Cope with Social Engineering Threats?

Sergio Bertoni, Leading Analyst at SearchInform

Social engineering techniques are as old as the hills, because human weaknesses are everlasting. The term social engineering itself is relatively new; it was adopted in the digital era. Even though the mass media regularly report that some new method of fraud has been discovered, these methods are basically new variations on old tricks. Yet they do not become any less effective as time goes by. In this article we will find out why.

Let’s start by refreshing some basics. Social engineering is the set of techniques and methods that make a person act in a fraudster’s favor: disclose information, follow links, transfer money and so on. There are numerous variations, but all of them rely on a few specific levers, such as:

  • Perceptual errors (phishing, the quid pro quo method).
  • Curiosity (Trojan horse, road apple).
  • Self-interest (reverse social engineering), and others.

You can easily find information on all of these methods; they are precisely described in specialized publications, in scientific articles and on Wikipedia. I would like to discuss another question: why, even though social engineering techniques are thoroughly studied and well known, do people still fall victim to attackers so easily?

Glad to be deceived

The first reason social engineering techniques are so successful is that there are always some people who easily fall victim to any kind of fraudster. Sometimes, when looking through a spam letter, you may ask yourself who could possibly believe what the authors write. Nevertheless, it works.

For instance, there is the popular Nigerian prince scam. Fraudsters deliberately target users who believe in the most impossible things and do not try to find out whether a claim is true or not. Among millions of users there are always some who believe such a scam and respond to the messages. Greed and curiosity make people take the bait.

The right people in the right place at the right time

Even if a person is skeptical, this does not mean that their chances of falling victim to intruders are significantly lower. For instance, due to lack of time a person may not double-check some data. What’s more, inattentiveness, lack of competence in information security matters, disregard for information, fear and, of course, a combination of all these factors often lead to negative outcomes.

There was once a quite illustrative case: experts from the antivirus company Eset described an attack that targeted MasterCard users around the world. The fraudsters sent e-mails containing notifications about updates, warning that a new security system had been implemented and that accounts might be deactivated. The fraudsters suggested that users follow a link and fill out some forms, so users were pushed into sharing their personal data, login, password and other important details. To trick the user, the attackers even imitated the verification process on a fake website. Even though the sender address did not correspond to any official Mastercard email address, the browser displayed the opened pages as secure because the attackers had used an SSL certificate.

That’s how the intruders obtained the data they needed, which enabled them to access victims’ accounts and steal their money.

One of the most successful and dangerous types of social engineering attack targeting companies is the so-called BEC attack, the compromise of corporate email. According to the FBI’s Internet Crime Report 2021, BEC/EAC attacks resulted in $2,395,953,296 in losses. Thus, BEC attacks turn out to be one of the most efficient malicious techniques. It should also be noted that there is a step change taking place in the number of attacks. Even the largest companies, such as Facebook and Google, become victims of cyber attacks. For instance, there was a case when they were billed by a fake counterparty. Accountants did not notice the deception because the fake counterparty used the same name as the real one.

It’s impossible not to be deceived

As can be seen, even if a person is very skeptical, it is very difficult for them to recognize some types of attacks, as they are prepared extremely carefully: sites are forged to a high standard, security certificates are used, and so on.

It is crucial to keep in mind the emerging deepfake-related risks (deepfakes are convincing images, audio and video generated by AI). Currently, plenty of cases of successful deepfake usage are reported globally. I’ll share the details of a few of them.

For instance, such an incident happened to a Japanese woman who transferred about $30,000 to a fraudster. The victim of social engineering thought that she was corresponding with an ‘astronaut.’ The intruder promised to come to Japan and marry the woman. The so-called astronaut said that he needed money to return to Earth, and so he asked the gullible lady to cover his expenses for returning home, including the rocket flight.

In another case a fraudster impersonating Mark Ruffalo tricked a Japanese artist and illicitly gained $500,000. The veteran manga artist Chikae Ide said that a user impersonating the famous Hollywood actor, well known for his role as the Hulk, once added her as a friend on social networks. As a result, they stayed in contact for a few years. During this time the artist even had video calls with ‘Mark.’ However, it turned out that the fraudster had used deepfake technology to enhance his credibility. What’s more, the Japanese artist and the fake Hollywood actor nearly got ‘unofficially married.’ Then the intruder made the woman transfer large sums to him. The artist had to go into debt to financially support the impersonator. All in all, the woman transferred $500,000 to the intruder.

Sometimes intruders complement social engineering techniques with deepfake technology. There was a case when a Lloyds Bank customer managed to access his own account using AI. The user was able to trick the voice ID system into logging him into the account by generating a synthetic copy of his voice.

At the same time, these technologies are becoming the norm, and some companies already offer their clients the option of communicating with their avatars. For instance, some Ernst & Young partners decided to use deepfakes to communicate with clients online.

The source code for speech synthesis algorithms is freely available, and the number of incidents involving deepfake-related technologies may increase dramatically in the near future. Nowadays some companies are developing these technologies for entertainment purposes and the film industry, while others develop tools for detecting deepfakes.

However, let’s now get back to the widespread types of social engineering attacks. There are only a few technical ways to counter such threats. First of all, antiviruses and spam filters operating at the level of the email server protect organizations. Solutions with behavioral analytics or employee profiling functionality can also help, because they reveal the groups of employees who are the most vulnerable to manipulation. Finally, solutions that control employees’ activities on corporate PCs may be implemented.

Basically, that’s all, as these solutions can only help an employee avoid falling victim to an intruder because of a lack of knowledge or competence. The signs of a sophisticated deception can only be recognized by a human.

Data leaks are the underlying issue

As illustrated above, it is becoming more and more difficult to detect forgeries, fakes and manipulations as intruders hone their skills at gaining trust. This means that any measures aimed at dealing with fraud give users only partial protection.

Below is the scheme of a phishing attack, the most popular social engineering technique (in general, this scheme describes the principle of any other method as well):

  • Defining the aim.
  • Reconnaissance and gathering data on the victim.
  • Preparatory work.
  • Choosing the occasion and the method of getting in touch with the victim (phone call, email, message in a messenger).
  • Deceit containing a call to action.
  • Authorization.

Fraudsters can fail at any stage; however, most often they overcome the difficulties that arise quite easily. It is becoming easier and easier to obtain the data intruders need to gain the victim’s trust. As a result, malicious actors manage to obtain as much data on the victim as the employees of a legitimate organization who work with that client have.

This is exactly the problem with the most innocuous-looking data leaks. It may seem that it is not a serious problem if the list of a bank’s employees’ addresses is leaked. However, what can happen next?

It is quite probable that the company’s accountant will receive a link to some document, sent by a person who mentions the bank employee’s first and last name in the email. Using Cc instead of Bcc when sending emails is usually regarded as carelessness rather than an information security threat. However, as a result, the following or a similar situation may occur. An employee receives a letter with an attached conference program or another legitimate file. Next, the intruders send another email from a very similar email address. They say that they are very sorry, but the file in the previous email was the wrong one. They attach another file to this email, and this one is malicious.
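As an added illustration (not from the original article), here is a small defender-side check in Python for the scenario just described: it flags inbound senders that imitate a known correspondent’s address, such as a domain with ‘rn’ substituted for ‘m’, and raises the severity when the message carries an attachment. All addresses and messages are constructed for the example.

```python
from difflib import SequenceMatcher

# Constructed sample data: a trusted correspondent address (the kind that
# ends up in a leaked Cc list) and three inbound messages, the last of
# which comes from a near-identical sender with a malicious attachment.
KNOWN_SENDERS = {"anna.petrova@examplebank.com"}  # hypothetical address

INBOUND = [
    {"id": 1, "from": "anna.petrova@examplebank.com",
     "subject": "Conference program", "attachment": "program.pdf"},
    {"id": 2, "from": "newsletter@vendor.example",
     "subject": "Weekly digest", "attachment": None},
    {"id": 3, "from": "anna.petrova@exarnplebank.com",
     "subject": "Re: Conference program - wrong file, sorry!",
     "attachment": "program.pdf.exe"},
]

# Digit look-alikes commonly used to make a forged address read correctly.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def canonical(address):
    """Lower-case, map digit look-alikes and collapse the 'rn' -> 'm' trick."""
    addr = address.strip().lower().translate(HOMOGLYPHS)
    return addr.replace("rn", "m")

def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()

def lookalike_of(address, known=KNOWN_SENDERS, threshold=0.9):
    """Return the trusted address this sender imitates, or None.

    An exact match is not a lookalike; a canonical-form collision or a
    very high similarity ratio against a trusted address is.
    """
    if address in known:
        return None
    c = canonical(address)
    for trusted in known:
        if c == canonical(trusted) or similarity(c, canonical(trusted)) >= threshold:
            return trusted
    return None

def flag_messages(messages, known=KNOWN_SENDERS):
    """Flag messages from lookalike senders; an attachment raises severity."""
    flagged = []
    for m in messages:
        target = lookalike_of(m["from"], known)
        if target:
            severity = "high" if m["attachment"] else "medium"
            flagged.append((m["id"], target, severity))
    return flagged
```

In a real mail gateway the trusted list would be built from the organization’s address book or past correspondence, and a flagged message would be quarantined for review rather than just reported.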

Almost all data leaks result in waves of social engineering attacks such as phishing letters, SMS messages, fake calls and so on. Some users will definitely be deceived, because social engineering techniques exploit typical human weaknesses. Technical means can help to mitigate the risks, but the core of the issue is the mess with personal data. Until that mess is eliminated completely, intruders who use social engineering techniques will succeed.

*Views expressed in the article are solely those of the Author.
