Social Engineering – Hacking Human Emotion
Criminals will always look for the path of least resistance. This is why social engineering – the act of ‘hacking’ people – is often the criminal’s chosen way into organisations. It is far easier to exploit the trust people have in others than it is to discover ways to break into buildings or hack highly secured, robust systems.
This article is about emotional skills social engineers use rather than their technical capabilities, because the emotional skills are far more powerful, harder to defend against and often leave little trace. It’s always fascinated me how easy and powerful this kind of attack is and over the years, I have studied many of the renowned protagonists, as well as many you may not consider.
Social engineering has been part of the fabric of human interaction since records began. The simplest and easiest way to explain this underrated skill is “the ability to convince a person or people that your requirements are correct or acceptable.” Social engineering is an art form and, like any other, you need to practice it on a daily basis to perfect it. Some of the greatest social engineers are known for their ability to not only convince people, but also their ability to adapt and adopt in an instant depending on the situation.
Another way to explain the skills involved in being a social engineer is to understand how the specialism is used in many forms and given many titles.
The Razorthorn Social Engineering Testing Service
How susceptible are your employees to social engineering? As of 2020, in 95% of all tests, we have managed to obtain sensitive information employing social engineering techniques. How do you measure up?
Occupations that require social engineering skills:
- Intelligence officers
- Private investigators
- Police officers
- Sales people
- Professional gamblers
Although the above is not an exhaustive list and may surprise you, it gives you a good idea of how pervasive social engineering skills are. It’s only when you consider the many roles social engineering plays in everyday life that you begin to understand the power that comes with it.
The list of successful social engineering hacks is endless in scale and cost – from the Greeks’ use of the Trojan Horse to the release of FBI files in 2016 with the now famous statement:
“So, I called [the helpdesk] up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine – just use our one. I clicked on it and I had full access to the computer.”
Social engineers use a number of techniques to manipulate their targets, but they all rely on using human weakness – our emotions – to succeed. Neuro-linguistic programming techniques are employed to create a personal connection and an atmosphere of likeability and trust. This is achieved by mirroring the target’s body language, breathing rate, voice and vocabulary, and will enable the hacker to subtly take control of conversations and manipulate people’s emotions.
Social engineers understand that people care most about themselves: by suspending their ego and engaging the target in conversations about themselves, they will give the target a sense of self-importance and, consequently, a desire to spend more time with the infiltrator. Another key weapon a social engineer could use is sexual attraction. The endorphins that are released during exchanges where there is attraction and flirtation will cause targets to be more vulnerable and subsequently give away sensitive information more freely. Sexual attraction is a powerful weapon, and when utilised effectively, the chances of successful manipulation of a target are massively increased.
However, social engineers do not always use a friendly or charming approach to get what they want; they can play on a number of human emotions in order to manipulate their targets.
From a young age we are conditioned into obeying those we perceive as being of a higher status and with greater authority than ourselves. Victims of social engineering techniques will rarely question a figure of authority for this reason. Consider, for example, a manager you have never met demanding urgent access to a room or information so that senior management can complete an important task. They may be wearing a seemingly correct ID, using the names of senior managers you have heard of, and subtly mentioning that your obstruction could cost you your job. You would be amazed at how successful this simple technique can be at convincing people to hand over the information they desire. The same technique also works when posing as police, fire, ambulance, roadside recovery teams, hotel staff and so on.
Fear can cause people to do things that they would not think of doing under the influence of any other emotion; people will act out of character to remove themselves from the situation that is causing them to feel fear. This can be seen in as simple a situation as receiving a phone call stating that: “Your bank account has been compromised and we need to transfer your account over to a safe area to ensure no more money is taken from your account.” The attacker uses fear and urgency to confuse and weaken their target and is successful in many cases.
Lust can take many forms: lust for power, for money, or for sex. It is a strong, intense and selfish desire, and social engineers can use this to their advantage.
For the majority of people, it is part of their nature to want to help others who they perceive to be in need. This desire to improve the lives of others in some small way can be seen in as simple a gesture as giving change to a homeless person on the street. However, this desire can be taken advantage of. Imagine, for instance, that a woman rushes into the atrium of the building you work in. She looks stressed and upset and is rummaging desperately through her handbag: “I forgot my badge and I am so late for my meeting! Would you mind please letting me through?” Would you do it? Most people probably would.
People will tend to go out of their way in order to avoid confrontation. If you are quite clearly angry, the average Joe is unlikely to stop and question you; people just want to get out of the presence of an angry person. Acting as an angry top-level employee who can’t access his specific files will generally get you what you want if portrayed in the right manner to the right person.
Another social engineering technique is based on the human trait of curiosity: it relies on the promise of something interesting or advantageous, which hackers use to deceive their victims.
There are many types of phishing attacks (for example, whaling and spear phishing), but they are all a form of online fraud in which the attacker tries to gain information, such as login credentials or account information, by masquerading as a trustworthy entity or person via email.
Phishing attacks are the most commonly exploited attack vector and account for 90% – 95% of all successful cyber attacks (IRONSCALES, 2017). Only around 3% of the malware run from phishing emails tries to exploit a technical flaw, whilst the other 97% is trying to manipulate the user through some type of social engineering (Sjouwerman and Mitnick, 2017). According to a statement released by the Department of Justice, two of the biggest tech giants fell victim to an email scam that cost them roughly $100 million (Statt, 2017).
Successful phishing attacks often take a form such as: “Your bank account has been breached! Click here to login and verify your account.” Or, “You have not paid for the item you recently bought on Amazon. Please click here to pay.”
These types of emails create a sense of urgency and fear that causes the victim to act quickly and click on the link without further consideration. The phishing email will usually direct victims to a spoofed website to get them to give away the sensitive information the hackers require.
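As an added illustration of the pattern just described (this code is not part of the original article), the following Python checks a constructed sample message for the two tells the text names: urgency wording, and a link whose visible text points at the real site while its href goes to a spoofed one. The message, domains and term list are all constructed here, and the domain comparison is a deliberately crude last-two-labels check rather than a public-suffix lookup.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample in the shape the article describes: urgency plus a link whose
# visible text shows the bank's site while the href leads somewhere else.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-secure.test>
To: employee@company.example
Subject: Your bank account has been breached!
Content-Type: text/html

<p>Your bank account has been breached! Click here to login and verify your account.</p>
<p><a href="http://examplebank.login-verify.test/account">https://www.examplebank.example/login</a></p>
"""

# Constructed list of fear/urgency phrases drawn from the article's examples.
URGENCY_TERMS = ("breached", "compromised", "verify your account",
                 "urgent", "immediately", "click here")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Crude 'registrable domain': last two labels (assumption: no suffix list offline)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def score_phish(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    # Strip tags so the term match runs over subject + visible text only.
    text = ((msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    findings = []
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:  # one word alone is weak; two or more is the urgency pattern
        findings.append(f"urgency language: {hits}")
    for href, label in LINK_RE.findall(body):
        label = label.strip()
        if "://" in label:  # visible text looks like a URL: compare it with the real target
            shown = urlparse(label).hostname or ""
            actual = urlparse(href).hostname or ""
            if registrable(shown) != registrable(actual):
                findings.append(f"link text shows {shown} but href goes to {actual}")
    return findings


if __name__ == "__main__":
    for finding in score_phish(SAMPLE_EMAIL):
        print("FLAG:", finding)
```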
Other Forms of Attack
Quid pro quo
Quid pro quo attacks promise the victim a benefit in exchange for information. This type of attack often involves people posing as technical support. They will make random calls to employees within a company stating that they are contacting them regarding an urgent issue (“your laptop has been breached; install the new software now to prevent further damage”) or, if they have physically manipulated their way into the organisation itself, they may go and speak to the target in person and simply say, “I need your password so I can help protect your PC against security breaches.”
Social engineering bots
Malicious bots are often responsible for highly sophisticated and destructive social engineering attacks. These bots can infect web browsers with malicious extensions that hijack web surfing sessions, and use social network credentials that have been saved in the browser to send infected messages to friends. They could be on your social networks, such as Facebook, posing as friends, but instead be siphoning off your data or influencing your decisions with convincing points of view.
Off-guard hack
This type of attack happens on mutual ground, such as in a bar, coffee shop or on a train. The attacker has done their research and found out where the mark will usually be when they are not at the office. The pub or bar is one of the most efficient places to interact with the target, as they will be more relaxed and their inhibitions lowered by the consumption of alcohol. When you bring sexual attraction into the mix, the social engineer can manipulate the target into sharing information that they would never contemplate divulging in the work environment.
Baiting is the cyber world’s Trojan Horse: it uses physical devices and relies on human curiosity. For example, if you leave a USB drive lying around an office, chances are somebody is going to pick it up and insert it into their computer. Once this piece of hardware has been inserted into a computer, which is more than likely connected to a larger network, the malicious payload is activated and will spread like wildfire through the network. The data that is held on that network and any connecting network is now in the hands of the attacker.
Tailgating (or ‘piggybacking’) is when someone who lacks the proper authentication gains access to a restricted area. They will gain access by exploiting the willingness of people to help others, such as holding a door open for a stranger or allowing a distressed individual to borrow your phone. Social engineers will often find outdoor social locations, such as a smoking area, and strike up conversations with targets before following them back into the building.
In order for a social engineer to be successful, they will always begin with information gathering before engaging with their target. The internet holds a wealth of information on organisations and individuals – a quick Google search will show you the key personnel worth targeting. Social media websites such as Facebook, Instagram and LinkedIn will hold personal details about the target’s opinions, hobbies, friends and family, and favourite places to eat and drink. Often the hacker will begin with the target’s friends or family and thereby manipulate his or her way into the target’s trusted inner circle. ‘Dumpster diving’ is another way for a hacker to glean information. Although going through rubbish isn’t the most glamorous way of doing this, the items that people throw away can be gold dust to a social engineer.
So, how do you secure your organisation against social engineering attacks?
Human error is the weakest link in any organisation. A company can have all of the alert systems and anti-virus software on the market, but if an employee willingly gives away information, your defence technology will be rendered useless. This is why the strongest defence against any social engineering scheme is education and training: social engineering attacks are not just aimed at your directors or management teams, they are aimed at the receptionist, the maintenance staff, the guard at the gate. Employees at every level of any organisation should be educated in the tactics commonly used and what to do if they think they have fallen victim.
Razorthorn provides a range of online security awareness training which educates employees on the dangers of social engineering and the different techniques that attackers use. Our market leading anti-phishing behaviour management service provides companies with the ability to run their own simulated phishing attack assessments. This subjects employees to phishing emails in a safe environment, and will teach them how to spot phishing attacks and resist any real future phishing attempts. Undergoing this training will eliminate, as far as possible, the weak link that is human error, and turn your staff into an integral part of a strong cyber defence strategy. As well as providing training for their staff, organisations must make sure that they have a strong cyber security posture; they need to be using technologies such as anti-virus, vulnerability and patch management solutions, network segmentation, database and file integrity monitoring, email security, multifactor authentication, and post-attack forensics.
Contact us to find out more or arrange cyber awareness training for your staff.