The best way to defend yourself against the criminal mind is to try and get inside it. This is not without hazards of course, because you don’t want to end up becoming a criminal yourself! Social engineering is a particularly powerful way of modifying human behavior, and many of the worst IT security breaches that have occurred in large organizations have been the result of the actions of a single deceitful and manipulative individual. To help us understand some of the ways that cybercriminals can try to hack your mind to make you do things you shouldn’t via social engineering attacks, I asked Sergii Nesterenko to share some of his insights with us. Sergii is a cybersecurity consultant and penetration tester with rich experience in the information security field. He has consulted for international business companies, military staff, NGOs, politicians, members of Parliament, law enforcement, and other VIPs on security issues. His wide knowledge in information technologies and human psychology enables him to elaborate effective technologies to prevent and overcome even the most cunning cyberattacks. Sergii is also the author of the video course Cybersecurity Attacks (Red Team Activity) that was released by Packt Publishing in February. He is also well-known for his publications and lectures on cybersecurity, anti-fraud, and counter-cyberespionage issues. Sergii currently works as cybersecurity content and technical writer at Comodo. You can find more information about him and social engineering attacks on his website, from his LinkedIn profile, and on Facebook.
Codes to hack humans: How to stop social engineering attacks
What is the weakest link in the cybersecurity chain? The network perimeter? Not at all. Actually, it can be called the strongest one. A wide range of tools for network protection exists, and they are constantly refined. Well-tuned firewalls, IDS/IPS, SIEMs, and a SOC keep networks protected.
Maybe the weakest link is a web application? Wrong again. Yes, it is more vulnerable than a network perimeter, but there are many ways and tools to protect it. If you tune them correctly, the web application becomes an almost impenetrable fortress against most kinds of attacks.
Every day, cybersecurity vendors create more and more tools for technical defenses. But there is a terrain they cannot protect: the human brain. Humans have many vulnerabilities that cybercriminals eagerly exploit using social engineering techniques. Today, very few attacks happen without some social engineering trick.
Why social engineering goes digital
Social engineering is the set of psychological techniques malicious hackers use to manipulate the behavior of their targets. It is a range of manipulative and deceptive tricks intended to influence a victim so that she unwittingly helps the perpetrators capture her own digital assets. How is that possible?
To understand it better, let’s consider the human brain as a powerful bio-computer and behavioral patterns as its software. Like a real computer, the brain has a variety of programs wired into it from birth or installed while growing up. These programs are emotional and behavioral responses to external events. Exactly as you run a computer program by clicking on a shortcut, a social engineer runs a program in a human brain with specifically tailored codes of human communication — words, phrases, gestures, emotions, images, etc. Using these techniques, a social engineer can make the victim give away secret information, run a malicious file — really, do almost anything.
Initially, social engineering was about direct people-to-people contact. It was used mostly for physical penetration of facilities or for manipulating employees by phone. But nowadays the situation has changed. Direct contact has become hazardous, not least because of pervasive video surveillance and the recording of phone calls, which can later be used as irrefutable evidence in court. That’s why we can observe a new trend in social engineering: it has become digital.
Now perpetrators use social engineering techniques remotely, via email or social media. The reasons for the change are obvious. These kinds of social engineering attacks significantly reduce the chances of a hacker being caught. The techniques can be used in any type of attack to disseminate malware of any kind. The scope of potential targets (and, correspondingly, the chances of a successful attack) grows enormously. Additionally, all the cybercriminals need to do is craft the social engineering message, add a malware file or link, and send it to as many users as possible.
The main vector here is email. The message must be convincing enough to lure the victim into running the malware file or clicking on the poisoned link. Let’s see what manipulative techniques the perpetrators use for this purpose.
There is a curious paradox. Many people are sure they are rather clever or educated and will not take the crook’s bait. And it is exactly these people who often fall prey when faced with such social engineering attacks. Why? Because the secret is not about intellect or education. It is all about the emotional state.
Hacking a human mind: Tricks and reasons
The truth is that critical thinking and emotional arousal cannot coexist. You can’t make a clever decision when you are overwhelmed with anger or fear, and you can’t experience overwhelming joy or fear while you are doing intellectual work. That means that even the most intellectually gifted people can’t think critically while they experience emotional arousal. So, what a cybercriminal needs to do is raise the emotional fire in the target person. The stronger the emotion, the higher the chance the victim clicks on the malicious file.
Cybercriminals achieve this goal by playing on the sensitive strings of the human psyche. The most popular of these strings are fear, trust, curiosity, greed, and sex. Every one of them triggers high emotional arousal and turns off critical thinking. Using these ingredients, the perpetrators cook their poisoned emails. So, what are the typical indicators of such a poisoned email?
If you get information from a person or entity you know well and trust completely, will you check it carefully? Not likely. Cybercriminals exploit this feature of human behavior by imitating a solid, well-known entity with a good reputation as the sender of the malicious message. DHL, FedEx, and various banks are often used by hackers to disguise their messages.
Most people are used to obeying government and other authorities because they know that disobedience is often followed by punishment. To exploit this behavioral stereotype, the perpetrators choose an authoritative entity’s name, such as the IRS, a federal court, or the Ministry of Justice, as the sender.
The body of such a message may inform the recipient about some “debt” to the IRS, or imitate a court subpoena or a fine. It can imitate a message from Google or any other service where you have an account, asking you to “confirm your data” on the website behind the link in the email. Of course, the site is a faked copy of the real one, created specifically to steal your login and password.
Another popular topic of these phishing emails is money. People always experience emotional arousal when it comes to money matters. That’s why a lot of phishing emails come from “banks” and other financial institutions. Here greed is king.
In this case, the cybercriminals’ messages usually inform you about an incoming money transfer or a “fantastic” business offer. It can also be a “business letter from your colleagues,” or an invoice, or a notice that you have won a lottery. Anything related to money usually works well for attackers.
The next bait is sex-related topics. In this case, the email typically imitates a message from a friend or sexual partner.
Usually, it tries to entice victims to open some racy pictures in the attached file or behind the link in the message. They may be described as nude photos of a celebrity, of a sexual partner, or even “your own sexy photos.” In the last case, curiosity and fear are added to heighten the emotional arousal, and this explosive brew is usually very effective. In particular, this bait is notorious for spreading malware disguised as “Your video” among social network users to infect their accounts.
All these messages vary widely in effectiveness depending on how experienced the perpetrators are. At the lowest level, an attacker’s email can amount to a few illiterate lines of broken English with mistakes in every word. At the top level, you can meet a message that differs from a real one only by the faked link in it, while everything else, including the company’s logo, is indistinguishable from the original. However, the psychological manipulation patterns remain the same.
Many of these messages are accompanied by playing on the scarcity string. It can come in many forms. For example, “you must pay tomorrow or the fine will grow,” “the link is valid for only two hours,” “we need the response immediately,” and so on.
The reason for involving scarcity is the same: to raise the emotional level and make victims act without thinking.
Firewall for a human brain
As you can see, we have a paradoxical situation in the cybersecurity field now. The methods of social engineering attacks become more sophisticated day by day, and more and more employees fall prey to them. But most companies go on hardening only the technical items.
Networks are protected. Web applications are protected. But employees’ minds aren’t. Can we prevent attacks of this kind? Can we set up mental firewalls in human minds?
Yes, we can. How? By special training aimed at three goals:
For cybersecurity professionals it may sound strange, but in reality a plethora of people around the world still remain unaware that a whole enterprise network can be infected by one click on a poisoned email. Many people don’t even suspect that any email address can be spoofed in a second. Of course, these people are easy and attractive targets for cybercriminals and easy prey for social engineering attacks.
An employee must know what a phishing email is and what it looks like (you can use the description and typical indicators I mentioned above). They must also know at least the simplest techniques for checking an email’s authenticity.
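The indicators listed earlier (a trusted brand or authority as the sender, a link whose visible text does not match its destination, urgency wording, a money-themed attachment) and the “simplest techniques of checking the email for authenticity” mentioned here can be turned into a checklist that runs over a raw message. The script below is an added example written for this page, not code from the article or its author. It uses only the Python standard library; the brand-to-domain map, the urgency phrases, the risky-attachment extensions and the risk thresholds are assumptions chosen for illustration, and both sample messages are constructed here with `.example` domains.

```python
"""Heuristic phishing-indicator checker (added example; the rules are illustrative assumptions)."""
import re
import email
import email.utils
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the article names as commonly impersonated; the domain map is an assumption for this example.
IMPERSONATED_BRANDS = {"dhl": "dhl.com", "fedex": "fedex.com", "irs": "irs.gov", "google": "google.com"}
# Scarcity / urgency wording of the kind the article quotes (illustrative, not exhaustive).
URGENCY_PATTERNS = [r"\bimmediately\b", r"\bvalid for only\b", r"\bpay (?:today|tomorrow)\b",
                    r"\bwithin \d+ hours?\b", r"\baccount will be (?:suspended|closed|locked)\b"]
# Attachment types that commonly carry the "malicious file" the article describes (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".zip"}
HOST_RE = re.compile(r"\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain; enough for a lookalike check."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw):
    """Return a list of human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_dom = registrable(from_addr.rpartition("@")[2])
    rp_dom = registrable(email.utils.parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2])
    if rp_dom and rp_dom != from_dom:  # envelope sender does not match the visible sender
        findings.append(f"envelope sender domain {rp_dom} differs from From domain {from_dom}")
    # Authentication-Results is written by the receiving mail server; anything but "pass" is suspicious.
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", "")), re.I):
        if result.lower() != "pass":
            findings.append(f"{mech.lower()}={result.lower()}")
    for brand, real_dom in IMPERSONATED_BRANDS.items():  # display name claims a brand the domain is not
        if brand in from_name.lower() and from_dom != real_dom:
            findings.append(f"display name claims {brand.upper()} but domain is {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":  # link text vs. real destination
        collector = LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            href_host = registrable(urlparse(href).hostname or "")
            match = HOST_RE.search(shown)
            if match and href_host and registrable(match.group(1)) != href_host:
                findings.append(f"link text shows {registrable(match.group(1))} but points to {href_host}")
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    findings += [f"urgency phrase matched: {p}" for p in URGENCY_PATTERNS if re.search(p, haystack)]
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
    return findings


def risk_level(findings):
    """Assumed thresholds: three or more indicators is high, one or two medium, none low."""
    return "high" if len(findings) >= 3 else "medium" if findings else "low"


def build_sample_phish():
    """Constructed sample imitating the DHL-style lure the article describes (not a real message)."""
    msg = EmailMessage()
    msg["From"] = "DHL Express <notice@dhl-delivery-update.example>"
    msg["To"] = "employee@corp.example"
    msg["Return-Path"] = "<bounce@bulkmailer.example>"
    msg["Authentication-Results"] = "mx.corp.example; spf=fail smtp.mailfrom=bulkmailer.example; dkim=none"
    msg["Subject"] = "Parcel on hold: pay the customs fee immediately"
    msg.set_content("Plain text fallback.")
    msg.add_alternative('<p>Your parcel is on hold. The link is valid for only two hours.</p>'
                        '<p><a href="http://dhl-delivery-update.example/login">https://www.dhl.com/track</a></p>',
                        subtype="html")
    msg.add_attachment(b"not really a zip", maintype="application", subtype="zip", filename="Invoice.zip")
    return msg.as_string()


def build_sample_legit():
    """Constructed internal notice that should trigger none of the indicators."""
    msg = EmailMessage()
    msg["From"] = "Payroll <payroll@corp.example>"
    msg["To"] = "employee@corp.example"
    msg["Return-Path"] = "<payroll@corp.example>"
    msg["Authentication-Results"] = "mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass"
    msg["Subject"] = "March payslip available"
    msg.set_content("Your payslip is available on the intranet.")
    return msg.as_string()


if __name__ == "__main__":
    for label, raw in (("phish", build_sample_phish()), ("legit", build_sample_legit())):
        found = analyse(raw)
        print(f"{label}: {risk_level(found)} ({len(found)} indicators)")
        for f in found:
            print("  -", f)
```

The checks map one-to-one onto the article’s indicators: sender impersonation (display name versus actual domain, and envelope versus header sender), a failed SPF or DKIM result recorded by your own mail server, a link whose displayed address differs from its real destination, the scarcity phrases, and a money-themed attachment. None of them is conclusive on its own, which is why the script reports a list rather than a verdict; in an awareness program it works as a teaching aid for “what to look at” before a user clicks.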
Knowledge is useless until it becomes a skill. So training to avoid social engineering attacks must be followed by test checks in which the security department periodically imitates phishing attacks against employees’ mailboxes. Employees who do not pass the test should be retrained.
So, the first step in preventing social engineering attacks is the awareness that defense on the technical level alone is insufficient today. Nowadays cyberattacks are deployed not only in cyberspace but in the terrain of human minds too. Correspondingly, any good security protection system must cover not only technical assets but human minds as well.
Special offer for TechGenix readers
You can check out Sergii’s course Cybersecurity Attacks (Red Team Activity) [Video] on Packt. Use the code ORTGA09 at checkout to get a recommended video retail price for only $9 (valid until July 15, 2018).
Featured image: Shutterstock