Anti-Social Engineering – The Audacious Con
By Simon Giddins – In recent weeks the Yahoo data breach has caused media outlets across the globe to focus on the issue of cyber-attacks. Described in a Tech Times article as “one of the biggest cyber security breaches that include sensitive personal information of users”, this 2014 Yahoo data breach is believed to have affected over 500 million Yahoo account holders. Although Yahoo stated that the stolen information did not include unprotected passwords, banking information or card payment data, they did admit that the names, email addresses, telephone numbers, dates of birth, passwords and security questions of account holders had been accessed by ‘state-sponsored’ hackers. However, although the world’s attention may currently be focused on cyber-attacks, more often than not it is traditional social engineering that proves the most effective way of obtaining confidential information from unsuspecting victims.
Social engineering sounds like a new phenomenon, doesn’t it? On the contrary. This practice of subtle emotional manipulation via human interaction has been prevalent within our communities for hundreds of years. Slowly but surely social engineering techniques have expanded and evolved into a series of targeted attacks that can pose a very real and present danger for all manner of small-to-medium sized businesses, multinational corporations and even families.
One of the earliest examples of a social engineering attack can be traced back to Greek mythology: the case of the “Trojan Horse”. After 10 long years, the Greek army appeared to cease fighting the armies of Troy and attempted to make amends by presenting the people of Troy with a large wooden horse. The Trojans accepted this gift as a sign of peace, brought it within their city walls and watched as the Greeks seemingly sent their armies sailing off into the distance. However, this large wooden horse was actually an innovative social engineering attack, because within its wooden structure hid a large portion of the Greek army. Whilst the people of Troy celebrated a famous victory, Greek soldiers crept out from within the wooden horse and seized the city. This story serves as a cautionary tale of a skilled social engineering attack and is the root from which the term ‘Trojan malware’ comes.
So what is social engineering exactly? In basic terms, social engineering is a “con” wherein criminals, hackers and gangs appeal to certain emotions, such as sympathy, vanity or naivety, in order to trick families and businesses out of their hard-earned financial resources. Even though you may already be aware of the “phishing” attempts and crude scamming techniques used by criminals to target unsuspecting individuals, the evolution of modern technologies means that social engineering attacks have become more sophisticated and difficult to detect in recent years. Nowadays, criminals seek to abuse a person’s trust in order to gain access to desired information rather than apply technical means to “hack” a business’ infrastructure. In fact, in today’s modern climate one in ten people fall victim to fraud or online offences, and you are 20 times more likely to become a victim of fraud than a robbery. These social engineering attacks can manifest in many different forms, many of which are illustrated in the case studies provided below:
In focus
Case study 1. – Industry: financial services
In 2007, a mystery attacker managed to raid all the safety deposit boxes at an ABN Amro bank in Belgium. In the process he stole a large quantity of gems, including diamonds, worth $28 million. Despite securing over 120,000 carats in diamonds and gems, this confidence artist used no heavy tools to penetrate the bank’s iron-clad vaults, nor did he break into the bank in the dead of night in order to carry out his monumental theft.
Instead, the confidence artist appealed to the sensibilities of the bank’s personnel: buying them chocolates, maintaining a polite persona, and forging friendships with the bank’s core staff. In this manner, the confidence artist was able to use his natural charm and amicable demeanour to find out where the diamonds and gems were housed, secure the keys to these vaults and make copies. The confidence artist was able to carry out the entire theft undetected within business hours and still remains at large today. As Philip Claes, the spokesperson for the Diamond High Council, stated at the time of the attack:
“You can have all the safety and security you want…but if someone uses their charm to mislead people it won’t help”.
Case study 2. – Industry: Social media
When the Associated Press news service speaks, people generally tend to listen. On 23 April 2013, the Associated Press’s Twitter service reported: “Breaking: Two Explosions in the White House and Barack Obama is injured.” Although this Tweet was quickly identified as false news and was amended accordingly, it serves as a prime example of an innovative and highly effective social engineering attack. This is due to the fact that the Associated Press news service only released this fake Tweet because they had been hijacked by the Syrian Electronic Army.
The Tweet was sent at 1:07 p.m. EST. By 1:10 p.m., the Dow Jones Industrial Average had dropped by 150 points (1%). Although the Associated Press had declared the Tweet bogus by this time, the damage had already been done. Their Twitter account was suspended for 24 hours and the stock market had been substantially impacted. All for less than 140 characters.
Case study 3. – Industry: Retail
In 2013 the US retail chain Target became the victim of a social engineering attack when 40 million of its customers’ credit and debit card details were stolen by hackers.
After a rigorous investigation, it was concluded that the hackers had obtained this confidential client data through a well-placed phishing email. All it took was a single email sent to one of their approved air conditioning sub-contractors in order to gain access to Target’s private network and obtain millions of customers’ personal banking information.
Case study 4. – Industry: Domestic Household
In 2014, 66-year-old Susan Sinclair became the victim of a social engineering practice known as ‘vishing’. After being contacted by criminals posing as representatives from Nationwide bank’s ‘Visa fraud investigation department’, Susan was informed that her card had been used fraudulently at an Argos retail store. Susan was advised to hang up, call the number on the back of her card and transfer her money into secure bank accounts. However, after Susan hung up, the confidence artist stayed on the line and pretended to be a Nationwide customer services representative. In this manner, Susan authorised two bank transfers amounting to £17,500 to be paid into the criminal’s accounts. Unfortunately, because Susan had authorised these payments herself, she was not entitled to full compensation and was only refunded £4,898 of the money transferred. As Susan stated in a Telegraph article reporting on these types of social engineering attacks:
“They put me at ease, and told me the card had been frozen…They asked me to read out the number on the back of my bank card and said I had to call the number straight away…I became increasingly suspicious, but I kept telling myself I had dialled Nationwide’s number”.
Case study 5. – CEO Fraud
In 2015, Barbie manufacturer Mattel sent more than £2.3m to a fraudulent account in China, after a finance executive was fooled by a message supposedly sent by new chief executive Christopher Sinclair. Earlier this year, Austrian aerospace parts maker FACC fired its president and chief financial officer after losing an eye-watering £36m in a similar business email fraud.
The US Federal Bureau of Investigation says CEO fraud has increased by 270% since January 2015 and has cost businesses around the world at least £2.3bn over the past three years, some from seemingly unsophisticated internal emails along the lines of “Hi, are you busy? I need you to process a wire transfer for me urgently. Let me know when you are free so I can send the beneficiary’s details. Thanks.”
Manifestation
Now that you are familiar with the detrimental impact that these types of social engineering attacks can inflict upon local businesses, multinational organisations and domestic households, it is important to identify and analyse the various techniques that social engineering attackers adopt. All of the case studies mentioned above demonstrate one fundamental flaw: how easy it can be to gain a person’s trust and manipulate it for illegal gain. Listed below are some of the most common, yet innovative, strategies which individual criminals and groups of hackers implement in order to carry out social engineering attacks:
Baiting: This simple yet highly effective method involves a criminal leaving a malware-infected device, such as a USB stick, in a place where it will be found by their unsuspecting victims. For example, the malware-infected device may be left on the desk of an office worker who works for a large corporation. The intended target will then pick up the device and insert it into their laptop or desktop to discover its contents. By doing so, the criminal has gained access to their target’s private network and any confidential data that it may hold.
Diversion: Often referred to as the “Corner Game” or “Round the Corner Game”, this social engineering technique was actually devised by turn-of-the-century thieves in London’s East End and involves redirecting the delivery of an important package or product to a location different to its originally intended destination. This particular social engineering attack is often used to misdirect parcels containing valuable goods from one property to another and has resulted in many innocent families being cheated out of their prized possessions without the criminals involved even having to break into their homes.
Impersonation: This practice involves a believable con artist acting as a person in a position of authority in order to infiltrate systems and processes. This particular social engineering attack often impacts homeowners with faulty personal computer devices. Believing their desktop or laptop to be infected, the homeowner in question will contact an IT professional to repair their device, when in fact this pseudo-official is actually a criminal illegally gaining access to their confidential information!
Phishing: This extremely common social engineering practice involves issuing a duplicitous email or phone call to an employee or homeowner in order to secure sensitive information for illegal gain. From asking families to divulge the username and password for their online banking accounts, to asking employees to reveal their professional log-in details, these phishing attacks are often carried out by a confidence artist pretending to be an official in a ‘position of authority’ in order to gain their intended target’s trust. By posing as a banking official or a company IT technician, these confidence artists lull unsuspecting victims into a false sense of security, resulting in them willingly divulging highly sensitive security information.
Vishing: This technique involves using interactive voice response (IVR) technology to impersonate a person in a position of authority. Victims of such ‘vishing’ attacks are fooled by the high quality nature of the IVR technology and inadvertently hand over all manner of confidential financial information to manipulative criminals.
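The CEO fraud message quoted in case study 5 and the phishing pattern described above share a handful of tell-tale signs that a finance mailbox can check for before anyone acts on a transfer request. The following is an added example, not part of the original article or any Blackstone Consultancy tooling: a small Python scorer that flags an executive’s display name on an external address, a mismatched Reply-To, urgency language, a money-movement request and the “are you busy?” availability probe. The addresses, domain and executive list are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List, Tuple

# Constructed sample message: the wording quoted in the CEO-fraud case study,
# wrapped in a plausible (entirely hypothetical) header set.
SAMPLE_CEO_FRAUD = """\
From: "Christopher Sinclair" <christopher.sinclair@example-mail.test>
Reply-To: c.sinclair.exec@example-mail.test
To: finance@example.com
Subject: Quick request

Hi, are you busy? I need you to process a wire transfer for me urgently.
Let me know when you are free so I can send the beneficiary's details. Thanks.
"""

# Assumed configuration: executives whose name a fraudster might borrow, and
# the only domain their instructions should legitimately come from.
EXECUTIVE_NAMES = {"christopher sinclair"}
INTERNAL_DOMAIN = "example.com"

URGENCY_WORDS = ("urgent", "urgently", "asap", "immediately", "right away")
PAYMENT_WORDS = ("wire transfer", "beneficiary", "bank details", "invoice")
PROBE_PHRASES = ("are you busy", "are you free", "when you are free")

def score_message(raw: str) -> Tuple[int, List[str]]:
    """Score a raw RFC 5322 message; each reason is one classic BEC indicator.

    A score of 3 or more is a sensible threshold for holding the message and
    confirming the request over a second channel (a known phone number).
    """
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    reasons: List[str] = []
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    # 1. Executive display name, but the address is outside the company domain
    if display_name.lower() in EXECUTIVE_NAMES and from_domain != INTERNAL_DOMAIN:
        reasons.append("executive display name on external address")
    # 2. Reply-To steers replies away from the apparent sender
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("reply-to differs from sender")
    # 3. Pressure language, 4. a money-movement request, 5. details withheld
    if any(w in body for w in URGENCY_WORDS):
        reasons.append("urgency language")
    if any(w in body for w in PAYMENT_WORDS):
        reasons.append("payment or wire request")
    if any(p in body for p in PROBE_PHRASES):
        reasons.append("availability probe, beneficiary details withheld")
    return len(reasons), reasons
```

The sample above scores 5 out of 5; a routine internal message from a colleague on the company domain scores 0, so the threshold separates the two without any content filtering beyond these headers and phrases.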
Despite the prevalence of these social engineering attacks, there are numerous security measures which you can implement in your day-to-day life in order to protect your family’s and business’s banking information and online accounts.
Above all else, you should never underestimate the power of human nature. Although technologies may be advancing and evolving with each passing day, human interaction can still find the means to penetrate even the most fortified of digital defences. After all, these digital security protocols will have been devised by a human!
Conclusion
At Blackstone Consultancy we find that our security personnel are increasingly being sought after to assist businesses and advise influential individuals on how to defend themselves against all manner of social engineering attacks. With our exclusive industry expertise and diverse career experience, you can rest assured that we will deliver you the best threat response possible. Our dynamic and personable staff are perfectly placed to assist you against any personal or professional threats. If you would like to discuss these needs in greater depth then please do not hesitate to contact us here: