[BreachExchange] Social engineering attacks: What makes you susceptible?

Destry Winant destry at riskbasedsecurity.com
Sun Aug 5 23:01:01 EDT 2018


https://securityboulevard.com/2018/08/social-engineering-attacks-what-makes-you-susceptible/

We now live in a world where holding the door open for someone
balancing a tray of steaming hot coffee—she can’t seem to get her
access card out to place it near the reader—is something we need to
think twice about. Courtesy isn’t dead, mind you, but in this case,
you’d almost wish it were. Because the door opens to a restricted
facility. Do you let her in? If she really can’t reach her card, the
answer is clearly yes. But what if there’s something else going on?

Holding the door open for people in need of assistance is considered
common courtesy. But when someone assumes the role of a distressed
woman to count on your desire to help, your thoughtful gesture
suddenly becomes a dangerous one. Now, you’ve just made it easier for
someone to get into a restricted facility they otherwise had no access
or right to. So what does that make you? A victim of social
engineering.

Social engineering is a term you often hear IT pros and cybersecurity
experts use when talking about Internet threats like phishing, scams,
and even certain kinds of malware, such as ransomware. But its
definition is broader than that: social engineering is the
manipulation of, or the taking advantage of, human qualities to serve
an attacker's purpose.

It is imperative, then, that we protect ourselves from such social
engineering tactics the same way we protect our devices from malware.
With due diligence, we can make it difficult for social engineers to
get what they want.

Know thy vulnerable self

Before we go into the “how” of things, we’d like to lay out the
human emotional and psychological traits that a social engineer can
use to their advantage (and the target’s disadvantage). These include
emotions such as sympathy, which we already touched on above. Other
exploitable traits are as follows:

Carelessness

The majority of us have accidentally clicked a link or two, or opened
a suspicious email attachment. And depending on how quickly we were
able to mitigate such an act, the damage done could range from minor
to severe and life-changing.

Examples of social engineering attacks that take advantage of our
carelessness include:

- Typosquatting
- Homograph attacks
- Blackhat SEO/SEO poisoning
- Clickjacking
- Tailgating or piggybacking
- Eavesdropping
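
Two of the items above, typosquatting and homograph attacks, depend on a domain that reads as the real one at a careless glance. The following Python is an added example (not code from the original article or from Malwarebytes) that shows what such a label looks like on the wire and how a defender can flag it: it decodes the punycode form a browser would render, lists the Unicode scripts present, collapses confusable characters to the ASCII a reader would see, and compares the result against a watchlist. The watchlist, the confusable table and every sample domain are constructed for illustration.

```python
# Added example: spotting homograph and typosquatted domain labels.
# The watchlist and all sample domains are constructed for illustration.
import unicodedata
from difflib import SequenceMatcher

# Assumed watchlist of brand labels worth protecting.
PROTECTED = ["apple", "paypal", "google", "microsoft"]

# Characters an attacker can swap in for ASCII letters with little or no
# visible difference in common fonts. Keyed by code point so the file is
# unambiguous to read.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "0": "o", "1": "l", "3": "e", "5": "s",  # common digit substitutions
}


def to_unicode_label(label: str) -> str:
    """Decode an A-label ("xn--...") into the U-label a browser would display."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_ascii_label(label: str) -> str:
    """Encode a U-label into the A-label that actually appears in DNS."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def scripts_in(label: str) -> set:
    """Unicode scripts present in a label, taken from the first word of each
    character's name (LATIN, CYRILLIC, GREEK, ...); digits/hyphens ignored."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0])
    return scripts


def skeleton(label: str) -> str:
    """Collapse confusables to the ASCII the eye reads (a crude version of the
    Unicode TR39 'skeleton')."""
    norm = unicodedata.normalize("NFKC", label.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in norm)


def analyze(domain: str) -> dict:
    # Only the leftmost label is examined; public-suffix handling is out of scope.
    label = to_unicode_label(domain.strip().lower().split(".")[0])
    scripts = scripts_in(label)
    sk = skeleton(label)
    findings = []
    # A label mixing scripts is suspicious on its own. Note that a label made
    # entirely of Cyrillic confusables (the "apple" demo below) passes this
    # check, which is exactly why the skeleton comparison is also needed.
    if len(scripts) > 1:
        findings.append("mixed-script")
    for brand in PROTECTED:
        if sk == brand and label != brand:
            findings.append(f"lookalike:{brand}")
        elif sk != brand and SequenceMatcher(None, sk, brand).ratio() >= 0.8:
            findings.append(f"typosquat:{brand}")
    return {"label": label, "ascii": to_ascii_label(label), "skeleton": sk,
            "scripts": sorted(scripts), "findings": findings}


if __name__ == "__main__":
    samples = [
        "apple.com",                                  # genuine
        "\u0430\u0440\u0440\u04cf\u0435.com",         # all-Cyrillic "apple"
        "p\u0430ypal.com",                            # one Cyrillic letter
        "paypai.com",                                 # classic typosquat
        "g00gle.com",                                 # digit substitution
    ]
    for s in samples:
        print(analyze(s))
```

The mixed-script check is what browsers relied on for years, and the all-Cyrillic sample shows its blind spot: every character comes from one script, so only the skeleton comparison catches it. In practice the confusable table should come from the Unicode confusables data rather than the hand-picked entries above.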

Curiosity

You seem to have received an email supposedly for someone else by
accident, and it’s sitting in your inbox right now. Judging from the
subject line, it’s a personal email containing photos from the
sender’s recent trip to the Bahamas. The photos are in a
ZIP-compressed file.

If at this point you start to debate with yourself on whether you
should open the attachment or not, even if it wasn’t meant for you,
then you may be susceptible to a curiosity-based social engineering
attack. And we’ve seen a lot of users get duped by this approach.

Examples of curiosity-based attacks include:

- Malware campaigns in social networking sites (“Hot video” Facebook
scam, celebrity scandals)
- Other scams that bait you with exclusive content (videos related to
accidents or calamities)
- “Who visited your profile” social media scams
- USB attacks
- Snail mailed CD attacks
- Newsjacking

Fear

According to Charles E. Lively, Jr. in the paper “Psychological-Based
Social Engineering,” attacks that play on fear are usually the most
aggressive form of social engineering because it pressures the target
to the point of making them feel anxious, stressed, and frightened.

Such attacks make targets willing to do anything they’re asked to
do, such as send money, intellectual property, or other information to
the threat actor, who might be posing as a member of senior management
or holding files hostage. Campaigns of this nature typically
exaggerate the importance of the request and set a fictitious
deadline, in the hope that the attacker gets what they ask for before
the deception is uncovered.

Examples of fear-based attacks include:

- Business email compromise (BEC)/CEO or CFO fraud
- Blackmail/extortion (sextortion, ransomware)
- Cold call scams
- Rogue software (fake AV)
- Vishing
- Malware campaigns that pose as software patches

Desire

Whether for convenience, recognition, or reward, desire is a powerful
psychological motivation that can affect one’s decision making,
regardless of whether you’re seen as an intellectual or not. Blaise
Pascal said it best: “The heart has its reasons which the mind knows
nothing of.” People looking for the love of their lives, more money,
or free iPhones are potentially susceptible to this type of attack.

Examples of desire-based attacks include:

- Catfishing/romance fraud (members of the LGBTQ community aren’t exempt)
- Catphishing
- Certain phishing campaigns
- Scams that bait you with money or gadgets (e.g. 419 or Nigerian
Prince scams, survey scams)
- Lottery and gambling-related scams
- Quid pro quo

Doubt

This is often coupled with uncertainty. And while doubt can sometimes
stop us from doing something we would have regretted, it can also be
used by social engineers to blindside us with information that
potentially casts something, someone, or an idea in a bad light. In
turn, we may end up suspecting who or what we think we know is legit
and trusting the social engineer more.

One Internet user shared her experience with two fake AT&T associates
who contacted her on the phone after she received an SMS report of
changes to her account. She said that the first purported associate
was clearly fake, getting defensive and hanging up on her when she
questioned if this was a scam. But the second associate gave her
pause, as the caller was calm and kind, making her think twice if he
was indeed a phony associate or not. Had she given in, she would have
been successfully scammed.

Examples of doubt-based attacks include:

- Apple iTunes scams
- Payment-based scams
- Payment diversion fraud
- Some forms of social hacking, especially in social media

Empathy and sympathy

When calamities and natural disasters strike, one cannot help but feel
the need to extend aid or relief. As most of us cannot possibly hop on
a plane or chopper and race to affected areas to volunteer, it’s
significantly easier to go online, enter your card details to a
website receiving donations, and hit “Enter.” Of course, not all of
those sites are real. Social engineers exploit the related emotions of
empathy and sympathy to grossly funnel funds away from those who are
actually in need into their own pockets.

Examples of sympathy-based scams include:

- Fake orphanages (prevalent in Cambodia)
- Disaster fraud, for which Fraud Magazine identified five primary
categories: charitable solicitations, contractor and vendor fraud,
forgery, price gouging, and property insurance fraud
- Cancer fraud
- Specific physical social engineering attempts, like this one
- Scams that take advantage of crowdfunding websites like Indiegogo,
GoFundMe, or Kickstarter

Ignorance or naiveté

This is probably the human trait most taken advantage of and, no
doubt, one of the reasons why we say that cybersecurity education and
awareness are not only useful but essential. Suffice to say, all of
the social engineering examples we mention in this post rely in part
on these two characteristics.

While ignorance is often used to describe someone who is rude or
prejudiced, in this context it means someone who lacks knowledge or
awareness, specifically of the fact that these forms of crime exist on
the Internet. Naiveté also covers users’ lack of understanding of how
a certain technology or service works.

On the flip side, social engineers can also use ignorance to their
advantage by playing dumb in order to get what they want, which is
usually information or favors. This is highly effective, especially
when used with flattery and the like.

Other examples of attacks that prey on ignorance include:

- Venmo scams
- Amazon gift card scams
- Cryptocurrency scams

Inattentiveness or complacency

If we’re attentive enough to ALT+TAB away from what we’re looking at
when someone walks in the room, theoretically we should be attentive
enough to “go by-the-book” and check that person’s proof of identity.
Sounds simple enough, and it surely is, yet many of us yield to giving
people a pass if we think that getting confirmation gets in the way.
Social engineers know this, of course, and use it to their advantage.

Examples of complacency-based attacks include:

- Physical social engineering attempts, such as gaining physical
access to restricted locations and dumpster diving
- Pretexting
- Diversion theft

Sophisticated threat actors behind noteworthy social engineering
campaigns such as BEC and phishing use a combination of attacks,
targeting two or more emotional and psychological traits and one or
more people.

Whether the person you’re dealing with is online, on the phone, or
face-to-face, it’s important to be on alert, especially when our level
of skepticism hasn’t yet been tuned to detect social engineering
attempts.

Brain gyming: combating social engineering

Thinking of ways to counter social engineering attempts can be a
challenge. But many may not realize that using basic cybersecurity
hygiene can also be enough to deter social engineering tactics. We’ve
touched on some of them in previous posts, but here, we’re adding more
to your mental arsenal of prevention tips. Our only request is you use
them liberally when they apply to your circumstance.

Email

- If an email bears a dubious link or attachment, reach out and verify
with the sender (in person or via another channel) that they have
indeed sent it. You can do the same with banks and other services you
use when you receive an email reporting that something happened with
your account. Use a phone number or address you already have on file,
not one taken from the suspicious email itself.
- Received a request from your boss to wire money ASAP? Don’t feel
pressured. Instead, call your boss on a number you already know to
verify that the request is real. Replying to the email, or calling a
number the email provides, only confirms that you are talking to
whoever sent it, which may well be an impersonator.
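
The wire-transfer scenario above is the classic CEO-fraud message, and a mail gateway or SOC analyst can flag much of it from the headers alone before anyone has to make that phone call. The following Python is an added example (not code from the original article) of three such checks run over constructed messages: a display name that matches an executive but a sender address that is not that executive's mailbox, a Reply-To that points somewhere other than the From domain, and pressure language in the subject or body. The company domain, the executive directory, the word list and all three messages are assumptions made for the example.

```python
# Added example: header checks for a suspected CEO-fraud / BEC message.
# The company domain, executive directory and sample messages are all
# constructed for illustration.
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed
EXECUTIVES = {"alice doe": "alice.doe@example.com"}  # assumed: display name -> real mailbox
URGENCY_WORDS = ("urgent", "asap", "immediately", "wire", "gift card")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalize_name(name: str) -> str:
    """'Doe, Alice' / 'ALICE  DOE' -> 'alice doe' so directory lookups match."""
    parts = name.lower().replace(",", " ").split()
    if "," in name and len(parts) == 2:
        parts.reverse()
    return " ".join(parts)


def assess(raw: str) -> list:
    """Return the sorted list of BEC indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Display-name impersonation: the name is an executive's, the mailbox is not.
    name = normalize_name(from_name)
    if name in EXECUTIVES and from_addr.lower() != EXECUTIVES[name]:
        findings.append("display-name-impersonation")

    # 2. Reply-To diversion: replies would go to a domain other than the sender's.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append("reply-to-mismatch")

    # 3. Pressure language, the "fictitious deadline" the article describes.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency-language")

    return sorted(findings)


# Constructed sample messages (not real traffic).
LEGIT = "\r\n".join([
    "From: Alice Doe <alice.doe@example.com>",
    "To: bob@example.com",
    "Subject: Lunch on Thursday?",
    "",
    "Still on for noon?",
])

CEO_FRAUD = "\r\n".join([
    "From: Alice Doe <alice.doe.ceo@gmail.example>",
    "Reply-To: Alice Doe <a.doe@secure-mail.example>",
    "To: bob@example.com",
    "Subject: URGENT wire transfer - need this done ASAP",
    "",
    "Bob, I'm in a meeting and can't talk. Wire 48,500 USD to the vendor below today.",
])

# From is forged to the real mailbox; only the Reply-To gives it away here.
SPOOFED_FROM = "\r\n".join([
    "From: Alice Doe <alice.doe@example.com>",
    "Reply-To: <alice.doe@outlook.example>",
    "To: bob@example.com",
    "Subject: Quick favour",
    "",
    "Are you at your desk? Reply here, my phone is acting up.",
])

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("ceo-fraud", CEO_FRAUD), ("spoofed-from", SPOOFED_FROM)):
        print(label, assess(raw))
```

The third sample is the caveat: when the From header is forged to the genuine mailbox, the display-name check passes and only the Reply-To betrays the message. Whether that From is authentic is a question for SPF, DKIM and DMARC alignment, not for string comparison, so these checks complement rather than replace sender authentication and the out-of-band phone call the article recommends.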

Phone (landline or smartphone)

- When you receive a potentially scammy SMS from your service
provider, call them directly on the number printed on your bill or
their official website instead of replying via text, and ask if
something’s up.
- Refrain from answering calls from numbers not in your contact list,
especially if they appear closely related to your own phone number.
Scammers spoof caller ID so that the number shares your area code and
exchange (the first six digits), a technique known as neighbor
spoofing, to make the call look local or like someone you know.
- Avoid giving out information to anyone, directly or indirectly.
Remind yourself that volunteering what you know is exactly what
social engineers are counting on.
- Apply the DTA (Don’t Trust Anyone) or Zero Trust rule: treat every
unsolicited call as a scam and ask tough questions. Throw the caller
off by providing false information.
- If something doesn’t feel right, hang up and look for information
online about the nature of the call you just received. Someone
somewhere may have already experienced it and posted about it.

In person

- Be wary when someone you just met touches you. In the US, touch is
common with friends and family members, not with people you don’t or
barely know.
- If you notice someone matching your quirks or tendencies, be
suspicious of their motives.
- Never blurt out names, department names, or other information known
only within your company when in the common area of your office
building. Remind yourself that in such a location it is easy to
eavesdrop and to be eavesdropped on. Mingle with employees from other
companies if you like, but be picky and as vague as possible about
what you share. The same cautious principle applies when out in
public with friends in a bar, club, or restaurant.
- Always check identification and/or other relevant papers to
identify people and verify their purpose for being there.

Social media

- Refrain from filling in surveys or playing games that require you
to log in with a social media account. Many phishing attempts come in
these forms, too.
- If you follow hashtagged conversations (on Twitter, for example),
consider not clicking links shared there, as you have no idea whether
they take you where you want to go. More importantly, you can’t even
be sure the accounts sharing them are real people rather than bots
created to go after low-hanging fruit.
- If you receive a private message in your social network inbox, say
on LinkedIn, with a link to a job offer, it’s best to visit the
company’s official website and look up open positions there. If you
have already clicked the link and the site asks you to fill in your
details, close the tab.

A happy smart ending

- When it comes to social engineering, no incident is too small to be
neglected.
- There is no harm in erring on the side of safety.

So, what should you do if someone is behind you carrying a tray of hot
coffee and can’t get to her access card? Don’t open the door for her.
Instead, you can offer to hold her tray while she takes out and uses
her access card. If you still think this is a bad idea, then tell her
to wait while you go inside and get security to help her out. Of
course, this is assuming that security, HR, and the front desk have
already been trained to respond forcefully against someone trying to
social engineer their way in.

Good luck!
