Black Hat Guide: The Social Engineer

Before 'social engineer' became a job title, they were called con artists. Social engineering is the art of gaining a person's trust to trick them into divulging information, such as a password. A con man does the same thing to defraud people out of their money.

The Story of George Parker

One of the most well-known con artists in history is George Parker, an American con man who made his money in the early 1900s by selling things that he didn't own. One of the things he sold was Grant's Tomb, the burial site of former President Ulysses S. Grant. The beautiful monument and popular tourist attraction is located in the middle of Manhattan.

Parker produced some counterfeit documents claiming he was Grant's grandson and heir, and therefore, the legal owner of the tomb. He also rented an office before setting out to find his victims. He eventually managed to close a deal and sell the tomb even though he was never its legal owner.

George went on to sell many other famous New York landmarks. He sold Madison Square Garden, the rights to famous operas, the Statue of Liberty, and the Metropolitan Museum of Art. The most famous thing he sold was the Brooklyn Bridge. He told prospective buyers that they could set up a toll booth and make a fortune charging cars to drive over it. This worked so well that he sometimes sold the bridge three or four times a month to different marks. 

It got so bad that city police had to regularly come to the bridge to stop the people who thought that they had bought it from building toll booths. This is where the famous term “If you believe that, I have a bridge to sell you” came from. 

George Parker had a lot in common with modern-day social engineers. Social engineering attacks target the weakest link in your security - your people. Social engineers prey upon gullibility, willingness to trust, and best intentions. They con their way into access to your IT systems, networks, and confidential information.

In fact, the process of conning and influencing employees is behind the vast majority of cyberattacks against businesses. Before the hacker tries to hack your servers, login portals, or endpoints, they first try to hack the people with access to them. 

The number one cyber attack, phishing or business email compromise, relies on social engineering and accounts for more than 80% of attacks.¹ Over 85 percent of organizations have suffered phishing and social engineering attacks, an increase of 16 percent over one year.²

Phishing Attacks 

Phishing attacks are when attackers send your employees an email asking them to reset their password, open an attachment, or visit a fake website. They are designed to extract credentials from the victim or gain access to their machines. The attackers are opportunistic, looking to hook any victim, unlike spear phishing attacks, which are highly targeted and require research and preparation.

Spear Phishing Attacks  

Spear phishing attacks are more sophisticated forms of phishing attacks because they typically impersonate people or organizations that the victim is familiar with. Information is gathered on social media, which allows attackers to convince victims to perform an action like clicking a link, sending money, downloading a file, or providing credentials.

Whaling Attacks 

Whaling attacks are next-level spear phishing attacks that target senior executives. Whaling involves sending personalized emails persuading executives to transfer funds or provide sensitive information and intellectual property. There have been numerous examples⁴ of this, where someone pretending to be the CEO emails the CFO and persuades them to transfer funds to a bank account belonging to the attacker.

Baiting Attacks 

Baiting attacks are phishing lures that pique the victim's interest. A classic example is a lucky person finding a USB key loaded with malware dropped on the sidewalk. Once it is plugged into a laptop, the malware infects the laptop and potentially the network. This works because everyone likes a free high-end, high-capacity USB key.

Vishing Attacks

Vishing attacks involve attackers using their voice to defraud you: they call you up and pretend to be someone they are not in order to induce you to give them information, usually credit card or bank details. Vishing has become increasingly sophisticated over the last few years with the evolution of deepfake technology. In 2019 a UK-based managing director was defrauded when he received a phone call from someone he thought was his EU chief executive. The criminals used deepfake artificial intelligence software to mimic the voice of his CEO and tell him to transfer $243,000 to their accounts. Reportedly, it sounded just like the CEO; the managing director said he recognized his boss's German accent and the melody of his tone during the call, which completely convinced him he was speaking to his boss.

Defending Against Social Engineering Attacks

Being human makes us vulnerable to manipulation and because of this, we are all targets. Most people tend to be naturally helpful and trust others by default. Combine this with a clever story containing information taken from social media profiles and it gives the attackers all the information they need to strike. 

Ultimately, security awareness training is the best defense against social engineering. Invest in training programs that train employees to verify before they trust, think before they click, recognize phishing emails, and understand the consequences of these attacks. 

Employees also need training to follow policy when transferring company money. Require them to obtain multiple authorizations and proper confirmation of the request rather than acting on instructions received by email alone.

As more businesses go online and the digital world continues to expand exponentially, these attacks are proliferating. Over and above training, there are a variety of methods you can use to mitigate the risk of attack. At Digital Hands we leverage email phishing protection software, sandboxing, web gateways, and email detection and response solutions to help detect and stop social engineering attempts before they can become a serious cybersecurity incident.
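The CEO-to-CFO fraud described under whaling and the "verify before you trust" policy above can be partly automated in mail filtering. The following is an added example, not Digital Hands code: it flags inbound messages whose display name matches an executive but whose address does not, whose sender domain is one character away from the company's own, whose Reply-To diverts answers elsewhere, or whose subject pushes urgency or payment. The domain, executive directory and sample messages are constructed for illustration.

```python
import re

# Constructed sample directory: the organisation's own domain and its executives.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

def within_one_edit(a, b):
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b) and edits < 2:
        if a[i] != b[j]:
            edits += 1
            # Advance the longer string only; both when lengths are equal (substitution).
            i, j = i + (len(a) >= len(b)), j + (len(b) >= len(a))
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) == 1

def parse_from(header):
    """Split 'Display Name <addr>' into (name, address), both lower-cased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip().lower()
    return "", header.strip().lower()

def assess(msg):
    """Return the reasons a message looks like executive impersonation (empty list = clean)."""
    name, addr = parse_from(msg["from"])
    domain = addr.rsplit("@", 1)[-1]
    reasons = []
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append(f"display name '{name}' matches an executive but sender is {addr}")
    if within_one_edit(domain, INTERNAL_DOMAIN):
        reasons.append(f"sender domain {domain} is a lookalike of {INTERNAL_DOMAIN}")
    reply_to = msg.get("reply-to", "").lower()
    if reply_to and reply_to.rsplit("@", 1)[-1] != domain:
        reasons.append(f"reply-to {reply_to} routes answers to a different domain")
    if re.search(r"\b(wire|transfer|urgent|confidential)\b", msg.get("subject", ""), re.I):
        reasons.append("subject uses urgency or payment language")
    return reasons

# Constructed sample messages (not real mail): a genuine internal note, a CEO-fraud
# attempt from a free-mail address, and an invoice from a lookalike domain.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@example.com>", "subject": "Board deck for Friday"},
    {"from": "Jane Doe <jane.doe@freemail.example>", "subject": "Urgent wire transfer today"},
    {"from": "Accounts <ap@examp1e.com>", "reply-to": "ap@mailbox.example", "subject": "Invoice 4471"},
]
```

A hit from any rule should route the message to review or tag it for the recipient rather than block it outright, since the same checks will also fire on some legitimate mail.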

Read our guide How to Avoid Social Engineering Attacks to learn how to spot and stop social engineering attacks.

References:

1) Fruhlinger, Josh. "Top Cybersecurity Facts, Figures and Statistics." CSO Online, 9 March 2020.

2) "The Cost of Cybercrime 2019." Accenture Security and Ponemon, 2019.

3) Krebs, Brian. "FBI: $2.3 Billion Lost to CEO Email Scams." Krebs on Security, 16 April 2020.