Ali Tas
8 min read, Dec 27, 2020

Social Engineering

Although most sources describe Social Engineering as a concept related to hacking a company, in its most general definition Social Engineering is the practice of obtaining account information, passwords or any other information that should remain confidential, in order to access the valuable resources of a person, company or institution, by using various psychological methods.

Beyond capturing an admin username and password to access a server or database that holds a company's confidential information, Social Engineering has other domains. For example, a fraudster calls a person claiming to be from the courthouse or police headquarters, exploits the victim's weaknesses and frightens him into making a bank transfer, or steals his money after obtaining his account information. This is also a very common Social Engineering method in certain countries.

The basis of Social Engineering is overcoming a technical barrier with psychological attack methods.

As seen in the picture above, the barrier in a company is a Firewall, which protects the company against malicious people; the attacker bypasses it by reaching the server through the user's weaknesses, fears and hopes. With the user's help, the hacker overcomes a firewall that he could not overcome with ordinary attacks.

The target in Social Engineering is a person, never a machine, because a machine is not capable of psychological decision-making.

In Social Engineering, the targeted valuable information is obtained by exploiting the following psychological states of the person (user).

1. Fear, Anxiety

2. Hope, Expectation

3. Feeling important, weakness

4. Inability to manage stress

5. Sense of trust

6. Sadness, Depression

7. Not questioning

8. Lack of information

9. Carelessness

10. Gossip, Curiosity

If the target is a company, two fundamental Social Engineering methods are used.

1. Distributed, Random Attack: Here the most basic information-leakage method for reaching the targeted company's resources is placing a virus or a Trojan on the company's computers. However, this method is often stopped by the company's defenses (FW, Antivirus, Antispam, IPS). In this method, an e-mail is sent to company employees, for example some information or a picture about a very famous artist, and the user is asked to click on the picture. When the user clicks the picture, or simply opens the mail, the Trojan is installed on the computer. Depending on the function of the Trojan used, the person's confidential information, their address book and even their saved passwords are sent to the hacker. This can be done via an e-mail or via a flash memory stick.

For example, years ago intelligence services that could not infiltrate the site of a uranium enrichment center in Iran installed a Trojan on about 50 flash memory sticks and left them next to the tires of vehicles parked in the parking lot. A curious accounting worker picked one up, took it into the workplace and plugged it into his computer. The program on the flash memory stick locked the computer system of the whole center and made it inoperable. This attack set Iran back in its uranium enrichment and caused a huge loss of information.

2. Targeted Attack: In this type of attack, the hacker, who cannot cross the technical barrier, tries to cross it through one person. First of all, he collects all kinds of information about this person. The aim is to find the weaknesses of the targeted person in order to leak valuable information from that person. For this, every information-gathering method is tried, including going through the person's garbage. In fact, by tracking the person, all information such as where he eats, which bar he goes to, whether he has a boyfriend or girlfriend, whether he goes to the doctor, whether he likes animals, etc. is collected. With this information, suitable Social Engineering methods are used to obtain the targeted information by communicating with the person via social media, by phone or face to face. The targeted information might be the username and password of the computer, a copy of the company's entrance card, or the boss's private confidential information.

For example, having found out that the target person has not had a boyfriend or girlfriend for a long time, the hacker group sends someone to the bar to start a relationship with the target. That person gets the target drunk, takes the company entrance card and copies it. This enables the hacker to enter a very large company and operate inside it very easily.

Social Engineering is actually a core business that intelligence services have practised for years. Nowadays, however, it is not only intelligence services: companies use it to outwit each other in the market, individuals use it to steal information or money from companies or from each other, and even states have started to use it to obtain valuable information from one another. Some skills of social engineers are very advanced.

1. Their ability to persuade is highly developed.

2. They have a strong ability to influence others.

3. They can quickly produce scenarios.

4. They can lie in cold blood.

5. They can control their own psychology and tell any lie without showing physical signs.

6. They are knowledgeable and equipped to influence the other person quickly with these skills.

Phishing

Phishing is the most used method in Social Engineering. In phishing attacks the user is usually trapped by a fake e-mail. The attacker gains access to the targeted information by impersonating known and trusted banks and companies.

Example 1: the bank's web page is copied and a link to the copy is sent to the target from a very similar e-mail address, asking the person to update their details in the bank's systems. When the person clicks the link, he sees what looks like his own bank page. The user fills in the critical bank-access information and submits it through this web page. Yes, all your information is now in the hands of the hacker. Your bank accounts may be emptied within a few minutes, or a new credit card may be issued in your name and used for shopping on the other side of the world. Here is what you need to know: no bank will ask you to update your access information via e-mail or the web! Phishing can be done by e-mail or by phone, and hackers achieve much greater success over the phone. In this phishing method, the target is put under pressure through the sense of trust, not questioning, lack of information and carelessness.

Example 2: A message is sent to a person's social media account from the web address of a famous shoe brand. For the 100th anniversary of the brand's foundation, the company will supposedly give away 2,000 pairs of shoes free of charge, and the person is asked to fill in the form below. The form asks for all kinds of confidential and personal information, from the bank account number to the person's mother's maiden name. Because people forward such messages to each other on social media, the hackers accessed the personal confidential information of more than 100,000 people within 2 hours. Here the hackers pressured their targets through the feelings of trust, not questioning, lack of information, carelessness, hope and expectation.

Phishing has become an attack method that we come across almost every day. So how do we protect ourselves from phishing?

1. If someone you do not know offers to give you something of value (money, gifts or valuable information), stop for a minute and think why. The most basic rule is that everything of value has a price. In addition, even if it does not seem important to you day to day, your personal information (your account number, your mother's maiden name, your date of birth and even your dog's name) is very valuable. Never share this information with people you do not know.

2. Do not share your date of birth, passwords, and any personal information that may be critical for you on social media.

3. When someone requests money or information from you on social media, verify that the account is not fake or stolen.

4. Reliable sources, banks, telecommunication operators and any company that holds your confidential personal information will not ask you to update your information by phone or mail. If someone calls or mails you, they already know you; don't give them any personal information.

5. Do not open e-mails from people or organizations you do not know. Even though companies have cyber security systems, a hacker who exploits a missing patch in those systems can easily obtain the information they want.

6. Never add your personal e-mail account to the Outlook profile that holds the company's e-mail. An attack can come from an unexpected place.

7. The most important element in phishing attacks is the use of fake addresses. Always check web page and e-mail addresses; even a single changed letter can cause irreversible damage. Also be sure to check masked e-mail addresses, where the displayed name hides the real sender address.

8. Perform a security check: banks, shopping sites and money-transfer services use the secure HTTPS protocol for user information. Data transmitted over this protocol is encrypted, so its security is high.

9. Do not throw away papers containing your confidential and personal information without destroying them. Be sure to put papers with company information on them through the shredder.
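The address checks in items 7 and 8 above, as an added example that is not part of the original post: a small Python checker that compares the real sender domain (the part after @) and the host of a link against a constructed list of trusted domains, folds common look-alike characters, and flags a display name that borrows a trusted brand. The TRUSTED list and all domain names are assumptions; the link check also shows that an https link on a look-alike host is still flagged, because HTTPS only encrypts the connection and says nothing about who owns the host.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed, hypothetical list of domains the reader actually trusts.
TRUSTED = {"examplebank.com", "shoebrand.example"}

# Character substitutions commonly used to forge near-identical domain names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})

def fold(host: str) -> str:
    """Fold look-alike characters so 'examp1ebank' and 'exarnplebank' read as 'examplebank'."""
    return host.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches 'the smallest letter change' in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike' (near a trusted name) or 'unknown'."""
    raw = host.lower()
    raw = raw[4:] if raw.startswith("www.") else raw
    if raw in trusted or any(raw.endswith("." + t) for t in trusted):
        return "trusted"
    folded = fold(raw)
    for t in trusted:
        brand = t.split(".")[0]
        if folded == t or edit_distance(folded, t) <= 2 or brand in folded:
            return "lookalike"
    return "unknown"

def check_sender(from_header: str, trusted=TRUSTED) -> str:
    """Flag a From: header whose display name borrows a trusted brand but whose
    real address (the part after '@') is not on a trusted domain ('masked')."""
    name, addr = parseaddr(from_header)
    verdict = classify_host(addr.rpartition("@")[2], trusted)
    name_key = name.lower().replace(" ", "")
    if verdict != "trusted" and any(t.split(".")[0] in name_key for t in trusted):
        return "masked"
    return verdict

def check_link(url: str, trusted=TRUSTED) -> str:
    """HTTPS only encrypts the connection; it says nothing about who owns the host."""
    return classify_host(urlsplit(url).hostname or "", trusted)
```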

Social Engineering is the biggest problem in Cyber Security. Today, companies invest in Cyber Security and set up the necessary systems, but they do not invest enough in Cyber Security awareness and training for users. Network attacks exploit the weaknesses of devices, whereas social engineering cyber-attacks exploit the weaknesses of people. In other words, as long as employees are not given enough awareness training, investments in Cyber Security will lose their meaning after a while. The most important technical investments for preventing systems from being hacked through Social Engineering are NAC and DLP. These systems are tools that minimize attacks that exploit people's weaknesses. Of course, what kind of NAC and DLP to deploy, what policies to set and what staff training to provide are a separate Cyber Security architecture topic, which will be discussed in another post. Dedicated architecture and policy work needs to be done for each company.

Ali Tas / BERN / SWITZERLAND

E-mail: tas.alich@gmail.com

Linkedin: https://www.linkedin.com/in/ali-ta%C5%9F-71069821/
