Hacking your head: how cybercriminals use social engineering
Social engineering is nothing new. It’s a tool of psychological manipulation that’s been used since the dawn of man. Why? To influence people into taking action that might not be in their best interest.
Sometimes it’s fairly harmless, like a child sweet-talking his mom in order to get extra candy. (I’m a victim of this one.) Many times, however, social engineering is used for nefarious purposes.
There are classic examples of social engineering at play throughout human history. Confidence tricks were first used by charmers in the 19th century to con people into trusting others with their valuables. (They should not have trusted…the charmers made off with the goods.) Psychological manipulation, otherwise known as propaganda, influenced droves of people during World War II to go out and buy war bonds. And advertising subtly hints that you’re not pretty enough until you buy this product.
Social engineering taps into the human psyche by exploiting powerful emotions such as fear, urgency, curiosity, sympathy, or the strongest feels of them all: the desire for free stuff.
Which is why cybercriminals have caught on.
Cybercrooks use this dangerous weapon to get at the weakest link: us. They know that the easiest way to penetrate a system is to go after the user, not the computer. “Attacking the human element has always been a favorite,” says Jean-Phillip Taggart, Senior Security Researcher at Malwarebytes. “Why use some hard technical flaw to acquire a password when you can simply ask the user for it?”
In fact, psychological cyberattacks are on the rise. “We are seeing an increase of blended attacks that rely on a combination of social engineering and malicious software,” says Taggart. For example, a popular social engineering tactic is the technical support scam. An alert pop-up will appear on the screen that tells the user he is infected and needs to download a malware application. The user, fearful of infection, will download the fake antivirus or anti-malware application that is instead a vehicle for delivering malware.
So how are the criminals distributing their social engineering schemes? Here are some of the most prevalent forms of social engineering today.
“Huge snake eats man alive!” Have I got your attention? What if I posted a link to a video of the ordeal? You just might be tempted to click, especially because many legitimate articles and other pieces of content use similarly eye-catching headlines to get people to look at their stuff. Cybercriminals get this, and they exploit it.
A particularly popular approach is to capitalize on the innately human desire to crane one’s neck to see an accident on the side of the road. So beware of links to overly graphic terrorist attack images, natural disasters, and other tragedies.
Watering hole attacks
One of the things cybercriminals do best is collect information about their targets. Browsing habits tell a lot about a person, which is why that ad for cat sweaters keeps popping up in your Facebook feed. Cybercriminals use this information the go after the sites most visited by their target group. Once they discover a particular website is popular with their targets, they infect the site itself with malware. For example, hackers knew the iPhone Dev SDK forum was visited frequently by Facebook, Apple, and other developers. They compromised the website, set up an exploit, and ended up infecting a lot of people.
Social networking attacks
Social networking attacks can be particularly dangerous because criminals mess with your mind in two ways. First, they make digs at your personal information. “Cyber criminals know that one of the biggest vulnerabilities people have is their self-image,” says Adam Kujawa, Head of Intelligence at Malwarebytes. “People are worried about what others think of them.” Second, they make their messages appear to come from a friend.
This two-pronged approach can be accomplished in one attack. You might receive a message from your ex-boyfriend that says, “lol, is this your new profile pic?” (with a picture of a walrus). The picture has a link. You click on it, because what the heck, ex-boyfriend?! And would you look at that…you’re infected with malware.
Ransomware is nasty business. It’s also social engineering at its finest/worst. Ransomware is a type of malware that holds your files or part of your system ransom. In order to return access, you have to pay cybercriminals. People who want their precious data back might pay up right away. But for those who need additional scare tactics, criminals have come up with law enforcement scams that make it appear as though the U.S. Department of Justice or FBI Cybercrime division are contacting you to claim that you’ve done something illegal.
Even worse, some cybercriminals will stoop to the level of claiming they found child pornography on your computer—and then display a piece of child pornography. So, they say, pay up and we’ll make it go away. Users, naturally, tend to panic when faced with a message about child pornography that seems to come from law enforcement. This gross tactic has even lead, in an extreme case, to a user committing suicide.
If your dad has ever fallen for the old Nigerian prince tale, then guess what? He was phished. Phishing is a form of social engineering that relies on fooling people into handing over money or data through email. Bad guys accomplish this by sending a generic message out to a huge mass of people that might say something like, “You won $1 million! Click here for your reward!” Sadly, there are those that still fall for this.
However, in recent years cybercriminals have upped their phishing game with more sophistication. Spear phishing emails are crafted in order to make someone believe they’re from a legitimate source. The messages might appear to come from banks or businesses, and could include full names, usernames, and other personal info. Crooks know that if you get an email that looks like it’s from your medical provider and it’s talking about a surgery you had last year, you will likely believe it.
So how can you fend of these psychological attacks? Here are a few tried and true methods:
- Equip yourself with antivirus, anti-malware, and anti-exploit security programs. These can fight off malware attacks from a technical standpoint.
- Anonymize your data by using the privacy features of your browser. It’s also a good idea to clear cookies every once in a while.
- Lock down privacy settings on social media accounts. Make sure you’re making information available only to those you wish to have it.
- Use the right software and hardware systems. If you just use your computer to surf the web, you probably don’t need a powerful processor or the Adobe suite. “Every piece of software you put on your computer has potential vulnerabilities,” says Jerome Segura, Senior Security Researcher at Malwarebytes. “The more you have, the greater your surface of attack is on a particular machine.”
- Finally, and most importantly, use common sense. A healthy dose of skepticism goes a long way. Verify information. Contact the claimed source. “Trust your gut feeling,” says Taggart. “If it feels too good to be true, it probably is. If it feels slightly off, it probably is. Stop and think about what is being asked of you.”