By Fernando Velázquez
When talking about computer security, it is inevitable to say the main flaw or weakness of a system lays right in front of the monitor. People, in many cases, are deciding to execute that ‘payload’ arriving by email, through a PDF or an image, without doing relevant verification on the source. This is due to the power that social engineering has over us.
For hackers or professionals in general, social engineering is the act of manipulating a person through psychological methods and social skills, and pushing them to meet specific goals (Sandoval, 2011).
As we can deduce, psychology plays a very important role in the conception of social engineering; the use of psychological techniques makes its implementation perfectly possible.
In addition, there are many attack vectors used; phishing or baiting are among the most common. Phishing tricks the user by impersonating the identity of a trusted domain, such as a bank, and tries to “fish” our access credentials for example. You can use mail, social networks or even messaging applications for an assault.
In the case of baiting, devices like USB memories are abandoned with the intention that someone will find them and connect to their computers, so infection of some malware occurs. In this way, the ‘Stutnex cyberweapon of destruction’ was propagated throughout Iran’s nuclear power plants to obstruct their uranium enrichment program.
But you should never leave out the classics. It seems to me that everyone heard about the famous Nigerian prince scam, in which, posing as friends of your friends, what the scammers seek in reality is to steal your money, in exchange for the promise of multiplying it in the future.
Dark magic
“The art of hacking people” is a practice that takes advantage of different “vulnerabilities” in our brain to give us an incredible effect of amazement. Within Social Engineering this practice is widely used and we can check now, some of the “vulnerabilities” exploited by this exciting art
- Multitasking = NO: our brain is not prepared to deal with 100% of several things at once. Maybe sometimes we think we can do 2 or more things at the same time, but be sure this is not possible to execute at all.
- Altering perception: the “disinformation effect”, for example, when we are asked to choose a card from a deck among several, but somehow we were induced to choose a specific one, and then the magician “reconfirms” to our brain that we had the opportunity to choose a card freely by saying: “You chose ANY card, right?”
- Necessity to fill in the blanks: our brain has an urgent need to fill in the blanks and it is right there where the famous trick of splitting a lady works. When cutting and separating the box where “the woman” is located, our brain refuses to believe there are two women, and that is why even if we do not want to, we are going to believe it was really broken in two.
As social entities, human beings in principle seek not to be different, because being different often involves being excluded (necessity of affiliation).
This psychological fact is used primarily to ‘atomize’ an individual in a more controllable way, so the brain of this individual when consuming many resources is only optimized to handle the most typical situations.
The evolution itself, in a somewhat pragmatic way, has not endowed us with additional cognitive abilities to deal with too complex situations.
Social engineering attacks| Image from Wall Street International.
For this, we must make a considerable mental effort, but as we always prefer to save, we use economic and rapid decision-making methods: heuristics, shortcuts, intuitions, which usually have not very nice consequences. When our cognitive abilities are overwhelmed, our brain loses its effectiveness and can be easily deceived, abused, confused, distracted or manipulated.
Here are some brain biases that are very easy to apply into the field of IT security and are quite useful for influence or attack.
Reciprocity: In exchange for a service, even unsolicited, we feel the necessity to return the favor. This sense of reciprocity is inscribed in all societies. Returning a favor is a basic rule of human behavior. A small initial favor, even if you have not asked it, can generate greater favors back because we feel socially obligated, we hate being in debt. When we are given free samples of a product in the supermarkets we feel more persuaded to buy it.
Then, we socially reject ingratitude. When someone has helped us with the suitcase or has cleaned the windshield, even without our having requested it, we tend to give a tip. And this easily leads to the trap of small concessions: if someone frequently invites us or gives us small favors, even if we have never asked for them or wish them, we cannot avoid saying “yes” when that person later asks us something, no matter how big it is.
Attack: A malicious employee befriends the secretary of the CEO department. By earning her trust through invitations to dinners or gifts, he asks for details regarding the actions of the high chiefs, showing only simple curiosity, but laterally planning an attack involving a good amount of information gathering about the victims.
Countermeasure: Always identify the true intention of a favor or request.
Share all the information available with people in your environment | Image from Wall Street International.
Necessity of association: We imitate what everyone is doing. Somehow we think that, if everybody does it, it should be fine, especially if they are similar to us. This can be exemplified in the marketing of many products: “10 million readers cannot be wrong” or “150,000 copies sold”. We follow this behavior rule from children, imitating the behavior of our parents, teachers, classmates and friends. That is why individuals in the same group tend to behave in a similar way.
This behavior emerges with greater force in uncertain situations, where it is not clear how to react. In this case, the behavior of the group is systematically considered. If you want someone to do something for you, show them how many people have done it before.
Attack: You receive a call from a person who claims to be doing a survey and mentions the name of other people in your department who have already cooperated with him, previously investigated. Believing that cooperation of other people validates the authenticity of the petition, you agree to participate. The attacker proceeds to ask a series of questions; after that he can trick the victim and ask for usernames and passwords, internal addresses of servers, etc.
Countermeasure: Check the evidence provided and never validate the judgment exclusively on the behavior of others.
Commitment: Once a decision has been made, we act in a consistent approach with the commitment made. Consistency is seen as a moral force, as a praiseworthy quality. When a person gives its word and sticks to it, we perceive it as trustful and honest.
Once we have committed ourselves to something, we do not want to appear inconsistent or untrustworthy and we tend to comply with our given word. In fact, our commitment is stronger when it is made public and apparently coming from an internal motivation, in other words, when we believe that it has come from our brain without any kind of influence.
This commitment leads to stupidly absurd behaviors like ending up watching a movie in the cinema because “I paid the entrance”, ending a book because “I always finish what I start” or in a restaurant eating a dish that we didn’t like just because “I’ve asked for it.”
Attack: The attacker contacts a newcomer to the organization informing him of the need to comply with the security policies and procedures, in order to access the company’s information systems. When the victim has committed to comply with all the rules and to do everything that is requested, the attacker can demand anything with the excuse of following a security procedure, which the victim will surely accept.
Countermeasure: Always test the commitments made and analyze new situations to make decisions in the future.
Authority: You tend to listen and follow directions from someone in a position of authority. We absolutely trust experts under any circumstance, even though these experts make recommendations on matters that do not correspond to them. If Stephen Hawking advised on the dangers of Artificial Intelligence, it had to be taken very seriously, despite his expertise only in Theoretical Physics. Of course, we need to delegate to experts. T
he problem arises when an attacker exploits our good faith in authority, using its appearance supported by titles, badges, or any symbolism.
Attack: The attacker pretends to belong to the IT department or to be an executive of the company, cloning a fake badge or any stratagem that validates its authority lowering automatically the defenses of a victim.
Countermeasure: Ask yourself, is this person a real expert? Can I trust him?
Never let yourself be guided by appearances | Image from Wall Street International.
Preference: We tend to say “yes” to people we find attractive, or to people who flatter us. We like the people who adulate us. The more you flatter ‘correctly’ a person, the easier that person will say yes to anything.
Even if you are aware that the compliments are not sincere. Also, there is an effect very related to the preference, named as “halo effect”, that is, to associate all types of positive characteristics to attractive people. We perceive attractive people as smarter, friendlier and more capable. In short, the more attractive you show yourself, the more persuasive you become.
Attack: The attacker pretends to share the same interests as the victim. He seeks to find an emotional connection to awake positive feelings, so his victim will have no guard against him, if he decides to attack in some way.
Countermeasure: Never let yourself be guided by appearances.
Final tips
You do not have to be an expert to carry out social engineering attacks, so there are no computer systems to help us prevent these situations. Network security does not depend on software, but on the ability of users to protect themselves using purely common sense.
Therefore, we are the only ones responsible of knowing how to properly interpret the security policies and enforce them. Additionally, I add these last relevant points for the prevention of social engineering attacks:
- Well-founded suspicions: Never fall to anything that look suspicious, regardless of how promising the benefits may seem. Promises too good to be true are just that, simple promises.
- Fear is not an option: Do not be intimidated by threats. Many criminals use the element of surprise to frighten and lead us to do something that, under other circumstances, we would not do. It is always better to ignore the frightening tactics.
- Sharing knowledge: Share all the information available with people in your environment so they are more protected. Do not let them fall into the trap of cybercrime.
- Prevention is better than cure: Invest in effective training for your own benefit. Explore and use the built-in security features of the sites and web pages you visit frequently. Some sites, such as Facebook, provide information on the latest threats and tips, which will allow you to surf safely online.
Fernando Velázquez is a cryptographer, cybersecurity professional, privacy consultant and writer. He is the author of several articles on general Information Security topics.
.
He is the founder and Chief Technology Officer of Shield CyberSpace Boundaries (S.C.B) an organization specialized in Digital Rights Management, Online Privacy, Malware Analysis, Security and Computer Science.
