Social Engineering, not the good engineering you hear so much about.

Background
The Internet has become the largest medium of communication and information exchange in our daily lives. In addition to email and SMS, Web 2.0 services such as Twitter, Facebook, and other social networking sites, and even Web 3.0 services have become part of our daily routine. As a result of COVID-19, we have been forced to become accustomed to working from home, with more and more employees using their own devices to do their work. This increased flexibility means that we need to make more and more data available to our colleagues through online channels. Decentralized data access and cloud services are nowadays mainly provided through third parties, be it social networks or any other type of platform. (Kaspersky, 2023)

What is social engineering?

Knowing only your phone number, hackers can obtain all of your sensitive personal information, even including bank account numbers, accommodation records, and so on. Such a system operates out of sight in the cyber world. It is called the Social Engineering Vault. A Social Engineering Vault is a database of personal data that has been illegally collected and stored through social engineering techniques. This data includes, but is not limited to, sensitive personal information such as names, addresses, phone numbers, email addresses, social security numbers, and bank account information. Social engineering techniques exploit psychological and behavioral vulnerabilities in human interactions to induce individuals to divulge information or perform certain actions. The existence of these repositories poses a serious threat to our privacy, since hackers and fraudsters can use the information for further fraud, extortion, or other illegal activities. As recipients of digital information and users of digital platforms, we need to raise our awareness of self-protection and treat any unsolicited information with suspicion.

How social engineering attacks work

Humans are more likely to trust other people than computers or technology. As a result, we are the weakest link in the security chain. Malicious activity carried out through human interaction can psychologically influence a person to divulge confidential information or bypass security procedures. Hackers manipulate a person’s psychological weaknesses through social engineering attacks to gain access to sensitive information or to induce victims to perform specific actions (Pokrovskaia & Snisarenko, 2017). Such attacks include phishing, in which a hacker sends an urgent message disguised as coming from a legitimate organization to entice a click on a malicious link; pretexting, in which information is solicited by constructing a convincing story, such as requesting a password while pretending to be IT support; baiting, in which free resources are offered to entice a victim to download a file that contains malware; and tailgating, in which an attacker follows employees into restricted areas. In addition, hackers use social media to gather personal data for more precisely targeted attacks. These tactics allow hackers to bypass technical defenses and exploit human interactions directly. Because they work through human interaction, social engineering attacks are among the most powerful attacks: they threaten all systems and networks. If people are not trained to recognize these attacks, no software or hardware solution can prevent them. Cybercriminals choose these attacks when there is no technical vulnerability through which to crack the system. (Aroyo et al., 2018)

Social engineering attacks rely heavily on the development of the Internet because the Internet provides a wide range of platforms and tools for such attacks, making it easy for attackers to reach many potential victims. The anonymity of the Internet and the speed of information dissemination allow attackers to collect a wide range of personal information and deploy deception tactics without revealing their identity. For example, by sending phishing messages via email or social media platforms, attackers can not only target specific individuals but also send them in bulk to thousands of users, dramatically increasing the success rate of their attacks. In addition, the wide availability of information online makes it easier for attackers to develop persuasive pretexts and fictional stories that enhance the effectiveness of their deception. Therefore, as Internet technology has developed and its applications have spread, the means and scope of social engineering attacks have expanded, posing greater challenges to network security.

Common Social Engineering Attacks

Hackers use social engineering to attack their victims in a variety of ways, mainly by manipulating human psychological responses to obtain sensitive information or to make people perform certain actions. Below are a few common methods:

  • Phishing: Hackers send legitimate-looking emails or messages that masquerade as credible sources, such as banks, social networking platforms, or internal company communications. These messages often contain urgent language that prompts the victim to click on a link or attachment that installs malware or compromises login credentials.
  • Pretexting: Hackers create a detailed backstory or excuse designed to convince victims that they have a legitimate need to request sensitive information. For example, a hacker might pretend to be an IT support person and ask an employee for a password to help resolve a supposed technical issue.
  • Baiting: Like bait in real-life fishing, the hacker offers something enticing to lure the victim into action, such as a download link for free software or a USB drive containing data, either of which may carry malware.
  • Tailgating: In the area of physical security, a hacker or other miscreant follows an unsuspecting employee through a security gate into a restricted area. This is usually done without a proper security card or other access rights.
  • Social Media Exploitation: Hackers use social media platforms to collect personal information about their victims, such as birthdays, family relationships, professional backgrounds, etc., which is then used to execute more targeted attacks, such as Spear Phishing.

The Google and Facebook spear-phishing scam worth hundreds of millions of dollars

The biggest social engineering attack of all time was carried out by Lithuanian national Evaldas Rimasauskas against two of the world’s biggest companies: Google and Facebook. Rimasauskas and his team set up a fake company pretending to be a computer manufacturer that worked with Google and Facebook. Rimasauskas also opened bank accounts in the fake company’s name.

According to information released by the United States Attorney’s Office for the Southern District of New York, Rimasauskas incorporated a company in Latvia with the same name as a computer hardware manufacturer based in Asia and opened, maintained, and controlled various accounts at banks in Latvia and Cyprus under the name of the counterfeit company. Thereafter, fraudulent phishing e-mails were sent to employees and agents of the victim companies, who regularly transacted millions of dollars with the original company, instructing that payments for goods and services be sent to the counterfeit company’s bank accounts in Latvia and Cyprus. The e-mails purported to come from employees and agents of the original company and were sent through e-mail accounts made to look like theirs. However, the e-mails were neither sent nor authorized by the original company. The scam successfully deceived the victim companies into complying with the fraudulent money transfer instructions. (USAO, 2019)

Government measures

Governments are also working to protect the security of their citizens’ personal information. The Australian Government has implemented several measures. It has launched the Australian Cyber Security Strategy 2023-2030 to improve cybersecurity, manage cyber risk, and support citizens and businesses in addressing threats in the cyber environment through six strategic cyber protection barriers. The barriers aim to strengthen businesses, secure technology, optimize threat sharing and blocking, protect critical infrastructure, develop sovereign capabilities, and build cybersecurity leadership at regional and global levels. In addition, the government is working through public-private partnerships and considering legislative reforms to further enhance critical infrastructure protection. (Australian Government, 2023)

What we can do to keep our information secure

The Evaldas Rimasauskas scam demonstrates the urgent need for information security awareness. His elaborate disguises and fraudulent tactics caused even large technology companies to fail to recognize the scam, resulting in a huge loss of money. This shows that even technologically advanced organizations can be unprepared for sophisticated social engineering attacks. Therefore, increasing the rigor of email validation, raising employee awareness of the various forms of phishing attacks, and implementing meticulous financial auditing procedures (in particular, verifying any change of payment details through a separate, trusted channel before acting on it) are critical to preventing the recurrence of such incidents. The lesson of this case is that comprehensive information security training and a systematic vetting process are key strategies for preventing such attacks.
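To make the "rigor of email validation" and "financial auditing procedures" recommended above concrete, here is an added example (not code from the original article or from any cited source) of the automated checks an accounts-payable mailbox could apply before a payment instruction is acted on. It parses a message with Python's standard `email` module and flags the patterns seen in the case above: a display name that claims a known vendor while the sending domain is not one of that vendor's, a Reply-To that routes answers elsewhere, failed SPF/DKIM/DMARC results, and a request to redirect payments. The vendor name, domains, header values and message texts are constructed sample data, and the `KNOWN_VENDORS` allowlist is an assumed local configuration.

```python
"""Header and content checks for vendor payment e-mails.

Added example for this post (not code from the original article or any
cited source). Every vendor name, domain and message below is constructed
sample data; KNOWN_VENDORS stands in for an organisation's own allowlist.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed allowlist: the only domains each vendor legitimately sends from.
KNOWN_VENDORS = {
    "Acme Hardware Ltd": {"acme-hardware.example"},
}

# Wording that typically accompanies a payment-redirection request.
BANK_CHANGE_PATTERNS = [
    r"new bank (account|details)",
    r"updated (bank|payment|remittance) (details|information|instructions)",
    r"remit (all )?(future )?payments to",
]


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (single or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    texts = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts)


def check_vendor_email(raw: str) -> list[str]:
    """Return a list of findings; an empty list means no red flags were raised."""
    msg = message_from_string(raw)
    findings: list[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name claims a known vendor, but the sending domain is not
    #    one of that vendor's (lookalike domain, free webmail, etc.).
    for vendor, domains in KNOWN_VENDORS.items():
        if vendor.lower() in display_name.lower() and from_domain not in domains:
            findings.append(f"sender domain '{from_domain}' is not a known domain for {vendor}")

    # 2. Replies are routed to a different domain than the claimed sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain '{_domain(reply_addr)}' differs from From domain '{from_domain}'")

    # 3. The receiving gateway's SPF/DKIM/DMARC verdicts were not all 'pass'.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is '{m.group(1)}'")

    # 4. The body asks for payments to be redirected: verify out of band
    #    with a known contact before any transfer is made.
    body = _body_text(msg)
    if any(re.search(p, body, re.IGNORECASE) for p in BANK_CHANGE_PATTERNS):
        findings.append("message requests a change of bank/payment details; verify via a trusted channel")

    return findings


# Constructed sample messages (not real traffic).
SAMPLE_FRAUDULENT = """\
From: Acme Hardware Ltd <accounts@acme-hardvvare.example>
Reply-To: billing.acme@webmail.example
To: ap@victim-corp.example
Subject: Updated remittance details for invoice 4471
Authentication-Results: mx.victim-corp.example; spf=fail smtp.mailfrom=acme-hardvvare.example; dkim=none
Content-Type: text/plain; charset=utf-8

Please note our updated bank details effective immediately.
Remit all future payments to the account below.
"""

SAMPLE_LEGITIMATE = """\
From: Acme Hardware Ltd <accounts@acme-hardware.example>
To: ap@victim-corp.example
Subject: Invoice 4471
Authentication-Results: mx.victim-corp.example; spf=pass smtp.mailfrom=acme-hardware.example; dkim=pass header.d=acme-hardware.example; dmarc=pass
Content-Type: text/plain; charset=utf-8

Invoice 4471 is attached. Payment terms are unchanged.
"""

if __name__ == "__main__":
    for label, sample in (("fraudulent", SAMPLE_FRAUDULENT), ("legitimate", SAMPLE_LEGITIMATE)):
        print(f"{label}: {check_vendor_email(sample) or ['no findings']}")
```

None of these checks is a substitute for the procedural control the case calls for: a request to change a vendor's bank details should always be confirmed by calling a contact number already on file, never one taken from the message itself. The checks simply ensure such a message is routed to that confirmation step instead of straight to payment.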

While this case is a social engineering attack against large organizations, it also demonstrates why individual users need to be vigilant against similar tactics in their day-to-day Internet use. Individual users are just as likely to receive emails or messages that appear legitimate but carry malicious intent, with these scams attempting to lure users into divulging personal information or financial details through forged notifications or urgent requests. Therefore, individual users also need to develop the ability to recognize suspicious emails and requests, learn how to verify the authenticity of information, and take security measures such as using multi-factor authentication and regularly updating their passwords to keep their information secure.

To prevent personal information from being illegally collected into social engineering databases such as the Social Engineering Vault described above, we should take several key measures:

  • Raise awareness of common social engineering tactics such as phishing and pretexting.
  • Handle emails and messages with care and avoid clicking on unknown links or downloading unknown attachments.
  • Use complex, unique passwords and enable multi-factor authentication on every account that supports it.
  • Regularly apply security patches for operating systems and applications.
  • Limit the sharing of personal information on social media and other online platforms.
  • Install antivirus software and other security tools to protect your devices.

These steps can significantly reduce the risk of personal information leakage.

Bibliography:

  1. Aroyo, A. M., Rea, F., Sandini, G., & Sciutti, A. (2018). Trust and social engineering in human robot interaction: Will a robot make you disclose sensitive information, conform to its recommendations or gamble? IEEE Robotics and Automation Letters, 3(4), 3701–3708. https://doi.org/10.1109/lra.2018.2856272
  2. Australian Government, Department of Home Affairs. (2023, November 22). 2023-2030 Australian Cyber Security Strategy. https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy
  3. Kaspersky. (2023, November 1). What is social engineering? usa.kaspersky.com. https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineering
  4. Pokrovskaia, N. N., & Snisarenko, S. O. (2017). Social engineering and digital technologies for the security of the social capital’s development. 2017 International Conference “Quality Management, Transport and Information Security, Information Technologies” (IT&QM&IS). https://doi.org/10.1109/itmqis.2017.8085750
  5. USAO. (2019, March 20). Lithuanian man pleads guilty to wire fraud for theft of over $100 million in fraudulent business email compromise scheme. United States Attorney’s Office, Southern District of New York, United States Department of Justice. https://www.justice.gov/usao-sdny/pr/lithuanian-man-pleads-guilty-wire-fraud-theft-over-100-million-fraudulent-business
