Project Bytesgate
Most social engineering attacks rely on actual communication between attackers and victims. The attacker tends to motivate the user into compromising themselves, rather than using brute force methods to breach your data.
The attack cycle gives these criminals a reliable process for deceiving you. Steps for the social engineering attack cycle are usually as follows:
This process can take place in a single email or over months in a series of social media chats. It could even be a face-to-face interaction. But it ultimately concludes with an action you take, like sharing your information or exposing yourself to malware.
It's important to beware of social engineering as a means of confusion. Many employees and consumers don't realize that just a few pieces of information can give hackers access to multiple networks and accounts.
By masquerading as legitimate users to IT support personnel, they grab your private details — like name, date of birth or address. From there, it's a simple matter to reset passwords and gain almost unlimited access. They can steal money, disperse social engineering malware, and more.
social engineering life cycle
Social engineering attacks center around the attacker’s use of persuasion and confidence. When exposed to these tactics, you are more likely to take actions you otherwise wouldn’t.
Among most attacks, you’ll find yourself being misled into the following behaviors:
Heightened emotions: Emotional manipulation gives attackers the upper hand in any interaction. You are far more likely to take irrational or risky actions when in an enhanced emotional state. The following emotions are all used in equal measure to convince you.
Urgency: Time-sensitive opportunities or requests are another reliable tool in an attacker’s arsenal. You may be motivated to compromise yourself under the guise of a serious problem that needs immediate attention. Alternatively, you may be exposed to a prize or reward that may disappear if you do not act quickly. Either approach overrides your critical thinking ability.
Trust: Believability is invaluable and essential to a social engineering attack. Since the attacker is ultimately lying to you, confidence plays an important role here. They’ve done enough research on you to craft a narrative that’s easy to believe and unlikely to rouse suspicion.
There are some exceptions to these traits. In some cases, attackers use more simplistic methods of social engineering to gain network or computer access. For example, a hacker might frequent the public food court of a large office building and "shoulder surf" users working on their tablets or laptops. Doing so can result in a large number of passwords and usernames, all without sending an email or writing a line of virus code.
Now that you understand the underlying concept, you’re probably wondering “what is a social engineering attack and how can I spot it?”
Perhaps the most famous example of a social engineering attack comes from the legendary Trojan War, in which the Greeks were able to sneak into the city of Troy and win the war by hiding inside a giant wooden horse that was presented to the Trojan army as a symbol of peace.
In more modern times, Frank Abagnale is considered one of the foremost experts in social engineering techniques. In the 1960s, he used various tactics to impersonate at least eight people, including an airline pilot, a doctor and a lawyer. Abagnale was also a check forger during this time. After his incarceration, he became a security consultant for the Federal Bureau of Investigation and started his own financial fraud consultancy. His experiences as a young con man were made famous in his best-selling book Catch Me If You Can and the movie adaptation from Oscar-winning director Steven Spielberg.
Once known as "the world's most wanted hacker," Kevin Mitnick persuaded a Motorola worker to give him the source code for the MicroTAC Ultra Lite, the company's new flip phone. It was 1992, and Mitnick, who was on the run from police, was living in Denver under an assumed name. At the time, he was concerned about being tracked by the federal government. To conceal his location from authorities, Mitnick used the source code to hack the Motorola MicroTAC Ultra Lite and then sought to change the phone's identifying data or turn off the ability for cellphone towers to connect to the phone.
To obtain the source code for the device, Mitnick called Motorola and was connected to the department working on it. He then convinced a Motorola employee that he was a colleague and persuaded that worker to send him the source code. Mitnick was ultimately arrested and served five years for hacking. Today, he is a multimillionaire and the author of a number of books on hacking and security. A sought-after speaker, Mitnick also runs cybersecurity company Mitnick Security.
A more recent example of a successful social engineering attack was the 2011 data breach of security company RSA. An attacker sent two different phishing emails over two days to small groups of RSA employees. The emails had the subject line "2011 Recruitment Plan" and contained an Excel file attachment. The spreadsheet contained malicious code that, once the file was opened, installed a backdoor through an Adobe Flash vulnerability. While it was never made clear exactly what information was stolen, if any, RSA's SecurID two-factor authentication (2FA) system was compromised, and the company spent approximately $66 million recovering from the attack.
In 2013, the Syrian Electronic Army was able to access the Associated Press' (AP) Twitter account by including a malicious link in a phishing email. The email was sent to AP employees under the guise of being from a fellow employee. The hackers then tweeted a fake news story from AP's account that said two explosions had gone off in the White House and then-President Barack Obama had been injured. This garnered such a significant reaction that the Dow Jones Industrial Average dropped 150 points in under 5 minutes.