Security Bloggers Network 
SBN

Beware of Being Played With

by Jason Chavarría on September 19, 2021

Are you comfortable posting pictures of the town where you were born?
How about sharing a story about your first pet? Yeah? You have no
problem having the name of your elementary school on your profile or
talking in your blog about your most favorite food? No? By the way, can
you please tell us, what was your mom’s name before she was married?

The previous topics are related to some of the most common password
reset questions. When the particular answers to these questions are
readily available on the Internet, they can be easily found by a social
engineer targeting you. What happens next is that they will try to use
phishing against you to deploy
ransomware on your computer, among other
possibilities. But you wouldn’t notice until it’s too late.

In this post, we will expand on a previous
entry about how social engineering works.
We’ll see why it is effective and how to prevent being scammed.

What is social engineering?

Social engineering can be
defined as “a
technique that uses psychological manipulation […​] to force people to
disclose private personal or corporate information, or take a particular
action.” As explained in our latest post, an
attack, ethical or not, has to be planned first with an exploration
mindset. As investigator and author Joe Gray
says,
“Rarely will an effective social engineering attack happen without an
informed understanding of the target.” Gray is an expert in gathering
Open Source Intelligence (OSINT), which is information taken from
publicly available sources and used in the intelligence context. Gray
explains that
intelligence means that each piece of information is gathered on the
basis of how it furthers the investigation.

In one talk, Gray said
that most OSINT operations start with a single piece of information: “A
business, a name, an email address, physical address, phone number, meta
data.” This is further matched with social media accounts, blogs,
websites, even leaked information in password dumps. (Talking about
dumps: They may even search your garbage! That is a thing called
Dumpster
Diving.)
While gathering OSINT of a company, Gray likes to check the Securities
and Exchange Commission (SEC) files. These files allow him to “find out
how the business is doing, find out some of the things the business has
been struggling with, or what the business is looking out for in the
future.”

After extensive research, social engineers get a good idea of an
employee’s likes and dislikes and the organization’s operating
environment, organizational structure and lingo. Eventually, they come
up with a reason to talk to their target. For example, Gray tells an
anecdote about how he learned that the CEO of the company for which he
was doing ethical social engineering was retiring and that the Chief
Operating Officer (COO) would be taking over. So he set off to buy a web
domain and design a legit-looking survey website. Then, he impersonated
the COO in an email, using direct quotes from him, which he found in
sources like press releases. In this email, he asked employees to fill
in the survey, which prompted them to share sensitive information. Out
of 150 targets, he got 17 usernames, 18 passwords and 17 sets of
password-reset questions.

Weapons of influence

Social engineers’ techniques are often analyzed using the principles of
influence proposed by psychologist Robert Cialdini in his book
Influence: The Psychology of
Persuasion.
Here are some brief descriptions of social engineers’ actions appealing
to Cialdini’s principles and the reasons why they make people talk:

  • Claiming to have the same interests as the target in order to
    increase their likability, for we tend to cooperate more with
    persons who share our affinities.

  • Claiming that they are acting under the authority of the CEO, an
    expert or a specific law, which works because we tend to obey these
    people or rules.

  • Asking for sensitive information after having granted the target a
    great offer in a (bogus) product, appealing to our tendency for
    reciprocity.

  • Claiming that a target’s peer has already shared some information,
    so the target should cooperate too, because having social proof
    that something our peer did is appropriate, we tend to follow their
    lead.

  • Claiming that there is limited time to take action, like paying a
    ransom before impending doom, forcing the target to act fast, which
    works because the scarcity of time makes us act more recklessly.

  • Convincing the target that doing what they’re told is consistent
    with their values, which works because we are pressured daily to
    maintain consistency in our acts.

After earning the confidence of their target, social engineers commonly
get the info they want and may even ask victims to click on dangerous
links. Shortly after, they leave abruptly on some made-up excuse.

Some phishes are easier to catch

You may think: “Certainly some people are more sensible than others? Not
everyone is as easily influenced?” Well, there may be some people who
are more vulnerable to some of the weapons mentioned above. A recent
review
article, published in the journal Cybersecurity, lists some traits that
make some people easier to manipulate.

According to the review, people who are more
agreeable, meaning they tend
to cooperate more, are more vulnerable to the scammer’s likability, use
of authority and social proof, and demand for reciprocity. The authors
argue that these people would be more susceptible to fall for phishing
and to share passwords. Those who are more
conscientious, meaning
they are organized and hardworking, may also fall for the use of
authority and reciprocity, and yield to the pressure to maintain
consistency. Finally, those who are more
extraverted would react more
promptly to the scarcity of time.

But it is argued that some traits may protect against the influence of
social engineers. The authors suggest that
neuroticism, that is, higher
proneness to experience situations as distressing, indicates lesser
vulnerability to the weapons of influence. Furthermore, they suggest
that people who are more open to new
experiences, being
also probably more tech-savvy, are not open to being manipulated by
social engineers.

That sounds phishy!

We already listed some tips on how to prevent social engineers’ most
favorite scams here and
here. In short, look out for generic email subjects,
awful spelling and grammar, and emails or calls prompting life or death
decisions. They are all fishy.

Let’s add to the list some of the
tips provided by the
United States Computer Emergency Readiness Team (US-CERT):

  • Check the sender’s email address. Are there misspelled words trying
    to pass for a legit company’s address?

  • Do not open a link before inspecting it. Has the URL been shortened?
    Also, hover your cursor over the link. Is it awfully long? Is it a
    hot mess?

  • If you are being asked to download an attachment, ask yourself if
    the request makes total sense. Remember that attackers use time
    scarcity to manipulate you.

Finally, have in mind that conducting ethical OSINT and social
engineering can help you identify what sensitive corporate data is
being, or could be, shared publicly. Then, data removal and educating
employees on how to detect scams and limit the sensitive information
they share may be the best options.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Jason Chavarría. Read the original post at: https://fluidattacks.com/blog/social-engineering/

Jason Chavarría