“Social engineering is a form of techniques employed by cybercriminals designed to lure unsuspecting users into sending them their confidential data, infecting their computers with malware or opening links to infected sites” – Kaspersky Lab
Following on from our last article, which looked at the rise of online gaming amongst young people and explored some of the issues around the topic, we are now going to have a closer look at social engineering including:
- An example of social engineering
- How hackers use social engineering
- Why it is popular in the online gaming world
- How to avoid social engineering attacks
An example of social engineering
Social engineering today has become much more common and the complexity level of attacks is very high. The human element has been the main factor in many cyber attacks.
In May 2018, it was reported that an amazing 97% of malware involved the targeting of users through social engineering – the majority of cyber attacks are designed to take advantage of human error and vulnerabilities rather than any failure of hardware or software (source KnowBe4).
The following is an example of social engineering…
In 2016, the US Department of Justice (DOJ) experienced a social engineering attack that meant that over 29,000 FBI and DHS employees suffered a leak of their personal details…
The hacker gained access to a DOJ employee’s email account (it is not known how). The hacker then tried to access a web portal which needed an access code, which he did not have. He then phoned the department, claiming he was a new employee and needed some help. He was given access to the code and then used it to access the department’s intranet using the stolen email details.
He gained access to DOJ computers and databases containing email information and credit card details.
As proof of the hack, he leaked internal DOJ contact information.
One of the highlighted games hit by a DDoS attack was Nintendo’s Pokemon Go. The hacking group PoodleCorp claimed responsibility for the attack, which targeted the game’s servers and affected 600,000 devices.
How hackers use social engineering
As discussed above, social engineering is the art of manipulating people into giving up confidential information.
Cybercriminals usually use it to trick people into:
– giving them passwords
– giving them financial information
– allowing them access to devices to install malicious software, which will give them access to information (as well as gaining control of your devices).
Cybercriminals use social engineering techniques because it is easier to exploit people’s natural instinct to trust others than to discover ways to hack software – it is easier to fool someone into giving you their password than to try to crack it (unless that password is really weak and therefore easy to guess).
Security is all about knowing what and who to trust and the weakest link in the security chain is someone who accepts a situation or person at face value.
A few common social engineering techniques
1) Emails from friends
If a criminal manages to socially engineer (hack) someone’s email password they have access to that person’s contact list.
If (which is often the case) that person uses the same password across multiple sites and accounts, the hacker then potentially has access to that person’s network of contacts too.
The cybercriminal can then send emails to the person’s contacts or leave messages on social media etc.
These messages may:
- Contain a link which (because it comes from someone you trust) you click on – thereby downloading malware
- Contain a download of a picture, or movie etc., which has malicious software embedded. If downloaded, the device is infected and the hacker has access to the device and all the contents.
2) Emails from other trusted sources
Often these emails contain compelling messages that because they come from trusted sources are easily believed. Here are some popular examples:
- A message asking for urgent help – A friend is stuck abroad, has been robbed, and needs you to send money so they can get home. The message tells you how to send money (to the criminal!)
- A message using phishing (“phishing” is a social engineering strategy that imitates a trusted source and uses a seemingly logical scenario for handing over personal data) – Typically, a phisher sends an email etc. seemingly from a legitimate company, bank, school, or institution
- A message asking you to donate to a cause – It probably has instructions on how to send the money (to the criminal!)
- A message requiring you to “verify” information by clicking a link – The link location may look legitimate with all the right logos etc. These types of phishing scams often include a warning of what will happen if you fail to act soon
- A message notifying you that you’re a ‘winner’ – The email claims to be from a lottery, or a dead relative etc. To receive your money etc. you have to provide personal information so they know how to send it to you.
These schemes are often found on sites offering a download of something like a new movie, and they are also found on social networking sites.
The scheme may also show up as an amazingly great deal. If you take the ‘bait’ your device may become infected with malicious software.
4) Response to a question you didn’t ask
Cybercriminals may pretend to be responding to ‘your request for help’ from a company such as a bank while also offering more help.
If you don’t use the product or service, you will probably ignore the email or message, but if you do use the service, you may respond because you might want help with a problem.
The ‘representative’ will need to ‘verify you’, get you to log into ‘their system’ or into your computer, and either get you to give them remote access to your computer so they can ‘fix’ it for you, or tell you the commands so you can fix it yourself.
Some of the commands they tell you to enter will provide a way for the criminal to get back into your computer later.
Why social engineering is so popular in the online gaming world
One of the top contributors to online social engineering attempts is arguably online gaming.
In the previous article, we looked at how there seemed to be a shift within the online gaming world to more social interaction. As this becomes more of the norm, people (especially young people) are increasingly developing relationships with other gamers online.
– Social engineers (scammers) are taking advantage of this trend and can pose as gamers to build trust with your children in order to gain access to personal information such as names, numbers, and addresses, with the ultimate aim of gaining access to passwords and card details.
They can also sniff out in-game currency and items which are worth actual money.
– Social engineering attacks can also ride on publicity attached to news regarding game releases and updates.
Here’s an example…
The game Flappy Bird was used as bait by hackers.
The game’s developers took the game down, and soon after fake Android Flappy Bird apps started to spread online, much to the delight of players.
However, although the app worked initially, gamers soon started receiving permission requests through text messages and were also asked for payment, to continue to play.
How to avoid social engineering attacks and protect yourself and your children online
- Take your time – Spammers are counting on you to act first and think later. If the message conveys a sense of urgency, be sceptical
- Do some research – Be suspicious of unsolicited messages. If the email looks like it is from a company you use, look it up first by going to the real company’s site
- Be in control of links – Hovering over links in email will show the actual URL, but a good fake can still fool you, so look up the company online
- Be aware of email hijacking – If you aren’t expecting an email with a link or attachment check with the source before opening links
- Beware of any download – If you don’t know the sender personally AND are not expecting something from them, don’t download anything
- Foreign offers are fake – If you receive an email from a foreign lottery, money from an unknown relative, or requests to transfer funds it is guaranteed to be a scam
- Never reveal personal or financial data – including usernames, passwords, and PINs
- A bank won’t ask for passwords – Remember banks and other reputable organisations will never ask you for your password via email
- Set your spam filters to high – Just remember to check your spam folder periodically to check that no legitimate email is accidentally trapped there
- Secure your computing devices – Install antivirus software, firewalls, and email filters and keep these up to date
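The “Be in control of links” tip above relies on comparing where a link says it goes with where it really goes. The following added example (not code from the original article) does that check automatically for an email body: it pulls every anchor out of the HTML, flags links whose real host is not the expected company’s domain, and flags links whose visible text shows a different host than the destination. The email text, the domain `examplebank.com` and the lookalike hosts are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the HTML."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.x.com/...' is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def suspicious_links(html, expected_domain):
    """Return (href, text, reasons) for anchors that do not lead to
    expected_domain or whose visible text names a different host."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        reasons = []
        # A lookalike such as examplebank.com.evil.example fails this test,
        # because only the real domain or its own subdomains are accepted.
        if not (real_host == expected_domain or real_host.endswith("." + expected_domain)):
            reasons.append(f"destination host {real_host!r} is not {expected_domain}")
        shown_host = host_of(text) if re.match(r"^(https?://|www\.)", text) else ""
        if shown_host and shown_host != real_host:
            reasons.append(f"text shows {shown_host!r} but link goes to {real_host!r}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample of a phishing-style email body (not a real message).
SAMPLE_EMAIL = """
<p>Your account will be suspended unless you act now.</p>
<a href="http://examplebank.com.verify-login.example/secure">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help centre</a>
<a href="http://bit.example/x9">Click here to verify</a>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(f"{text} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Only the genuine “Help centre” link passes; the first link is caught twice (wrong host and a mismatch between the displayed and real URL), which is exactly the case the hover-over advice is meant to expose.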
NB/ Last but not least… have a chat with your children to make them aware of the dangers of providing personal and financial information online, when they are on social media or are playing games. Perhaps show them this article and educate them about the dangers of social engineering?
It is vital that you are cyber aware and that you take steps to ensure the safety of your online data and that of your children, to prevent the heartache of becoming a victim of a social engineering attack.
Hacker247 will be releasing an interactive game for children to learn about social media techniques… so sign up to our newsletter ASAP, so you don’t miss out!
We will be looking at what account takeover is and whether it can affect your child online.