Social engineering: the art of manipulation

– Social engineering, also referred to as ‘hacking without code’, is one of the most personal cybercrimes that can be committed. Here, professional hackers manipulate people into unwittingly giving out sensitive information – and even cold, hard cash – to these social engineers.
In fact, last year, Professor SH (Basie) von Solms, director of the Centre for Cyber Security in the Academy for Computer Science and Software Engineering at the University of Johannesburg, stated that local statistics around computer crimes and data breaches are difficult to obtain and that “it may actually be more than the two to three billion rand a year figure that is commonly quoted for South Africa .”
Speaking at the recent Securex South Africa 2018 exhibition, the 25th edition of the show which ran from 22 to 24 May at Gallagher Convention Centre, Jacob O’Brien, managing director of Strategix, advised that criminals use social engineering tactics, as it is generally easier to exploit a person’s natural inclination to trust than it is to try to hack their software. “For example, it’s easier to fool someone into giving their password away than it is to hack their password, unless exceptionally weak,” he explained.
“And it doesn’t matter how many security measures you have in place, if you trust someone and let them in without the proper verification, you are completely exposed to whatever risk they represent.”
O’Brien explained that social engineering occurs in three ways: phishing, baiting, and spoofing. “Phishing attempts look like an e-mail from a friend or associate, sometimes including a link that you just can’t resist clicking on. Phishing mails could also include an attachment – such as a photo, movie or document – that is embedded with malicious software. Once you click, your system is infected with malware, allowing the cybercriminal to take over your machine, collect your data, and access your e-mail account and your social media profiles. From here, the attack spreads to everyone you know, and on, and on.
“The most common phishing example is when the e-mail looks as though someone reputable, for example an employee at your bank, is requesting your username and password, or other details that they should actually have if the e-mail was genuine.”
When it comes to baiting, this is distinguished from other types of social engineering, with an offer that seems (and generally is) too good to be true. Victims are enticed with something free, or offered an appealing item. “Think of the ‘large inheritance’ e-mails that you have no doubt received at some point, or the miraculous lottery winner messages,” stated O’Brien.
Wikipedia describes spoofing as follows: “A very recent type of social engineering technique includes spoofing or hacking IDs of people having popular e-mail IDs such as Yahoo, Gmail and Hotmail. Among the many motivations for deception are:
• Phishing credit-card account numbers and their passwords.
• Cracking private e-mails and chat histories, and manipulating them by using common editing techniques before using them to extort money and creating distrust among individuals.
• Cracking websites of companies or organisations and destroying their reputation.
• Computer virus hoaxes.
• Convincing users to run malicious code within the web browser via self-XSS attack to allow access to their web account.”
O’Brien cited the example of a critical vulnerability that was found within PayPal, the global e-commerce business, that could potentially allow hackers to steal users’ login credentials and credit card details in an unencrypted format. Egypt-based researcher Ebrahim Hegazy found a Stored Cross Site Scripting (XSS) vulnerability within the PayPal Secure Payments domain, which could allow an attacker to set up a rogue online store or even to take over a legitimate shopping website.
“Another simple spoofing trick is where suppliers can be emotionally pressured into giving out sensitive information, such as e-mail addresses or resetting passwords when a caller with a (fake) crying baby makes you feel distressed.”
And while there’s no silver bullet for social engineering, O’Brien recommended several tips to help protect from attack.
“Step one is to slow down,” he said. “Spammers want you to act first and think later. Then, research the facts; be suspicious of any unsolicited messages. Delete any requests for financial information or passwords. If you’re asked to reply to a message with personal information, it’s definitely a scam.
“Finally, don’t let a link control where you land. In other words, make sure that you stay in control by using a search engine to find the website you’re looking for instead of following a link someone has sent you.”
O’Brien presented at Securex 2018’s brand-new Cyber Lab (powered by XGRC Software), set up to create an area where awareness of information security could be raised at the expo through an interactive approach.
Securex is Africa’s leading security and fire trade exhibition. The 2018 show was the largest to date, featuring almost 200 exhibiting companies, of which close to 50 were new on the show, and drawing in more than 7,000 attendees from 46 different countries.
Says Sven Smit, Portfolio Director at event organiser, Specialised Exhibitions Montgomery: “The introduction of the new Cyber Lab and its cybersecurity focused content at this year’s Securex, as well as addressing topics such as artificial intelligence, the importance of cyber and physical security convergence, the Internet of Things (IoT), and the Cybercrimes and Cybersecurity Bill within the free-to-attend Securex seminar theatre, reflects the changing trends within the local security sector. It is critical that Securex, with its pivotal role within the industry, echoes these new dynamics.”
Co-located with A-OSH EXPO, Africa’s leading occupational safety and health trade exhibition, the 26th Securex show will take place at Gallagher Convention Centre once again, between 14 and 16 May next year.