Hello, I am the director of Amazon

You wake up in the morning, energized and ready to start a new day, then you grab your phone and find a new text message telling you: Hi, I am a hiring manager at Amazon, and we are currently looking for 80 part-time online employees. Working from home using a mobile phone, you can easily earn 1000-3000 Egyptian pounds per day, and the salary is paid on the same day. At the end there is a link asking you to click on it to communicate with them and apply for this job.

Take a moment and think how lucky I really am! A hiring manager at Amazon International writes to me on my phone number, and tells me that there are jobs available, and the best thing is that they are part-time and from home and using my mobile phone, and the most amazing thing is that I will get 3000 Egyptian pounds per day, on the same working day. Looks like the dream job has finally arrived!

But we know, of course, that this is just a misleading message whose purpose is to get us to click on the link it contains. We do not know the next step, because we have not tried clicking on that link, but in all likelihood it is a scam whose goal is to compromise your phone and steal your private data. This message, naive as it seems, is an instance of one of the best-known hacking methods: social engineering.

*** Digital Trojan Horse

You must have heard of the Trojan Horse, one of the most famous stories in ancient Greek mythology. After the Greeks’ siege of Troy had lasted ten full years, their army still had not succeeded in storming the walls of the city’s impregnable fortress. Here the Greeks decided to resort to a cunning trick: they built a giant wooden horse, left it in front of the city gates of Troy, and convinced the city’s residents that it was a gift of peace and a declaration that the war was over.

But as we know, the wooden horse was filled with Greek soldiers, and we also know that the Trojans accepted the gift and brought the horse inside the walls of their city. During the victory celebrations, the Greek soldiers came out of the horse, opened the fortified city gates for their army to enter, and finally won the war. This famous story has had such an impact on human culture that it has become synonymous with deceiving and defrauding a person after gaining his trust, and it is perhaps one of the oldest social engineering tricks we know.

These fraudulent methods have existed for centuries, and the ideas and principles of ancient times are still valid in our digital world. What has changed are the techniques and channels that the hacker uses to reach his victims, which adapt and develop with scientific and technical progress, especially in recent years. Classic scams have given way to more sophisticated techniques that combine knowledge of psychology and sociology with the use of digital technologies.

Carnegie Mellon University defines social engineering as: A tactic used to manipulate, influence, or deceive a victim with the purpose of taking control of a computer operating system or stealing personal and financial information. The tactic includes the use of psychological manipulation to trick a user into making security errors or revealing sensitive information. We can think of it as a set of strategies and plans often associated with understanding human behavior and how the digital world works.

In our case, the hacker uses digital devices as the channel through which he reaches his victims, whether those devices are mobile phones (through calls and SMS), email, social media networks, personal computers, or the other digital devices we use in our daily lives.

The main key to the success of these attacks is often gaining the trust of the user, which prompts him to do exactly what the hacker wants: to hand over personal data such as passwords or bank account numbers, or to click on a link that runs malicious software, which of course does not look malicious, on one of his personal devices. This type of software is in fact called a Trojan horse. Simply put, the goal of a social engineer is to get you to make a hasty decision without thinking; so the more logically you think, the more likely you are to realize that someone is manipulating you, which of course does not serve the hacker.

*** The weakest link

If we slow down a bit and think even for a moment about this type of attack, we will find that it does not depend on the traditional vulnerabilities in our phones or the other technical equipment we use. On the contrary, the human element is the most important pillar of this type of cybercrime, unlike other types of cybercrime, which are more complex in their technical dimensions.

This is what makes social engineering attacks completely change the methodology of cybercrime. You do not need to attack the fortress itself (the security system that protects against electronic attacks, for example), as the Greeks concluded after ten years; instead you attack the people behind that fortress, so that they let you in of their own free will and you open the fortress gates yourself from the inside.

Social engineering attacks depend mainly on the idea that the weakest link in our current digital world is humans, not the machines, robots, and algorithms that operate in this world. Therefore, psychology and sociology must occupy a large part of the design and implementation of these attacks. This collides with the well-established popular perception of cybercrime, especially what we see in Hollywood movies, because we often imagine that behind these crimes are groups of hackers with extraordinary computer skills that enable them to penetrate the most powerful security systems and devices. But the reality is not always that stereotypical, to the extent that an 18-year-old teenager was able to penetrate the systems of a global company such as Uber by targeting one of its employees with a social engineering tactic.

This requires knowledge of psychology, sociology, and different methods of communication, because these fields allow the hacker to understand how the victim thinks, how humans act when placed in different scenarios, and what the best way is to communicate with the victim so that he falls into the trap. This prior knowledge of human behavior patterns and people’s reactions to certain life situations is the hacker’s starting point. For example, how does a person respond when he receives a message from the telecom company telling him that his service will be cut off because the company does not have his bank account details, and that he must click on the attached link and enter his credit card details?

Many may simply see through this deception, but a percentage of them may panic and respond, as Adel Imam said in the play “The Witness Who Saw Nothing” while talking about rabbits: “You pay a 10-pound fine, or we either get the kit. Between you and me, I was afraid for the kit, frankly. I went to motivate, and I didn’t care about anything.” They may make the mistake of clicking on the link and hand their bank card information to the hacker on a silver platter, for fear that the telecom company will cut them off from the service!

*** Attacks from everywhere!

Perhaps the most famous classic of films that take place mostly on one set is 12 Angry Men, which takes place almost entirely in the jury room of a New York City courthouse. In that room sit 12 members of the jury, and they must reach a unanimous decision on the murder, in which a young man is accused of killing his old father. Their first vote resulted in 11 votes believing the accused guilty, but the 12th member wasn’t so sure about that choice. Although he was not completely convinced that the young man was innocent of the charge, he saw the importance of having a fair discussion between them before the man was sentenced to death, and with it he tried to convince the rest of the members of his point of view. A beautiful movie that we recommend watching, but what is its relationship to today’s conversation specifically?

Well, unlike a movie that takes place in one place, a social engineering attack can happen anywhere across the internet itself! These cyber attacks can be carried out everywhere, perhaps through social networks, for example a link in a post on Facebook or in a tweet on Twitter, or even through a direct message on Messenger, not forgetting, of course, instant messaging applications such as WhatsApp and Telegram, through which a torrent of malicious messages can be sent. As in the movie, there is always the possibility that one of the recipients will respond, no matter how naive the message, because that one person is overcome by their own fears.

This is in addition to phone calls and SMS messages such as the case of the “Amazon hiring manager” that we mentioned, but perhaps the most important and most used method in these attacks is e-mail, which may become an ideal gateway for the violation of personal information and sensitive work data. But with all these methods used, what goals might the hacker seek behind social engineering attacks?

*** Various goals

Often, technically sophisticated social engineering attacks aim to run malicious software to control a specific device or infiltrate an entire internal network, and many such malware families are in circulation, the most famous of which is the “Trojan horse” that we mentioned. The idea here is to lure the victim and convince him to click on a link that opens the gates to that malware. Simply clicking on the link may lead to a security crisis through which the hacker can obtain all the information available on the infected device: a wealth of valuable data that may cause harm to a person or company if it is leaked.

The second goal is to seize passwords for personal accounts, which is associated with psychological manipulation of the victim since it requires the person to provide passwords of their own volition. It could be the password for his email, or the password for his online banking accounts.

Email accounts, in particular, are one of the most important targets for hackers, simply because they are a major gateway that opens more private portals. Getting the keys to an email account gateway means having access to a huge amount of personal as well as business information which makes the fraud process much easier. Social engineering attacks can also involve the victim in fraudulent financial transactions, such as buying a non-existent product or service or sending money to another account and waiting for something in return without getting it.

Social engineering attacks are not all the same; some targets are more important than others, the attack scenarios vary according to each type, and therefore the steps differ as well. The hacker is not satisfied with writing a fraudulent message, sending it, and waiting for someone to fall into the trap, as in the single-room scenario of the movie “12 Angry Men”; rather, there is a scenario for each case and for each response from the victim, and there are different methods for dealing with the changes in that scenario.

To understand these types simply, we can classify them according to the number of times of communication between the hacker and the victim. The more times of communication, the more complex the steps and the difficulty of their implementation, and this does not happen, of course, unless the goal is important and large.

*** Hunting and farming

The first classification is hunting. In this type of attack there is a single contact between the hacker and the victim, which means that the goal is to attack the largest possible number of users, targeting, for example, a general audience through fraudulent emails or text messages sent to thousands of people at once, or targeting a specific age group, often the elderly. Here the hacker relies on designing the most persuasive message possible, because it will be the primary means of communication with the victim and the only way to convince him to click on a link that carries malicious software, for example. The goal is to get the most out of a single attempt, but this approach will not achieve much if the goal is to obtain confidential information, such as passwords or bank account numbers.

One of the most famous types of attack in this category is phishing. As the name indicates, this method relies on hunting victims like fishing in the sea with a net, and e-mail is often used as the communication tool and the site for executing the fraud scenario.

The message includes a file with a virus or malware attached, or a link that takes you to fraudulent pages. The goal here is to infect the device from which you clicked on this link or file, and then control it for the purpose of stealing confidential and important information and data on the device, perhaps related to work or your bank account. There are other derivatives in which the type of communication changes, such as using phone calls or text messages, as in the case of the fake employment letter from Amazon.

Phishing is a kind of general attack, such as the idea of catching fish in the net, after the hacker casts his net and waits for the victims to fall into it, meaning that it is not suitable if the target is a specific victim. While the most specialized and sophisticated type is spear phishing, here the content of the e-mail focuses on a specific person who is targeted by the hacker, in order to obtain from him a specific type of information.

For example, a hacker can send a fraudulent email to all employees in a company and wait for any one of them to fall into the trap and download the file or click on the link. But in the case of spear phishing, he can target a specific employee by personalizing the message with the aim of building trust with him until he clicks on the link or downloads the file containing the malware.

If the matter develops, and the number of times of communication between the hacker and the victim increases, to steal the largest amount of personal or work-related information, then here we will enter into the second category, which is known as farming, because it depends on several prior procedures and steps, after which the hacker reaps his gains.

Planning for this type of attack is more complicated, because the hacker needs to think about the different scenarios that may occur during his communication with the victim. He needs to research well before execution and learn as much as possible about the identity of the target person, in order to use it against him when communicating with him and to help him design his attack strategy.

It is possible for the hacker to impersonate another person with authority, as happened in the case of the teenager’s hacking of Uber’s systems. He targeted an employee within the company by first sending him several multi-factor authentication notifications asking him to approve a login. More than an hour later, the hacker himself contacted the employee on WhatsApp, pretending to work in Uber’s IT department, and told him that those notifications would stop once the employee approved the login.
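The pattern in the Uber case above, a burst of denied push prompts followed by a single approval, is something a defender can look for in authentication logs. The following is an added example, not code from the article or from any vendor; the log format, the user names, and the thresholds are assumptions, and the log lines are constructed.

```python
"""Detect an MFA push-fatigue pattern: a user denies several push prompts
within a short window and then approves one (added example, assumed log format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, user, MFA push event.
SAMPLE_LOG = """\
2024-01-01T22:01:10Z alice push_sent
2024-01-01T22:01:40Z alice push_denied
2024-01-01T22:02:05Z alice push_sent
2024-01-01T22:02:30Z alice push_denied
2024-01-01T22:03:12Z alice push_sent
2024-01-01T22:03:50Z alice push_denied
2024-01-01T22:04:20Z alice push_sent
2024-01-01T22:05:01Z alice push_denied
2024-01-01T23:10:44Z alice push_sent
2024-01-01T23:11:02Z alice push_approved
2024-01-01T22:30:00Z bob push_sent
2024-01-01T22:30:20Z bob push_approved
"""


def parse_log(text):
    """Parse 'timestamp user event' lines into sorted (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    events.sort()
    return events


def find_push_fatigue(text, min_denials=3, window=timedelta(hours=2)):
    """Return (user, denial_count, approval_time) for every approval that was
    preceded by at least `min_denials` denials from the same user within `window`.
    A normal user (bob) approves on the first prompt and is not flagged."""
    per_user = defaultdict(list)
    for ts, user, event in parse_log(text):
        per_user[user].append((ts, event))

    alerts = []
    for user, evs in per_user.items():
        denials = []
        for ts, event in evs:
            if event == "push_denied":
                denials.append(ts)
            elif event == "push_approved":
                recent = [d for d in denials if ts - d <= window]
                if len(recent) >= min_denials:
                    alerts.append((user, len(recent), ts))
                denials = []  # an approval closes the current sequence
    return alerts


if __name__ == "__main__":
    for user, count, when in find_push_fatigue(SAMPLE_LOG):
        print(f"possible push fatigue: {user} approved at {when} after {count} denials")
```

A real deployment would also correlate the approval with the source IP and device of the login attempts, which this example does not do.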

The question now: How can you protect yourself against social engineering attacks?

*** How to protect yourself?

It may seem obvious, but we need to remind ourselves of it constantly: we must be careful in all our digital dealings. If a message or a phone call raises any doubt, we should not click on any link in it or download any file from it, let alone provide personal or confidential information to anyone who contacts us, whoever he claims to be and whatever capacity he claims to act in.

This approach is known as the “zero trust security model,” and as its name indicates, it means that we assume no trust in anything or anyone: every device, user, service, or other entity is verified before it is granted access to our data, and is re-verified frequently to make sure none of them has been compromised while in use.

We must always verify the source of anything that reaches us and think a little about the logic of things, because, as we know, the hacker in these attacks depends on the victim not thinking about their decision, so a little logical thinking will nip the matter in the bud.

The second point here is our constant need to increase our awareness and knowledge of what is happening around us; if the weakest link in social engineering attacks is the person himself, then he should change this rule, always striving to become the strongest link and not be easily deceived or defrauded.

In this type of attack, many hackers target our lack of knowledge of some basics of the digital world, especially among the elderly. A person who knows these basics and deals easily with the Internet and various technologies can tell that the e-mail announcing that a widow in southern Africa is waiting for him, after the death of her husband, who happens to be one of the wealthiest men on the continent and left her millions of dollars, and that she needs you specifically to smuggle that money out of her country, is nothing more than fraud.

Of course, this example may seem very naive, but there are messages that may be more convincing, and even if you see through them yourself, someone else who knows nothing about them or has never encountered them before may not. So defending against this type of attack always requires following the latest scams and educating yourself about them constantly.

After all, no one is born with knowledge, and no matter how smart any of us are, we are all vulnerable to fraud, especially in today’s digital world. The leaders of the city of Troy withstood the siege and the war for ten full years, and proved their intelligence and knowledge of the arts of war, but in the end they fell into the Greeks’ trap through trickery, accepting a wooden horse they thought was a gift without any logical justification. That is why we must always question everything, as the hero did in the movie “12 Angry Men”. We must continue to learn, expand our knowledge, and follow what is happening in this electronic world, so as not to build ourselves a digital Trojan horse.
