Human brain – best hacking device and weakest system at the same time
Most successful cyber-attacks do not rely on brilliant math, one-minute software hacks, or other fantastic movie tricks. It may surprise you, but most attacks succeed because of human inattention and disregard for information security rules.
For example, in Australia, losses from fraud in 2021 reached $248,880,003!
Pharmaceutical and medical companies, and organizations with access to confidential and biometric data, remain the most coveted targets of hackers. Moreover, 75% of organizations worldwide have experienced phishing attacks in the past year (as you remember, phishing is one of the social engineering methods).
I am here to educate you about social engineering techniques and protect you from dangerous cybercriminals. Let's get to grips with this challenging topic as soon as possible so as not to leave hackers a single chance!
According to Verizon's 2021 Data Breach Investigations Report, phishing has been the primary hacking method over the past year: 43% of breaches involve phishing or pretexting in some way.
As I mentioned earlier, 75% of organizations worldwide have been victims of phishing attacks in the past year; another 35% of companies suffered from spear phishing, and 65% faced attacks such as BEC (Business Email Compromise).
A BEC attack consists of hacking or forging emails to impersonate a company executive, with the goal of gaining access to internal employee data.
However, I would like to draw your attention to the big difference between an attempted phishing attack and a successful one.
For example, in 2021, 74% of organizations in the United States suffered successful phishing attacks. That is 30% higher than the world average and 14% higher than the previous year.
According to Verizon, 96% of phishing attacks are delivered via email. Another 3% come through malicious websites and only 1% by telephone. Through emails, cybercriminals fraudulently obtain confidential data, which they then sell on the dark market.
For example, as of Q4 2020, the most popular phishing email subject lines were:
- IT: Annual inventory of assets
- Changes in your health benefits
- Twitter: Security Warning: New or Unusual Twitter Login
- Amazon: Action Required | Your Amazon Prime membership has been declined
- Scale: scheduled appointment error
- Google Pay: payment has been sent
- Incentive cancellation request approved
- Microsoft 365: Action Required: Renew Xbox Game Pass for Console
- RingCentral is coming!
- Business Day: Reminder: Important Security Update Required
IBM investigated the cost of data breaches and found that the cost a breach inflicts on the business depends on its cause.
According to an IBM 2021 report, phishing is considered the second leading cause of data breaches and costs companies an average of $4.65 million.
Ranked #1 is a BEC attack, costing businesses an average of $5.1 million per leak.
IBM also found that companies using AI-based security solutions have significantly reduced the costs associated with data breaches: AI-based security solutions brought the average cost down from $6.71 million to $2.90 million.
In addition to emails, cybercriminals also actively use instant messengers to distribute malicious files.
For example, WhatsApp Messenger detected about 900 phishing links per day during Q3 2021.
The period from 12 to 16 July 2021 saw a surge in cybercriminal activity: the system blocked about 4,000 malicious links a day! Suspiciously, this activity coincided with an increase in detections of Trojan.AndroidOS.Whatreg.b, which registers new WhatsApp accounts from infected devices. Is it a coincidence?
Image source – kasperskycontenthub.com
Today, Internet fraud is one of the most significant problems in the world. Companies work hard to improve their corporate security, but nobody can guarantee 100% safety of your data.
However, I still strongly recommend that you understand the phenomenon of social engineering so that you stay aware and protect the privacy of your data as much as possible.
It doesn't matter which organization is attacked. The main prey is information. There is nothing on Earth more valuable than information; no cars or penthouses are as expensive as information.
Hackers who use social engineering methods want to get information quietly, without unnecessary witnesses and attention. After a successful cyber-attack, the criminals make several dozen copies of the stolen data so as not to lose their loot.
Further, as a rule, hackers resell this data and use it for their dark purposes: for example, blackmailing the data owner for financial gain.
Often, such cyber-attacks are commissioned by a competing organization that wants to eliminate a strong adversary at any cost; but sometimes hackers work alone. As you can see, the targets of cyber-attacks are very different, so it isn't easy to talk about any trend.
Hackers hone their skills daily, which is why there are many social engineering techniques. Most hackers use manipulative methods to influence the self-esteem and psycho-emotional state of the victim, leaving the victim defenceless.
Lying, moral pressure, and gaslighting are the standard toolkit of a hacker with social engineering skills. Before moving on to the analysis of the types of cyberattacks, let's see what techniques fraudsters use to gain moral superiority over the victim:
- Psychological tricks. Successful hackers are good psychologists. At our next meeting, I will explain why it is vital for hackers and information security specialists to study psychology.
Still, in the meantime, I can highlight several manipulative techniques used by cyber fraudsters. Hackers can instil a sense of guilt in their interlocutor, wound their pride, or provoke strong emotions: irritation, fear, joy, anger, etc.
The offender provokes a change in the victim's psycho-emotional state, thereby making the victim vulnerable. A person in an altered state succumbs to manipulation much more easily and misses what they would notice in a calm state.
- Over-informing. The fraudster piles up many arguments to confuse the opponent. When you counter with just one argument and your opponent with ten, both you and everyone around you will consider your opponent the winner.
- The use of words and terms unknown to the opponent. This technique is considered one of the most effective because it puts pressure on the victim's sense of self-worth. The victim hesitates to ask what the terms mean, because doing so would acknowledge the manipulator's superiority.
The manipulator wins because the victim is afraid to ask again (knowing that one cannot argue convincingly about what one does not understand).
- Avoiding discussion. Demonstrative use of resentment: "It is impossible to discuss serious issues with you", "Your behaviour is infantile." As you may have guessed, scammers resort to these remarks when they have run out of arguments and cannot afford to lose.
Otherwise, the manipulator's significance will evaporate, and they will not be able to win the victim's trust and obtain the desired information.
- Demanding an unambiguous answer. The hacker asks the victim to give an exact and precise answer to a question that cannot be answered unambiguously. Although this technique seems honest and fair, it is manipulation. Not all questions can be answered with an unequivocal "yes", even if you mostly lean towards accepting the argument.
- The accusation of theorizing. When bystanders hear the argument, "Well, this is all just theory, but in practice ...", they tend to accept the manipulator's point of view, forgetting that some things cannot be implemented without careful theoretical preparation.
- Growing demands. The manipulator insists on admitting some petty argument, so the opponent often gives in because the argument is unimportant. But then the stakes rise - and the manipulator demands recognition of other, already significant demands, thereby disarming the victim.
- Support of others. This technique summarizes everything I mentioned above. Suppose the manipulator manages to arouse the sympathy of others. In that case, it becomes challenging for the opponent to argue because he feels condemnation from the majority.
As you know, it is difficult to argue with a crowd alone, so the victim most often loses and ends up demoralized.
Of course, this is only a tiny part of the manipulations that hackers use. Social engineering is woven from cunning, knowledge of psychology, and logic. Against an attacker armed with these skills, the victim becomes almost powerless.
I highly recommend re-reading the techniques I described above several times to track such manipulations if you feel that your interlocutor is playing a foul game.
Well, now I propose to move on to the most interesting part: the types of cyberattacks.
Of course, hackers regularly hone their skills and invent new ways to invade your privacy. However, I can still identify several types of attacks that are especially popular among cybercriminals.
The most popular social engineering method is email phishing. Since almost everyone uses social media nowadays, having an email address has become a necessity, and email has become fertile ground for cyber fraud. However, only experienced hackers can pull off this social engineering method well.
The point is that if the attacker wants to send a "fake letter" on behalf of someone the victim knows, the sender's writing style must be copied accurately.
Any slip, and an experienced user will immediately notice something amiss. For example, I sometimes receive strange messages on behalf of my friends with an urgent request to transfer several hundred dollars to their account.
As soon as I see such messages, I immediately understand that my friends' accounts have been hacked. However, elderly relatives may believe such a request and transfer money to the fraudster's bank account.
However, if the victim does not know the "sender" personally, things become much easier for the attacker. In addition, the headers of the letter need attention; they can be prepared using, for example, a standard mail client.
By the way, many scammers use a telnet client to write and send letters: connecting to the mail server's standard port 25 lets them carry out their dark plans.
Important: Please disable vulnerable Windows ports if you haven't already!
Many cyber criminals use this social engineering technique to obtain the victims' bank card details. This variety does not work as effectively on the younger generation as on the elderly. Hackers break into the data of social services and hospitals to obtain the phone numbers of older adults and then call them, posing as bank employees.
Important: Bank employees never ask for passwords and other confidential data!
Sometimes fraudsters infiltrate the corporate network and call company employees on behalf of their superiors, asking them to check the security system and name their logins and passwords. If you receive such a call, do not disclose the data; call your boss back to make sure it was really them.
This type of attack includes all those in which there is no direct victim and no direct influence on a person. Attacks of this type exploit the principles and stereotypes of society, which is why they count as social engineering. For example, having cameras in an organization creates a false sense of security.
Many believe cameras will stop the perpetrator. Be that as it may, many fraudsters have already learned to turn off a surveillance camera system in minutes and find "dead zones" where a target is out of the cameras' range.
Or, for example, the scale of an organization (like Meta) creates the feeling that the company is 100% protected from cyber threats. It is not so − absolutely everything can be hacked!
Stereotypes are everywhere: most believe that no one can hack a security organization's site. This negligence and false sense of security open up additional opportunities for hackers.
Technical social engineering is more commonly known as situation analysis. The fraudster realizes that the usual (standard) route will not work and starts looking at other options, that is, analyzing the situation in which he finds himself.
Important: The more you neglect information security and hope for fate, the higher the likelihood of your data being stolen.
Image source – us.norton.com
The first thing that comes to mind when I mention this attack is DDoS. Indeed, this method of social engineering is called so for a reason.
The essence of the attack is to make a person stop reacting to certain situations without noticing it. In other words, to instil in the victim the attacker's unshakable authority so that the person never doubts the attacker's words.
This attack also includes a distraction method. For example, the attacker creates the false impression of doing one thing while actually doing something completely different. The victim, preoccupied with the first, does not notice the second.
This type of attack is quite challenging to carry out. It requires a good reading of the victim's psychology, knowledge, and reactions to such incidents.
Let's model a situation: a hacker stages a fake attack on a port. It is a distraction: while the administrator is busy with the "attack" logs, the fraudster quickly gets into the server and steals information.
However, this method only works when the system administrator is incompetent or poorly familiar with the organization's corporate model. If the administrator knows that the attacked port has no vulnerabilities and cannot have any, they will quickly suspect that something is wrong.
To successfully implement a cyber-attack, a hacker needs to understand what level of knowledge the administrator has.
Well, the icing on the cake is phishing. It is by far the most popular and frequently used method of online fraud. Many hackers use phishing because of its simple implementation and effectiveness.
- Emails. Attackers fake emails by changing only a few minor details in the "recipient" field, so many users may not notice the differences and click on a malicious link.
For example, instead of cooltechzone.com, an attacker could write cooltech_zone.com. At first glance, it may seem strange that the recipient may not notice such a difference between the original and the phishing link.
However, you do not remember by heart the exact addresses of all the portals from which you receive messages, do you? It is human inattention that fraudsters take advantage of.
- Banking sites. Hackers fake banking sites by copying the design of the portal you use. When you log in, your login and password go straight to the hackers.
- Registration forms. When you leave contact information to register for an event, make sure that the site receiving your data is not fake.
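The lookalike-domain trick described above (cooltech_zone.com standing in for cooltechzone.com) can be caught mechanically. The following is an added example, not code from the article or from cooltechzone.com: it extracts the domain from a From: header, folds out the separators and digit-for-letter swaps attackers rely on, and compares the result to a trusted list using edit distance. The trusted list, the homoglyph table and the sample headers are constructed assumptions for illustration.

```python
# Added example (not from the article): flag sender domains that merely
# resemble a trusted domain, such as cooltech_zone.com vs cooltechzone.com.
# TRUSTED and the sample From: headers are constructed for illustration.
import re

TRUSTED = {"cooltechzone.com", "amazon.com", "google.com"}

# Digits that attackers commonly substitute for similar-looking letters
# (assumed, illustrative set; extend it for your own environment).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lower-case, drop separators attackers insert, fold homoglyphs."""
    d = domain.lower().strip().rstrip(".")
    d = re.sub(r"[-_.]", "", d)
    return d.translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header value ('' if none)."""
    m = re.search(r"@([A-Za-z0-9._-]+)", from_header)
    return m.group(1).lower() if m else ""


def classify(from_header: str, trusted=TRUSTED, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike-of:<domain>', 'unknown' or 'no-domain'."""
    domain = sender_domain(from_header)
    if not domain:
        return "no-domain"
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"  # exact match or a legitimate subdomain
    norm = normalize(domain)
    for t in sorted(trusted):  # sorted so the verdict is deterministic
        if levenshtein(norm, normalize(t)) <= max_distance:
            return f"lookalike-of:{t}"
    return "unknown"


if __name__ == "__main__":
    for hdr in ["IT <admin@cooltech_zone.com>", "Google Pay <pay@g00gle.com>"]:
        print(hdr, "->", classify(hdr))
```

An edit-distance threshold of 2 will also flag some unrelated short domains, so treat a "lookalike-of" verdict as a reason to look closer (and to check SPF/DKIM results), not as proof of fraud on its own.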
Image source – us.norton.com
To stay safe, never repeat these mistakes:
- Do not succumb to the provocations of your interlocutor, even if you have been insulted; remember that you are being manipulated and deliberately provoked into a conflict because, in an altered emotional state, a person's feelings are easier to control
- Do not disclose your passwords or the CVV codes of your bank cards to anyone, nor your passwords for social networks and other vital files; remember that bank employees and system administrators never ask for your passwords
- Use only safe browsers and private search engines − this way, you significantly reduce the risk of falling for the bait of phishing
- When the interlocutor shows an increased interest in your personal life and confidential information, ask yourself the question, "What is happening now, and how can this affect my future destiny?"; stay alert and remain critical
- If you feel that third parties are pressuring you and asking for confidential information about your company, immediately report your concerns to management
- Change passwords on your accounts regularly
- Observe information hygiene and do not let unnecessary information into your life; it reduces your ability to think critically
- Save your passwords in password managers
I urge you never to lose your vigilance and control your emotions. If your interests do not suffer much, feel free to let go of the situation.
Today we have moved away from the usual software hacking methods and analyzed a branch rooted in the humanities: social engineering.
Now you know that hacking involves not only programming skills but also reading human feelings to achieve one's goals.
Humans are the main vulnerability. It is our imperfection that causes many "holes" in systems. Yet despite our careless mistakes, that imperfection also makes us unique: alive and emotional, unlike cold computers and routers.
My dear cyber fans, please, write if this article was helpful for you. Your opinion is critical to me.
Observe information hygiene! See you!