In our daily lives, we repeatedly encounter warnings and reports about the devastating effects of successfully applied social engineering. The possible damage ranges from the loss of large sums of money and one’s credit rating to the complete destruction of one’s existence. Not only in our professional lives, where many of us are regularly reminded of the dangers of handling our data, but also and especially in our private lives, enormous dangers lurk.
Everyone should be aware that as soon as you leave the digital door unlocked, you are no safer on your sofa at home than in the darkest station alley. And unlike a robbery in the real world, a digital heist is generally more protracted and involves more hassle, although of course the risk of being misplaced is much lower. In today’s blog, we want to look at some of the most popular methods of social engineering. Only those who know a danger can avoid it. Social engineering essentially describes the exploitation of natural human weaknesses to bypass security barriers and cause harm. A rough distinction is made between untargeted attacks, which owe their success to the mass of potential victims, and targeted attacks, in which the attacker directs his methods specifically at one victim. The perpetrators have a whole toolbox at their disposal, which we will now take a look at:
1. „Dumpster Diving“
Every investigator, detective but also stalker knows that our garbage reveals more about us than we would like.
Pharmacy receipts reveal which medications someone is taking. Restaurant flyers or membership letters from clubs and gyms can provide clues as to when someone can be found at which location. Everyone should check how much sensitive information can be found on unshredded junk mail from their bank or insurance company. Sometimes they congratulate you on your birthday, your customer number is on the letterhead, or your own account number is listed. A full invoice from a utility or communications company can be used by a fraudster as proof of address for a fictitious order at the expense of the victim reported at the address. And thanks to a discarded pregnancy test, the person going through the trash may know more about the person being spied on than their partner. Besides the real garbage in front of our house, there is another goldmine for criminals. We’re talking about our digital legacies. Anyone who freely shares their life with the world on unprotected social networks leaves behind a collection of data over time that can pose an enormous security risk. Often, when opening new online accounts, you are asked to answer certain security questions in order to receive a new password in case of need. Where did you go to school? What was the name of your first employer? The name of the pet? Some people are only now becoming aware that the answers to these questions may be available to everyone. Time for a digital housecleaning and conscious handling of our waste. Sensitive data belongs in the shredder and, if possible, spread over several trash cans
Probably the most common technique used to obtain sensitive data. The spectrum ranges from very clumsy and easily recognizable mass emails with the promise of a large profit or inheritance to sophisticated attacks tailored directly to the victim. This approach is also known as spearphishing. To do this, the attacker cleverly knits in the information he has gathered in advance through various means to achieve familiarity. It is conceivable, for example, that the social media are searched beforehand (see point 1). With the name of a friend, an email account is quickly created and a story invented (separation, accident, etc.), with which a sum of money is requested. This has also been successfully used in a modified form as the “grandchild trick” dozens of times. As perfidious as the procedure is, the remedy is simple: Anyone who receives such a request should contact the supposed sender personally and verify that the request was actually made by the sender. Another type of phishing is to send fake e-mails from well-known companies and banks with the request to re-enter one’s respective access data for security reasons. Caution is always advised here. In this case, check the sender address. Often misspellings in the company name or unusual top-level domains (country-specific abbreviations such as .de, .at .ch ) can be found here, which expose the phishing attempt. In any case, you should not click on any links from emails. Instead, you call up the respective page directly in the usual way and log in. As a rule, the login will work without any problems and the fraud will be obvious.
This method builds on human curiosity and sensationalism and is unfortunately very successful. The perpetrator leaves a data carrier (USB stick, SD card) on the paths frequented by the victim and hopes that the victim will plug it into his own PC out of curiosity. File names such as “Staff reduction 2023” or “Salary lists” are very likely to lead to the file in question being clicked on and malware being installed in the process. There are also so-called “killer sticks”, which generate an overvoltage when plugged in, which destroys the computer in question. Such a device, if it destroys a neuralgic part of the IT infrastructure, may well have an impact that threatens the existence of the company. Therefore, one should never plug in found data carriers.
This method is used for attacks on both companies and individuals.
The attacker gains access to areas that would otherwise remain closed to him by taking advantage of people’s friendliness. Sometimes the attacker introduces himself as a new colleague whose key card has not yet been activated, sometimes he disguises himself as a craftsman or parcel delivery man and counts on someone opening the door for him when he stands in front of it with his hands full. The best defense here is a healthy suspicion. Ask the new colleague for the name of the recruiter and personally escort them to their ostensible destination. The tradesman should also be accompanied to the visitor reception to ensure that there really is a job. Devices should never be left unattended in companies where people from outside the company regularly travel, or on public transportation. Screens are to be locked when leaving the workplace and so-called screen filter foils protect against prying eyes. Even in the private sphere, caution should always be exercised when tradesmen arrive at the door unannounced. In any case, it is worth calling the alleged client (waterworks, telecommunications company) and having the order confirmed there. As a rule, the announcement is already enough to expose the attempt.
As you can see, there are numerous areas in our lives and the human psyche that can serve as a gateway for attackers. Since these gaps cannot be closed by any firewall or anti-virus program, the most important defense mechanism is the user himself.
Here are a few sources on the subject:
- “The Art of Deception: Controlling the Human Element of Security” by Kevin Mitnick: A well-known book about social engineering and the methods hackers use to exploit human weaknesses.
- “Social Engineering: The Science of Human Hacking” by Christopher Hadnagy: Another well-known book that describes the methods of social engineering and how to protect against them.
- “Social Engineering Attacks: Common Techniques & How to Prevent Them” by Varonis: An article that describes various methods of social engineering and how to protect against them.
- “The Social Engineering Framework” from Social-Engineer.org: a comprehensive resource on social engineering that describes various methods and techniques, and offers training and certification.
- “Social Engineering: How to Hack Humans” by Cisco: A video that explains the basics of social engineering and how to protect against it.