Social engineering is complex in its psychology yet simple in its execution. It blends science and art: it takes what is known about how people behave in crowds and, with clever copy and imagery, turns it into a social media post or a carefully crafted website that unsuspecting users cannot resist clicking. Cybercriminals favor social engineering because it is usually easier to exploit a user's curiosity and natural inclination to trust than to find another way into their systems. Social engineering is, in short, the art of manipulating people into giving up private, confidential information. The attacker's goals range from obtaining passwords, bank details, and other sensitive data to eventually gaining access to, and control over, the victim's computer. It is truly an art of deception.
The risks associated with social engineering are just as serious as the many hacks and breaches that have been flooding recent headlines. Attackers know that most people take security measures for granted, and they feed on that complacency. Understanding what social engineering is, and which lures are typically used, is therefore the first step toward preventing it: the simplest and most effective protection is knowing how these methods work and how they hook their victims. With that in mind, here is a list of the biggest social engineering lures used in 2014:
Big news stories
From national disasters and global-scale events to high-profile stories, cybercriminals use current, buzz-worthy headlines as bait to lure users into clicking malicious links. In 2014, the disappearance of Malaysia Airlines Flight 370, the MH17 crash, the Sochi Olympics, and the World Cup were among the biggest news events used by cybercriminals. As more countries joined the search for the missing airplane, cybercriminals sought out new victims by using this widely discussed topic as bait. According to our findings, a fake video attachment, supposedly about the flight, was spread via email. The file was actually backdoor malware that allowed a remote attacker to collect system information and execute commands on the system, including downloading and running files from the attacker's servers.
Celebrity news
A considerable share of the daily news consumed and shared on social media is about celebrity gossip, controversies, and scandals. Because famous celebrities have huge fan bases and followings, cybercriminals are keen to use such news to entice fans and casual readers alike into opening spammed emails and malicious links posted on social media.
The news of Robin Williams' untimely death on August 12, 2014 came as a shock to people around the world. While news of his death spread like wildfire online, spammers and cybercriminals sent out spam emails that mentioned the actor's name in the subject line. The spam asked recipients to download a "shocking" video about Williams' death, but clicking the video link instead downloaded an executable file detected as WORM_GAMARUE.WSTQ.
Not long after the tragic news about Williams broke, a collection of over 500 private pictures of various celebrities was leaked online. The photos were obtained via compromised Apple iCloud accounts, in what Apple described as a "very targeted attack on user names, passwords, and security questions". As expected, several social engineering tricks were used against eager users. This time they came in the form of tweets using hashtags that contained the name of one of the victims. When users clicked the malicious links, their own walls were spammed with the same link, spreading the lure further.
Movies
When blockbusters are about to be released, cybercriminals are quick to set social engineering traps for curious movie-goers too. Because people often check online for schedules and reviews, the bad guys use fake sites, malicious links, and apps to victimize users. Last Christmas, in the wake of the Sony hack, movies such as Annie, The Hobbit: The Battle of the Five Armies, and Mr. Turner were used as bait to trick users into clicking malicious links, posts, and even app updates. Unwitting users were led to scam sites and to downloads of adware and potentially unwanted programs.
Tech and Games
In the world of gaming and technology, one might think that tech-loving users would be savvy enough to stay away from online threats. Yet this does not make them any less prone to falling for social engineering ploys. In fact, attacks ride on the publicity surrounding upcoming tech news and game releases. When Microsoft announced in April 2014 that it would no longer support Windows XP, spammers reacted by sending messages urging users to install a critical update. Of course, the "update" was actually malware that infected .EXE and .SCR files and could spread via removable and physical drives.
It was also reported that the hugely popular game Flappy Bird was used as bait by attackers. When its developer took the game down, a wave of fake Android Flappy Bird apps started to spread online. Much to the delight of the game's fans, the app worked just fine, until they started receiving permission requests through text messages. The fake app also demanded payment, without which the user could not continue playing the game.
Social media scams
Social media is one of the biggest digital platforms that cybercriminals use to attack users. Since almost anybody and anything can be found on social media, from news to people to other sources of entertainment, attackers can lure victims with little effort using a range of social media scams. The approach is especially effective because unknowing users can also be tricked into spreading the lure by sharing the scam posts with their own networks.
Alarming news
These lures work like big news stories, but their headlines use tragic or alarming topics that make users feel they have to read them "or else". Fear is an effective way to capture users' attention, and cybercriminals know it. While we are naturally inclined to learn about critical stories, the danger lies in carelessly clicking videos and messages from unknown sources. Last year, cybercriminals played on the fear and paranoia surrounding the Ebola outbreak with spam campaigns that directed users to a malicious site, where they could download a file that gave the attacker access to their systems.
Steering clear of social engineering threats
These simple steps are key to keeping your accounts safe from social engineering attacks.
Bookmark trusted sites, and don't automatically trust a site you have visited only once.
Always verify with your contacts before opening email attachments, especially if you don't expect them.
Avoid clicking links that point to unknown destinations or that come with promises that are too good to be true.
Don't be intimidated by fear tactics and worrying news. People naturally lower their guard when fearful or paranoid, and the bad guys are aware of this.
Be aware of the built-in security features of the sites you frequent.
Investing in an effective security solution is essential to protect your system and data from all kinds of threats.