Posted by Jawaid

Snake oil salesmen using Social Engineering ...

06 January 2016

The world has changed and I’m not talking about the obvious socio-environmental, economic or political changes - It’s the way we do things as a result of the growth of technology, it has made our lives much easier, faster and convenient. Our need to enrich our lives as consumers for products and information increases, as such we demand it to be faster and easier.

The world has changed and I’m not talking about the obvious socio-environmental, economic or political changes -  It’s the way we do things as a result of the growth of technology, it has made our lives much easier, faster and convenient.  Our need to enrich our lives as consumers for products and information increases, as such we demand it to be faster and easier. 

In accommodating this demand the market place constantly launches new digital services at the detriment of disrupting the existing market and traditional value network (Disruptive Change coined by Clayton M. Christensen 1995). The world has surely changed:

  • We see what each of us are doing through Facebook (social meeting place). 
  • Speak to each other through What’s app (Instant messaging)
  • See and speak to each other through Skype or FaceTime (Video conferencing)
  • Tell the world what we are thinking and doing through Twitter 
  • Celebrate special occasions by sending emails rather than greeting cards
  • Pay for products and services on-line with PayPal 
  • Pay for products and services in person with Apple Pay or Contactless debt cards
  • Travel on London Transport with Oyster Cards or on Hong Kong’s MTR with Octopus Cards
  • Look for love or relationships through Match or Tinder
  • Order food through Grub Hub, Just-eat or Hungry House
  • Book taxis with Uber
  • Seek and book holiday accommodation through airbnb

How do we make sense of all this? About a year ago my twin asked me - What was this all about? I was keen not to come across as a babbling geek, spewing out words and phrases that either forced my brother to consciously translate or just plainly give up. 

I used the following picture to put this in context, we both love samosas and you could hear us say to each other ‘fancy a couple of bad boys?’ meaning popping into a local takeaway to grab a couple of samosas. 

 

Twitter – I am eating samosa
Facebook – I like samosa

You Tube – This is how I eat my samosa
Linkedin – My skills include samosa eating
Instagram – Here is a classic photo of my samosa
Blog – Here’s my samosa eating experience
Pinterest – Here’s a samosa recipe
Four Square – This is where I eat samosa

 

 

 

Before social media and disruptive change - if we wanted to go shopping, the transaction would involve initially meeting face to face with shop keepers, suppliers or those that were offering something we wanted, the following interaction would involve an anonymous transaction only requiring cash.

As our increasing demand to want things immediately and to mandate personal delivery meant we are required to meet those, whom offer want we want, halfway. Allowing them to store information about us, sometimes personal information with our bank account details.

Realisation that our identities are not held only in our wallets (in back pockets) and in our purses (in handbags) but on-line in a storage device somewhere in the world fills us with suspicion.
Does this present a risk? Can our personal information be used by someone else? 

Assurances are in place that our personal details are secure and several levels of access are put in place to prevent others from accessing our details or accounts. 

We are advised to not only to use something we know such as a password (one factor authentication) but also something we hold such as a device that produces a unique number (two factor authentication), we are also encourage to use some of the following:

  • Passwords - non obvious ones ensuring passwords are more that 8 characters long that contains at least one upper case and lower case character from the alphabet, one number and one character that is not a number or in the alphabet.
  • Your mother’s maiden name.
  • Something only we’d would know such as the name of your first pet or your first car.
  • A code generated by a key fob you hold or an application on your mobile phone.
  • Entering a number that has been SMS texted or emailed to your personal device or email account. 
  • Visually identifying a handwritten word or phrase on screen, requesting you to type in what you see.
  • Visually identifying a specific item from a number of pictures illustrating a range of items on screen.

With such security elements in place we feel content that no one can access our accounts or steal our identities, so where is the real risk … yes you may have guessed it … the real risk is with you.

You are the real risk in allowing others to access your details and accounts on-line.

History is littered with stories for our enjoyment of tricksters and Snake Oil salesmen seeking to sell you something that isn’t quite what it pertains to be - the saving grace, if caught out, was that (1) you had to be present when it happened and (2) it only happened to you once.

Thing are very different today, with so much of our personal information on-line we at risk as (1) we don’t need to to be present when it happens and (2) it can happen more than once. 

The trickster’s modus operandi has changed. They focus on psychological manipulation by playing on your inexperience and possible insecurities, acting as confidence tricksters to illicit information about you - from you so to take on your identity so you don’t have to be there when the illegal activity is being performed.

This activity, which leads to identity theft, is called Social Engineering and has been around for the last two decades, I recall in 1995 writing paper for my seniors whilst at the Labour Party, not much has changed since then - the approach remains the same whereas it’s much more common as more of us place our personal information on-line.

Social engineering is the art, science and a matter of timing in manipulating you into doing something that you’d wouldn’t normally do - if you understood the consequence of your actions you just wouldn’t do it. It is based around the natural human tendency to trust, attackers (as they tend to be called) seek to gain your trust in the efforts to get hold of your personal information.  They then go on and use this personal information to access your accounts - acting as you (identify theft) to undertake transactions as you, undertaking fraud, theft and/or damaging your brand/reputation/credit score.

... 'People are generally helpful, especially to someone who is nice, knowledgeable or insistent.' Kevin Mitnick - ex-social engineer hacker ...

Attacker may appear unassuming or respectable and may offer credentials, sometimes pretend to be a new employee, support engineer or from an internal team. By asking questions, the attacker may piece enough information together to infiltrate your accounts or even your organisations network.

Considering we are all walking around to the keys to our on-line accounts and logins to our organisational networks, social engineering cannot be blocked by technology alone, no matter how strong your digital infrastructure is - including your firewalls, Intrusion Detection Systems, Cryptography, Anti-virus software - you unfortunately are the weakest link in the security-chain.

... 'You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.' Kevin Mitnick - ex-social engineer hacker ...

Some of you may have been victims of social engineering, whereas most of you have heard stories from friends and colleagues of it happening to them. The news is constantly filled with stories of confidence tricksters emptying the bank accounts of poor victims.

Part of the battle in combatting this is to be fully aware, adopting a security culture on-line as you would with the keys of your home and your wallet/purse.

There are commonly two types of attack that we may be victim to, technical and non-technical:

Technical based attacks 
These are based on deceiving you into believing that the email, website or application is providing the appropriate high-level of security. Most common of these are email based, where the attacker mis-represents themselves by sending an email from a reputable source either:

  • Letting you know that a particular account on-line has been compromised.
  • Sending you either an invoice for a purchase you apparently made or an unbelievable offer that you just can’t say no to.

Either attempt will ask you to log in following a link in the email to a web page that looks exactly the same as the actual page you expect to see, hence depriving you of your login details as the follow pages may either provide an error asking you to login later in the day or harvesting your credentials while automatically logging into the bone fide website which will have no mention of a compromised account or special offer. 
Other technical attacks are based on websites that pop-up whilst you are browsing - you never asked for these so the best policy is to ignore and close these. 

Non-technical attacks
These are based on taking advantage of your good will and trust, attackers use human interaction either via email or over the telephone. As humans we are driven by our curiosity, pleasure, fear and occasionally we are just not thinking at all, almost on autopilot. 

Attackers use these traits to take advantage, common approaches include:

  • Quid pro quo also called ‘something for something’ where you receive an unsolicited phone call from an attacker pertaining to be from an organisation you have a relationship with or even locally from within your own organisation claiming to be a support engineer or from Human Resources. 
  • Pretexting also called ‘invented scenario’ similarly with the above may come as an unsolicited phone call but may also come as a personal letter addressed to you. This method involves impersonating an authority such as your bank or on-line shop (ebay/amazon). Others include the obvious false ones where you’ve been left millions of dollars or a request for help to transfer millions out of a failing country.

It is unlimited the way attackers socially engineer or fabricate a believable story to you, the point is they are preying your insecurities and fears and genuinely convince you that they are there to help you. Believing the problem is legitimate you’ll be grateful they contacted you and end up following their instructions to rectify the issue. During this ‘help’ they will try and elicit personal information, may ask you to do a number of things that involves giving them your personal details. For example, they may ask you to go to a website to enter your credentials, ask you to run commands on your PC or even ask you to transfer money out of your compromised bank account into a much more secure account.  

The best way to stay safe on-line is to adopt similar principles to the way you manage your personal wallet or purse - keep it way from prying eyes. A security aware culture can help identify and repel social engineering attacks, as mentioned technology can help with this although the weakest link is still you. 

Here are a few tips to take onboard:

  • When contacted via email check the address behind the sender’s details, they should match or look legitimate - if not seek advice or contact the person or company by another means to verify.
  • When opening link whether from an email, bookmark, search engine or typing it in yourself always check it remains a legitimate address and when logging in to any site ensure that the website is secure either via a statement or a padlock appearing in the left hand side of the address bar.
  • When receiving unsolicited calls - seek advice don’t share any information with the caller until and unless you have proved they are bone fide
  • Lock your laptop/PC whenever you are away from your desk.
  • Purchase and use anti-virus and anti-spam software, ensure it is always up to date.

Above all, be suspicious of unsolicited phone calls, visits, letters or email messages from individuals asking about internal information, try recognise inappropriate requests for information - if not seek advice or contact the person or company by another means to verify.

Finally, if an offer it too good to be true - it probably is …

Leave a comment