
- 246 pages
- English
About this book
This book analyzes the use of social engineering as a tool to hack random systems and to target specific systems across several dimensions of society. It shows how social engineering techniques are employed well beyond what hackers do to penetrate computer systems, and it explains how organizations and individuals can socially engineer their own culture to minimize the impact of those who lie, cheat, deceive, and defraud. After reading this book, you'll be able to analyze how organizations work and why security is needed to maintain operations and sustainability, and be able to identify, respond to, and counter socially engineered threats to security.
Social Engineering by Michael Erbschloe is available in PDF and ePUB format (Computer Science & Cyber Security).
1 Introduction to Social Engineering Use by Bad Guys
Social engineering is an incredibly effective attack technique, with more than 80% of cyber attacks, and over 70% of those from nation-states, being initiated and executed by exploiting humans rather than computer or network security flaws. Thus, to build secure cyber systems, it is not only necessary to protect the computers and networks that make up these systems but also to educate and train their human users about security procedures.
Attacks on humans are called social engineering because they manipulate or engineer users into performing desired actions or divulging sensitive information. The most general social engineering attacks simply attempt to get unsuspecting Internet users to click on malicious links. More focused attacks attempt to elicit sensitive information, such as passwords or private information from organizations or steal things of value from particular individuals by earning unwarranted trust.
These attacks ask the victim to perform the behavior the attacker wants to induce. To do this, attackers need the victim's trust, which is typically earned through interaction or co-opted via a copied or stolen identity. Depending on the level of sophistication, these attacks will go after individuals, organizations, or wide swathes of the population. Scammers often use familiar company names or pretend to be someone known to the victim. A 2018 real-world example exploited the name of Netflix when an email designed to steal personal information was sent to an unknown number of recipients. The email claimed the user's account was on hold because Netflix was having some trouble with their current billing information and invited the user to click on a link to update their payment method. 1
One reason social engineering attacks work is that it is difficult for users to verify each and every communication they receive. Moreover, verification requires a level of technical expertise that most users lack. To compound the problem, the number of users that have access to privileged information is often large, creating a commensurately large attack surface. 2
The act of convincing individuals to divulge sensitive information and using it for malicious endeavors is ages old. Social engineering attacks have occurred on the Internet since it came into existence. But before the growth of the Internet, criminals used the telephone, the postal service, or advertising to pose as a trusted agent to acquire information. Most people agree that the term phishing originated in the mid-1990s, when it was used to describe the acquisition of Internet service provider (ISP) account information. However, the term has evolved to encompass a variety of attacks that target personal or corporate information possessed by individuals, including by telephone, email, social media, in person observation, gaming platforms, theft of postal delivery letters or packages, and, an age-old favorite, dumpster diving or trash picking.
1.1 Understanding the Breadth of Social Engineering as a Weapon
Regardless of the social network, users continue to be fooled online by persons claiming to be somebody else. Unlike the physical world, individuals can misrepresent everything about themselves when they communicate online: not only their names and business affiliations (which are fairly easy to fake in person as well), but also their gender, age, and location (identifiers that are far more difficult to fake in person). Years ago investigators called these types of people confidence men, or con men.
Perhaps as a result of the high-tech times, con artists are now referred to as being engaged in social engineering. It should come as no surprise to learn that the Federal Bureau of Investigation (FBI) is investigating classic investment fraud schemes, such as Ponzi schemes, that are now being carried out in virtual worlds. Other con artists are able to conduct identity theft crimes by misidentifying themselves on social networking sites and then tricking their victims into giving them their account names and passwords as well as other personally identifiable information.
In addition to identity theft crimes, child predators routinely use social networking sites to locate and communicate with future victims and other pedophiles. In at least one publicized case from 2018, an individual attempted to extort nude photos of teenage girls after he gained control of their email and social networking accounts. That particular FBI investigation led to an 18-year federal sentence for the offender, reflecting that these crimes are serious and will not be tolerated. 3
Social engineering is the broad term for any attack that relies on fooling people into taking action or divulging information. Social engineering has been defined in several ways as is shown in Box 1.1.
Box 1.1 Definitions of Social Engineering
The act of deceiving an individual into revealing sensitive information by associating with the individual to gain confidence and trust.
Source: NIST SP 800-63-2 under Social Engineering [superseded]
An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks.
Source(s): CNSSI 4009-2015 (NIST SP 800-61 Rev. 2), NIST SP 800-61 Rev. 2 under Social Engineering, NIST SP 800-82 Rev. 2 under Social Engineering (NIST SP 800-61)
A general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious.
Source: NIST SP 800-114 under Social Engineering [superseded]
The process of attempting to trick someone into revealing information (e.g., a password).
Source: NIST SP 800-115 under Social Engineering
The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.
Source: NIST SP 800-63-3 under Social Engineering
Source: Glossary. Computer Security Resource Center. Accessed February 1, 2019. https://csrc.nist.gov/glossary/term/social-engineering.
Today the term phishing has evolved to encompass a variety of attacks that target personal or corporate information. Originally, phishing was identified as the use of electronic mail messages designed to look like messages from a trusted agent, such as a bank, auction site, or online commerce site. These messages usually implore the user to take some form of action, such as validating their account information, and often use a sense of urgency (such as the threat of account suspension) to motivate the user to act. More recently, several new social engineering approaches have appeared to deceive unsuspecting users. These include the offer to fill out a survey for an online banking site with a monetary reward if the user includes account information, and email messages claiming to be from hotel reward clubs, asking users to verify credit card information that a customer may store on the legitimate site for reservation purposes. Included in the message is a uniform resource locator (URL) for the victim to use, which directs the user to a site to enter their personal information. This site is crafted to closely mimic the look and feel of the legitimate site, and the information entered there is collected and used by the criminals. Over time, these fake emails and websites have become technically convincing enough to survive casual inspection. 4
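The brand-impersonation pattern this passage describes, and the Netflix "account on hold" lure from the chapter opening, can be checked for mechanically on the receiving side, which is the kind of verification the text notes most users cannot do by hand. The following Python script is an added example, not code from the book: it parses a constructed message and flags a sender whose display name or address claims a brand its domain does not own, an anchor whose visible URL differs from its real target, a host that embeds a protected brand name as a subdomain of someone else's domain, and a look-alike domain within two edits of the genuine one. The brand table, the sample message, and the two-edit threshold are assumptions made for illustration.

```python
"""
Heuristic checks for brand-impersonation phishing: a sender posing as a
familiar company and a link whose visible text points at the real site
while its target is a look-alike. Added example, not from the book.
The message, brand table and distance threshold are constructed
assumptions for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed table of brands worth protecting and their genuine registrable domains.
PROTECTED_BRANDS = {"netflix": "netflix.com", "paypal": "paypal.com"}

# Constructed sample message modelled on the Netflix "account on hold" lure.
SAMPLE_EMAIL = """\
From: "Netflix Billing" <billing@netflix-account-services.example>
To: victim@example.org
Subject: Your account is on hold
Content-Type: text/html

<html><body>
<p>We were unable to validate your current billing information.</p>
<p><a href="http://netflix.com.update-payment.example/login">https://www.netflix.com/YourAccount</a></p>
<p><a href="https://netf1ix.com/billing">Update payment method</a></p>
<p><a href="https://help.netflix.com/">Help Center</a></p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: ignores multi-label
    public suffixes such as co.uk, which a real tool would take from the
    Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance; a small value between a link's domain and a
    brand's domain suggests a typo-squat such as netf1ix.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_findings(host, evidence):
    """Flag a host that borrows a protected brand name without being the
    brand's registrable domain (or a subdomain of it)."""
    reg = registrable_domain(host)
    out = []
    for brand, legit in PROTECTED_BRANDS.items():
        if reg == legit:
            return []  # genuine brand domain, e.g. help.netflix.com
        if brand in host.lower():
            out.append(("brand_in_foreign_host", evidence))
        elif edit_distance(reg, legit) <= 2:
            out.append(("lookalike_domain", evidence))
    return out


def link_findings(html):
    """Check every anchor: visible URL text vs. real target, then the target host."""
    out = []
    for href, inner in ANCHOR_RE.findall(html):
        host = urlparse(href).hostname or ""
        text = re.sub(r"<[^>]+>", "", inner).strip()
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            out.append(("display_mismatch", href))
        out.extend(host_findings(host, href))
    return out


def sender_findings(msg):
    """A display name or address that claims a brand the address domain does not belong to."""
    name, addr = parseaddr(str(msg["From"]))
    host = addr.rpartition("@")[2]
    reg = registrable_domain(host)
    claimed = [b for b, legit in PROTECTED_BRANDS.items()
               if (b in name.lower() or b in host.lower()) and reg != legit]
    return [("sender_impersonation", addr)] if claimed else []


def analyze(raw_message):
    """Return (rule, evidence) pairs for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return sender_findings(msg) + link_findings(html)


if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE_EMAIL):
        print(f"{rule:24} {evidence}")
```

Run as a script, it reports four findings on the sample and stays silent on the genuine help.netflix.com link. These are heuristics rather than proof: the registrable-domain helper ignores multi-label public suffixes, so production code should use the Public Suffix List, and a two-edit threshold will occasionally flag legitimate short domains, which is the usual precision trade-off in typo-squat detection.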
1.2 Social Engineering Fraud Schemes
There are a variety of Internet fraud schemes in use by cybercriminals at any given time. By way of example, a recent fraud scheme involved a cybercriminal gaining access to an unsuspecting user's email account or social networking site. The fraudster, posing as the account holder, then sent messages to the user's friends. In the message, the fraudster stated that he was traveling and had been robbed of his credit cards, passport, money, and cell phone, and needed money immediately. Without realizing that the message was from a criminal, the friends wired money to an overseas account without validating the claim.
Phishing schemes attempt to make Internet users believe that they are receiving email from a trusted source even though that is not the case. Phishing attacks on social networking site users come in various formats, including messages within the social networking site either from strangers or from compromised friend accounts; links or videos within a social networking site profile claiming to lead to something harmless that turns out to be harmful; or emails sent to users claiming to be from the social networking site itself. Social networking site users fall victim to these schemes because of the higher level of trust typically displayed while using such sites. Users often accept into their private sites people that they do not actually know, or fail to properly set privacy settings on their profile. This gives cyber thieves an advantage when trying to trick their victims through various phishing schemes.
Social networking sites, as well as corporate websites in general, provide criminals with enormous amounts of information to be able to create official-looking documents and send them to individual targets who have shown interest in specific subjects. The personal and detailed nature of the information erodes the victimâs sense of caution, leading them to open the malicious email. Such an email will contain an attachment that holds malicious software designed to provide the emailâs sender with control over the victimâs entire computer. By the time the malware infection is discovered, it is often too late to protect the data from compromise.
Cybercriminals design advanced malware to act with precision to infect, conceal access, steal, or modify data without detection. Coders of advanced malware are patient and have been known to test a network and its users to evaluate defensive responses. Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts within most organizations. Advanced malware may use a layered approach to infect and gain elevated privileges on a system. Usually, these types of attacks are bundled with an additional cybercrime tactic, such as social engineering or zero-day exploits. Malware is often employed to misappropriate information and data that can be readily used, such as login credentials, credit card and bank account numbers, and, in some cases, trade secrets.
In the first phase of a malware infection, a user might receive a spear phishing email that obtains access to the user's information or gains entry into the system under the user's credentials. Once the cybercriminal has an initial connection to the user or system, they can further exploit it using other vectors that may give them deeper access to system resources. In the second phase, the attacker might install a backdoor to establish a persistent presence on the network, one that is not readily detected by anti-virus software or firewalls.
Cyber thieves use data mining on social networking sites as a way to extract sensitive information about their victims. This can be done by criminal actors on either a large or small scale. For example, in a large-scale data mining scheme, a cybercriminal may send out a "getting to know you" quiz to a large list of social networking site users. While the answers to these questions do not appear to be malicious on the surface, they often mimic the same questions that are asked by financial institutions or email account providers when an individual has forgotten their password. Thus, an email address and the answers to the quiz questions can provide the cybercriminal with the tools to enter a bank account, email account, or credit card account in order to tran...
Table of contents
- Cover
- Half-Title
- Title
- Copyright
- Contents
- Author
- Chapter 1 Introduction to Social Engineering Use by Bad Guys
- Chapter 2 The Continuum of Social Engineering Approaches
- Chapter 3 Criminal Social Engineering Activities
- Chapter 4 Securing Organizations Against Social Engineering Attacks
- Chapter 5 Social Engineering Attacks Leveraging PII
- Chapter 6 Hacking the Democratic Electoral Process
- Chapter 7 Socially Engineered Attacks by Insiders
- Chapter 8 Educating People to Prevent Social Engineering Attacks
- Chapter 9 The Ascent of Cyber Darkness
- Glossary
- Index