
White Paper: Social Engineering and Cyber Attacks: The Psychology of Deception



Published in: Technology

SOCIAL ENGINEERING AND CYBER ATTACKS
The Psychology of Deception
White Paper

Kevin Mitnick, reformed computer hacker-turned security consultant and author, popularized the term “social engineering,” maintaining that it was much easier to deceive a user into giving up a password to get into a system than to hack into it. Today, social engineering is at the core of increasingly aggressive – and successful – schemes to manipulate online users into disclosing crucial information or installing malware. Digital “cons,” such as phishing emails, are a primary tool of the social engineer; they target – and exploit – humans as the weakest link in the security chain.

In this white paper, we explore the psychology of social engineering and why it works, provide examples of the latest cyber attacks that rely on social engineering, and examine how education and awareness are crucial as part of the first line of defense in diminishing the impact of social engineering-based cyber attacks.

The Psychology of Social Engineering

Social engineering is not a new concept. Today’s online social engineer is nothing more than a con man who uses digital methods – such as email – to swindle people out of passwords or to trick them into clicking on a malicious link that downloads malware onto their computers or networks. Social engineering tactics tap into strong human emotions such as fear, curiosity, even greed as motivators to bypass even the most iron-clad security measures and gain access to systems to steal identities, funds, information, and corporate and government secrets. And, while there is no “technology” at play – social engineering uses no software or “hacking” technology – don’t be fooled: social engineering tactics are sophisticated and rooted in the fundamentals of complex human psychology. In fact, we can draw on these fundamentals to gain a better understanding of how social engineering works, beginning with the psychology of persuasion.

Because persuasion is such a pervasive component of our society, it is easy to overlook how external influences affect our behavior. One only needs to consider how the constant barrage of persuasive messaging in consumer marketing and television commercials, for example, fuels our decisions on which products to purchase. In social psychology, there are two alternative routes of persuasion that can be employed when attempting to elicit a response from another: a central route to persuasion and a peripheral route to persuasion [1].

[1] The Social Engineering of Internet Fraud, Jonathan Rusch, US Department of Justice
– A central route to persuasion involves being persuaded by an argument or the content contained within a message. The recipient listens carefully and thinks about the message itself.
– A peripheral route to persuasion, in contrast, relies on superficial cues to persuade, for instance, the apparent credibility of the source (a television commercial delivered by an actor in a doctor’s lab coat), or a memorable tagline or phrase [2].

Cybercriminals rely on peripheral routes in order to persuade a victim into providing the response they seek. Social engineering tactics use superficial cues to exploit trust, pique human interest, and evoke a strong emotion such as fear, curiosity, or excitement that hinders the victim’s ability to think logically and elicits an immediate response.

Beyond persuasion, attitudes and beliefs play an equally important role in online social engineering. Attitudes and beliefs reveal trends as to the psychological motivation behind a victim’s responses – and ultimately drive the type of tactics a social engineer uses for a particular audience. For instance, consumers have attitudes and beliefs that are different from those of employees. Each is driven by different motivators. The social engineer must assess his audience’s attitudes and beliefs accurately and customize his tactics in order to maximize impact. Often, criminals do extensive research on a victim or a business prior to an attack to gather the most relevant information that will ensure a response. Today’s trends in social networking, job sites and other online sources reveal an astonishing amount of personal and corporate information that a criminal can piece together to create a profile – and a targeted ruse – for a successful phishing campaign. Perhaps one of the most prevalent – and damaging – beliefs of typical online users is thinking that they have nothing worth stealing. This popular misconception is one that the social engineer counts on.

Some studies [3] have shown that honesty is the characteristic associated most often with providing an accurate message. Just as the superficial cue of an actor dressed in a doctor’s lab coat in a television commercial, for example, sends a message of perceived credibility, an email that’s addressed from a friend or legitimate business signals trust. Reasonable efforts to scrutinize the message will be dismissed when the source of the message is assumed to be trustworthy. A standard social engineering practice is to make a message appear as though it originated from a legitimate person or entity. By hijacking email accounts and sending out phony messages to the victim’s contact list, criminals can make victims think that these emails are from the actual email account owner. Friends and associates trust the source, open the malicious links, and download malware to their computers. Today, with the enormous popularity and growing use of social networking, social engineers have extended this tactic to social networking sites. When users on a social networking site receive a message from someone within their network with instructions to view a file or video, those users are more likely to respond to the request since it appears to have come from a trusted source.

[2] “Social Psychology,” Brehm, Kassin, and Fein, 2002
[3] “Source Attributions and Persuasion: Perceived Honesty as a Determinant of Message Scrutiny,” Joseph R. Priester and Richard E. Petty, Personality and Social Psychology Bulletin, Vol. 21, No. 6
[Figure 1: Screenshot of Fake IRS Message Designed to Induce Fear]

The Emotional Side of Online Social Engineering

Cybercriminals have begun to recognize the value of enterprise credentials and proprietary information beyond identity theft. Today, as functionality and technology move to new channels, so does fraud – and the types of online social engineering are evolving to meet these new opportunities. The use of social engineering to commit fraud is successful because it preys not on technology, but on the inherent weaknesses of the human component. By manipulating the human victim with messages that exploit his trust, pique his interests and desires, and evoke a range of strong human emotions, social engineers increase the likelihood of obtaining the response they seek – circumventing otherwise effective technology-based security measures such as firewalls, encryption, anti-virus, spam filters, and strong authentication. In the following examples, we examine some of the most common attacks that rely on social engineering tactics – and the very “human” responses they invoke.

Fear or anxiety

The earliest phishing attacks attempted to create fear or anxiety in their victims as a way to get them to divulge their personal details. Perhaps the most common method – still used today in many different forms – is to imply that there is something wrong with the user’s bank, credit card, or retail account. The urgent message in this scam states either that unusual activity has been detected in the account, or that a failure to confirm account information will result in the account being closed.

The resulting fear or anxiety compels the victim to click the link contained within the email, which, of course, directs the victim to a fraudulent site and requests that the victim input account information, passwords, and other credentials in order to remediate the artificial “problem.” This information is then used by the social engineer to access the victim’s account – and funds – directly. Designed to trigger anxiety in the hearts of its U.S. victims, a spam email entitled “Fraud Application” attempted to trick victims into believing that the U.S. Internal Revenue Service had sent them a notice about unreported income (see Figure 1). The victims who fell for this scam unknowingly downloaded a Trojan executable onto their computer which was capable of capturing anything the user typed, including credentials to online accounts.
A similar scam targeted citizens of the UK, and was sent to English residents as a message from HMRC (see Figure 2). These types of scams are not just limited to consumers. A common attack targeting employees within an organization alleges to be from the U.S. Tax Court inquiring about a notice of deficiency [4]. When the intended victims clicked on the link within the email, a Trojan equipped with a key logger was downloaded to their computers, enabling the criminals to see – and steal – anything the users typed, including corporate credentials such as passwords to multiple, secured corporate systems.

Trust

Criminals are avid fans of social networking sites. They hijack user accounts to send phishing invites to an account holder’s entire contact list, post poisoned links to a variety of malicious sites, and send credible emails with malicious links – abusing the trust that friends normally share. Some creative criminals have tailored messages to appear to come from the social networking site itself, designed so that users will divulge their login credentials or download a Trojan (see Figure 3).

[Figure 2: Screenshot of Fake HMRC Message Designed to Induce Fear]
[Figure 3: Screenshot of Fake Facebook Update Message Designed to Abuse Trust Relationship]
Social networking sites are the least of one’s worries when you consider a spear phishing email sent to a contact list inside a military base. The message called readers to confirm their attendance of the General’s retirement party. The consequence of clicking the link? An immediate Trojan download that compromised the PC, the user’s data, and all future communications (see Figure 6). Spear phishing scams affect the corporate environment as well. Would you have opened and/or forwarded an email from human resources that contained employee salaries in a PDF file (see Figure 5)? The PDF attachment, of course, was the clever cloak of a Trojan horse.

Human Interest

Human interest stories invoke an emotional reaction because they are stories people can relate to. Often part of the evening news or magazine features, these stories present people or situations that drive our curiosity or desire for additional information. Not surprisingly, online social engineers use human interest stories to lure victims. One of the more successful scams was the (fake) story of Michael Jackson’s death that allegedly contained “secret” information for readers (see Figure 6). Notice that the link has an executable extension – yet another direct link to a Trojan download. Criminals also lure victims with interesting current-event stories featured on fraudulent websites that mimic the look of well-known entities. In Figure 7, a social engineer has replicated the CNN website, which features a link to a video on Gaza City. Recipients of the original phishing email that led to this site who clicked to watch the video would have downloaded malware to their machines.

[Figure 4: Screenshot of Spear Phishing Message Designed to Abuse Trust Relationship]
[Figure 5: Screenshot of Fake HR Message Designed to Abuse Trust Relationship at Work]
Reward

Another popular scam among criminals is the tax reporting scam, which targets victims on multiple levels and with multiple emotions. Tax reporting is a civic obligation; it is a must-do and is in the victim’s “best interest.” The promise of a tax refund is a monetary reward. And, of course, the message’s urgency evokes fear and anxiety. Tax reporting scams are continuously phishing taxpayer portals in almost every G8 country, targeting victims in countries including the U.S., UK, Australia, and South Africa. In an HMRC phishing scam, victims were lured into divulging their online banking credentials under the false pretense of being eligible for a tax refund. Victims who enter their details and click “Search” unknowingly send their credentials directly to the criminal’s drop server. While fake client details have been entered, the phishing page still indicates the supposed refund amount of $431.10GBP (see Figure 8).

[Figure 6: Screenshot of a Spam Message Designed to Lure Victims with Human Interest Story]
[Figure 7: Screenshot of Fake Video Download Designed to Lure Victims with a Current Event Story]
Other spam messages linked with reward are designed to recruit money mules. In Figure 9, criminals looking to cash out money stolen from other victims’ bank or credit accounts in specific geographies targeted people in that country with phony job offers, often titled “Money transfer agent” or “Transfer Manager.”

Education and Awareness: The First Lines of Defense

Consumer awareness of cyber threats has grown considerably in recent years. Despite increased awareness, users still continue to fall victim to cyber attacks. In 2010, two out of ten consumers admitted to being the victim of a phishing attack [5]. This increase can be attributed to the advanced tactics and clever social engineering schemes that criminals are using today. The number of phishing attacks is increasing as well. In 2010, RSA witnessed a 27 percent increase in global phishing attacks from the previous year.

[Figure 8: Screenshot of Fake HMRC Site Designed to Lure Victims with Tax Refund]
[Figure 9: Screenshot of SPAM Email Designed to Lure Victims with a Job Offer (Mule recruitment)]

[5] RSA 2011 Workplace Security Report
As criminals experience diminished returns from traditional phishing, however, they are changing their tactics in order to get a response, and have invoked different media – such as the phone versus the Web in vishing attacks – as well as new channels, including mobile devices in smishing attacks. While a strong security posture certainly is critical in reducing the risks and costs of cyber attacks, social engineering tactics are designed to bypass the technical aspects of a security strategy and exploit the weakest link in an organization’s security – the human user. Training users with examples of what to look for in a social engineering scam is a good way to help users identify social engineering attacks. Training should include clues that warn of a spam email – for instance, poor spelling and grammar, typos, or threatening or other strong emotion-invoking messaging. Users of all levels need to be trained.

Executives, in particular, tend to be easy or “soft” targets, often untrained and unaware of social engineering tactics, and more vulnerable to more sophisticated, targeted attacks because of the access that they have to highly sensitive corporate information and systems. One of the most effective methods of reducing the impact of social engineering-based cyber attacks is embedded training that actually “tests” people in real time with live examples of phishing – and micro video games that give people the opportunity to have fun as they “practice” identifying potential scams. In one case study that involved more than 500 employees of a large company over a period of one month, embedded training resulted in reducing the number of employees that fell for a social engineering attack by 50 percent [6]. Regardless of the type of training, at a minimum, organizations need to establish best practices for avoiding processes that are abused by social engineering scams – and update these best practices as the social engineers adapt and evolve their tactics. In the end, user education and awareness are crucial and part of the first lines of defense in diminishing the impact of social engineering-based cyber attacks.

[6] Wombat Security Technologies

About RSA

RSA is the premier provider of security, risk and compliance solutions, helping the world’s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, data loss prevention, encryption and tokenization, fraud protection and SIEM with industry leading eGRC capabilities and consulting services, RSA brings trust and visibility to millions of user identities, the transactions that they perform and the data that is generated.

RSA, the RSA logo, EMC2, EMC and where information lives are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2011 EMC Corporation. All rights reserved. Published in the USA. SOCENG WP 0711
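The clues the paper lists for user training (fear and urgency wording, refund and job-offer lures, links with an executable extension, a message dressed up as a trusted brand) can also be turned into a simple triage heuristic that an awareness team or mail-filter pipeline can run over reported messages. The following Python is an added example and is not RSA's code or the white paper's own material; the phrase lists, the brand-to-domain table, the `Email` class and the three sample messages are all constructed assumptions for illustration, not a production blocklist.

```python
"""Score an email against the social-engineering cues named in the white paper.

Added example (not from the RSA white paper). All phrase lists, the
brand-to-domain table and the sample messages below are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Email:
    sender: str   # RFC 5322 style "Display Name <address>" or bare address
    subject: str
    body: str


# Cue phrases, grouped by the emotion the paper says each scam family exploits.
# These are illustrative assumptions, not a curated detection list.
FEAR_PHRASES = ("unusual activity", "account will be closed", "suspended",
                "notice of deficiency", "fraud application")
REWARD_PHRASES = ("tax refund", "refund amount", "you are eligible")
MULE_PHRASES = ("money transfer agent", "transfer manager", "work from home")
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "act now")
# Link targets with an executable extension (the paper's Figure 6 cue).
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")
# Brands impersonated in the paper's examples, mapped to the domain a genuine
# message would come from (assumed mapping for the example).
IMPERSONATED = {"irs": "irs.gov", "hmrc": "hmrc.gov.uk", "facebook": "facebook.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def extract_links(text: str) -> list:
    """Return every http(s) URL found in the text."""
    return URL_RE.findall(text)


def split_sender(sender: str) -> tuple:
    """Split 'Display Name <addr>' into (display, address); bare addresses get ''."""
    m = re.match(r"\s*(.*?)\s*<([^>]+)>", sender)
    return (m.group(1), m.group(2)) if m else ("", sender.strip())


def score_email(mail: Email) -> dict:
    """Return a score (number of distinct cue families hit) and the reasons."""
    reasons = []
    text = f"{mail.subject}\n{mail.body}".lower()

    # 1. Emotional triggers: fear, reward, mule recruitment, urgency.
    for label, phrases in (("fear", FEAR_PHRASES), ("reward", REWARD_PHRASES),
                           ("mule", MULE_PHRASES), ("urgency", URGENCY_PHRASES)):
        hits = [p for p in phrases if p in text]
        if hits:
            reasons.append(f"{label}: {', '.join(hits)}")

    # 2. A link whose path ends in an executable extension.
    for link in extract_links(mail.body):
        if urlparse(link).path.lower().endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable link: {link}")

    # 3. Display name claims a trusted brand, but the address domain is not that brand's.
    display, address = split_sender(mail.sender)
    domain = address.rsplit("@", 1)[-1].lower()
    for brand, legit in IMPERSONATED.items():
        claims_brand = re.search(rf"\b{brand}\b", display.lower()) is not None
        if claims_brand and domain != legit and not domain.endswith("." + legit):
            reasons.append(f"display name claims {brand} but domain is {domain}")

    return {"score": len(reasons), "reasons": reasons}


def is_suspicious(mail: Email, threshold: int = 2) -> bool:
    """Flag a message once it trips at least `threshold` independent cues."""
    return score_email(mail)["score"] >= threshold


# Constructed sample messages (not real phishing samples).
SAMPLES = {
    "irs_fear": Email(
        sender="IRS <notice@irs-refund-center.example>",
        subject="Fraud Application",
        body="Unusual activity was detected. Download the report immediately: "
             "http://irs-refund-center.example/report.exe or your account will be closed."),
    "hmrc_refund": Email(
        sender="HMRC <refunds@hmrc-online-tax.example>",
        subject="Tax refund notification",
        body="You are eligible for a tax refund of 431.10 GBP. "
             "Claim at https://hmrc-online-tax.example/claim within 24 hours."),
    "benign": Email(
        sender="Alice Example <alice@example.org>",
        subject="Lunch on Friday?",
        body="Menu is at https://example.org/menu.html if you want to pick in advance."),
}

if __name__ == "__main__":
    for name, mail in SAMPLES.items():
        result = score_email(mail)
        print(f"{name}: score={result['score']} suspicious={is_suspicious(mail)}")
        for reason in result["reasons"]:
            print("   -", reason)
```

The score counts cue families rather than raw keyword hits, so a single alarming word does not flag a message on its own; the paper's point is that these scams stack several triggers (a trusted-looking source, an emotional hook, a link to act on), and that combination is what the threshold looks for. A tool like this supports, rather than replaces, the user training the paper recommends: its reasons can be shown back to the reporter as the "clues" to look for next time.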