Supp. Chapter 2, Lesson 4 Text
Lesson Four: Social Engineering
Most people are aware of the dangers of viruses and hacking to gain access to personal computers and electronic devices. However, some of the most effective ways to steal information or gain access do not involve any viruses or hacking at all! These attacks are performed using a concept called social engineering. A social engineer is someone who can fool people into freely giving confidential information like user names, passwords, social security numbers, bank account numbers or even remote access to control a computer.
Most security-trained personnel will tell you that the weakest link in a security chain is often the human who accepts a person or scenario at face value. When trying to secure your house, you may have put locks and deadbolts on every door and window. You might have guard dogs, alarm systems, floodlights and fences around your entire property. However, when someone appears at your front door with a pizza box, if you open the door immediately to grab that pizza, you have just allowed someone past all of your security measures with no verification! That kind of human error can defeat even the best automated security systems.
Social engineering methods change over time, but they often have common elements. Many of these attacks are performed either over the phone or through email or social media.
Impersonation and Spoofing
Have you ever shared your user name and password to an email or social media account with a friend? Maybe they asked to use it temporarily because their own computer is broken. If you are looking at a person face-to-face, verification of that person's identity is easy. But what if your "friend" sends you an email or calls you on the phone? Impersonation is the act of pretending to be someone that is already known and trusted, and it can be hard to detect.
If someone impersonates a trusted friend and gets some access to your personal information, that information might be valuable by itself or it may be used to launch other attacks. Of course, you should never give a friend obviously private information like your driver's license number, social security number or banking information. But what might happen if you tell a "fake" friend your user name or perhaps just your grandmother's maiden name? That information could be used to help impersonate you to someone else. A social engineer might call up your bank and use your grandmother's maiden name to help reset your online account user name and password. That person would then have complete access to your bank account simply by pretending to be your friend, learning small bits of information, and then pretending to be you at your bank.
One tool used by impersonators is "spoofing". Spoofing can be used to make emails look like they come from someone else, like a famous personality or a well-known friend. If you receive an email with what appears to be your friend's return address, you might be more willing to respond to that message than to one that comes from a stranger.
Similarly, spoofing is also sometimes used to fake the incoming Caller ID on your phone. Software can be used to make you think you are receiving a call from a trusted number, when the call is actually coming from another person entirely. For example, if you receive a call that appears to be from the Driver's License Office, you might be more willing to recite your driver's license number to verify your identity. In reality, the person on the other end has just received important private information that can then be used to steal your identity.
Protecting against impersonation and spoofing attacks is often done by simple fact-checking and self-awareness. If you receive an email from someone you trust that has suspicious content, you should double-check with that person before responding via email. You should also avoid giving out personal information on the phone unless you were the one that called a verified number first in order to conduct business.
Phishing
Phishing is an online social engineering attack that typically involves an e-mail, instant message or comment that appears to come from a legitimate company, website or school. The message may tell you that there is a problem that requires you to simply "verify" information by clicking on a link. The link will take you to a web page that looks exactly like a real bank, school or company site. If you believe that you are on a legitimate site, you may then go ahead and enter your login information or other personal information into the fake page. This information is collected and used to hack into your real account.
Why do phishing attacks work so often? Most of the messages will include an urgent "call-to-action". This warning may state that you must quickly act to prevent major loss of access or to solve a serious problem. Social engineers hope to create enough panic in your mind that you will act without thinking.
How can you protect yourself from phishing attacks? The best way is to double-check every link in an email or message before you click on it. The visible link text may read "Click Here to Get Your Free Prize!", but the actual URL leads somewhere completely unexpected like "www.badguyz.com". The URL could also be similar enough to pass at a quick glance (perhaps "www.mybanc.com" instead of "www.mybank.com"). You won't know unless you inspect the URL carefully!
In most email software and web browsers, if you hover your mouse over the link, you will see the website URL that you will visit when clicking on the link. If the website address does not match your expectations, don't click on it.
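The link check described above, written out as an added example (it is not part of the lesson): it pulls each link out of a constructed sample email, compares the visible link text with the real destination, and flags destinations that are one character away from a site the reader trusts. The trusted-site list and the sample message are assumptions made for the example.

```python
# Added example (not from the lesson): inspect the links in an HTML email the way
# the text describes, comparing visible link text against the real destination
# and flagging near-miss look-alikes of domains the reader trusts.
import re
from urllib.parse import urlparse

# Constructed for this example: the reader's own trusted sites and a sample message.
TRUSTED_HOSTS = {"www.mybank.com", "www.myschool.edu"}
SAMPLE_EMAIL = """
<p>Account problem! <a href="http://www.badguyz.com/login">Click Here to Get Your Free Prize!</a></p>
<p>Or sign in at <a href="https://www.mybanc.com/verify">www.mybank.com</a> right away.</p>
<p>Official site: <a href="https://www.mybank.com/">www.mybank.com</a></p>
<p><a href="https://www.mybanc.com/">Verify now</a></p>
"""

# Simple anchor extraction; enough for the constructed sample, not a full HTML parser.
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(s):
    """Hostname of a URL; bare text like 'www.mybank.com' is treated as a URL too."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def edit_distance(a, b):
    """Levenshtein distance: a host one character from a trusted one is a classic look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html, trusted=TRUSTED_HOSTS):
    """Return (href, reason) pairs for links the reader should not click."""
    findings = []
    for href, text in ANCHOR.findall(html):
        host = host_of(href)
        if host in trusted:
            continue  # destination really is a site the reader knows
        text = re.sub(r"<[^>]+>", "", text).strip()
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != host:
            findings.append((href, f"text shows {shown} but the link goes to {host}"))
        elif any(edit_distance(host, t) <= 1 for t in trusted):
            findings.append((href, f"{host} is one character away from a trusted site"))
        else:
            findings.append((href, f"{host} is not a site the reader trusts"))
    return findings
```

Running `check_links(SAMPLE_EMAIL)` flags three of the four links; only the one whose real destination is the trusted bank site passes.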
If you want to visit a legitimate web site to make sure there are no problems, open your browser and manually type in the address that you know to be valid for the bank, company or school web site. You can also contact the company by phone to verify whether or not any action is needed - but be sure to use the phone number from the company's real web site and not a phone number from the phishing email.
Baiting
Have you ever searched the web for information about the latest video game, movie or music? You might have found links that offer to let you download that game, video or song for free. If it seems too good to be true, it probably is.
If you do actually download that free file, you might get what you expected. But you might have also just installed a virus or malware on your computer. That virus can then lurk on your computer and steal password information, damage your files or even take over your computer. Even worse, these programs might also gain access to your email and social media accounts and send out baiting or phishing messages from your account to people who trust you.
How do you protect yourself from baiting scams? If you normally need to pay for something, avoid clicking on links that promise you that same thing for free. You should never download files from people or web sites that you do not know or trust. This is especially true for files that you must run or open on your computer, like ZIP files, executable files or word processing documents. If you must download a file, make sure to scan it with your anti-virus software before opening the file. Most anti-virus software will be able to tell you if the file is infected before it's too late.
Hoaxes
A hoax is a way of tricking people into believing or accepting something false and often preposterous. Sometimes, hoaxes are harmless and silly, like one widely circulated message that claimed Facebook was closing down for a few days. Readers were encouraged to sign online petitions to keep the social media outlet going, and many did! However, it didn't take long to find out that it was all a hoax.
Other online hoaxes are more harmful, like one recent case in Atlanta, GA that claimed a barista at a local Starbucks was sabotaging customers' coffee orders. This hoax, sent out on local social media, caused such a firestorm in the local community that the Starbucks store was forced to close down until they could convince their customers that it was a fake story. In fact, the barista mentioned in the story didn't even exist!
How can you protect yourself from Internet hoaxes? If you receive a message that asks you to pass it along to all of your friends, be very cautious. If you read a story that seems shocking or lacks any common sense, try to verify the information first. Make sure the original poster has their facts straight before you continue to spread the word. Major news outlets will often perform some research and authentication before publishing a story, but even they can be fooled from time to time.
Work with Me: Your Experiences with Social Engineering
Have you ever been a victim of social engineering, or do you know anyone who has fallen for impersonation, spoofing, phishing, baiting or hoaxing? If not, do some online research to find a recent example where social engineering has been successful. Then, share the story with your class or with your teacher. Try to answer the questions below.
- What method was used to fool the victim, and why was the approach convincing?
- What steps should the victim have taken to prevent the attack?
- What damage was caused as a result of the attack?
- What policies, procedures or habits did the victim change to prevent future attacks?