Social Engineering – old approach with new technology
Social engineering is a term that has steadily gained in popularity in recent years and attracts growing interest, yet it still remains a taboo. The reason why this extremely sensitive issue, like the other "hot irons" around the topic of economic crime, non-compliance and cybercrime, is still discussed behind closed doors is obvious. Even if the term social engineering tends to be filed in the drawer of information technology (one needs a certain order), components far more relevant than technology are in the foreground here. The name already reveals it: it concerns social factors, the "human factor".
The wave of success of social engineering (also called social hacking) can be explained by the fact that here too the individual is the weakest link in the chain.
This is due to the individual's susceptibility to influence and manipulation, which makes the individual the biggest risk factor. The various mechanisms of influence and manipulation create the basis of trust in the target subject.
Seen from the point of view of the "human" factor, the processes, including their control environments for defending against hacker attacks and preventing information theft, appear to be minimally effective, if not useless. The three elements known from the Fraud Triangle, the opportunity, the motive and the justification of the accomplished deed, are sufficient in this method as well. That is why security officers, IT managers and the top executives of an organization regard social engineering as one of the most dangerous forms of cybercrime and information theft.
A company can have implemented high-tech security solutions, trained its staff and organized a building security service, yet the company remains extremely vulnerable. Individuals can follow all the safety recommendations from the training courses and keep all anti-virus programs up to date, and these individuals remain vulnerable nonetheless. The "human factor" is responsible for the vulnerability, as the weakest link in the safety chain.
Terminology of social engineering
The definitions of social engineering are, like other terminology in the world of cyberspace, non-compliance and economic crime, not uniform. Based on the experience gained from various cases in practice, the following definition has proved practicable and understandable:
Social engineering involves any act and method that causes an individual to do or refrain from doing something that is not necessarily beneficial to that person, but in favor of someone else.
These actions and methods are not used exclusively in the professional environment. The social aspect, as the name already betrays, plays an essential role: the focus moves away from technology to the social, influenceable and potentially manipulated individual. Depending on the starting position, attackers may already have an existing network of contacts through which "faked" trust gives them access to sensitive data. In other cases, these networks, acquaintances or friendships are built up over years.
Since social engineering is not a term that can be sharply delineated by definition, the boundaries to other methods are fluid. In practice, different forms of computer-based social engineering are distinguished, and new technological developments will bring further subgroups into circulation.
On the one hand, there are technical attacks on technical systems, such as a DDoS attack. On the other hand, there are the attacks that are not aimed directly at technical systems but at their users. This is where we talk about social engineering.
Computer-based social engineering works by faking an identity or misusing a basis of trust. With the help of technical tools (websites, e-mail addresses), the identities of trusted partners (bank, supplier, etc.) are faked in order to obtain sensitive information. This approach includes the methods of phishing. There are three main areas of malicious social engineering.
The driving forces and success factors of social engineering – hacking without a code…
The driving forces of the social engineer can be divided along the same lines as the drivers of other offenses in the field of white-collar crime, non-compliance and cybercrime. It is primarily about the three elements of the fraud triangle, which include:
Social engineering is a way of collecting information. The method is essentially free of charge. Every conceivable method can be used with good intentions or maliciously. In everyday life, and with the participation of the media, however, social engineering has become associated with the negative connotation of hacking. Obviously, the methods of social engineering go back to the evolution of human beings, not only to the new technologies of the age of digitalisation.
Effects of social engineering
The three basic forms of social engineering are phishing, eliciting on the phone and identity fraud. Comparing the forms of social engineering by their effectiveness, it soon becomes clear that identity fraud plays a very dominant role. Probably the most important factor is that in this form of social engineering, non-verbal communication comes into play through the visual confrontation between perpetrator and target subject.
In phishing, non-verbal communication is limited to the electronically sent messages to the target subject. These non-verbal elements affect the target subjects through their presentation, design, formulation and content. However, direct personal and visual contact between the offender and the target subject is missing entirely. Eliciting on the phone eliminates non-verbal communication in the form of visual elements. What remains is the spoken word, which influences the target subject depending on emphasis, volume, speech rate, etc.
On the one hand, a social engineer is concerned with recognizing the non-verbal communication of the target subject and, on the other hand, with controlling both his or her own and that of the target subject. Every social engineer, the good as well as the malicious, has to master this "skill".
The combination of this physical identity fraud with the technical possibilities of targeted personal phishing increases the damage potential enormously. Today's technologically sophisticated firewalls can prevent many attacks by sorting out e-mails with attachments in the form of PDF or EXE files before they reach the mailbox and are opened. But if these files reach the target subject through a personal handover by a malicious social engineer on an external data storage device (USB stick, external hard drive), the risk of detection is reduced for the social engineer.
Like any offense, a hacker attack follows a so-called "modus operandi". Because technologies evolve constantly, these are difficult to foresee; they depend not only on ICT and the level of knowledge of the hackers, but also on the security measures in place. Criminals adapt their modus operandi to, among other things, the new investigative possibilities of law enforcement.
The core element of social engineering, whether good or malicious, is the deliberate control of a target subject in his or her decision-making.
Hackers like to use the possibilities of "social engineering" for their own purposes. The aim of this method is to convince individuals to participate in a (cyber) attack. The people in focus are rarely aware of this participation; if they were aware of it, one would speak of collaboration. Social engineering plays a key role when the goal is an organization, and it is thus an indispensable means of gaining access to that organization's information or systems. In nonspecific attacks in the form of malware, such as viruses, worms or Trojans, social engineering played no role; they spread and multiplied in a purely technical way, and the victims had no active role in the attack. The situation is different with attacks that use social engineering as the basis for intrusion. As technology for protecting against and suppressing viruses and worms advanced and improved, new ways of gaining access were found, and social engineering became the critical success factor for the attackers.
For potentially affected people (individuals as well as organizations), social engineering is the number one risk factor, and its professional mitigation lies solely in the very same "human" factor!
Nowadays, social engineering plays an indispensable role in every attack, the targeted and the non-targeted alike. Users are lured with exciting movies, updates and information, and they play a major role by actively opening a link or document. Social engineering goes much further and uses direct contact with exponents of the company in focus. These people are directly addressed and involved in a conversation, often in the marketing department or in assistant functions of executive employees. The purpose of these conversations is to gather information with the goal of penetrating the systems.