The Source March 2020
CYBERSECURITY
The power of social engineering
What is the easiest way to hack a password? Just ask for it! It sounds a bit straightforward
and silly, but the most effective way to hack your way into a system is not by
exploiting vulnerabilities and using a range of cyber weapons, but by tricking people
into giving you their logon credentials.
Social engineering, in the context of information security, is the psychological manipulation
of people into performing actions or divulging confidential information.
Hacking emotions using psychology
So, what makes social engineering so effective? The answer lies in how our brain
works. For our survival, evolution has wired our brains to be susceptible to several
stimuli, namely:
Fear - defined as an unpleasant emotion caused by the belief that someone or something
is dangerous, likely to cause pain or a threat to our wellbeing. This is arguably
the most commonly manipulated emotion in social engineering campaigns, as it is a
powerful motivator. Examples are warnings that you have been infected with
a “virus” or “hacked” and should click here to “solve your computer problems”. The
user is prompted to act quickly to mitigate the “threat” raised by the fake, fear-striking
message, and is sometimes even asked to “warn” all his friends and family, thus
spreading the fake message exponentially.
Greed – our brains are wired for survival, which is why we like to have resources:
they enhance our chances of survival. Even back in the Stone Age, hoarding and greed
meant a bigger chance of surviving and reproducing. This emotion is also easily
abused by offering some (fake) reward in return for an action. Examples are fake
lottery wins or prizes for acting fast and, in essence, doing what the attacker asks you
to do – click here.
Obedience – As people we live in groups, and just as in the animal kingdom these
groups have some form of hierarchy. Obedience is defined as complying with an
order, request or law, or submitting to another’s authority. Most people comply with
requests from authority, and usually that is a good idea, unless it is an illegitimate authority
with malicious intentions. For example, ransomware notes are sometimes disguised
as fines from the FBI because of some “illegal” download or activity. Scam e-mails
instructing CFOs to urgently wire money on behalf of the CEO are also
commonly seen.
Helpfulness – last but not least, people are for the most part good in nature and thus
want to do good. It is our instinct for the survival of the group that prompts our brain to
want to help each other. This is a good thing for obvious reasons, but it is easily exploited
by hackers and scam artists. If you want to get past a security door without an access
badge, for example, just carry an empty box and walk up to the door, and there is a big
chance someone will open it for you. Other social engineering scams, like forwarding
a “warning” to all your friends, might actually put them in danger and help spread
fake or viral news as well as possible malware.
In these cases, perhaps the most useful piece of advice is to stop and consider the
request or correspondence with a clear head and ask whether it could be used in a
nefarious way before proceeding.
The material damage of business email compromise (BEC)
According to the 2019 FBI Cyber-crime report, business email compromise (BEC)
accounted for 1.8 billion dollars in damages suffered by companies in the US alone,
which is more than ten times what was lost to credit card fraud over that same period.
A multitude of Aruban businesses also lost tens to hundreds of thousands of florins
each in similar scams last year.