Social Engineering Attacks Are Getting Smarter. Are You?

5 min read

A study of 127 hackers at the Black Hat USA conference was conducted by a cybersecurity firm a few years back. As per the research, over 50 per cent said that their primary motivation to hack was to ‘search for emotions’. This was clear evidence that modern-day cybercriminals are usually curious and intelligent and want to know more about the human mind. They are never really satisfied by just breaking into others’ systems. They also like to control things and take advantage of fear and biases in the human mind. Thus, often, they try and work on the psychology of humans to become successful.

Today, cybercriminals prefer social engineering. They carry out a cyberattack by exploiting human errors and behaviours wherein the victim is tricked into divulging sensitive data, which the criminal uses for fraudulent purposes. They also use tactics that involve manipulation and fear-mongering and work so that the victim loses all control over his network system(s) and is, after that, forced to give in to ransom demands. 

Humans like to be flattered, helped, find fellows who can be trusted, be showered with tempting gifts, etc. Cybercriminals exploit these weaknesses to their benefit. After all, who would not want to click on a link that promises free gifts – sometimes, we do it even when we know that the link is an unverified one, thus exposing ourselves to cybercrime. The same goes for fear. Once our minds are put under pressure, we give into almost anything. This is why having greater control over one’s mind and good sense is very important in avoiding hacking episodes. 

Here is how cybercriminals are carrying out social engineering these days.

Use of Deepfake Technology

Nowadays, cybercriminals have begun using deepfakes to enhance social engineering. It is a technology where Artificial Intelligence (AI) is being used to create synthetic media (images, audio, video). One appears to be doing or saying something that has not happened or been said in reality. Even though examples of this scam are not many as yet, there are dark web forums where the expertise of this technology is being discussed. 

For instance, using deepfake audio, impersonations, like that of bank officials, are being done to transfer money to fraudulent accounts. Impersonating people to get login details is also gaining in popularity. Cybercriminals call people on behalf of a company, point out errors and setal data on the pretence of solving the problem. The deepfake trend can cause a lot of havoc as it is slowly being designed to be so powerful that it can bypass even biometric verification. Hence, one needs to be extremely careful.

Cybercriminals have begun using deepfakes.

To avoid being scammed, the following precautions can be taken.

  • One needs to be trained so that malicious deepfake activities can be recognised. As deepfake scams take time to execute, potential victims have a lot of time to spot the fraud if they know the warning signals. Some deepfakes may actually seem ‘fake’, so it is best to trust your instinct.
  • Analysis systems exist which can spot when content has been manipulated, which can be handy if you are running a business and have a lot of data at stake. 
  • Deepfakes cannot see in different directions or read a phrase. So, repeated wrong answers by a person or bot can be a red flag.

Watering Hole Attacks 

A watering hole is where jungle animals go to drink water. Instead of tracking an animal over a long distance, the hunter can kill the animal more easily if he finds the watering hole. Not just that, but he can find more animals to kill if he waits at the watering hole. The term watering hole attack, thus, implies a form of attack where the attacker finds out the website(s) that potential victims visit most often and infects those websites to compromise their security. 

For such attacks, the cybercriminal profiles his victims first and then targets the websites. Usually, the targets belong to large organisations, religious groups or government departments. For instance, in 2017, the websites of the Ukrainian Government was compromised to spread the ExPetr malware. In 2016, the Canada-based International Civil Aviation Organization (ICAO) infected the United Nations (UN) network by spreading malware. As these attacks breach numerous layers of security, they can be quite destructive. Also, the websites that the attackers infect are usually legitimate websites that cannot be blacklisted. 

Although these attacks are just gaining momentum, one needs to be well prepared. For this, the following tips can be helpful.

  • Keep testing the security solutions regularly.
  • Check whether the web content and security proxy gateways are well configured or not.
  • Add more layers of data security to your accounts across platforms so that you are better protected in the event of a breach.
  • Keep all systems updated with the latest software and OS patches to remove known vulnerabilities.
  • Verify all third-party traffic to whatever extent possible.
Cybercriminal profiles his victims first and then targets the websites.

Exploiting QR Codes 

Many security researchers in recent years have revealed that QR codes pose security risks, especially to mobile devices. Since humans cannot decipher QR codes, free tools that are readily available on the Internet can be used to modify the pixilated dots. In this manner, criminals can embed malicious or even phishing URLs in them to get money, use it to gain access to the personal information of the user or get the user’s real-time location. 

The pandemic has increased the use of QR codes. Today, whether you are accessing a restaurant menu or sending payment across the globe, QR codes are in full use. Thus, breaches have seen a significant spike. 

It is possible to prevent such crimes by doing the following.

  • Scrutinise the preview link before making any payments. For instance, one can check if there are any spelling errors as that could indicate a cloned URL.
  • Not scanning a QR Code that is embedded in an unknown email.
  • Adding email authentication protocols such as DMARC, DKIM, BIMI, and SPF records.
  • Adding the brand’s logo into the code if you are a business owner. 
  • Make the domain URL easily identifiable so that users can easily identify the source.
  • Have a mobile defence system that blocks any downloads from unauthorised sources, disallows repetitive login requests etc.

Scareware 

Scareware is malicious software that appears like a pop-up message from a software company warning about the computer having gotten infected with a virus. Sometimes the fraudsters also send spam mail to distribute scareware. 

These messages/emails frighten the potential victim who, intending to protect his data and fix the problem, pays a fee to download such software. What he downloads, however, is malware that intends to steal the confidential personal data of the individual. Also, when he is buying the software, he gives out credit card information used for cyber thefts. It is, thus, a well-planned cyberattack that exploits the emotion of fear.

To protect yourself against scareware, the following tactics can be used.

  • One can recognise these pop-up scareware messages as appearing suddenly and tending to mimic logos of legitimate antivirus programs, displaying screenshots of the ‘infected’ files, using CAPS and exclamation marks, containing flashing red images etc.  
  • One can prevent this by not buying worthless software or downloading software from non-trusted sources.
  • Enable pop-up blockers to prevent fake advertisements.
  • Usually, computers infected with malware will become slower, or you will find blocked pathways and unusual errors. If this happens, then immediately seek help from an IT expert and secure your sensitive accounts, such as your bank account.
Scamsters use such commonly made spelling errors to direct users into a fraudulent website.

Typosquatting  

Typosquatting is used by cybercriminals as a form of social engineering attack. Sometimes users incorrectly type a URL into their web browser rather than using a search engine. Scamsters use such commonly made spelling errors to direct users into a fraudulent website. Sometimes it is also known as URL hijacking or domain mimicry. Unfortunately, the look and feel of these sites are the same as the original one. Hence, one often remains unsuspecting. 

In the run-up to the 2020 US presidential election, typosquatting domains of some candidates were extensively created by hackers with fraudulent motivations. Visitors can arrive at such malicious sites through a spelling error on their own part or be lured into it by fraudsters. Once this happens, the users are likely to enter sensitive data, which puts them at risk. Cybercriminals achieve typosquatting by registering domains that contain:

  • Deliberately misspelt names of well-known websites.
  • Using alternative spellings by playing on the US vs UK English.
  • Use hyphenated words.
  • Use incorrect domain endings.

Such a form of attack can be avoided by individuals by not clicking on unexpected messages and emails, using updated antivirus software, inspecting the links carefully, bookmarking the favourite sites, using search engines to reach the website, leaving the sites you visit regularly opened on the browser tab. 

Organisations can also prevent it by registering typo versions of the domains before the criminals can, using SSL certificates to show that the website is legitimate, and notifying clients and staff if they feel that someone is impersonating the website. 

Bottomline

Social engineering uses psychological manipulation to access confidential data and cause cyber thefts. The criminals get the potential victim to trust and then provide enough stimuli to make the breach happen. Social engineering is dangerous because it plays on the human mind and human fallacies rather than on software and operating system glitches. Thus, it is only with good cybersecurity and cyber hygiene practices and remaining cautious and intelligent that we can prevent social engineering practices from harming us. 

Leave a Reply

Your email address will not be published. Required fields are marked *