Social engineering attacks: techniques and prevention
Social engineering is the persuasion or manipulation of human psychology by threat actors to achieve a malicious goal. The aim is to fool targets into trusting the threat actors and lowering their guard, so that the attackers can invade systems to steal data, install malware, intercept important documents, make fraudulent financial transactions, and so on. They may also ask you to share Social Security numbers, credit card details, health records, family information, etc. Social engineering is usually one step or stage of a larger cyberattack, such as one carried out by stealing your identity.
This cyberattack trick is gravely dangerous as it’s not always easy to spot, and employees of big companies like Twitter have also fallen into the trap. This blog discusses the Twitter Bitcoin scam (2020) in detail, along with techniques for the prevention of social engineering attacks.
Real-life social engineering scam example: the Twitter Bitcoin scam (2020)
In 2020, when the world was dealing with the COVID-19 outbreak, a group of malicious actors used social engineering tactics by reaching out to Twitter employees by phone and pretending to be colleagues or legitimate business partners. They smartly convinced these employees to give them credentials that allowed them to access the internal system of Twitter.
They used internal tools to reset passwords and bypass two-factor authentication for the targeted accounts, including those belonging to celebrities, politicians, and business owners such as Elon Musk, Barack Obama, Bill Gates, and Jeff Bezos. They tweeted a similar message from each of the hacked accounts, urging followers to send Bitcoin to a specific address. The bait was the promise of doubling the amount in return.
Here’s what was tweeted from Elon Musk’s account: “I’m feeling generous because of COVID-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!”
The response and impact
Twitter acted responsibly and locked the compromised accounts after taking down the fake tweets. The bad actors got away with $121,000 in Bitcoin, which was relatively small considering the high-profile targets. This is because the attack’s true intention was to damage Twitter’s trust and reputation.
The FBI convicted three individuals: 17-year-old Graham Ivan Clark from Florida, the mastermind, and his accomplices, Mason Sheppard from the UK and Nima Fazeli from Florida. Clark was later sentenced to three years in juvenile detention.
The takeaways from the attack
The high-profile scam was no less than a wake-up call for social media platforms, businesses, and users alike. It underscored the importance of training employees to recognize red flags, deploying stronger defense methods, and creating effective and swift incident response plans to mitigate and contain attacks in time.
Social engineering techniques
98% of cyberattacks involve the use of social engineering at some stage. Here are the common conventional and contemporary tactics being used.
1. Baiting
As the name indicates, the baiting technique involves a false promise to pique the victim’s interest, greed, and curiosity. The ‘bait’ usually contains malware or other malicious payloads that compromise the systems and security when activated or plugged in.
Baits can take any form, physical or online. In the case of physical baiting, the bait is placed where the target is most likely to see it: for example, in the parking lot, lobby, washroom, or cafeteria. These are usually labeled with something intriguing like ‘Confidential’ or ‘Appraisal 2024.’ For online baiting, attackers hide the bait in free-to-download movies, software, games, etc.
Once the bait is engaged, malware is installed, or the victim is directed to a malicious website, leading to data theft, system compromise, or further infiltration into the network.
2. Scareware
Scareware bombards targets with fake alerts and threats, convincing them to believe their systems are infected with malware. This deception prompts users to install software that is either useless or malicious. Scareware is also known as deception software, rogue scanner software, or fraudware. It’s often spread through spam emails that issue false warnings or offer worthless or harmful services for purchase.
3. Pretexting
In pretexting, threat actors obtain information through several lies they craft creatively and cleverly. The attacker begins by gaining the victim’s trust, pretending to be a co-worker, police officer, bank official, or someone else with authority. They then ask questions that seem necessary to confirm the victim’s identity, but in reality, they are collecting important personal information.
4. Quid pro quo
Quid pro quo is a Latin term that can be loosely translated as ‘this for that’ or ‘something for something.’ In quid pro quo, the cybercriminal offers something valuable or helpful in exchange for information or access to a system. For example, they can pretend to be an IT support person helping you troubleshoot a system or program, but in return, they ask you for login credentials or other sensitive information. You may think you are getting help, but in reality, you are giving away valuable data or access to the attacker.
5. Deepfake technology
Deepfake technology, powered by AI, has been used to create realistic fake audio and video that can be used in social engineering attacks. For instance, in 2019, a deepfake audio attack was reported in which cybercriminals used AI to mimic the voice of a company’s CEO, convincing an employee to transfer $243,000 to a fraudulent account.
Be wary, vigilant, and defensive
Be wary of offers and deals that sound too good to be true, because there is a good chance they actually are. Think and question yourself before accepting something as fact. Moreover, don’t shrug off the power of multi-factor authentication, as it ensures an unauthorized entity doesn’t get access to your account even after getting their hands on the password.
When it comes to email security, be vigilant by implementing DMARC, SPF, and DKIM. These protocols let receiving mail servers verify that a message really comes from the domain it claims to come from, which helps protect against social engineering attacks like phishing and spoofing.
Turn on automatic updates or regularly download the latest version of software you use; don’t brush off the notifications asking you to update them. Since social engineering manipulates human psychology, you and your employees are the most vulnerable asset. So, educate them on the latest social engineering tactics so they know what to be wary of.