Extremely Easy Security — Learn Social Engineering in Plain English (1.1 Part 3)
--
I realized something the other day. If I ever become famous, which I likely won’t, it’s inevitable someone will hack me. It doesn’t unnerve me, though, knowing that they’ll be successful. When it all comes down to it, I know they won’t find anything.
I don’t mean that they won’t find out where I live. With enough effort, you can find out where almost anyone lives. Just wait for them to leak their IP address by accident, and boom, you’re done. What I’m talking about is what would happen when they actually pulled up to my front yard.
“Why is their entire house covered in tinfoil?” one of the hackers would ask, squinting his eyes at the excessive amount layered upon my walls and roof tiles. “And why is it in the trees?”
Then, assuming I have at least a three-story at that point, because I’m rich, they’d open up the car door and place their feet onto my gravel roundabout that’s shaped like an o-ring. They’d notice that my mowed grass, growing up from the ring about three meters in front of their headlights, had an enormous, green plastic statue of an alien on it, surrounded by electric tiki torches.
“And what the hell is that?” they would whisper.
It’d get even better when they walked up to my driveway. My walkway lights would be green strobe lights that never stopped flashing. There’d be little UFO ornaments hanging everywhere, and a big mural of one painted on my garage door with a metal sign that said, “Daily Abductions — see schedule.”
At that point, if they still really wanted to go inside, they’d find out quickly that I owned nothing valuable. There’d be a bowl that said “free hats” with some tinfoil helmets in it, but that’d be it for what was on the porch. Inside there’d be a lot of furniture, but it would all be made of cardboard and in every drawer there’d just be packing peanuts.
If they got past the front door, a floodlight would turn on and brighten their faces.
“Probe their minds!” a high-pitched voice would say.
Today is the end of the first section of “Threats, Attacks, and Vulnerabilities” on the CompTIA Security+ exam. It’s also the last part of the social engineering section. Last time we left off at Watering Hole attacks and came to the conclusion that most grandfathers are invulnerable to them, because they primarily only visit newspapers.
Today we will begin with “Typosquatting,” which is a word that sounds horrible, and then finish the types of social engineering section to move on to the ways and reasons that social engineering actually works.
Typosquatting
This is, in a way, related to prepending, because it takes advantage of people spelling website names wrong. The attacker registers a domain that is a common misspelling of a real one (a dropped letter, two letters swapped, a neighbouring key on the keyboard, a lookalike character like a “1” for an “l,” or the right name with the wrong ending, like .net instead of .com), puts bad stuff on it, and waits for people to mistype the real address. The only difference is that prepending specifically refers to tacking characters onto the front of a name or message (hence, the name prepending), but typosquatting is just expecting people to spell it wrong in whatever way they spell it wrong.
So, then why not call all of it typosquatting?
Honestly, I have no idea.
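To make the typosquatting idea concrete, here is a small added example (not from the original post or the Security+ material) that does what a defender actually does with it: it generates the misspellings an attacker would most likely register for a brand domain, and then checks hostnames from a DNS log against them. The brand list, the keyboard-neighbour map, the lookalike-character table and the log lines are all constructed for the demo, and the code assumes every domain ends in a single-label suffix like .com or .net (a real tool would use the Public Suffix List).

```python
"""Typosquat detector: enumerate likely misspellings of a brand domain and
flag hostnames that match one. Added example; all data below is constructed."""

# Keys next to each letter on a QWERTY keyboard (constructed, letters only).
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

# Characters that look like another character in many fonts (constructed).
HOMOGLYPHS = {"o": ("0",), "l": ("1",), "i": ("1",), "m": ("rn",), "w": ("vv",)}


def typo_variants(label: str) -> dict:
    """Map each plausible misspelling of a registrable label ('paypal') to the
    technique that produces it. The real label itself is never included."""
    out = {}

    def add(variant, technique):
        if variant and variant != label and variant not in out:
            out[variant] = technique

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")                # payal
        add(label[:i] + ch + label[i:], "repetition")              # payypal
        if i + 1 < len(label):
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")  # pyapal
        for key in QWERTY_NEIGHBOURS.get(ch, ""):
            add(label[:i] + key + label[i + 1:], "adjacent-key")   # paypsl
        for glyph in HOMOGLYPHS.get(ch, ()):
            add(label[:i] + glyph + label[i + 1:], "homoglyph")    # paypa1
    return out


def split_host(hostname: str):
    """Return (registrable label, suffix): 'www.paypa1.com' -> ('paypa1', 'com').
    Assumption: a one-label public suffix; not true for e.g. co.uk."""
    parts = hostname.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify(hostname: str, brands):
    """Return (brand, technique) if hostname looks like a typosquat of one of
    the legitimate brand domains, or None if it is the real site or unrelated."""
    label, suffix = split_host(hostname)
    parsed = [(brand, *split_host(brand)) for brand in brands]
    # The genuine domain is never a squat, whatever other brands it resembles.
    if any(label == b_label and suffix == b_suffix for _, b_label, b_suffix in parsed):
        return None
    for brand, b_label, b_suffix in parsed:
        if label == b_label:                       # right name, wrong ending
            return brand, "wrong-tld"
        technique = typo_variants(b_label).get(label)
        if technique:
            return brand, technique
    return None


def scan_log(lines, brands):
    """Run classify() over 'query=<host>' DNS log lines; return the suspicious ones."""
    hits = []
    for line in lines:
        host = line.rsplit("query=", 1)[-1].strip()
        verdict = classify(host, brands)
        if verdict:
            hits.append((host, *verdict))
    return hits


BRANDS = ["paypal.com", "microsoft.com"]

# Constructed DNS resolver log: one genuine lookup, three squats, one unrelated.
CONSTRUCTED_DNS_LOG = [
    "2024-05-01T09:12:03Z client=10.0.0.21 query=www.paypal.com",
    "2024-05-01T09:12:09Z client=10.0.0.21 query=www.paypa1.com",
    "2024-05-01T09:13:40Z client=10.0.0.35 query=pyapal.com",
    "2024-05-01T09:14:02Z client=10.0.0.35 query=micros0ft.com",
    "2024-05-01T09:15:11Z client=10.0.0.40 query=example.org",
]

if __name__ == "__main__":
    for host, brand, technique in scan_log(CONSTRUCTED_DNS_LOG, BRANDS):
        print(f"{host:20} looks like {brand} ({technique})")
```

The same variant list is what a company would feed to a domain-monitoring or pre-emptive registration process; the detector side is the cheap part, and the caveat is that it only catches single-edit typos of brands you listed, so a squat like paypal.com.evil.net or a two-letter mistake slips past it.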
Pretexting
Also not to be confused with prepending. This is just lying about your situation to make yourself seem more believable. You might say to someone in a text message, “Hi, I’m from the IT department, and I need you to reset your password because you’re currently locked out of your account. What was that code you just got?”
Lie 1: “I’m from the IT department.” This is the pretext that makes you sound legitimate.
Lies 2 and 3: “You’re currently locked out” and “What was that code you just got?” These aren’t the pretext; they’re the ask that the pretext props up. If you had just texted them like, “Hi, I need you to reset your password,” they would have been like “Yeah, and who the hell are you?”
Pretexts don’t always have to be said, either. If you wear the same uniform as everyone else to a place you don’t even work at, people will likely assume you do work there. They might even let you in through the door that says employees only. That’s a nonverbal pretext.
Influence Campaigns
If you read the news online a lot, you might, unfortunately, have fallen victim to one of these. Especially if most of your news comes from social media. You might believe some stuff that’s been shown to you without you even knowing it was placed in front of your eyes by a foreign government, or by people — sometimes good, sometimes bad — who are trying hard to sway your opinion.
With influence campaigns, the goal is to change the opinions of a lot of people at once. That way, some kind of political, social, or military outcome can be achieved. Examples might include establishing distrust in a local government, making people vote yes on a certain law, or causing everyone to start eating veggie burgers.
When the military does this, they sometimes call it “hybrid warfare.” Hybrid warfare in general just means a mixture of traditional military tactics with an unconventional, or unusual, selection of others. In the context of information security, it usually means that the military is not only using physical warfare methods (guns, tanks, and soldiers), but they’re using an influence campaign at the same time to gain a strategic advantage.
So watch out for those campaigns. Always fact check articles that you see online, and if you watch the news like me, lose your voice every morning by screaming into your pillow each time you hear something untrue.
Alright, now we’ve finished covering the types of social engineering attacks. We will now move on to the reasons why social engineering works.
Authority
People will often do something they don’t want to do, or that they find unusual, because an authority figure asked them to do it. Social engineers use this to their advantage. An example might be receiving a phone call that you assume is from the police department, and then giving them sensitive information about your identity.
Intimidation
One of the first phrases that my significant other taught me in her native language was about how to rob banks. It was, “Give me all your money.” The way she said it was accompanied by her holding an invisible bag while holding up a finger gun, which I mimicked. For a while, it was the only phrase I remembered.
“How are you?” she’d ask me.
“Give me all your money,” I said, holding up my finger gun.
“Do you want to go to the store?”
“Yes. Give me all your money.”
The intimidation isn’t usually directed at you physically, though, like it is in movies. It’s typically directed at your assets or your job.
Example: “If you don’t hack into your boss’s computer right now, we’ll post all those photos of you wearing that ugly Christmas sweater.”
Consensus
When a large number of people agree on something, you’re more likely to agree with them, too. A common example is a seller paying people to leave fake reviews on the listing for a product they want to sell.
You might read online about a computer program that’s supposed to get you free copies of every Shrek movie from 2001–2010. You’re concerned it might be malware, though, but then you see in the corner of the website that it’s got five out of five stars.
“How could this possibly go wrong?” you ask yourself.
Then you download it, and you get your Shrek movies. You rejoice! But you realize that your mouse is suddenly moving around on its own.
That’s, uh, not good.
Scarcity
One of the best examples of scarcity as a social engineering technique is those posts that are like, “We are giving away only 100 iPhones on <insert date here>!” Usually, they’re accompanied by a link that goes somewhere sketchy.
I hate these. Not only are they spammy and annoying, but they take advantage of people who don’t have a lot of internet awareness. They also use scarcity to make people feel pressured into clicking, making people feel worried that the number of iPhones will run out before they get their chance.
Familiarity
If you like someone, there’s a chance you’re less likely to suspect them of doing something bad. A few days after a new, charming intern starts working in your office, you notice they’ve been walking in and out of the IT department when no one is in there. You find that kind of unusual. You ask, and they laugh it off. They say it’s only because they were looking for their water bottle, but something about that reason seems untrue. You choose to believe them, though, because you like them.
Social engineers are great actors. They know how to be charming because, unfortunately, criminals are some of the most charming people out there.
Trust
You go to a car repair shop, and the repairman, George, finds a problem with your tires and fixes them for a low price. You know George is reliable, so you come back to see him a second time. The second time, he fixes your tires again, but then pretends to find a problem with your brakes that isn’t really there. George charges you an extra $1,000 for a replacement you don’t need.
You don’t know enough about cars to understand what he’s talking about. Since George established trust with you last time, you just let him take care of the “problem.”
Urgency
Urgency goes hand-in-hand with a lot of other reasons why social engineering works. When you pressure someone, they’re more likely to act quickly and irrationally.
Example: “We’ve just encrypted all the files on your computer. If you don’t pay up, we’ll delete them all in an hour.”
Congrats! You’ve just finished the social engineering section.