Social engineering is a phenomenon of recent development. Over the last two decades we have seen the introduction of PCs (personal computers) and the release of the WWW (World Wide Web). These new technologies enhanced the way we conduct business and pleasure, but they have also had detrimental effects. Because we can now do our banking and shopping on the internet, that information can also be stolen from us. One article defines social engineering as the process by which a hacker deceives others into disclosing valuable data that will benefit the hacker in some way (The Social Engineering of Internet Fraud, n.d.). Ian Mann (2008), author of Hacking the Human, defines social engineering as follows: to manipulate people by deception into giving out information or performing an action (Which Disney Princess Are You?, n.d.).
Phishing is a broad category of online schemes that involve the theft of information. Phishing has been broadly defined as soliciting information via e-mail or luring individuals to fake websites (Computer Forensics and Cybercrime, 2009). Within this large category of phishing are many examples: e-mail scams, spoofing, spyware/adware, chat room scams, etc.
E-mail scams are nothing new; we have seen them grow more and more through the years, and most e-mail servers come with their own spam folders to help sort through the mess we receive. The most common types of phishing e-mails usually pertain to banking accounts. These e-mails will ask for login information such as a username or password. When I was eleven years old I fell prey to this scam myself. I received an e-mail from what I believed to be America Online (AOL). In the e-mail they asked me to please update my username and password due to some errors they were having. I followed the link provided in the e-mail, supplied my username and password, and in the process changed my password as the e-mail had asked. I immediately told my mother what I had done, and I was shocked when she began getting very upset. She had me immediately get on AOL and change my password via their service providers, and then we conducted further research on my e-mail. Apparently, AOL and other service providers will never ask you for your username or password. All e-mails coming from AOL will have a different look to the whole screen so as to be sure of the difference and authenticity. Lastly, the link within the e-mail did not even go to www.aol.com, but to a different URL (Uniform Resource Locator) entirely! I learned my lesson about phishing e-mail scams at an early age. (Sarah M.)
Creating passwords that are too easy is a hazard. I have been victim to having an account hacked into merely by someone guessing my password and then changing it to lock me out. You must create a password that is unrelated to you entirely.
Spoofing is when a website pretends to be another website. This is what happened to me with AOL: the website pretended to be AOL, only it was not. Spoofing must be watched for carefully; when logging onto a bank account or any other account that contains private and/or financial information, one must be highly aware of the URL at the top of the page and of the overall authenticity of the website.
Spyware and adware come bundled in seemingly harmless programs every day. When I downloaded AIM (AOL Instant Messenger) many years ago, it came bundled with Tangent, a piece of spyware. Spyware is software on your computer that can monitor the pages you browse, in essence spying on you, and can sometimes actually alter things in your browser. Adware is similar to spyware, and in addition can cause hundreds of pop-ups to proliferate across your screen; I have also been a victim of this. In the end the combination of adware and spyware caused my entire hard drive to shut down, and my computer had to be wiped clean.
Chat rooms, as we all know, can lead to a certain amount of trouble: from relationships that turn out to involve rapists or killers, to robbers, or now, the threat of phishing. It may seem like an innocent request, or maybe even a chance at a relationship, but you never want to give out your information over a public chat room on the internet. Your information may be unwittingly phished from you as you sit there as well.
Physical social engineering scams include in-person persuasion, dumpster diving, and shoulder surfing. It may seem that physical, person-to-person contact would make the threats posed by social engineering obvious. Instead, it can enhance the chances and likelihood of success. After all, are we more likely to turn down a person over the internet whom we cannot see or hear, or the person standing right in front of us? It is always easier to hang up on a telemarketer than it is to shut the door on a Girl Scout selling cookies. We must remember the manipulating factors supporting social engineering: convincing someone to do something is all that need be done for success.
Physical theft is always a problem. I recently received a letter in the mail from ECMC, a guarantor of federal student loans, informing me that my information, such as social security number, bank loan accounts, home address, name, and telephone number, had been stolen during the theft of multiple hard drives from their facility. I was not alone; I was among over three million to be compromised, but it goes to show how simply information can be stolen when it is not properly protected.
Most people do not realize the necessity of having a strong password and keeping that password protected. Some willingly share their personal data and password with their coworkers without a thought. Shoulder-surfing is quite easy and the name is self-explanatory: it involves one individual literally viewing the computer screen over another individual’s shoulder. The person can then watch what is typed onto the screen and effectively steal a password. Many programs mask a password as it is typed so that a person viewing the screen cannot read it; however, it is as simple as watching the person’s fingers on the keyboard instead of viewing the computer screen. Shoulder-surfing should be watched for more closely in an attempt to keep it at bay.
In-person persuasion is the use of one’s social skills to convince another to perform some action. It is the art of manipulation embodied. Persuasion is as simple as asking a person for their boss’s name, address, or telephone number, or asking the person for their own information. It may even be as straightforward as asking them for their username or password. You may think this is quite illogical and obvious, but to some it is not! This is where social engineering comes into play. The social requirements and vulnerabilities that each human psychologically experiences help develop the mental precept that we must help individuals who are in need. It is almost inherent in most of us, though some of us lack the niceties and inner convictions to be such a Good Samaritan. It may even seem that this is a harmless gathering of information: so what if they know your boss’s name? However, this type of theft can incur other types of damage. A person can now pick up the telephone, dial into the office claiming to be the boss, and mention some important piece of information; now their identity is verified and whatever they want is at their fingertips!
Dumpster diving is an age-old crime, but with technology it can be both physical and virtual. Getting into someone’s virtual trash can is easy for most experienced hackers, who then copy data as they see fit. Many company files, specs, blueprints, and employee information can be found in these data banks. They can also be found in real physical dumpsters or trash cans.
Telephonic social engineering has not died off, as some may think it has. As I have mentioned in previous paragraphs, using a false identity on the phone is one of the main ways to get the information or data that one is seeking. Other forms include telemarketing fraud, promising someone something for money and then not following through once payment is received, or assuming an air of authority and authorizing things that should not be done. Telephone scams are usually targeted against those who are unsure that such crimes exist. The elderly are a general target for these criminals, as they are not well educated in technological scams and crimes.
Website scams, which are a form of phishing, have a plethora of attack methods. Auction fraud, quiz fraud, stock fraud, and cookie snatchers and/or keyloggers are a few examples. Trojans have run rampant through the years as well.
In one article I read how personality quizzes and the like, some of which are applications on the popular social networking site Facebook (www.facebook.com), have led to phishing! Information gleaned through these quizzes can be compiled and correlated to reveal your private information!
Stock fraud can occur when one is schemed into thinking a particular stock is selling well via the internet. Many biased or paid writers will create brochures and webpages that promote a certain stock, when in reality this is just social engineering at its most basic manipulation. One must be aware of the social standards in place that increase our tension and anxiety, making us think we need to buy this now. Emotional ploys are what is mainly used in all aspects of social engineering, and thus we must always keep a strong hold on our emotions as we browse the internet.
Cookie snatchers and keyloggers are nearly one and the same. When you browse a webpage or type in passwords on a webpage, your computer/browser has something called cookies which it uses to store this information. The point of cookies is to benefit you, so that when you return to that website it remembers your password for you and you do not have to type it in. However, when you are browsing with a phishing program running, it can follow your browser like spyware and snatch your cookies when you enter a website that has them stored. Keyloggers actually steal your keystrokes as you type them. It is a very dangerous tool, and also a very effective one. Watching which websites you visit is the first and most obvious countermeasure to these attacks.
Lastly, auction fraud is a great example of social engineering. One is promised something via an auction once it is paid for, and then it is never delivered. A real-life example of this happened to my mother. When the new gaming platform from Microsoft, the Xbox 360, was released, it was hard to attain and very expensive. It was released at Christmastime to heighten sales. My mother ordered one off of eBay (www.ebay.com) for $300.00. Within a week an envelope arrived in the mail with a picture of an Xbox 360 in it; this was my mother’s prize for the $300.00 Xbox she had purchased. The transaction had taken place through PayPal (www.paypal.com), and my mother quickly filed a dispute with them. They froze the seller’s account and retrieved my mother’s lost $300.00, thereby creating a happy ending for this story of auction fraud via social engineering. One of the basics of social engineering, as I mentioned, is playing on one’s emotions. When the Xbox 360 first came out it was a must-have, must-get experience. There were limited quantities and they sold out fast. Lines would form outside stores like Wal-mart and Best Buy at 5 AM until all of the platforms were sold out. In this case the auction played to the greatest advantage; not only was it a must-have item, but it was a must-have item for a Christmas gift, which was in a month. This is the greatest key to persuading someone to fall for phishing tactics: persuasion of the emotional state.
The ignorance of individuals is what undoes us all. Not knowing or understanding what social engineering, or more generally scams and phishing, consist of is our true downfall. Education is the first step to counterattacking these schemes.
Education can come in the form of newsletters, websites, e-mails, seminars, training sessions, etc., that promote the awareness we must all transmit if we are to succeed against this new form of hacking. Understanding that you should not even open an e-mail if it does not pertain to you is paramount to being successful. Never try to open e-mail attachments, especially those that end in .exe, if you are unsure of the sender. Even being sure of the sender is sometimes hazardous. An example of this was when a friend of mine e-mailed me an attachment, complaining that it would not open on her computer. Someone had sent it to her and it was supposed to be a forwarded joke of unknown origin. I quickly realized it for what it was, a virus, and she had successfully opened it on her computer; she just did not know it. I quickly told her to run a virus scan in the hope of deleting it before it caused damage.
Knowing not to follow links in e-mails is another countermeasure. As I have personally experienced, it will lead to fraudulent phishing activities if not carefully monitored. Luckily for me none of my personal data was forfeited and I can say I came out unscathed. However, for millions of Americans each year, this is not the case. Personal and financial data is lost by hundreds a week due to the carelessness with which we open e-mails. Learning to block e-mail addresses and harassing IP addresses is a very beneficial lesson for those who come under constant attack.
Having in place telephonic prompts and/or hints will always help you know your real caller. A long-standing rule I have had with my family is that if I am ever in trouble or uncomfortable with a situation, I use the code word purple in a sentence of some sort, alerting them to my duress or awkwardness. It has saved me many times, and things of this nature can be implemented in policies for businesses and clients.
Physical security can help to thwart the physical theft of computer hardware or even dumpster diving. The problem with this is the manipulation and psychology that social engineering relies on. I read in an article that social engineering may not in fact be the actual theft of information, but rather manipulation that can lead to action or theft of information. The example given was of a person using social engineering to bypass a security guard at a facility. The security guard is spoken to and manipulated (not bribed or anything illicit, simply convinced) to let the person enter the facility. Though no act of theft has been committed, and though the guard did not necessarily, in his eyes, break any rules, theft and social engineering have just been facilitated. In this way physical security was thwarted. We must be more aware of who is who and not fall prey to the pretense of authority that another figure may be trying to impose.
Dumpster diving can be avoided through the use of shredders. Most people do not take this simplest of steps to avoid the inevitable. I previously worked as a Loss Prevention Detective for a major retailer, and when any damaged or unsalable merchandise came through, we had to destroy it before throwing it away to thwart dumpster divers. We also shredded voluminous amounts of credit and payroll information before it was carried to the dumpsters. Most people do not realize the necessity and validity of doing this, but it is most certainly a precaution that should never be shirked.
Overall there are many methods that can be utilized and implemented to stop social engineering, and many are of the most basic kind. Innocence in these situations is not always bliss; we must be aware if we hope to stop it. Below I have included an actual phishing e-mail from JP Morgan Chase Bank’s website. Their website explains that they would never send an e-mail like this and that you should never follow a link in, or reply to, an e-mail like this one:
From: Chase Online
Sent: Friday, November 28, 2010 10:14 AM
Subject: WaMu & Chase. Safe & Secure – Message id XLKLTRZBGW
WaMu customers: we’re proud to welcome you to one of the nation’s largest banks; as of September 25, 2008, all WaMu customer deposits are now deposits of JP Morgan Chase, one of the most stable banks in America.
What will change;
Some aspects of the ONLINE SERVICES: Chase Online and WaMu Online
DEADLINE: December, 30, 2010
What you need to do:
Update your information by visiting Chase Online or WaMu Online. Log on to your account and you will be re-directed to the client information update screen.
If you have not signed up for online access, you can enroll easily by clicking “Enroll” at the bottom of the Login page.
Please do not reply to this message. For questions, please call Customer Service. We are available 24 hours a day, 7 days a week.
Chief Marketing Officer
This site is directed at persons in the United States only. Persons outside the United States may visit International Banking.
Links to third-party sites are provided for your convenience by JP Morgan Chase. JP Morgan Chase neither endorses nor guarantees any offerings of the third-party providers, nor does JP Morgan Chase make any representation or warranty of any kind about the content, use of or inability to use, the third-party sites.
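The Chase/WaMu message above, and the AOL lesson earlier (a link whose text does not match where it actually goes), can be turned into a few automatic checks a mail filter or a cautious reader could run. The Python script below is an added example, not part of the original essay or anything published by Chase; the sender address, the link target chase-update.example.net and the joke.exe attachment in its sample message are constructed for the demonstration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Crude link extractor, enough for the constructed sample; a real filter would use an HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Wording the essay singles out: requests to log on or re-enter details, and artificial deadlines.
CREDENTIAL_RE = re.compile(r"update your information|username|password|log on|verify", re.I)
URGENCY_RE = re.compile(r"deadline|within \d+ (?:hours|days)|immediately|suspended", re.I)

def base_domain(host):
    # Keeps the last two labels only; too crude for suffixes such as co.uk.
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw):
    """Return a list of indicator strings found in one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = base_domain(parseaddr(msg["From"])[1].split("@")[-1])
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    found = []
    for href, label in LINK_RE.findall(text):
        host = urlparse(href).hostname or ""
        if base_domain(host) != sender:
            found.append(f"link to {host} does not match sender domain {sender}")
        label = label.strip()  # anchor text that itself looks like a site name
        if re.fullmatch(r"\S+\.\S+", label):
            shown = urlparse(label if "://" in label else "//" + label).hostname or ""
            if base_domain(shown) != base_domain(host):
                found.append(f"link text '{label}' hides destination {host}")
    if CREDENTIAL_RE.search(text):
        found.append("asks the reader to log on or update account information")
    if URGENCY_RE.search(text):
        found.append("sets a deadline to pressure a quick response")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".exe"):
            found.append(f"executable attachment {name}")
    return found

def build_sample():
    """Constructed message modelled on the Chase/WaMu text; sender, link target and file are made up."""
    msg = EmailMessage()
    msg["From"] = "Chase Online <alerts@chase.com>"
    msg["Subject"] = "WaMu & Chase. Safe & Secure - Message id XLKLTRZBGW"
    msg.set_content(
        '<p>Update your information by visiting <a href="http://chase-update.example.net/login">'
        "www.chase.com</a>. Log on to your account and you will be re-directed to the client "
        "information update screen. DEADLINE: December 30, 2010</p>", subtype="html")
    msg.add_attachment(b"not a real program", maintype="application", subtype="octet-stream", filename="joke.exe")
    return msg.as_string()
```

Running `phishing_indicators(build_sample())` reports all five indicators for the sample, while an ordinary plain-text note with no links or attachments yields an empty list.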
References & Citations:
Britz, M. T. (2009). Computer Forensics and Cyber Crime (2nd ed.). Upper Saddle River, New Jersey: Pearson Prentice Hall.
Brower, J. (n.d.). Which Disney Princess Are You?. Retrieved May 13, 2010, from http://www.sans.org/reading_room/whitepapers/privacy/disney-princess-you_33328
Rusch, J. J. (n.d.). The “Social Engineering” of Internet Fraud. Retrieved May 13, 2010, from http://www.isoc.org/inet99/proceedings/3g/3g_2.htm
Kee, J. (2008). Social Engineering: Manipulating the Source. Retrieved May 13, 2010, from http://www.sans.org/reading_room/whitepapers/engineering/social-engineering-manipulating-source_32914
JP Morgan Chase Phishing E-mail Examples (n.d.). Retrieved May 13, 2010, from https://www.chase.com/index.jsp?pg_name=ccpmapp/privacy_security/fraud/page/fraud_examples