Social Engineering?: Written By a Mentalist in Singapore (who was an Information Security Scholar)
Mentalists detect lies, use psychological influence and use other information-gathering techniques to work out what is on your mind. They do it for your entertainment, to create the illusion of mind reading. No harm there, right?
Today, however, I want to talk about a group of people who use similar techniques, BUT they are the bad guys. In the world of information security, the term ‘social engineering’ refers to techniques used on people to get them to divulge information, usually about themselves, the company they work for, or even customer information. These attackers typically combine psychological manipulation, the exploitation of human weaknesses (helpfulness, fear, deference to authority) and various information-gathering techniques.
In social engineering, the attacker contacts the victim and tries to get information. For example, the attacker can pretend to be from DBS and call you about a problem with your credit card. He then asks you to “verify” your PIN, or the security code printed on the back of your card, which a real bank will never ask you to read out. This is of course a very simplified case. Attackers go to great lengths to make everything look legitimate. Another common scam is when you receive an email or message asking you to click on a link. You land on a page that looks completely legitimate. But if you look closely at the top of your browser, you might see a URL like “https://www.faacebook.io”. If it’s not obvious, Facebook is spelt wrongly, and the real site ends with .com. So this is a fake website, where the attacker lures you in to key in your username and password. Note that the padlock and the “https” at the start only tell you the connection is encrypted; they say nothing about who owns the site, and the attacker can get a certificate for faacebook.io just as easily as anyone else.
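The “check the URL” advice above can be automated. The following is an added example, not code from the original post: it parses a URL, compares the hostname against a constructed allowlist of real domains (the set `KNOWN_GOOD`, the helpers `host_of`, `levenshtein` and `classify_url`, and the sample URLs are all assumptions made for this example), and flags lookalikes such as a misspelt brand (faacebook), a swapped top-level domain (facebook.io), a brand name buried inside a longer hostname (facebook.com.verify-account.io) or a hyphenated variant (dbs-secure.com). It generalises beyond the single faacebook.io case in the text.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the real domains the user expects
# to log in to. A production check would use a maintained list plus a
# public-suffix library to find the registrable domain reliably.
KNOWN_GOOD = {"facebook.com", "dbs.com.sg"}


def host_of(url):
    """Extract the lowercased hostname from a URL (scheme optional)."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url, known_good=KNOWN_GOOD):
    """Return 'known-good', 'lookalike', 'unknown' or 'invalid' for a URL."""
    host = host_of(url)
    if not host:
        return "invalid"
    # A legitimate site is the known domain itself or a subdomain of it.
    # Anything that merely *contains* the domain (facebook.com.evil.io) fails this.
    for good in known_good:
        if host == good or host.endswith("." + good):
            return "known-good"
    labels = host.split(".")
    for good in known_good:
        brand = good.split(".")[0]          # "facebook", "dbs"
        # Tolerate roughly one typo per four characters of brand name:
        # 2 for "facebook", 1 for "dbs", so short brands do not over-match.
        tolerance = max(1, len(brand) // 4)
        for label in labels:
            if (label == brand                                  # facebook.io, facebook.com.evil.io
                    or brand in label.split("-")                # dbs-secure.com
                    or levenshtein(label, brand) <= tolerance):  # faacebook, faceb00k
                return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs for the demonstration.
    for u in ["https://www.facebook.com/login", "https://www.faacebook.io",
              "https://facebook.com.verify-account.io/", "https://dbs-secure.com",
              "https://faceb00k.com", "https://example.org"]:
        print(f"{u:45} {classify_url(u)}")
```

The important check is the first one: a hostname is only trusted if it is exactly the known domain or ends with “.” plus that domain. Everything else is either a lookalike (brand name present or nearly present, but not under the real domain) or simply unknown, and an unknown site is not a place to type a password either.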
To make things worse, there is reverse social engineering. In social engineering, the attacker contacts the victim. In reverse social engineering, the victim is the one who contacts the attacker for help instead. Here’s an example. First, the attacker sabotages a system to cause an error (for instance by planting malware). This causes the user to seek help. Second, the attacker advertises herself. For example, she might have handed out a fake business card weeks beforehand, or even placed a “support” phone number inside the error message itself. Lastly, the attacker waits for the victim to call and then assists the victim, while also extracting more information.
The reason reverse social engineering is so powerful is that the victim is not suspicious of the attacker. When a victim initiates contact, it is because the victim already believes the attacker has a certain identity, and often believes the attacker is in a good position to provide assistance. For example, if someone calls a victim out of the blue and asks for the victim’s login details, this would seem suspicious to most people, and they would check the caller’s identity. If instead the victim is looking for help and finds a helpdesk number to call, the victim is less suspicious and more willing to share information. Hardly anyone calls a helpdesk and then tries to verify the identity of the person who answers. Hence, trust is established the moment the attacker manages to get the victim to initiate contact.
It is really difficult to protect yourself. So always check the URL of websites, verify the identity of people, avoid divulging information over the phone or email, only go to reliable sources and follow the best practices set out by your company. In particular, do not trust a contact number just because it appears in an error message, an email or a card someone handed you: look it up yourself on the organisation’s official website and call that number instead. There’s plenty more advice online on how to protect yourself, so do check it out!
-Written by Frederick, a mentalist in Singapore.