When we design or analyse the security of ICT systems, we must take into account, in addition to the whole range of “digital” security, the fact that one of the elements of each system is its interaction with the person who operates it. Unfortunately, in almost every case it is the weakest security link of the system. Man is, on the one hand, the least predictable and, on the other hand, the most susceptible to the influence of people who want to break the security system and obtain data of interest to them. Attacks on information systems using techniques of influencing users are called sociotechnical attacks and are based on the vulnerabilities not of hardware or software, but on people’s inclination to succumb unknowingly to the influence of people who want to destabilize the operation of the system (and thus the person or organization) or gain access to desired information, such as access data to a bank account, PIN or CVC number of a credit card, detailed personal data, or other information that is necessary for them at a given moment to perform the “mission” of a hacker (e.g. cleaning our account, taking out credits in our name, etc. ). Attacks can be directed not at a specific person, but at the whole company or organization, where the attacker’s aim is to penetrate deep into it, to get to know its structure and vulnerability, and finally to harm it or obtain the desired information.
Throughout the text, statements such as “for example”, “among others” or “etc.”. often appear. This is due to the fact that this text discusses only a small part of the possibilities and techniques of carrying out a sociotechnical attack. Hackers adapt the attack to the victim and the situation, often mixing techniques of social impact and wrapping them in an additional “smokescreen” environment. The above information and examples should be treated only as an indication for further consideration of the course of a potential attack.
When building our defence against such attacks, we should first of all learn and, what is the most important (and at the same time the most difficult), learn a few basic techniques of influencing the behaviour of another person, so that when we are attacked, we can see this fact and manage to defend ourselves against it. The biggest problem, however, is that these techniques must be so deeply imbued, that even during an attack in a moment of sudden stress caused deliberately, in order to confuse us – to notice that we are under attack and we should start defending ourselves. Unfortunately, the lack of information when we are attacked, the use of our weaknesses (perhaps obtained from earlier sociotechnical attacks), the multitude of types of attacks and, above all, the clever hiding of them in interaction with us causes that even outstanding specialists in social psychology once in a while can be caught on the attacker’s bait. However, knowledge of the tools of social impact is the basis for an attempt to defend oneself against an attacker. Just as many martial arts schools teach tricks that can be used to inflict harm on an opponent, but at the same time they teach the principle that the techniques taught should be used only for defence, so too do specialists in social impact who want to make a person immune to sociotechnical attacks, teach methods of influencing another person, while observing that the techniques learned should be used only for defence purposes. The same applies in the case of cyber security trainers and methods of defence against typical IT attacks.
Preparation and execution of the attack
In order to prepare adequately for an attack, priority is given to the search for information that is available without the need to interact with a person or with the employees of an organisation, which is to be the target of a social engineering attack. In this case, so-called footprinting is carried out, i.e. preliminary recognition of the target. The element of this recognition may be, among others, “dumpster diving”, i.e. searching for abandoned information which will help us to profile social and technical attacks accordingly. An attack on a private individual may therefore be preceded by a review of his or her social media accounts. In case of attacks on a company, information about its structure, e-mail addresses, names and positions, telephone numbers or even worn out elements of IT equipment, which may contain useful data for the attacker, are searched for.
In order for a social engineering attack to be more likely to succeed, the target is in most cases first “robbed” in order to make it easier to manipulate. This type of action includes two completely different behaviours – introducing the victim into a state of full trust and comfort or into a state of strong stress. The first of these behaviours is characterized by actions aimed at dulling the victim’s vigilance, introducing them to a mood in which they feel good and safe, in order to launch an attack at a moment when they least expect or may not even notice it. In the latter behaviour, the attacker introduces chaos in the victim’s environment so that the victim feels threatened or confused by the multitude of information and thus acts as automatically as possible. This is related to one of the basic principles of the human psyche, which refers to the evolution of the human species and the development of the human brain. From an evolutionary point of view, the oldest part of our central nervous centre is the brainstem. It is responsible for the automatic operation of our bodies, which seems quite sensible given that our ancestors had to worry about how to hunt or escape animals, and contemplating the beauty of the landscape around us and thinking creatively came a little later, when basic needs such as food and safety were already assured. What is the connection with sociotechnical attacks? Well, in the moment of sudden stress, our brain switches to basic control, it returns to primitive behaviours in order to protect us first of all. Information processing takes place mainly in the brainstem, which results in very high automation of behaviour. And this is where a very good learning of social impact techniques comes in. The more we have assimilated them, the greater is the chance that our brain will take them into account when there is an urgent need to act quickly. We must develop a conditional reflex (like Pavlov’s dogs reacting to a bell for dinner) and introduce appropriate defensive mechanisms into the “core” of our command system.
Holidays not only on holidays
One of the easiest ways to attack with the use of social engineering (although one could argue whether its use here is large enough to categorize this type of attack as social engineering) is to give the victim a gift in the form of e.g. a crafted pen drive containing malicious software that will steal our data. It can be a gift in exchange for completing a survey (a fictitious one, of course, used only to gain grounds for giving us a gift) or a gift from a potential business partner towards future cooperation. Almost every one of us likes to be given a gift, so after receiving such a gift we rarely suspect a person who was nice to us (she gave us a gift, so there are certainly no bad intentions towards us) of trying to rob us. An example of a pendrive may be an extended key logger, which will intercept and send information to the attacker, e.g. about which bank we are using, what login and password we have. In combination with taking control over our phone or SIM card, the hacker can clear our account in peace of mind. There are lively discussions on whether it is possible to fully protect oneself against money theft from the account using intercepted bank account access data and a duplicate SIM card or hacked mobile phone, so at the moment we will limit ourselves to the most basic and “coarse” methods of immunization against this type of attacks. Fortunately (?) in our country we often hear signs of suspicion (“Aha, she gave me something, so she certainly wants something!”), which can save us from thoughtless taking gifts and using them at home or at work. At one time there was a lot of publicity about Chinese companies giving their Western contractors pendrives, on which the software described above was located. In this case, however, it was not a matter of robbing a bank account, but of acquiring information of strategic importance for the business. The gift may also be intangible – it may be a vision of winning a big prize, sent by e-mail together with a link to a page where malware will be located.
People like us
The aforementioned way of dulling the victim’s vigilance through a gift may also take the form of a conversation conducted in such a way that the attacked person feels bond with the attacker and thus gets rid of any resistance to revealing confidential data to him or even giving it willingly “on a tray”, it’s based on the psychological principle of sympathy. The more a person is similar to us, bears a similar name, dresses in a similar way, has similar political views, etc. , the more we are willing to consider him or her as a trustworthy person and automatically treat him or her better. The result of this automatic assignment is that there is no or a significant reduction in pre-disclosure inhibitions. We may think that we are immune to this type of approach. The vast majority of socio-technical hackers are people that are aware of such automatic behaviour and only a small inattention on our part is enough to carry out an effective attack. The attacker can have a long conversation with us, telling us about the things that unite us, pretending to be a person going in the same direction or suffering from the same cause. He or she can also use some of the information he or she has previously obtained from us or about us to create the impression of having a common enemy, or pretend to know someone of our friends in order to creep into the circle of his or her closest relatives, i.e. trustworthy people. For this purpose, the attacker may use the information we disclose during the conversation by attaching our words (“Yes, I have known him/her for years!”) or by using data from previous reconnaissance, e.g. by visiting our profile on a social networking site.
Nowadays a lot of people willingly share information about whom they know, with whom they met and what they ate, where they spent their holidays, etc. on the Internet. All this makes it easier to attack a specific person (spear-phishing) can be used to increase our susceptibility to attack.
Besides, not only people try to make us feel as if we know them, and thus – safe. Websites try to look like the familiar bank, mail and Facebook login screens. A person who sees his well-known colours and layout will not think that he is being attacked and will give his access data to the hacker. And if the hacker hits a person less familiar with IT security or banking procedures, there is a chance that the victim will also be able to obtain confirmation codes for transfers or other information, which can later be used to steal money from the account. Therefore, banks increasingly inform that they never require their customers to provide additional data during the login process or in e-mail correspondence.
Favour for a favour
Another way to prepare the victim for the disclosure of information or the fulfilment of an attacker’s request is to use the principle of reciprocity. This simple mechanism tells us to pay back for the service we have done, whether we needed it or not. A social engineering hacker will therefore try to create a situation where we feel obliged to do him a favour. If the hacker penetrates the company, he can, for example, help the victim collect scattered documents by accident (creating an accidental deduction himself) or help to use a fax or printer. Once the help has been provided, it is time to go back and here you will be asked to disclose information or, for example, to let the victim into a closed part of the company, to which the victim has access, penetrate even deeper and get additional information. The attacker may also ask for a favour that is unlikely to be done, and when we refuse to do so, ask for a much smaller and simpler favour. When a victim refuses to help the first time, she or he will feel the responsibility to correct the situation and will have more motivation to fulfil the second request.
Save my world
Another way to persuade a potential victim to comply with an attacker’s request is to make them believe that what they are doing is valuable and necessary. To put it simply, it is to create a sense of being a superhero, a saviour of others. Contrary to appearances, only older people are not exposed to attacks on the “granddaughter” at all. In the case of a cyber-attack, we only replace a relative’s accident with a system failure, a policeman with a network administrator, and the money for login data – the mechanism of the offender’s action is exactly the same. This technique is often used in combination with the impression of haste and disorientation of the target person. This can be used both in a telephone conversation (“There has been a server failure, we ask for the server room access code, we need to fix the failure quickly.“), e-mail correspondence (“Here the administrator, we detected an attack on your computer, please provide your login and password to your computer/mail so that we can verify the perpetrator. Please do not disseminate this information in order not to frighten the burglar”), as well as in direct interaction. These requests are often irrational if you think about them for a longer time, but the fact of performing operations in a hurry and the awareness that the recovery of company data depends on our action, for example, prompts us to follow the path indicated by the attacker. We do not hastily verify whether the site we are logging on is not a hacker-supported site or whether the person calling us is really who you are claiming to be, and the additional statement that you are not disseminating information will on the one hand provide the attacker with time for further action, and on the other hand will make us see ourselves as an important element of an important rescue mission.
It may also happen that the attacker will call us with information about our holiday, where we should be staying. When we answer that we are not on holiday, the attacker manages to be surprised and embarrassed that a mistake has crept into the system. At this point, he creates a situation in which we can turn out to be a salvation for him, if we give him a few data to correct the problem (“And when are you going on holiday? Or maybe someone from your department is on holiday today? What login do you have in the system?”).
Is there a doctor in the room?
The rule of authority is also very often used to create a sense of security in an attacked person. The attacker pretends to be someone we do not suspect, because the person has a uniform or other attributes of one of the typical and familiar professions. A hacker takes the form of a doctor, a policeman, a firefighter (i.e. a person whose clothing is a proof of their profession) or an IT technician (whose work clothes are not obligatory, but may, for example, be recognizable by the company’s T-shirt of the company servicing the equipment, identifier and tools). Research has shown that even a police uniform or a medical kit does not have to be a “disguise” – it is enough to wear working clothes of a waste disposal company, so that nobody even asks about the legitimacy of the “disguise” order. In a huge number of events such people had no problem with penetrating a given institution and persuading people to perform the actions desired by the attacker. What’s more, they were even overly trusted and harvested more than they expected.
However, even without appropriate business clothing, it is possible to penetrate into the interior of a company or other organisation. In some cases it was enough to enter the so-called “brazen” – as long as you look as if you know what you are doing, you certainly do it. In this context, the “by the way” entry technique may also be used. (tailgating) when an attacker takes advantage of the fact that someone who has access to a particular building/area enters it and enters it along with it, as if nothing ever happened.
Of course, it is not only people who can be a false authority. If we receive an e-mail with an attachment, we would be more willing to open it, if the content of the e-mail contains the rule “Attachments scanned successfully by antivirus software X”.
Another mechanism of human influence is the rule of social proof of rightness. People tend to do things just because others do. Such behaviour can be used by a hacker to access information if he convinces the victim, for example by e-mail, that he is the last person who has not yet provided his access data to the company mail to a (fictitious, of course) administrator who required it. There may not even have been a request before, but knowing that others have already done so, at least for a moment, makes the attacked person track down and perhaps allows the hacker to extract the data he is interested in. The attacker can also develop a conviction in the attacker that he should do something by sending him a copy of forged correspondence which shows that several people have already spoken on a particular issue and have done a specific action. The victim of the attack gets a message only at a certain stage and, seeing the actions of others, also tries to follow the group.
You said A, you said B…
The Rule of Consequence is another tool that is used in attacks with the use of social engineering. Our commitment and consistency mean that we do not withdraw from the opinions that we have just presented. One of the specific techniques within this rule is the so-called “foot at the door”. It says that after agreeing to the first, small request, we are more willing to fulfil the second, bigger and even unrelated to the first one.
People also tend to follow the beaten and known routes, so if, for example, at the turn of the month, large amounts of invoices appear in the mailbox, it is much more likely that the employee will not verify the attachment, but will open it immediately. The attachment will of course be infected by a hacker pretending to be a business partner and at best it will end with a warning in antivirus software, and at worst with encryption of the entire disk (or even worse, with a disk with backups connected at the moment) and a ransom request.
Only 5 minutes to the end of the promotion
The rule of unavailability can be used to force people to perform an action just because if they don’t do it now, they will lose a unique opportunity. That’s why there may be phrases like “This is the last message before you delete your mailbox. Log in to the new <here link to the trap page> to keep all your messages and contacts!”, “Your password has expired and you must change it immediately.” or “A dangerous virus has been detected on your computer! Download antivirus software quickly!” In addition, an e-mail can be sent on Friday after working hours so that the person attacked after coming to work on Monday thought that he or she must act quickly, otherwise he or she would lose his or her data. Names and/or logos of e.g. tax authorities or the police can be used as a stress-inducing element.
Stress is a bad adviser – these words have probably been heard by each of us at least once in our lives. And it is our stress that is an ally of hackers, because it gives them much more confidence that their intentions will be done by the victim. By artificially generating a “crisis” situation around the attacker, where decisions have to be taken automatically, without the possibility of thinking, and additionally bombarding us with still a lot of information, they cause disorientation of the person concerned. Therefore, if the hacker wants to extract information e.g. on the phone, he will try to impose the pace of the conversation dictated by the sudden and unexpected situation, saying e.g. “We have fire in the corridor, can you give a code to open the door to Director X’s office? We have to check that nobody is there!”. The sudden surge of adrenaline caused by the information about the fire, combined with the responsibility for the boss’s office or his own may cause the code to be given without hesitation.
Methods of defence
One simple question
Defence against sociological attacks, as well as the attacks themselves, is a very broad subject matter and can be a combination of several techniques. However, in every case of a sociotechnical attack, from the simplest gift – a Trojan horse, through an attempt to make a friendship with us or pretend to try to destabilize the environment around us and expect us to make a very responsible decision, one can initially verify the legitimacy of one’s own actions and their consequences by asking oneself a simple question. This question found its way into one of the radio commercials that most often remain in our heads in the form of their strange melodies or rhymed advertising slogans. In this case, the voice in the advertisement dictated: “Always ask: Why?”. This seemingly trivial question can sober us up in a moment, when we realize that there is really no rational reason why we should do something (or even not be allowed to do it), or that the attacker will be beaten up with a question for which he is not prepared. Of course, it may turn out that our opponent has considered the possible paths of the attack, but this step may be a point of reference in the course of defence against a sociological attack.
Just like in interaction with people, we should give ourselves a moment to think about when we receive emails. Should I open this invoice/consignment information when I have not ordered anything? Is it certainly possible to have such an attractive offer especially for me?
Control by the highest form of trust
As part of our defence against trying to influence us by suggesting that we should trust the attacker because he or she deserves it (regardless of the type of technology he or she uses), we can consciously introduce an element into the conversation that we will control and that will allow us to check our interlocutor. If someone claims to be a member of our circle of friends or family, we cannot check them with questions such as “Is it you, Steven?” (in the case of a phone call – when we do not see the person on the other side) or “Do you know Kate?”, because the only thing that a hacker can answer at this point is “Yes, of course!” He will not admit that he is the same hacker, but he will continue the plot, making sure that he is a trustworthy person (“Sure, Steven here! Of course, I know Kate!”). It is in the interest of the attacker to give as little information about himself as possible so as not to arouse unnecessary suspicion, but at the same time enough to be considered a specific person we know. In order to check a potential false friend, we must use an affirmative sentence, which is untrue to the point where our real interlocutor would be surprised and denied. At this point, the hacker should be able to “catch” our lure (if it is not at the level at which it is resistant to such tricks or has so accurate information about us that it is impossible to get caught). So we can say, for example, “Your brother has recently become very old, hasn’t he?” (assuming that the person claims to be someone who we know has no brother) or “Your manager/manager has a new wife, doesn’t he?” (if the hacker claims to be someone who also works in our department, which we know is run by a woman). If the other person ignores the opinion or seems to be confused, it means that perhaps our interlocutor did not predict this course of events. If he replies to our false opinion, it will be a clear sign for us, that we are being attacked.
Do you really know where you are?
If a hacker tries to sleep our vigilance by displaying us a page that we know well and on which we have logged in so many times safely, it is worth making sure that we are certainly where we want to log in, and not on the trap page. You should verify if the address of a given page in your browser corresponds to the address which should be there and check the so-called “green padlock”, i.e. if and to whom a certificate for a given website is issued. In the case of links on the pages or in e-mails sent to us you should not only check which address is shown as a link (e.g. underlined), but also where it leads to – after moving to a given link at the bottom of your browser you should see the actual address to which the link is directed. If the address is different from the name of the link, or if it seems suspicious to us, it may be an attempt at attack. In mobile phones the subject is a bit more difficult, because in the touch interface there is no way to get to the link sent by e-mail without clicking on it (you can, of course, display the full test of the message and verify how the link is constructed). It is also worth checking if there are no typos or characters in the address (in the link or already on the page to which we have moved), which only resemble the letters that we would expect in a given address. This way of camouflaging the real address of the website is quite common lately.
Updates and backups are the basis for
An important element of protection against social engineering in general, and not only against social engineering, is software updates, both in terms of the operating system, ordinary software and, of course, antivirus software. If the attack consists of phishing information electronically (and not verbally or physically by us as a user), it will certainly be a hindrance for the attacker. However, when the antivirus doesn’t work or you lose data through a vulnerability in other software, it’s a good idea to have a backup, which should be done often enough so that the possible loss is not too painful. Backup media should be read-only (CD/DVD/Blu-ray) or connected to a computer only when we know that it is safely and quickly disconnected. It is also worth restoring data from a backup at least once, because it is known that people are divided into three groups: those who do not make a backup, those who do, and those who do and know that they are able to restore data from a backup.
The same slogan everywhere is the door to hacker’s paradise.
However, it may turn out that we will be fooled by the tricks of a hacker and we will provide our access data on a prepared trap page. It becomes important whether we use the same password everywhere or not. If the attacker gets to know our email address and our (even super-secure in terms of complexity) password, and it turns out that we used the same password not only for the mail but also for logging in everywhere else (or we use a clear key like the bank name123, allegro1, etc. ), we can lose much more than e-mails. It is therefore advisable to use different passwords for mail and any other login and, where possible, to use multi-component authentication, using SMS codes or devices supporting such authentication.
Even the best passwords won’t help if they’re lying on your desk
A separate issue is the subject of storing passwords. Use password storage software, protected by a strong master password. Keeping passwords (as well as other key information) in paper format on your desk, computer case, monitor or whiteboard at your desk can lead to the fact that we won’t even know when someone just looked at our place of work and remembered / took a photo / saved our passwords.
Such an outfit can be bought in every shop.
Let’s remember that not everyone who wears a white putty must be a doctor. Nowadays, you can get all kinds of specialist clothing in shops, from medical, rescue and nursing clothes (standard ones, although an attack on nursing temptations would also be largely based on the use of social engineering), through police and fire brigades’; clothes, and cassocks. Everyone can also make any ID, stamp or even ID card! Therefore, before entrusting important information or money, it is worth verifying the identity of a given person, e.g. by asking the staff of a given building or looking for information about a given person on the Internet.
Training with examples, or show me what I can’t do
Some organizations provide special training for their employees based on previous attacks (they could be called “vaccines”, although I am afraid to use the word in the context of the n-th vaccination war on the Internet). Employees are familiar with the situations that may happen to them, so that once they happen, they are easier to recognise. At such meetings, among other things, lists of questions that can be asked and to which we should be alerted. The easiest way is to present it on the basis of the “green-orange-red” list, where in the green section there are questions that can normally fall from a stranger’s mouth and are not alarming, e.g. “Do you get to work by bike?”, said in the company hall, where you can see that we are dressed “on the bike” and we are currently waiting for someone else, for example. Such behaviour may be dictated by the willingness to ask about the best route, time, conditions or simply by an attempt by a person interested in us (in the positive sense of the word). Our affirmative answer will not reveal any information other than those already in the possession of the questioner (since we have bicycle clothes, we rather came by bicycle). However, if the conversation goes on and the questioner digs deeper (“Where do you keep your bike?”), the “orange lamp” should light up for us, because such a question may already be a prelude to obtaining information that the questioner does not necessarily need to know. Of course, this may be an innocent question, absolutely not part of the attack (let’s not fall into paranoia!), hence the orange colour. But when you ask the question “Where is your boss’s office/server room/archive?”, a red light comes on. Such information may already be used for an attack and we should not give information to people we do not know who they are and whether they can receive such information. If we think that we could have been the target of an attack, then it is also worth notifying the persons responsible for data protection (IT administrator, security inspector, etc. ) of any attempt to obtain information by suspicious persons. Before giving really important information, it is worthwhile to inform your supervisor about who is asking and to ask if we can provide such information. If we were subject to an attack, there is a very good chance that we will defend ourselves at this point. A very important element is the training of personnel, not only in attack techniques, so that they are prepared for various attempts to intercept information or destabilize the environment and are able to recognise it, but also in the techniques to be used when they find themselves in such a situation. During the training an important element is the awareness that not necessarily what is important for the organization must be important for the potential hacker and vice versa, what may seem to be of little importance from the point of view of business in the company, is also of little importance for the burglar. It is worth showing how someone can try to get some data from us by pretending to be our friend. The best examples of successful attacks from the past. It is important to make it clear that the attacker is acting in order to steal information and/or harm the organisation and thus hinder or even ultimately deprive potential attackers of their jobs. Such an attitude often makes people more resistant to attempts at phishing information and destabilising the environment. Of course, trainings must be cyclical in order for the knowledge to be constantly updated and consolidated. However, in order to ensure that employees know how vulnerable they are to attack, it is advisable to test them before training or during the training itself, which will show how much information they are able to reveal to a potential hacker. Only when we actually become a victim of an attack (even an exercise attack) will we realize that we are not as clever and resilient as it seems to us. Play according to the rules of the game
Procedures are another important element that can make an organisation (as well as an individual) immune to sociotechnical attacks. The procedures determine how to proceed: how often passwords should be changed, how to pass on information, how to destroy documents, what permissions external guests may have, who may have access to our equipment, who to inform in a given situation, etc. The procedures are described in the table below. In the era of large organizations it is also important to have at least one person per defined area, who knows what people may be inside the area and who should not be there. This allows us to catch intruders who got there by exploiting the gaps in this area.
The above information about the most common methods of attack and defence against them is only a small piece of knowledge, which combines elements of knowledge about controlling people’s behaviour with elements of typically IT knowledge, allowing to prepare attack tools. Like any other attack, it depends largely on the knowledge and ability to use it by the hacker. Of course, one cannot let oneself be crazy and suspect everyone, because in normal life and work there is simply no time for it, and sometimes it can be simply wrongly perceived by the environment. However, knowledge of this subject is becoming an important element of peaceful life and work in today’s times.