Lisa Forte, cyber threat expert and Partner at Red Goat Cyber Security, recently spoke to DIGIT about the potential pitfalls of one of the trickiest cyber threats to guard against – Social Engineering. Forte explains that Social Engineering is the use of deception to get someone to do something or disclose information in a way that seems benign but is actually malicious.
In the context of cyber security, it is one of the fastest growing cyber-attack vectors because as technical controls such as firewalls get better and more sophisticated, hackers have identified that they can get a much better return on investment if they go “through” the staff instead.
Humans are often the weakest link in a cyber defence strategy: even if workers are vigilant to cyber threats at work, they may not realise that by lowering their guard on social media outside the office they are exposing not only themselves but also their company to hackers.
Cyber criminals are no longer solely going after digital assets online; they are also targeting victims offline. By practising poor social media sharing habits you are making their task a whole lot easier. In this interview Forte explains how to spot a manipulator, how to identify their tactics, and how to guard against them.
How can you spot when you are being manipulated?
The “art” of manipulation requires the steps to be so small and so subtle that they are almost invisible. With that said, there are some “keys” to successful manipulation and these also help us identify when it is happening.
- The attacker will likely come across as charming and friendly. They may seem to be very similar to you, like the same things as you and mirror your views on the world.
- They will try and isolate their chosen victim. They need to ensure that you don’t discuss the lies he or she is feeding you with other people. One effective way of achieving this is for the attacker to create an ‘us vs them’ mentality in you. For example, getting you to believe that the company you work for is evil or your colleagues are out to get you. That way you are more likely to keep things to yourself.
- Be cautious of any email or phone call that leaves you feeling emotional or panicked. This is a classic technique used. By making you feel anxious, panicked, angry etc., the attacker gets you to act impulsively and without thinking logically. You are more likely to make a mistake if you are in a rush or worrying!
One final trick to be aware of is verbal misdirection. Vishing (malicious phone calls) uses this technique a lot. I do lots of vishing tests for companies and verbal misdirection is an easy way to obtain information about the inner workings of the company or person. Here is how it works:
Let’s say I call you up pretending to be a client of the company you work for and I want to find out the name of the I.T. manager for another attack that I am planning. I also know from social media that you only joined the company six months ago. I call up and say:
“Oh hi, how are you getting on in the role? I was in your office last week and your manager was telling me how effective you’ve been! Are you enjoying it? Look, I need to speak to the I.T. manager, Martin, can you transfer me?”
You know that the I.T. manager is actually called Dave. So, because you like me and you know I am a client, you correct me:
“No, the I.T. manager is called Dave. Martin works in HR.”
I knew Martin worked in HR, but by deliberately getting this information wrong I make you feel compelled to correct me, and I get the information I need. Know the value of information and don’t give things out unless you know it is okay to do so.
The most important defence is good face-to-face training from experts in social engineering. Being able to see how a hacker would look at information means you will be more secure.
How can you sort fact from fiction when it comes to social engineering?
The first thing to remember with a social engineering attack is that they want you to do or disclose something. Take a phishing email, for example: usually this will contain a malicious link or attachment that they need you to click on. So any unsolicited email you receive asking you to click on a link or attachment should be cause to pause and think about its authenticity.
This is great in theory; however, most phishing attacks are crafted in such a way as to create an emotional response, not a logical one. If I can make you feel emotional (angry, anxious, excited) I can stop you from thinking logically and get you to react impulsively. They will also create a sense of urgency, “offer ends at noon” or “pay the fine by 3pm”. This is to get you to react spontaneously and not logically. If you ever receive an email or social media message that generates a strong emotional feeling, pause, grab a coffee and come back to it. I guarantee that you will see it differently!
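The cues described in this answer (unsolicited, asks you to click a link or open an attachment, a deadline, an emotional hook) turned into a small triage check. This is an added example, not code from the interview or from Red Goat; the sample messages, the `expected_sender` field and the cue word lists are constructed for illustration.

```python
import re

# Constructed sample messages modelled on the interview's examples (the voucher
# email and the "pay the fine by 3pm" deadline). 'expected_sender' is a constructed
# field recording whether the recipient was expecting mail from this sender.
SAMPLE_MESSAGES = [
    {"subject": "Your voucher", "expected_sender": False,
     "body": "Dear Rebecca, thanks for coming into Gourmet Burger Kitchen last night. "
             "As you are such a loyal customer we have decided to offer you 50% off "
             "your next meal. Click the link below to register your voucher. Offer ends at noon!"},
    {"subject": "Outstanding fine", "expected_sender": False,
     "body": "You have an unpaid parking fine. Pay the fine by 3pm today or face prosecution. "
             "Open the attached notice."},
    {"subject": "Agenda for Thursday", "expected_sender": True,
     "body": "Hi, attached is the agenda we discussed in the meeting. See you Thursday."},
]

CUE_ACTION = "asks you to click a link or open an attachment"
CUE_UNSOLICITED = "unsolicited"
CUE_DEADLINE = "urgency deadline"
CUE_EMOTION = "emotional hook (fear, reward or flattery)"

# Illustrative word lists only; a real filter would use far richer features.
ACTION_RE = re.compile(r"\b(click|open|download|register|log ?in|verify|confirm)\b"
                       r".*?\b(link|attach(ed|ment)|voucher|notice|account)\b", re.I)
DEADLINE_RE = re.compile(r"\b(by|before|within|ends? at|expires?)\s+"
                         r"(noon|midnight|today|tonight|\d{1,2}\s?(am|pm)|\d+\s?(hours?|minutes?))\b", re.I)
EMOTION_RE = re.compile(r"\b(prosecution|suspended|fine|penalty|urgent|immediately|"
                        r"congratulations|free|50% off|won)\b", re.I)

def phishing_cues(msg):
    """Return the list of cues from the interview that this message triggers."""
    text = msg["subject"] + " " + msg["body"]
    cues = []
    if ACTION_RE.search(text):
        cues.append(CUE_ACTION)
    if not msg.get("expected_sender", False):
        cues.append(CUE_UNSOLICITED)
    if DEADLINE_RE.search(text):
        cues.append(CUE_DEADLINE)
    if EMOTION_RE.search(text):
        cues.append(CUE_EMOTION)
    return cues

def verdict(msg):
    """Forte's rule: unsolicited AND asked to click/open means pause and verify out of band."""
    cues = phishing_cues(msg)
    if CUE_UNSOLICITED in cues and CUE_ACTION in cues:
        return "PAUSE"
    return "CAUTION" if cues else "OK"
```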
What are the most common social media sharing errors that leave you exposed to hackers?
One common argument I hear from people is that they don’t see open posting on social media as a threat because “they have nothing to hide”. This is incorrect for a number of reasons:
- Firstly, just because you have no scandals or secrets to hide doesn’t mean you don’t value your privacy. We share posts and images with specific people and that is our choice. We don’t expect this to be shared with everybody if that is not what we intended.
- Secondly, if your accounts are not locked down and private you have no idea who may be viewing your posts, why they are viewing them, and what they will do with that information.
The common misunderstanding is that attackers are looking for some dirty scandal to be revealed in order to bribe you with. This does happen, but it is rare. Let me offer a more common way that publicly available information could be used.
Let’s imagine we are the attackers. We find a potential target, Rebecca, who posts extensively on social media. Her Facebook is private so we cannot see any of her posts. However, we can see that she has over 900 friends. This tells us that on balance she probably accepts people she has never met as friends on Facebook. So we add her as a friend and get accepted. Now we are in! In most cases the privacy settings no longer apply and as a friend I can see everything. On Rebecca’s wall we see a post that says:
“Off out to Gourmet Burger Kitchen in Manchester tonight with the girls. My favourite restaurant, I am such a loyal customer I should get free drinks or something for life!!”
Looks pretty innocent right? We can use this to send her a malicious phishing email the next day:
“Dear Rebecca, thanks for coming into Gourmet Burger Kitchen last night. We hope you and your friends enjoyed the evening. As you are such a loyal customer we have decided to offer you 50% off your next meal with us. Click the link below to register your voucher.”
What do you think the chances of Rebecca clicking that link are? Pretty high I can assure you. We use specific information from her Facebook post to make it look legitimate. Rebecca had no dirty scandal to uncover, just a post about an evening out, and this was sufficient to make her vulnerable to attack.
It doesn’t even need to be a cyber-attack outcome. We have seen people posting that they are at Heathrow Airport about to go on holiday for a week and their house gets burgled. Children have shared inappropriate content publicly and we have found evidence of those photos being put onto dark web child pornography sites. The list goes on and on.
How can social media accounts be turned against you?
I worked on a case where Jessica, a young graduate, had just started her first job in a big UK company. This company spent a lot of money on cyber security and had a skilled security team.
Jessica spent a lot of time on social media. She had a lot of friends and followers on all the main platforms. Her photos were of her family, pets, lifestyle and travels. Certainly nothing out of the ordinary.
One day, another girl, Nina, sent her a friend request on Facebook. Jessica accepted, and the two girls started talking. Over the next few months, they formed a strong friendship. They got on well and Nina liked the exact same things as Jessica. In fact, they mirrored each other’s views on almost everything.
Nina showed a strong interest in Jessica’s job. She said she aspired to do something similar. Jessica was keen to share all sorts of details about her work and the projects she was working on. One day Nina asked Jessica if she could do her a favour. She told Jessica that she had got an interview with the very same company that Jessica worked at. She asked Jessica not to tell anyone as she was supposed to keep it to herself. So, Jessica agreed to keep it quiet and was very excited to work at the same company as her new-found friend.
Nina said she was excited too but “There is one problem. I am desperate to get this job, you know how much I have been struggling for money. I am the underdog though. I know some other girls that applied and they know far more than I do”.
Jessica, desperate to see her friend succeed, said “I will help you! Let me know what information you need and we will rehearse the interview and everything”.
Nina replied “Well I’ve done some research and I think I know some of the clients that you have and some that you are going to be pitching for soon. I don’t have time to research them all so would you be able to get me a list of the clients and the ideas you’re pitching? If I have that then I can tailor my ideas to meet the goals and they will love me!”
Jessica agreed to help her friend. Nina said she didn’t want to get disqualified, so Jessica should get one of her colleagues to print out the information so it couldn’t be traced back to her. Nina also told Jessica to put the printouts in her bag and then scan them in at home to email to Nina. Jessica did just that.
Jessica never heard from Nina again after that day. Without going into the details of the investigation, we discovered that “Nina” was fake. It was a totally made up profile. We believe that the culprit was, in fact, a competitor of the company that got attacked. They essentially turned Jessica into a malicious insider without her realising it!
So, in reading that, do you think you would have helped your friend with the interview? If not, at what point would you have dug your heels in and refused to help? Perhaps you might have felt a bit uncomfortable, or perhaps it was just a bit of bonding with your soon-to-be work colleague? Staff training on social engineering, highlighting cases like this, can be a good way to prevent this from happening.
Attackers could be organised crime groups or one of your competitors. In either case, they will create a backstory that fits the person they are targeting. In this instance, the entire friendship was conducted on social media and “Nina” used all of Jessica’s posts to make out they had lots in common. Think before you hit accept on that next friend request!!
What are some general social media safety rules everyone should practise?
- Never have location services turned on for social media apps and try to avoid “checking-in” at locations.
- Ensure all your social media accounts are set to private. If you do wish to have a more public account, make sure you audit the content carefully. Don’t put out anything personal.
- Hide the number and names of friends you have on Facebook. This makes it much harder work for attackers.
- If you do wish to share a post publicly you should stop and think about whether you are happy to share it with the world and all the good and bad people in it. Only hit post if you are.
It is not about shutting down all our social networking habits. That is unrealistic. However, attackers are after quick wins, and the harder you make them work the more likely they will give up and move on to someone who hasn’t made these changes.
What is a good rule of thumb for safeguarding yourself online?
In my work I often mimic the tactics of social engineers to see where both the company and individual weaknesses are. When I look at a target, certain things make my life easier. If you know what helps me out, you know what to change!
Here are some of my top tips:
Privacy Settings: Check that your social media accounts are locked down. Delete people you don’t actually know and hide the number of friends you have. Check the settings on some historical posts too; you would be surprised to see how many I can find!
Audit yourself: Search for yourself online to see what you can find out. If there is anything there that is too personal or that you didn’t realise existed, delete it.
Posts: Be careful what can be seen in pictures that you post. I recently discovered that the barcodes on airline boarding passes could be scanned and I even got people’s dates of birth from it. Birthday photos with cards showing your age can also give me your date of birth. I may be able to see your house number, the telephone number on your dog’s collar or the apps you use on your phone, all from a poorly positioned photo. Don’t just check if the photo is flattering, look for what else could be seen in the shot!
Talk about it: share information about security with friends and family. Take a screenshot of phishing emails to warn others (never forward a phishing email on to someone else though). The better we get at warning each other about threats the harder we will make the hackers work for their money!