Caution! Social engineering!

Online social engineering today

Radio România Internațional, 06.11.2024, 14:00

October has been proclaimed, at the level of the European Union, the month of cyber security. In 2024, the utopian the European Union has been focusing on a category of threat whose presence has been increasing in our day-to-day life, Romania included. We call it social engineering. The appeal specialists have made has been an outspoken one: if we keep ourselves informed, not only for a month a year, but permanently and implementing simple prevention measures, we can avoid falling into the prospective traps of social engineering.

Pretending, luring, asking for a ransom, phishing, vishing, identity usurpation. Put together, all those techniques bear the name of social engineering. Resorting to social engineering are individual of group wrongdoers who, exploiting the prospective victims’ psychological vulnerabilities, have tried to gain access to sensitive information, to steal data or money. In other words, attackers rely on technical knowledge, but to a greater extent attackers rely on psychology and human behaviour…on the art of manipulation, actually.

More often than not, the wrongdoer pretends she or he is a reliable person or source and resorts to various means of persuasion or tricks of the trade to obtain passwords, financial details or access to systems and networks. Provided manipulation works, the attacker encourages the victims to offer personal or sensitive information or to visit a fake website or install a malware program that could affect their device or could even take control over that particular device.

One of the methods used to steal sensitive data is cracking our personal email. Yet attackers favour social media networks more and more. With details on that, here is the National Cyber Security Directorate’s communication manager, Mihai Rotariu:

“Unfortunately, attackers have made extensive use of social engineering attacks, as of late. A massive shift of focus has occurred, to social networks, to social media, which happened because, for them, that is a significant reduction of costs.

They don’t necessarily have to effectively maintain a phishing site which they need to host, they don’t have to pay specialists to support it online, instead, they can just compromise certain social media accounts, for instance, of certain users, to use the trusted codes of those accounts, of the pages they manage, in order to launch posts, which are usually sponsored, to certain traps, to certain fraud attempts. “

As for phishing, attackers send emails, messages or fake links to sites that seem reliable, with the purpose of persuading the recipients to click and give away passwords, credit card numbers or personal data. Vishing is a form of phishing activated through vocal communication, usually through phone calls. Through ransomware, the wrongdoers threaten to reveal give away sensitive info or jeopardize the systems if the victim does not pay a ransom, and suchlike.

But what are the attackers most interested in? Money, of course. Yet there’s more to it than that. Mihai Rotariu once again.

“ They will usually try, provided they have access to our devices or accounts, to take money from the account, directly. And yet, if they cannot do that, they try to get as many data as possible, personal data, financial data, sensitive data, authentication data. All that has its value on the black market and they can further be put up for sale. Attackers can even exchange such data between them, precisely in a bid to target as many users as possible with such online traps. The moment an attacker had a successful attack against a user, you should know that particular user will be on attackers’ lists of good payers one or on the list of users who are careless and give their data away much too easily, precisely in order to continue to become a target for other attackers.”

When we cross the street, we take every precaution: we look to the right, we look to the left, we look at the colons of the traffic lights. In other words, a behavioural routine runs in our veins, and that works all the time in such circumstances. The ideal thing would be for us to have an online routine as well, to have some sort of cyber security hygiene. It is the opinion of National Cyber Security Directorate’s communication manager, Mihai Rotariu :

ʺ We need to stay alert, we need to be patient whenever we activate online, and think logically, we need to get accustomed to and activate at a relatively decent speed this time, as we know that, online, we have gotten used to processing the information much more rapidly than we would that in real life. So we need to do the required check before doing something that could lead up to compromising our data or equipment. “

Specifically, if something seems amiss or too good to be true, we could think that could be cheating. Then we need to avoid to click on certain links or open emails from unknown sources. Sensitive data must never be shared, such as passwords, credit card numbers or personal data, in messages or emails, no matter who asks for that. We need to check the identity of the person or entity who asks for the information, but powerful passwords must also be created.

If we have the misfortune to fall prey to the cyber wrongdoers, we must inform the competent local authorities, we must change the passwords, we need to activate the multi-factor authentication, scan the devices for malware programs and alert our friends or colleagues.