Inside the Mind of a Hacker: How Cybercriminals Mess with Your Mind to Steal Your Data
In 2014, some executives at Sony Pictures received e-mails that asked them to verify their Apple ID. All it took is one executive to take the bait and hackers were able to get into the company’s network. The hackers were able to steal 100 terabytes of confidential information, which include the company’s secrets and their employees’ personally identifiable information (PII) — one point for social engineering, zero for the hapless company who took their security for granted.
Social engineering involves the deception and manipulation of people to make them give up sensitive and confidential information or do something that they are not supposed to. How does social engineering work?
One way to understand how social engineering works is to understand what goes on in the mind of a social engineer. Knowing how they think can help you in preventing an attack or becoming a victim.
So How Does a Social Engineer Think?
1. They are after huge payoffs.
The biggest motivation that cybercriminals have when they do social engineering is money. It can be in the form of credit card numbers that they can use or sell or other valuable data. They can use it to negotiate with the company, and businesses are going to have to play ball because on top of their trade secrets and other confidential information, their reputations are also at stake.
For some, the rainy day comes quick. For instance, hackers love using ransomware because the victim needs to act quickly and pay if they want their files back. In 2017, hackers were able to get $2B from companies they victimized. That figure is double the $1B that was paid in 2016, and much higher than the $24M paid a year before that.
One hijacked computer can cost $1K on average to get back. That figure is close to 300% the ransom demanded in 2016. But here’s the thing: Less than half of ransomware victims get their files back, even after they pay.
The Hack Crash of 2013
One example of this is the hack involving the Associated Press Twitter account. In 2013, the Twitter account of the Associated Press was hacked, and people were surprised to read a tweet that said that the White House was bombed and then-President Obama was injured. As a result of that tweet, which lasted only three minutes on Twitter, the Standard & Poor’s 500 Index fell by at least $136B, and the Dow Jones Industrial Average dropped by 143.5 points.
The Syrian Electronic Army claimed responsibility for the attack, and they revealed that the hack was made possible by spear phishing. Employees of the Associated Press were sent emails that looked like it came from their colleagues. The email had a link to a phishing site, asking them to enter their login information to Twitter.
While this might sound like a prank or mischief, the hackers could have made a killing buying stocks when they were priced lower and then selling it all back when prices went back up.
The Ubiquiti Networks Hack
A more apparent and direct example is the Ubiquiti Networks hack that happened in 2015. In this instance, attackers pretended to be executives at the company that told the finance department to transfer money to bank accounts controlled by the hackers.
The attack is a classic example of business email compromise, one form of a social engineering attack. And in this instance, the hackers hit it big. The company’s finance employees transferred $46.7M out to the hackers. The company was able to recover some of that money but still lost $31.8M in the process.
2. Cybercriminals want prestige.
Another reason is that it’s a game of cat and mouse for cybercriminals. Social engineering is not just a simple con. It takes research and charm. It takes time, but as you have learned above, the payoffs from patience are huge.
Being able to demonstrate their skills in hacking is a rite of passage that every young hacker goes through, according to a young hacker in his early teens interviewed for an article in Economic Times.
That proof that can either come from writing superior code, finding a new vulnerability, or you guessed it, the ability to charm their way through a network’s security.
Gary McKinnon was responsible for the biggest military computer hack of all time, having shut down the Washington Network of the US Military for 24 hours. He was able to get into NASA and military websites, deleted and added files there, and read confidential data. It was going smoothly until he decided to change the website and tell the organizations he was hacking (and let them know that their security is terrible). McKinnon even said that he thought the American government would thank him for exposing their bad security.
3. Social engineers are using stereotypes against you.
What mental image do you have when you hear the word “hacker”? It’s probably some pimply teenager in a dark room, maybe the basement, typing away on his or her computer.
Or you think about that guy or girl in thick eyeglasses, with uncombed hair, and who badly needs a long, hot bath, sitting in concentration with a bluish glow from the monitor reflecting on their faces. You might also think that hackers are awkward in social situations — a nerd with terrible conversational skills.
If you think this way, then you might be on your way to falling victim to a social engineering attack.
According to a hacker named “Ghost” in an interview with Vice, social engineers are usually charming, and know how to use humor. The trick is to make you laugh within 30 seconds. They know how to build rapport, and they come off as nice guys.
4. Social engineering is actually very easy. Cybercriminals get all the help they need from… YOU!
There are many ways that social engineering attacks start. It could be random, such as a hacker sending out thousands of emails and hoping that one of the recipients clicks on the link. That can translate to a huge payoff because they only create the website or craft the email once, and thousands of people will see it.
The other type of social engineering is more directed and organized. Typically called spear phishing, these attacks pinpoint a particular company or individual. These are usually high profile companies, with millions of customers or users, and a lot of protected data.
In this type of attack, a social engineer uses a variety of methods, from phone calls to video calls and even personal visits. They conduct extensive research on both the company and their employees.
Most of the time, they use what you put out on social media to help with their research. They get your first name when they call the company, and you answer, “This is Derek, how may I help you?”
Googling Derek and the company name, they can easily find you on LinkedIn. With your full name and company name, they can find you on Facebook or Pipl. The hacker soon has pictures of your kids, the schools they go to, and even the car that you drive. If you share location data and photos on Instagram, they will know where you eat, where you hang out, and other personal details.
In short, everything they need to set up the social engineering attack is already out there on social media.
5. Social engineers know your weakness.
Humans are not perfect, and this is the reason why they are the easiest way to get unauthorized access into a company, a network, or a computer. In contrast, a computer that has an anti-malware or anti-virus software will be able to detect if there is some sign of unauthorized entry and can fight or alert users to it.
Humans do not have that kind of mechanism. What’s more, a person has several weak points that a social engineer can exploit. As described above, humor can disarm a person, allowing social engineers to walk into an office if they’re able to charm the receptionist and make them laugh. Exchanging playful banter with the receptionist can make them feel comfortable enough to let you into the office without thinking too much into it.
Humans are inherently good. They try to help out whenever they can. The interview with “Ghost” revealed that the receptionist was trying to help him out by printing out a resume he had on his flash drive. The file eventually infected the company’s whole system.
Other times, we are too tired or too careless to double-check what we are clicking. We see an e-mail that looks like it came from our bank, click on the link and provide our login details without even hesitating. Carelessness also extends to losing our smartphones, which we use for corporate business matters, in very public places.
Other times, we want to impress our bosses by acting fast and swift. The problem is, instead of impressing the boss, you will realize later on that you have just handed the company’s secrets or money over to cybercriminals.
How to Protect Yourself & Your Company
One thing that you instantly realize when reading stories of hacking and social engineering is that no one is safe. Technology companies, such as Ubiquiti Networks and Yahoo, fall victim to social engineering and, subsequently, hacking and data breaches.
Digital Guardian has an interesting article that reports on social engineering attacks, including the most common types and how you can avoid being victimized by one. Digital Guardian talked to 34 infosec experts, and the article contains some pretty surprising facts about social engineering.
For instance, Kevin Mitnick is one of the most well-known hackers. He’s now one of the good guys, working as an information security consultant. Mitnick reveals that today’s malware is generally installed via social engineering. Only 3% take advantage of a security flaw in the system.
Education is still the best weapon against social engineering. Since cybercriminals rely on unwitting people to help them, make sure that your employees know what the common types of social engineering are. That way, if somebody tries to pull one over on them, they’ll recognize what is happening and be wiser.
Education should not be a one-off thing. Social engineering attacks evolve rapidly, and new tactics are discovered every day, requiring continuing education for employees.
Also, putting security policies in place is crucial. There is nothing more effective than a written rule that encourages employees not to put flash drives into their laptop’s USB ports if they are not sure where it came from. Caution employees to be more careful when clicking on links in emails coming from people they don’t know, as well as to double-check the links included in an email from somebody they do know.
Using reputable tools such as a firewall, anti-malware, anti-virus software, and others will also help keep you safe. But really, one of the most effective ways to combat social engineering is learning how to say no. If you are being asked to do something that is out of the ordinary, don’t do it.
For most of us, that is difficult to do, especially if it is a superior asking you to send him or her some files via email. But think about it, that stranger asking you to print a resume from a flash drive could very well be asking you to risk your job and the security of your colleagues and company.
Lastly, encrypt all sensitive data. When you do this, you have another line of defense for your files. Even if an employee does send files or login information over to a hacker, and the cybercriminal does gain access to your documents, they will not be able to read it with proper encryption in place.
We hope you enjoyed this promoted piece as much as we did!