Author: Ota Brzák
Introduction
When people hear the term “social engineering”, many do not know what to make of it. Moreover, those who have heard the term often confuse it with other topics in cybercrime, especially hacking. The Cambridge Dictionary describes social engineering (from here on referred to as SE) as an attempt to trick people into giving secret or personal information, especially on the internet, and using it for harmful purposes (Cambridge Dictionary, 2024). This definition is close, although we have to note that social engineering can be used for various purposes. White hats (ethical hackers hired for penetration testing) do not misuse any information obtained through SE and only look for vulnerabilities in order to fix them (Caldwell, 2011). Christopher Hadnagy, a recognized expert in information security, defines SE as manipulating or maneuvering someone into doing something that is not in their best interest. This definition is much broader, but so is the concept of social engineering, which makes the definition quite fitting (Hadnagy, 2011, pp. 31-36).
We will talk about specific types of attacks in the second chapter, but some examples of SE might include:
- sending a fraudulent email posing as someone else with the intention of stealing the user’s personal information,
- hanging a fake poster in an office with a “new phone number” of the IT department to get the login credentials from employees who need troubleshooting,
- leaving a USB drive for a victim to find and plug into a computer, which executes malicious code on the victim’s machine.
Interestingly, the last case (distribution of malicious USB drives) is still very effective today, despite public campaigns, school and workplace education seminars, and other methods of raising awareness. A 2016 study showed that of 297 USB sticks dropped on a university campus, 98 % were picked up and 45 % were inserted into a computer. The study also shows that many victims did so not out of greed but with the good-hearted intention of finding the drive’s owner (Tischer, 2016).
Persuasion Principles
As mentioned at the end of the last paragraph, many students fell victim to the attack because the experimenters deliberately evoked compassion and curiosity in them. However, SE attacks build on many different persuasion tactics.
The first principle we will discuss is authority. When the victim is stressed and pressured into making a quick, uninformed decision, they often transfer the responsibility to an authoritative person, whom the attacker impersonates. The attacker can create an impression of authority in many ways, such as displaying workplace or academic seniority, wealth, or an imposing physical presence. A study showed that people were far more willing to shock another subject with an electric current of 450 Volts when told to do so by an experimenter in a white lab coat than when the experimenter wore regular clothes (Bullée et al., 2015).
Another frequent principle is social proof, the heuristic of mirroring the actions of others in one’s social circle. People in unfamiliar situations are especially susceptible to it. The more similar their peers are to them, the more likely the victim is to copy their actions. For example, when trying to get into a building and being stopped by a security guard, a social engineer could use social proof and make statements like: “Why am I being stopped? Your colleague did not have a problem with me coming in!” Such a claim forces the security guard to compare himself to someone in his social circle who works in the same position and is, therefore, very similar to him (Hadnagy, 2011, pp. 267-263).
The last principle we will look at closely is liking. In general, people like people who like them. If a social engineer wants the victim to like him, as that would increase the chance of the victim helping him, he can show affection and liking first. A phenomenon tied to this principle is called the halo effect. When determining a person’s nature, we tend to be biased and focus on their good qualities. The good qualities, like good looks or relatability, often outweigh the person’s bad qualities, making them seem not as bad or less important (Hadnagy, 2011, pp. 264-266).
Interestingly, these three principles and many more are also often used in marketing and advertising. Robert Cialdini, a well-known American psychologist and marketer, describes in his book Influence six common principles that can persuade customers: reciprocity, commitment and consistency, social proof, liking, authority, and scarcity (Cialdini, 2007).
Exploitation tactics
In the last chapter, we discussed the sociological and psychological principles of SE. This chapter puts those principles into a technological context and looks at specific attacks we might encounter.
Phishing
Phishing is one of the most common SE attacks. Phishing most often involves email, but it can also take place over SMS messages, online chats, phone calls, and other means of communication. The aim of a phishing attack might be monetary gain, stealing sensitive information, or installing malicious software on the victim’s device (Gupta, 2016). Phishing emails are written in a way that can target most users, especially those who are not educated in cyber security and do not take any special precautions to protect their accounts and online identities. However, when a fraudulent email is specially tailored to the recipient, impersonating someone the user knows and often taking advantage of one or more persuasion principles, the attack is called spear phishing. A particular case of spear phishing, attacking wealthy or high-profile users like CEOs and politicians, is called whaling.
Phishing is a very serious matter. The estimated damage of phishing attacks in 2014 was $5.9 billion, a considerable sum. However, aside from money, attacked businesses also lose their reputation and can suffer data breaches or corruption of essential data (Butavicius et al., 2016).
Spear phishing
The key characteristics of spear phishing are its small scale and high personalization. Spear phishing has proven highly effective, with its financial damages tripling over the early 2010s. Somewhat disappointingly, a study has shown that training and spear phishing awareness campaigns have little to no effect on participants (Caputo et al., 2013). Why would a criminal who wants to break into a company database spend a hundred hours hacking manually when he could achieve the same result in an hour spent researching the company and writing spear phishing emails, and have the login credentials all but served to him on a silver platter?
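One way a mail gateway can surface the sender impersonation that spear phishing relies on, written for this article as an added example (it is not code from any of the cited works): it checks an inbound message's From header against a small allow-list of partner domains for look-alike names, borrowed display names, and a diverted Reply-To address. The partner domains and both sample messages are constructed placeholders.

```python
import email
import unicodedata
from email import policy
from email.utils import parseaddr

# Constructed allow-list of partner domains whose invoices we expect (placeholders).
TRUSTED_DOMAINS = {"quantacomputer.example", "payroll-partner.example"}

# ASCII sequences that read as another letter in common fonts.
ASCII_TWINS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

def normalize(domain: str) -> str:
    """Fold accents and look-alike sequences so a spoof collapses onto its target."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for twin, real in ASCII_TWINS.items():
        folded = folded.replace(twin, real)
    return folded

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; within two edits of a partner domain is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()

def triage(raw_message: str) -> list:
    """Return the sender-impersonation indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []
    for trusted in sorted(TRUSTED_DOMAINS):
        # 1. Look-alike: visually identical to, or within two edits of, a partner domain.
        if from_domain != trusted and (normalize(from_domain) == normalize(trusted)
                                       or edit_distance(from_domain, trusted) <= 2):
            findings.append(f"look-alike of partner domain {trusted}: {from_domain}")
        # 2. Display name borrows a partner's brand while the address lives elsewhere.
        brand = trusted.split(".")[0]
        if brand in display_name.lower().replace(" ", "") and from_domain != trusted:
            findings.append(f"display name claims {brand} but address is at {from_domain}")
    # 3. Replies silently diverted to a mailbox that is not the sender's own domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from {from_domain}")
    return findings

# Constructed samples: an invoice lure from a look-alike domain with a diverted Reply-To,
# and a genuine message from the real partner domain for comparison.
SUSPICIOUS = ("From: Quanta Computer Accounts <billing@quantacornputer.example>\n"
              "Reply-To: payments@quanta-invoices.example\nTo: ap@victim-corp.example\n"
              "Subject: Invoice 4471 overdue\n\nPlease settle the attached invoice today.\n")
BENIGN = ("From: Quanta Computer Accounts <billing@quantacomputer.example>\n"
          "To: ap@victim-corp.example\nSubject: Invoice 4470\n\nThanks for your payment.\n")

if __name__ == "__main__":
    for finding in triage(SUSPICIOUS):
        print(finding)
```

The look-alike rule folds "rn" to "m", so "quantacornputer" is caught even though every character is plain ASCII; a production gateway would also consult the Public Suffix List before comparing registrable domains.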
Vishing
As mentioned above, phishing can happen through phone calls and audio communication. We call this type of attack vishing, a combination of the words “voice” and “phishing”. As in spear phishing, the attacker often impersonates someone from the victim’s social circle or an organization the victim is connected to.
Attackers can even make the call appear to come from a number known to the victim, a tactic called caller ID spoofing (Mustafa et al., 2016). Spoofing makes for a very realistic and believable attack, which can be taken to the next level with generative AI models trained on the voices of the impersonated people. We discuss the use of AI in chapter three and a historical SE case that involved vishing in chapter four.
Whaling
The main difference between whaling and spear phishing is the victim. While regular spear phishing can affect even low-level employees, whaling is exclusive to high-ranking targets. A whaling attack requires much more planning, resources, and attention to every detail, as its potential payouts and risks are much greater. The criminals achieve high contextualization (an extremely detailed attack environment) through extensive surveillance, often extending to the target’s friends and family. A significant problem of whaling research lies in the limited sample sizes of past whaling victims and potential future targets (Pienta et al., 2020).
Waterholing
While phishing relies more heavily on SE and does not have to be technologically advanced, watering hole attacks, or so-called waterholing, usually consist of several stages and take advantage of software exploits. The attack targets watering holes: websites a user regularly visits and trusts, much like an animal visits a water source in the wild. Such attacks have proven highly effective and have played a critical role in compromising government agencies, important companies, and non-government organizations (Alrwais et al., 2016).
In the first phase of a waterholing attack, the attacker selects a target and starts reconnaissance, gathering information such as which websites the company’s employees visit often and which of those run outdated plugins. Zero-day exploits (exploits for vulnerabilities in released code that are not yet publicly known) may still be unpatched in older versions, and attackers can take advantage of that.
In the second phase, the attacker compromises these websites, either by obtaining access information through SE directly from the site administrators or by exploiting a vulnerability in the site’s code. After gaining access, he prepares a payload carrying spyware, ransomware, or a remote access trojan (RAT). The payload may also be written to deliver itself only to specific users, selected by IP address. That way, it targets only users from the attacked company, reducing the chances of discovery.
The third phase of the attack focuses on payload delivery. When the victim visits the infected site, the payload triggers and installs malware on the user’s system. Some payloads may only work on older browser versions. Because the user visits the site often, they do not expect anything unusual to happen and are unlikely to be alert.
In the fourth and last phase, the malware runs on the user’s system and starts doing damage. The malicious program often goes unnoticed and can cause harm for extended periods of time. On a company computer, the malware might also be written to spread laterally to other machines on the same network, multiplying the damage done (Krithika, 2017).
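A defender-side check for the IP-gated delivery described in phases two and three, added here as an example that is not part of the original article: it inventories the scripts a trusted site serves and compares what the corporate egress address receives with what an outside vantage point receives and with a known-good archived copy. A script that only the corporate network is served, or that the archived copy never contained, is what this kind of selective injection looks like. Fetching the three copies is assumed to happen elsewhere; the HTML below is constructed.

```python
import hashlib
from html.parser import HTMLParser

class ScriptInventory(HTMLParser):
    """Collect every external script URL and a short hash of every inline script body."""

    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.add("src:" + src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.scripts.add("inline:" + hashlib.sha256(body.encode()).hexdigest()[:16])

def inventory(html: str) -> set:
    parser = ScriptInventory()
    parser.feed(html)
    return parser.scripts

def compare_vantages(baseline_html: str, corp_html: str, outside_html: str) -> dict:
    """Flag scripts absent from the last known-good copy, and scripts that only the
    corporate egress address receives, which is how IP-gated injection shows up."""
    baseline, corp, outside = map(inventory, (baseline_html, corp_html, outside_html))
    return {
        "new_vs_baseline": sorted(corp - baseline),
        "corp_only": sorted(corp - outside),
    }

# Constructed pages: the vendor portal as archived last week (BASELINE), as served to the
# company's egress IP today (CORP), and as served to an outside vantage point (OUTSIDE).
BASELINE = """<html><head><script src="/static/app.js"></script>
<script>window.cfg = {"v": 3};</script></head><body>Portal</body></html>"""
OUTSIDE = BASELINE
CORP = BASELINE.replace("</head>",
                        '<script src="https://cdn-placeholder.invalid/loader.js"></script></head>')

if __name__ == "__main__":
    print(compare_vantages(BASELINE, CORP, OUTSIDE))
```

Hashing inline bodies rather than storing them keeps the baseline small and still catches a changed snippet; in practice the outside fetch should come from an address range the site has no reason to associate with the company.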
Tailgating
While none of the other attacks discussed in this chapter necessarily involve the physical world, tailgating (also known as piggybacking) is the complete opposite. In this attack, the criminal tries to gain physical access to a secured location. As many buildings with restricted access, such as office blocks, require an RFID card to enter, tailgating attacks often try to get around this measure specifically.
An attacker can try to get in by pretending to have lost their RFID card and persuading an employee to let them in, which is relatively straightforward. However, there are much more advanced ways of getting through. The attacker could research places the employees frequently visit outside of the office, like food courts and restaurants, then visit such a location with an RFID cloning device and duplicate the signal from an employee’s card while staying undetected (Salahdine, 2019).
Use of AI in Social Engineering
The rapid evolution of artificial intelligence and large language models has changed the internet in many ways, and in the world of phishing not only for the better. AI can help with detection and protection on one side, but it can also be misused to make attackers more effective (Jurgens, 2024).
We will go through this topic in the next three subchapters, each covering one aspect of phishing attacks with the greatest potential to be amplified by AI.
Creating Realistic Content
The generative aspect of AI is the first that comes to mind. AI models can generate many realistic forms of media that are useful in an SE attack. AI has no problem drafting texts like emails, direct messages, or social media posts. It can generate realistic images like manipulated photographs and falsified documents. AI also excels at producing realistic spoken voices in many languages, which is especially useful in vishing. Detailed videos can also be generated quickly, aiding in pretexting (placing the victim in a pretext, a fabricated situation created to manipulate them).
All these kinds of content can be used for malicious purposes. Criminals can impersonate real-world people, like the victim’s work superiors, friends and family, or famous influential figures, pressuring the victim into revealing valuable pieces of information.
Generated content can also be used to blackmail the victim, with the threat of releasing content harmful to the victim if they do not perform a specific action or pay the criminal a ransom.
Lastly, if shared on a larger scale, such content can greatly simplify the spread of misinformation and propaganda online, causing widespread fear, unrest, and panic.
Personalised Targeting
As large-scale attacks are costly and the expenses grow with each targeted user, AI can significantly reduce the resources involved. It is no longer necessary for a human to do the reconnaissance: algorithms can scrape specific websites and harvest data about victims by following their digital footprint across the net. The algorithms can also perform this task more efficiently and gather more information, which allows for more detailed and believable attack scenarios.
Automating Infrastructure
AI and advanced machine learning algorithms can also tie all the other tasks of a phishing attack together and scale the attack without additional manpower. They can also experiment with different approaches on their targets and compare the results. By repeating attacks with a feedback loop that favors the more successful strategies, the phishing of the future could look very different from today’s and pose an even bigger threat to cybersecurity (Schmitt & Flechais, 2024).
Famous Social Engineering Attacks
In this last chapter, we will look at two social engineering heists, both involving high-profile targets and the theft of large sums of money. The first is unique in its boldness and the notoriety of its victims, while the second is interesting because of the age of the suspects and because it happened only recently.
Phishing Google and Facebook out of $120 million
Between 2013 and 2015, 50-year-old Evaldas Rimasauskas from Latvia phished the tech giants Google and Facebook out of over 120 million US dollars. The criminal began the scheme by registering a fake company in his name called Quanta Computer. He named the firm after a Taiwanese computer manufacturer that had contracts with both Facebook and Google. Then, he sent fraudulent invoices, letters, and other documents to both companies, posing as the real Quanta Computer and impersonating many of its employees (Huddleston, 2019).
Accountants at both companies, for whom multi-million dollar transactions were reportedly routine, simply paid the invoices. In 2016, Google employees noticed the discrepancies and reported the fraud, which resulted in Rimasauskas being extradited to the US. For these crimes, he was sentenced to 5 years in prison (United States Attorney’s Office, 2019).
This case is an interesting example of whaling, as Rimasauskas specifically targeted these two successful firms. In this pretext, he also used authority by posing as a party that was owed money.
Teenagers Stealing $230M in Cryptocurrency
This high-profile case is very recent, having happened only in August 2024. 20-year-old Malone Lam from Miami and 21-year-old Jeandiel Serrano from Los Angeles targeted a man from Washington who they believed held a large amount of money invested in Bitcoin. This assumption was correct: his crypto wallets together contained over 4,100 Bitcoin, worth over 410 million dollars as of December 2024.
The young criminals started the attack by sending the man a notification, purportedly from Google, alerting him to unauthorized access from overseas. They then called the man posing as customer support and gained access to his Google Drive and to his account on the Gemini cryptocurrency trading platform (not to be confused with the Gemini LLM).
After gaining access, they had the man download a remote access program and promptly obtained the Bitcoin private keys. While one kept the victim busy, the other anonymously transferred the entire contents of the wallets (Mangan, 2024).
The following month, both men spent large portions of the money on cars, luxury mansions, expensive holidays, watches, and jewelry. However, they did not get to enjoy their loot for long. When Lam forgot to use a VPN to access one of the trading sites, the authorities quickly located him and arrested both suspects. Currently, both are awaiting trial (United States Attorney’s Office, 2024). Aside from pretexting and whaling, the criminals also used vishing in the customer support calls.
Bibliography
Alrwais, S., Yuan, K., Alowaisheq, E., Liao, X., Oprea, A., Wang, X., & Li, Z. (2016, December). Catching predators at watering holes: finding and understanding strategically compromised websites. In Proceedings of the 32nd Annual Conference on Computer Security Applications (pp. 153-166).
Bullée, J.-W. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. H. (2015). The persuasion and security awareness experiment: reducing the success of social engineering attacks. In Journal of Experimental Criminology (Vol. 11, Issue 1, pp. 97–115). Springer Science and Business Media LLC.
Butavicius, M., Parsons, K., Pattinson, M., & McCormac, A. (2016). Breaching the human firewall: Social engineering in phishing and spear-phishing emails. arXiv.
Caldwell, T. (2011). Ethical hackers: putting on the white hat. In Network Security (Vol. 2011, Issue 7, pp. 10–13). Mark Allen Group.
Caputo, D. D., Pfleeger, S. L., Freeman, J. D., & Johnson, M. E. (2013). Going spear phishing: Exploring embedded training and awareness. IEEE security & privacy, 12(1), 28-38.
Cambridge Dictionary. (n.d.). Social engineering. In dictionary.cambridge.org dictionary. Retrieved December 1, 2024, from https://dictionary.cambridge.org/dictionary/english/social-engineering
Cialdini, R. B. (2007). Influence: The psychology of persuasion. HarperCollins.
Gupta, S., Singhal, A., & Kapoor, A. (2016, April). A literature survey on social engineering attacks: Phishing attack. In 2016 international conference on computing, communication and automation (ICCCA) (pp. 537-540). IEEE.
Hadnagy, C. (2011). Social Engineering: The Art of Human Hacking. Wiley Publishing, Inc.
Huddleston, T. (2019, March 27). How this scammer used phishing emails to steal over $100 million from Google and Facebook. CNBC. https://www.cnbc.com/2019/03/27/phishing-email-scam-stole-100-million-from-facebook-and-google.html
Jurgens, J., & Dal Cin, P. (2024). Global Cybersecurity Outlook 2024. In World Economic Forum.
Krithika, N. (2017). A study on WHA (watering hole attack): the most dangerous threat to the organization. Int. J. Innov. Sci. Eng. Res. (IJISER), 4, 196-198.
Mangan, D. (2024, October 17). Historic bitcoin theft tied to Connecticut kidnapping, luxury cars, $500K bar bills. CNBC. https://www.cnbc.com/2024/10/17/cryptocurrency-theft-google-kidnapping-lamborghi-bar-.html
Mustafa, H., Xu, W., Sadeghi, A. R., & Schulz, S. (2014, June). You can call but you can’t hide: detecting caller id spoofing attacks. In 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (pp. 168-179). IEEE.
Pienta, D., Thatcher, J. B., & Johnston, A. (2020). Protecting a whale in a sea of phish. Journal of information technology, 35(3), 214-231.
Salahdine, F., & Kaabouch, N. (2019). Social engineering attacks: A survey. Future internet, 11(4), 89.
Schmitt, M., & Flechais, I. (2024). Digital deception: generative artificial intelligence in social engineering and phishing. In Artificial Intelligence Review (Vol. 57, Issue 12). Springer Science and Business Media LLC.
Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E., & Bailey, M. (2016, May). Users really do plug in USB drives they find. In 2016 IEEE Symposium on Security and Privacy (SP) (pp. 306-319). IEEE.
United States Attorney’s Office. (2019, December 19). Lithuanian Man Sentenced To 5 Years In Prison For Theft Of Over $120 Million In Fraudulent Business Email Compromise Scheme [Press release]. https://www.justice.gov/usao-sdny/pr/lithuanian-man-sentenced-5-years-prison-theft-over-120-million-fraudulent-business
United States Attorney’s Office. (2024, September 19). Indictment Charges Two in $230 Million Cryptocurrency Scam [Press release]. https://www.justice.gov/usao-dc/pr/indictment-charges-two-230-million-cryptocurrency-scam