Social hacking is a technique that continues to succeed: cybercriminals have become experts in social dynamics, obtaining from people the information they need to carry out cyber attacks.
In recent years we have witnessed the growth of cyber attacks aimed at employees' PCs, certainly helped by the spread of remote working: from 2019 to 2021 attacks on personal PCs went from 45,000 to 85,000. Here the end user once again proves to be the real weak link, capable of nullifying thousands of euros invested in IT security and in the protection of corporate networks. The personal PC becomes the privileged gateway, skilfully exploited by cybercriminals who have become expert sociologists. With the social hacking technique they are able to carry out various types of attack by acquiring the necessary information directly from the legitimate user.
What is the technique called social hacking?
Social engineering is a technique that has been used for a long time, well before the advent of computers, to obtain information or to make someone perform a desired action. It is a true art of deception, which today has evolved to serve hacking. A social engineer can get what he wants in the simplest way: by asking for it. Recognizing the attack is difficult, because it can hide anywhere and exploits every weakness of the component that is already the weak link, the human being.
Thanks to the spread on the dark web of malicious code and of ready-made platforms that allow even inexperienced attackers to carry out successful cyber attacks, the social engineer does not need to be a skilled computer scientist. Much more often he is a skilled communicator, able to exploit the sensitivity and fragility of the victim. Obviously the first move is the choice of the victim, made very carefully on the basis of the goal to be achieved and of the victim's relationship with the real target.
The steps of a social hacking attack.
Despite its variety, an attack of this type can be traced back to defined and recurring phases.
1. The first step is to define the target. This is usually done on the basis of the information to be stolen.
2. Once the objective has been defined, the criminals search for a potential victim. The attacker tries to get to know the employees, often through social media, including the company's official accounts, identifying the most vulnerable people, such as a new hire or a senior employee.
3. A relationship is then established with the chosen victim, creating contact and shared-acquaintance situations aimed at building a sort of trust. Today it is quite common to find very sensitive information on social media, published by the victim or by close friends. It is therefore easy to pose as a friend of a friend, a representative of another company or any other figure capable of persuading the victim to hand over the desired information.
4. The last phase is obviously the escape: disappearing without a trace.
Those who use social engineering techniques are very good at recognizing and exploiting the psychological conditions that lower defenses: enthusiasm for a good result, fear of authority or gaps in one's own knowledge, for example. The principle of authority in particular is very widely used: the attacker may impersonate a manager who is away, an expert in the field or even a police officer.
Precisely because the preferred targets are private PCs, which are less protected, the attacker has better opportunities to install malware that gives him access to very personal information. That information is then used to build the climate of trust, or to identify the weak point to be exploited in the crucial phase of the attack.
Social engineering, real cases of attack.
According to experts, there are two main reasons why people click on a phishing email: the perceived legitimacy of the message, or its apparent provenance from a senior executive.