Social Engineering Attacks and Prevention Methods: Secure Yourself!

By Felez (Expert member since 9 Jul 2013)


Social engineering is the practice of gaining access to a system by exploiting mistakes or weaknesses in human behaviour rather than flaws in the technology.

In other words, it is the art of human deception. Cybercriminals can attack electronic systems and networks directly, but they can also target the weakest link, the organisation's employees, and exploit their errors and vulnerabilities with social engineering techniques to gain unauthorised access to systems.

In a social engineering attack the target is not only your systems but also your identity and your private and business life. The attacker takes advantage of weaknesses in human behaviour and uses various persuasion and deception methods to obtain the information they want.

Social engineering is one of the oldest and most dangerous attack types in the history of the internet. Among the best-known social engineering stories, the name of the hacker Kevin Mitnick comes first. Mitnick, one of the most famous hackers in computer history, is remembered as a social engineering genius. The term, popularised by Mitnick, was first defined as the act of tricking people into doing things they would not otherwise do, or into giving away their confidential information.

People make mistakes, and they can make them at almost any moment. Attackers exploit these human errors through social engineering to gain access to systems and confidential information.

Mitnick, often credited with bringing social engineering to public attention, draws attention to these attacks in his books on the subject. In them he states that he got into roughly 80% of the systems he compromised through social engineering methods. Tsutomu Shimomura, the security expert who played a leading role in Mitnick's capture, also dwelt on social engineering methods when describing his pursuit of Mitnick. Mitnick was held in custody for more than four years before trial, without being granted a bail hearing.

Mitnick successfully infiltrated some of what were regarded as the most secure computer systems in the world. In many cases, instead of following a purely technical path, he gained access to telecom equipment through social engineering.

In 1978, while involved with amateur radio, Kevin met someone who went by the name Roscoe. Roscoe and his friend Susan worked as power plant operators during the day. Kevin, the most technically skilled member, kept the group going and used it to gain access to a great deal of information. His pattern was consistent: first collect information about the system he wanted to infiltrate, then obtain the confidential details through social engineering. He and his friends did not sell the data they obtained; they gathered the most detailed information they could purely in order to get into systems. In 1980 Mitnick broke into the computers of US Leasing, an electronic equipment leasing company. Introducing himself on the phone as a technician from Digital Equipment, he asked US Leasing for the usernames and passwords he supposedly needed to fix a fault in their system. When the employee who had unsuspectingly handed them over called Digital the next day, it was too late: there was no such person, and Digital had never placed the call.


In the summer of 1985 Kevin Mitnick resurfaced. The statute of limitations on his earlier warrant had run out, so he contacted his friend Lenny and went back to work. Lenny made the computers at his workplace available to Kevin. At this point they began probing the computers of the NSA (National Security Agency), the largest intelligence agency in the United States. Within about six months they held user accounts that gave them access to almost every minicomputer in the Los Angeles area. Meanwhile, under pressure from the NSA, Lenny was fired. In this and many similar intrusions, Mitnick relied on social engineering.

"When social engineering is combined with the cyber attack known as phishing, the success rate is very high."


Methods Used in Social Engineering Attacks
Many themes are used in social engineering attacks: fear, excitement, eagerly awaited news, disaster scenarios, gifts, raffles and so on.


People, especially employees of organisations with low cyber security awareness, are pushed into mistakes by triggering such feelings. The attacker then exploits that mistake to gain access to systems.
Within minutes of the 11 March 2011 tsunami in Japan, fake news sites hosting fake antivirus software were infecting the systems of users searching for the latest news.

Fear, in particular, is a powerful lever for attackers. When targeting victims they use panic-inducing language to provoke fear, a sense of threat and similar strong emotions so that you do what they want. Popular events, situations that affect the whole world, big matches, tournaments and special occasions such as Valentine's Day are frequently used as lures, often with great success. In this way attackers obtain sensitive data such as credit card details, personal data and passwords.

What are Social Engineering Processes and Methods?
The first stage of a social engineering attack is identifying the target and selecting the victim. The weakest link, that is, uninformed and careless users, is generally preferred. Information about the chosen users is then collected, and the second stage begins. Information gathering assembles the data that will be used in the later, most important stages of the attack. During this stage attackers do not judge the data by how insignificant or valuable it looks;

they try to collect almost every kind of data about the victim, especially from social networks. In the third stage, vulnerability screening comes into play, performed manually or, more commonly, with automated tools. The weaknesses found there support the next stage. The final stage is achieving the objective and removing any evidence that may have been left behind.

When we examine the social engineering attacks of recent years, we see that they make effective use of techniques that reach the organisation's personnel directly or directly affect its employees.

In general, many techniques are used in social engineering attacks: phishing, fake calls, reverse social engineering, dumpster diving (going through discarded documents and media) and information theft. They can be applied to a single targeted victim or, when the target is an institution, to all of its employees. Considering today's technology, social engineering types can be grouped under two headings according to how the interaction takes place.


Human-Based Social Engineering Techniques:
These involve direct communication or interaction with people, with the aim of obtaining the desired information directly. Typical forms are impersonating someone else, posing as a third party, and abusing help desks and support services.

Computer-Based Social Engineering Techniques:
Alongside direct interaction with people, computer-based techniques are used. Here phishing e-mails have become indispensable; phone fraud (vishing), fake websites, trojans and similar malicious code also fall into this category.

Many such approaches offer help, money, giveaways, gifts and similar attractive free items in exchange for information from the victim. In these attacks, which aim to exploit a person's weaknesses to reach sensitive information, the victim is persuaded of a scenario in which they stand to gain.
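The computer-based techniques above (phishing e-mail, fake sites, a spoofed sender) leave traces that can be checked mechanically before a person ever has to decide whether to trust a message. The following triage script is an added example written for this page, not code from the original post or its author. It flags the indicators described in the text: a sender domain imitating a trusted one, a Reply-To that diverts answers elsewhere, a link whose visible text differs from its real target, look-alike ("fake site") domains, and urgency language. The trusted domains, the cue words and both sample messages are constructed for the example.

```python
"""Phishing triage over a raw e-mail: an added example, not the original author's code.
Flags the indicators described in the post (sender imitating a trusted domain, Reply-To
diversion, link text that differs from the link target, look-alike domains, urgency
language). Trusted domains, cue words and both sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "mail.example.com"}  # assumed corporate domains
URGENCY_CUES = ("urgent", "immediately", "within 24 hours", "suspended",
                "verify your account", "final warning", "password expired")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
ANCHOR_RE = re.compile(r"<a\s[^>]*href=[\"']([^\"']+)[\"'][^>]*>(.*?)</a>", re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

def _registered_domain(host):
    return ".".join(host.lower().rstrip(".").split(".")[-2:])  # crude eTLD+1, no public suffix list offline

def _skeleton(name):
    """Collapse look-alike substitutions so examp1e.com and exarnple.com both become example.com."""
    s = name.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")):
        s = s.replace(bad, good)
    return s

def is_lookalike(host):
    """True when host imitates one of TRUSTED_DOMAINS without being one of them."""
    host = host.lower()
    if host in TRUSTED_DOMAINS or _registered_domain(host) in TRUSTED_DOMAINS:
        return False
    if "xn--" in host:  # punycode label: internationalised look-alike, treat as suspicious
        return True
    reg = _registered_domain(host)
    for trusted in {_registered_domain(t) for t in TRUSTED_DOMAINS}:
        if host.startswith(trusted + "."):  # trusted name abused as a subdomain: example.com.evil.net
            return True
        if _skeleton(reg) == _skeleton(trusted):  # examp1e.com, exarnple.com
            return True
    return False

def _body_text(msg):
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace") for p in parts)

def triage(raw_message):
    """Score one raw RFC 5322 message and list the indicators found."""
    msg = message_from_string(raw_message)
    indicators = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if from_domain and is_lookalike(from_domain):
        indicators.append(f"sender domain imitates a trusted domain: {from_domain}")
    if any(t in name.lower() for t in TRUSTED_DOMAINS) and _registered_domain(from_domain) not in TRUSTED_DOMAINS:
        indicators.append(f"display name claims a trusted domain but the address is {addr}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        indicators.append(f"Reply-To diverts answers to another domain: {reply_to}")
    body = _body_text(msg)
    shown_text = (msg.get("Subject", "") + "\n" + TAG_RE.sub(" ", body)).lower()
    cues = [c for c in URGENCY_CUES if c in shown_text]
    if cues:
        indicators.append("urgency/fear language: " + ", ".join(cues))
    for href, label in ANCHOR_RE.findall(body):  # visible URL vs real target
        shown = TAG_RE.sub("", label).strip()
        shown_host = urlparse(shown).hostname if URL_RE.fullmatch(shown) else None
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            indicators.append(f"link text shows {shown_host} but points to {real_host}")
    flagged = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host and host not in flagged and is_lookalike(host):
            flagged.add(host)
            indicators.append(f"link to look-alike domain: {host}")
    score = len(indicators)
    verdict = "phishing" if score >= 3 else "suspicious" if score else "clean"
    return {"score": score, "verdict": verdict, "indicators": indicators}

# Constructed sample messages, not real mail.
SAMPLE_PHISH = """\
From: "IT Support example.com" <helpdesk@examp1e.com>
Reply-To: recover@mailbox-reset.net
To: employee@example.com
Subject: URGENT: your mailbox will be suspended within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Verify your account immediately or it will be suspended.</p>
<p><a href="http://login.examp1e.com/reset">https://mail.example.com/owa</a></p>
</body></html>
"""
SAMPLE_LEGIT = """\
From: IT Support <helpdesk@example.com>
To: employee@example.com
Subject: Planned maintenance on Saturday
Content-Type: text/plain; charset=utf-8

Webmail at https://mail.example.com/owa will be unavailable 02:00-04:00 on Saturday.
"""
```

Calling `triage(SAMPLE_PHISH)` returns six indicators and the verdict "phishing"; `triage(SAMPLE_LEGIT)` returns none. The heuristics are deliberately simple: the registered-domain split ignores multi-label public suffixes such as `.co.uk`, and the skeleton table covers only the most common substitutions, so a production filter would add a public suffix list, an edit-distance check for typosquats and sender authentication results (SPF, DKIM, DMARC) from the receiving server. The point the example makes is that the mechanical signs of a phish are checkable, which frees the human to apply the scepticism the post recommends to what is left.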

Damages Caused by Social Engineering Attacks
Although a social engineering attack is often only the first step, opening a door into an organisation or onto an individual's computer, the resulting damage can be severe, both financial and reputational. Attacks around the world have caused millions of dollars of losses to many organisations, from global brands to national companies.

Once attackers gain access to corporate systems through social engineering, they can steal or copy data, demand a ransom, or publish personal data on the internet.

Social Engineering Attack Examples
When we consider the harm done to individuals, ransom and blackmail come to the fore, and credit card theft is common. Typically an account on Facebook or a similar network is taken over and the account holder's parents or close relatives receive a message along these lines:

"I lost my wallet, I'm at a gas station now, I don't have any money and my phone is about to die. Will you send me your credit card number? The man at the gas station will give me 100 TL so I can get home..."

With scenarios like this, a young person's account is hijacked and a great deal of information and money can be extracted from an unsuspecting mother or father.

In another example, a survey with a prize attached asks the victim to enter a password. The message the victim receives may request personal information or login passwords directly; alternatively, the attacker tries to win trust by promising to fix a problem the victim is currently having with a system, if the victim will just tell them the password.

In general, attackers seek to build trusting relationships with personnel whose access they can use to get into companies or institutions. They mostly work through social networks, approaching the victim with fake profiles. The aim is to build trust through relationships formed outside work, which can later be abused, or by appearing to share the employee's interests and likes.

Types of Damage Caused by Social Engineering Attacks
Obtaining Unauthorized Access:
Attackers obtain the information needed for access and use it to enter systems without authorisation.

Loss of Reputation and Trust:
When attackers take over systems, the organisation's reputation suffers both in general and in the eyes of the companies and people it serves.

Data Theft:
With captured passwords or access credentials, business processes can be disrupted, a ransom demanded, or data stolen and sold on the internet.

Service Interruption:
Compromised systems are often taken out of service by attackers, and companies may suffer large financial losses as a result.

Legal Sanctions:
Following a breach of customer or personal data, regulators may impose sanctions or fines on companies under GDPR, KVKK (Turkey's Personal Data Protection Law) or similar legislation.

Practical Measures to be Taken Against Social Engineering Attacks
Physical Security Measures:
Physical security is one of the most important elements of system security, especially in companies that process or use critical data. Protection against unauthorised physical access is the first line of defence, before the computer systems themselves. Companies must secure access to sensitive data and protect printed and other hard-copy documents with both human and physical controls.

Compliance with Security Policies:
Security policies should be clear, understandable and workable. Policies that are inaccessible or hard to follow create difficulties for employees, who then tend to work around them. At the same time, policies aligned with global standards are important for corporate and data security.

Trainings and Sanctions:
Information security awareness training measures the awareness level of employees and raises it against cyber attacks. Many organisations repeat awareness training at set intervals as part of ISO 27001. Defence against social engineering starts with raising the awareness of the organisation's employees.


Use of Firewalls and Antivirus:
A firewall and antivirus are essential both for controlling the corporate network and for protecting employees' computers. Bear in mind that these controls limit the malware and fake sites that a phishing message delivers; they do nothing against a persuasive phone call, which only process and awareness can stop.

Callback:
A callback must be enforced whenever sensitive information is requested. Especially when passwords or similar access details are involved, the callback method is the essential defence against fake calls: end the call and ring the person back on a number taken from the internal directory or another trusted source, never on a number the caller gives you.

Password Policy:
An organisation-wide password policy should be set, and everyone, including management, must comply with it.
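A password policy is only useful against social engineering if it rejects the passwords an attacker can guess from what they harvested in the information-gathering stage: names, usernames, employer, birth year, pets. The checker below is an added example written for this page, not the author's code or any product's implementation. The minimum length, the tiny common-password denylist, the letter-folding table and the sample user profile are all assumptions constructed for the example.

```python
"""Password-policy check against information an attacker harvests in the
information-gathering stage. Added example for this post, not the author's code;
the policy values, the fold table and the sample profile are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MIN_LENGTH = 12  # assumed policy value; NIST SP 800-63B favours length and denylists over composition rules
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}  # tiny constructed denylist

# Fold Turkish letters and common leet substitutions so "4y$e" and "Ayşe" both compare as "ayse".
FOLD = str.maketrans({"ş": "s", "Ş": "s", "ı": "i", "İ": "i", "ğ": "g", "Ğ": "g", "ü": "u", "Ü": "u",
                      "ö": "o", "Ö": "o", "ç": "c", "Ç": "c",
                      "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def _fold(text):
    return text.translate(FOLD).lower()

@dataclass
class Profile:
    """What an attacker could learn about the user from social networks or a phone call."""
    username: str
    full_name: str
    company: str
    birth_year: Optional[int] = None
    extra_terms: List[str] = field(default_factory=list)  # pets, city, favourite team, children...

def _personal_terms(profile):
    raw = [profile.username, *re.split(r"[._\-\s]+", profile.username), *profile.full_name.split(),
           profile.company, *profile.extra_terms]
    terms = {_fold(t) for t in raw if len(t) >= 3}
    return terms | {t[::-1] for t in terms}  # reversed spellings get guessed too

def check_password(password, profile):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    folded = _fold(password)
    for bad in sorted(COMMON_PASSWORDS):
        if _fold(bad) in folded:  # catches P4ssw0rd as well as password
            problems.append(f"contains common password '{bad}'")
    for term in sorted(_personal_terms(profile)):
        if term in folded:
            problems.append(f"contains personal term '{term}'")
    if profile.birth_year:
        year = str(profile.birth_year)
        if re.search(rf"(?<!\d)({year}|{year[-2:]})(?!\d)", password):  # 1988 or 88 as a digit group
            problems.append(f"contains birth year {year}")
    return problems

if __name__ == "__main__":
    user = Profile("ayse.yilmaz", "Ayşe Yılmaz", "Turkhackteam", 1988, ["Boncuk"])  # constructed profile
    for candidate in ("4y$e1988!", "B0ncuk-Turkh4ckteam-2024", "violet tram reads maps 0421"):
        print(candidate, "->", check_password(candidate, user) or "OK")
```

For the constructed profile, `4y$e1988!` is rejected for length, for containing the user's first name in leet spelling and for containing the birth year; `B0ncuk-Turkh4ckteam-2024` is long enough but is built from the pet's name and the employer, exactly the facts a fake-profile "friend" on a social network would collect; the unrelated passphrase passes. In practice the same profile data should come from the directory and HR system rather than be typed in by hand, and the denylist should be a real breached-password corpus.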

Be Skeptical:
Suspicion toward unusual situations, vague or open-ended questions and unexpected requests to share information, especially by e-mail and SMS, should be written into the organisation's security policy, together with the habit of double-checking through a second channel when in doubt.

Central Logging:
In addition to monitoring the internal network, employees' computers and guest access, logs must be kept centrally and in accordance with the law.

With these and similar security controls you must protect your systems and ensure the confidentiality of personal data. Remember that no system is one hundred percent secure, and the human factor plays a large part in that. The most important way to minimise the impact of social engineering attacks is to keep security policies up to date and to inform staff properly, that is, through awareness training.
