Day 2/7 Human Behavior Manipulation
G’day
Did you know that hackers are master manipulators?
That’s right…
Hackers are some of the best social engineers in the world. I believe this makes hackers the ultimate salesperson. Hackers are the type of salesperson that gets you to buy without you even realizing you have purchased a product. Think of hackers like a puppet master controlling your actions, influencing you to share information that you didn’t even realize you’re sharing.
Hackers are continually selling you on taking small actions that result in your system, or worse your identity, being compromised.
Cybercriminals know how to exploit your trust. This is why so many cybercrimes go unreported: reporting the crime causes the victim a breach of trust and a loss of reputation. I have met people who have not reported crimes where they lost $175,000.00 because they didn’t want to lose respect in their community.
Every day I hear new stories from people who have been the victim of a cybercrime, big and small. Cybercrime impacts real people, not just companies. People fail to remember that these criminals exploit the person, and that can lead to devastating results.
Cybercriminals are equal-opportunity attackers.
You might think you are too small or don’t have anything of value. But your identity is of value to cybercriminals. Who trusts you, and whom do you give hackers access to when they impersonate you? This is the domino effect of cybercrime.
But what is Social Engineering?
Another name for social engineering is human hacking. Let me explain why:
Social engineering is the art of using deception to manipulate individuals into divulging confidential/personal information that may be used for fraudulent purposes.
Yeah, it’s just like using neuro-linguistic programming (NLP) in the sales process. That’s right; some salespeople think it’s ok to manipulate people into buying. But there is no difference between how salespeople manipulate you into buying and how hackers get you to tell them your password.
Good news… there are hundreds of thousands of hours of video training, audio training, and blog posts created for hackers by hackers to learn social engineering skills. Black Hat, White Hat, and Grey Hat hackers run events that thousands of people from around the world attend to master their skills. Cybercriminals invest the time to master their trade, just like you learn to do your job.
It’s a cybercriminal’s job to master the art of manipulating and exploiting humans to get what they want. It’s their full-time job, and their income is a direct result of their skills. Yet you only think about cybersecurity for maybe 1 hour a year. Cybercriminals think about improving their scams every hour of their working days.
What’s interesting is that many 3 letter agencies (like the FBI, DEA, CIA, etc.) learn from hackers, and hackers learn from them. It’s the circle of crime really. Have you ever seen the movie Catch Me If You Can? Check it out; that movie was based on events much like today’s scams, set in the 1950’s!
Welcome to the rabbit hole of learning something new! Once you discover the art of social engineering, you will become fascinated in new ways, like when a child sees a magic trick for the first time.
But what are some examples of how social engineering is used today?
Social Engineering Example: Using curiosity to compromise your network:
Leaving a USB drive in a hotel or office lobby… employees will plug it into their office computers to see what is on it, only to find that the USB drive contained malicious code. Hackers have created special USB devices for this purpose called “rubber duckies.” This device, when inserted into your computer, will run a piece of code (a “script”) that gives hackers access to your computer. It can also install a keylogger that records every keystroke you make.
This attack is so effective even today that many pentesters (penetration testers are people who are paid to discover weaknesses in your security systems) don’t like to use it because it works almost 90% of the time.
To increase the curiosity of the people who find the USB drives, they often will stick tape on them that says something like “employee bonuses” or “Selfies” or “home videos.” This is just one type of social engineering attack: using curiosity to get people to plug a USB drive into their computer.
There was one case when we deployed these USB devices at an office, and the device was plugged in 6 times in 35 minutes. The receptionist found the device and plugged it into her machine. When it didn’t work, she gave it to her friend in the next cubicle, who plugged it in. That person gave it to the person beside them. When that didn’t work, they gave the device to IT, who went on to plug the device into three different machines! This means the entire network was compromised, and IT didn’t even know the breach had occurred.
The lesson here is don’t plug in a USB drive that you find!
We have heard stories of how government offices have been compromised at tradeshows by vendors who are handing out those free USB drives.
The Power of a Phone Call: social engineering example 2
Calling the reception desk and asking basic questions about the computer system so hackers can penetrate the system. Simple pieces of information compound when gathered through simple questions like “who manages your IT?” or “which operating system are you using?”
You might not think this information is important. But hackers are master researchers and create profiles on their targets. This includes using data on social media or even organizational charts. This information is used to find vulnerabilities that can be exploited.
For example, if I know who your manager is, and I call when the manager is at lunch and say, “Jim was helping me, but the email he sent included the wrong attachments, can you resend it for me? I need it for this meeting I’m heading into, and if I can’t present it now, we will lose the contract.” Referencing the manager and creating time pressure creates a layer of trust and authority that employees don’t like to question, for fear of looking bad to their boss.
Did you catch that lesson?
Social engineers will leverage trust, authority and time pressure to get you to do what they want. The telephone is a social engineer’s best friend for manipulating people; they aren’t afraid of playing dumb to leverage ego. They know how to use tonality to create rapport and connection instantly. Here is a video that shows exactly how social engineers exploit you over the phone:
Yes, that’s a real example: just by loading a website they activated malicious code that compromised their system. Watch the video and educate yourself.
Another way this simple information can be used is by asking about your cleaning company or who waters the plants in your office. This allows attackers to impersonate these vendors, uniforms and all, in a physical location compromise. Or, worse yet, to impersonate these vendors’ invoices or emails to gain information access.
Simple pieces of data can result in fantastic access and trust exploitation.
Social engineering the cleaning lady to compromise your network:
This story is about how social engineering was used to convince a cleaning lady to plug a USB drive into the network to help the “IT guy” update the system because he was in a rush. The fake IT guy even gave the cleaner $50 for helping him not lose his job. The pretext was simple: the IT person still had to update computers at 4 other locations before midnight, was in a rush, and needed help because he had to get across town so he would not lose his job.
The cleaning lady was willing to help because she could relate to the stress and anxiety of not wanting to lose your job. She took the $50 and helped the IT guy by plugging the USB drive into the computers.
The moral of the story is that attackers got the cleaning staff to compromise the entire company’s network. How have you educated the vendors you use about your security protocols? Or have you assumed they know what they are doing?
Social engineering attacks don’t need to be large-scale attacks; they revolve around layering multiple small actions and exploiting trust: asking for a small favor today, and then building on that for the next phone call.
Who do you trust?
- You trust your boss and managers
- You trust your company
- You trust Caller ID (Makes it challenging when phone calls are spoofed)
- You trust emails
- You trust social media posts
- You trust statements by certain people in your social circle
- You trust people in a uniform
- You trust people who wear a safety vest
Think about why you trust these people. Is it how they communicate with you via email, telephone, SMS, social media? How can that trust be leveraged against your own will? What can you do to protect yourself from social engineering?
That’s a great question. It really starts with education and awareness of the types of scams that hackers use to compromise people. This awareness allows your people to be proactive against these threats.
If you don’t have a monthly cyber awareness training program, then you need to review the ChatFortress Cybersecurity training at https://chatfortress.com/cybersecurityawareness
We can provide you with cybersecurity awareness training videos of 4 minutes or less, delivered via email or direct to your cell phone, explaining real world attacks and how they impact you as a person.
There is a growing trend for social engineering scams to occur on every communication channel that you use. This includes social media, email, text message, phone calls, voice mail, WhatsApp, etc.
We see social engineering at the foundation of all email phishing campaigns (phishing emails are fraudulent emails): using the right email subject lines to get you to open the email or, worse, click the links. Remember that just by clicking on a link you can visit a malicious website that compromises your device.
Today’s Homework:
- Make a list of the 10 companies and people you trust communications from. For example: your friends, banks, PayPal, Amazon, doctors, employees/executives, etc
- What policies do you have in place about sharing information?
- How can you authenticate phone callers, inbound or outbound?
- How do you validate friend requests?
- How do you share information on social media?
- Which information do you share and are you aware of the photos you take that reveal location data or internal background data?
- What systems can you setup to educate your team to become aware of the types of attacks?
The goal of this homework task is for you to see how you trust people and the extent you trust certain communication channels.
Here is an idea…
One thing you might want to think about is implementing a vendor management system. This would allow you to create a cybersecurity risk report card on the vendors you use. If you want help with a cybersecurity report card, contact ChatFortress.
- How do you validate your vendors and keep informed about your vendors?
- Did you check their company registration?
- Ask for a W2?
- Did you do ID Validation?
- Did you get them to sign an NDA?
- Did you review their insurance policy?
- Did you ask to see their Standard Operating Procedures (SOP’s) for cybersecurity or data breaches?
- How do you monitor if they have been compromised?
Think about all the vendors and contractors you use in your business, and how this domino of trust is created and can be exploited.
Hackers understand that you already trust your vendors. Impersonating them to exploit you is a major cybercrime called invoice fraud, and it results in major reputation loss for any company.
P.S. Are your passwords already compromised and available to hackers?
When a data breach happens, your usernames and passwords are published on the dark web and available to hackers. ChatFortress has created a complimentary hacked dark web scan to alert you to your compromised accounts. Complete your hacked dark web scan today at https://chatfortress.com/hacked
Who is ChatFortress
ChatFortress is a leading cybersecurity company that is helping small and medium-size companies protect themselves from hacking attempts, using cybersecurity AI, gamified cybersecurity awareness programs and virtual security analysts. Our goal is to help you create a cybersecurity aware culture.
ChatFortress Email Guardian is the Ultimate Anti-phishing Program as it Detects and Mitigates Email Phishing Attacks in 3 seconds using A.I. Real-Time Inbox Scanning for Phishing Prevention!
Helping you verify the device and the person you’re sharing wire information with via our secure chat platform. When you need to validate the person you are sending information to, you need ChatFortress communication. To speak with a ChatFortress Agent call (307) 999-7755. If you want a demo you can Schedule a ChatFortress demo here.
Has your username, password or PII data been exposed to hackers on the darkweb?
Complete your FREE scan using our Hacked Scan Tool which scans over 11 Billion compromised data records and the darkweb to see if your data has been exposed to hackers. We will tell you exactly which third party services exposed your data and what you can do about it. Complete your free scan now it only takes 30 seconds!
Discover secrets to social engineering scams hackers use to steal your data and money with the 7 Day Cybersecurity Crash Course
The ChatFortress Free 7 Day Cybersecurity Crash Course will give you cybersecurity insider secrets on how to protect yourself from hackers. The 7 Day Crash Course is one email a day for 7 days and will cover password cracking skills, social engineering scams, how to detect phishing emails, how to protect yourself from attack and current threat trends. Sign up today to unlock these insider secrets.