This is a continuation of the social engineering principles post. Part 1 is available here.
Urgency is One of the Social Engineering Principles
Some attacks use urgency as a technique to encourage people to take action now.
As an example, the CryptoLocker ransomware virus uses the scarcity principle with a countdown timer. Victims have 72 hours before they’ll lose all their data, and each time they look at their computer, they’ll see the timer counting down.
Using urgency is most effective with ransomware, phishing, vishing, whaling, and hoaxes.
For example, phishing emails with malicious links might indicate that there are a limited number of products at a certain price, so the user should “Click Now.” Executives might be tricked into thinking a subpoena requires immediate action. Many virus hoaxes have a deadline such as at 4:00 p.m. when the hoax claims the virus will cause the damage.
Many of the reasons that social engineers are effective are because they use psychology-based techniques to overcome users’ objectives. Scarcity and urgency are two techniques that encourage immediate action.
Familiarity/Liking is One of the Social Engineering Principles
If you like someone, you are more likely to do what the person asks. This is why so many big companies hire well-liked celebrities. And, it’s also why they fire them when those celebrities become embroiled in a scandal that affects their credibility.
Some social engineers attempt to build rapport with the victim to build a relationship before launching the attack.
This principle is most effective with shoulder surfing and tailgating attacks:
- Shoulder surfing. People are more likely to accept someone looking over their shoulder when they are familiar with the other person, or they like them. In contrast, if people don’t know or don’t like someone, they are more likely to recognize a shoulder surfing attack and stop it immediately.
- Tailgating. People are much more likely to allow someone to tailgate behind them if they know the person or like the person. Some social engineers use a simple, disarming smile to get the other person to like them.
Trust is One of the Social Engineering Principles
In addition to familiarity/liking, some social engineers attempt to build a trusting relationship between them and the victim. This often takes a little time, but the reward for the criminal can be worth it.
Vishing attacks often use this method.
As an example, someone identifying himself as a security expert once called me.
He said he was working for some company with “Secure” in its name, and they noticed that my computer was sending out errors. He stressed a couple of times that they deploy and support Windows systems. The company name and their experience was an attempt to start building trust.
He then guided me through the process of opening Event Viewer and viewing some errors on my system. He asked me to describe what I saw and eventually said, “Oh my God!” with the voice of a well-seasoned actor. He explained that this indicated my computer was seriously infected.
In reality, the errors were trivial.
After seriously explaining how much trouble I was in with my computer, he then added a smile to his voice and said,
“But this is your lucky day. I’m going to help you.”
He offered to guide me through the process of fixing my computer before the malware damaged it permanently.
All of this was to build trust. At this point, he went in for the kill.
He had me open up the Run window and type in a web site address and asked me to click OK. This is where I stopped. I didn’t click OK. I tried to get him to answer some questions but he was evasive.
Eventually, I heard a click. My “lucky day” experience with this social engineering criminal was over.
The link probably would have taken me to a malicious web site ready with a drive-by download. Possibly the attacker was going to guide me through the process of installing rogueware on my system. If my system objected with an error, I’m betting he would have been ready with a soothing voice saying,
“That’s normal. Just click OK. Trust me.”
He spent a lot of time with me. I suspect that they’ve been quite successful with this ruse with many other people.
This is a continuation of the social engineering principles post. Part 1 is available here and includes a practice test question.
