2020, the year of the pandemic, was also the year with the highest rate of cyber attacks worldwide, an increase of 12% compared to 2019. According to the Clusit 2021 Report on cybersecurity, the figure reaches 66% when compared to 2017, causing damage of varying amounts and affecting mainly government and military bodies, law enforcement agencies and secret services. The overwhelming majority of attacks, however, were classified as "Multiple Targets", meaning that several targets were hit in parallel.
The picture that the Clusit Report gives us is certainly not the most comforting, and it suggests the need to invest more in solid security systems and to acquire greater awareness of online risks. For large organisations, such as companies, governments and institutions, it is imperative to have solid security infrastructures to reduce the chance of becoming a target of cybercriminals. Private individuals, on the other hand, have only one weapon left: information. Knowing the modus operandi of some of the most common cyber attacks is in fact a fundamental step towards preventing them.
Cyber attacks can be of various kinds and often leverage an aspect frequently underestimated by users: human weaknesses.
What is meant by social engineering?
One of the many possible definitions is the one provided by Kaspersky, a major software company specialising in IT security:
Social engineering is a manipulation technique that uses human error to obtain private information […] Social engineering scams are based on the way people think and act, they are functional to the manipulation of user behavior.
According to this definition, social engineering is a form of manipulation, which presupposes in-depth knowledge of the person being manipulated and of the reasons behind their actions. In fact, users generally follow precise patterns of behaviour, dictated by emotions that do not always lead to the most rational (and therefore safest) choice possible.
Social engineering is not a concept unique to the IT sector, even if it finds one of its most significant expressions in the context of cybersecurity. Cybercrime, in fact, has its roots precisely in the logic of social engineering and draws its sustenance from the weaknesses of users.
At the basis of our society is the concept of trust
We live our lives one act of trust at a time. We trust others because it is often precisely on others that we have to rely: our doctor, our therapist, our mechanic, our lawyer. Or we simply trust, because this is our natural inclination, and so we trust our partner, our friends, often even strangers. However, we are used to making a quick check of the situation in front of us before definitively lowering our defences. If you were waiting for a package to arrive and the post office contacted you to tell you that it was being held at a shipping centre, would you trust it?
On a first analysis of the situation, there would be no reason to doubt the truthfulness of the information provided to us. This is because we are dealing with an accredited interlocutor, the Post Office. Our experience suggests that we can trust that our package has got stuck; therefore, at this point, there is an urgent need to resolve the situation as soon as possible.
When fear sets in, so does shame
Being afraid of missing out on an important purchase could lead the user to rush into a solution. Let's assume that a first route to one is already inside the warning message: "please follow the instructions here: [hyperlink]". Instinct, driven by trust in the sender of the message, suggests clicking on the link indicated to unlock the stalled package.
There is nothing strange in this sequence of logical actions, and those who perpetrate criminal acts based on social engineering know it well, which is why the example just given refers to a scam actually in circulation, one that has spread in particular in the last year. By clicking on the link you are generally sent to a form to be filled in to start the package release procedure. By following the instructions you end up handing your data not to the post office, nor to any official and reliable courier, but to the operators of a scam called smishing (a type of phishing based on communication via SMS).
The purpose of the deception lies in the appropriation of the victim's virtual identity, which is presumably used for malicious purposes that can in some way guarantee an economic advantage to the cybercriminals responsible for the scam. According to a report published in the last year by Comparitech, it is possible to buy stolen identity packages (including very sensitive personal data, such as the telephone number) on the dark web for only eight dollars. Credit card data, on the other hand, is sold at prices ranging between eleven cents and $980.
The economic purpose is even more evident in cases of sexual blackmail: users report receiving e-mails from anonymous senders who threaten to disclose explicit material that would involve the victim. The only way to prevent it from spreading would be to pay a certain amount to the sender of the e-mail, strictly in cryptocurrencies. Often this material does not even exist, but the reference to it is a way to exploit another entirely human facet: the sense of shame that inevitably generates fear. In a regulated society like ours, in which every behaviour not accepted by the community is met with a moral and discriminatory sanction, it is not difficult to imagine that a threat of this type could be enough to convince the victim to pay the requested sum.
The need to feel accepted and to perceive oneself as successful
A short time ago we talked about how central a role Instagram plays in the dynamics of acceptance among young people: social networks in general are increasingly crucial to the perception we have of others and of ourselves. The desire to appear successful and to be accepted by our peers can lead us to resort to shortcuts with dangerous consequences. It is no coincidence that many users choose to download unofficial applications on their smartphones that promise to increase the number of followers of their social profile in exchange for data or, trivially, for money. More often than not, the price you pay includes both.
Instagram is predictably the most involved platform. Followers attract followers; this is the principle behind it. Although Zuckerberg's social network has been trying for some time to counter the spread of these unofficial extensions, the phenomenon is still very widespread, with consequences that should not be underestimated. Research conducted by ESET revealed the existence of 13 applications on the Play Store whose aim was to steal the login credentials of Instagram accounts. Users who entered their username and password to allow the applications to increase their following ended up delivering them to remote servers instead.
How to defend against social engineering?
Fortunately there are good practices that help reduce the chance of becoming the victim of a social engineering attack; we recall the main ones:
- never hand over sensitive data to unofficial or dubious sites / applications;
- pay attention to grammatical, spelling and punctuation errors: when present, they can be an indication that a site is not trustworthy;
- do not follow links to unclear or suspicious destinations, and apply the same caution to downloads.
It is also very useful to make sure that the site to which you are handing over your data uses the https protocol, and to activate two-factor authentication for all accounts.
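The link checks in the list above can be turned into a small triage routine that a reader can run over a suspicious SMS before tapping anything. The following is an added example, not code from the original article: it extracts the links from a message, then flags the red flags the article names (no https, a host that is not the carrier's official domain) plus two closely related ones (a raw IP address instead of a domain, and punycode labels that can hide lookalike names). The `OFFICIAL_DOMAINS` set and the sample SMS are constructed for illustration; the domain `example-post.com` is an assumed placeholder, not a real carrier.

```python
"""Heuristic triage of links found in a text message (defender's aid).

Added example, not from the original article. OFFICIAL_DOMAINS is an assumed
placeholder list; replace it with the domains you actually know to be genuine.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Assumed for this example: the domains the reader knows to be the carrier's own.
OFFICIAL_DOMAINS = {"example-post.com"}

# Matches http(s)://... or bare www.... links up to the next whitespace/quote.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) or www. link found in the message text."""
    return URL_RE.findall(text)


def check_link(url, official_domains=OFFICIAL_DOMAINS):
    """Return a list of warning strings for one link; an empty list means no red flag."""
    if url.lower().startswith("www."):
        url = "http://" + url  # bare www. link carries no scheme: treat as plain http
    parsed = urlparse(url)
    warnings = []
    host = (parsed.hostname or "").lower()

    # Article's first check: the site should be served over https.
    if parsed.scheme != "https":
        warnings.append("not https")
    if not host:
        warnings.append("no hostname")
        return warnings
    # user:pass@host tricks make the visible part of the URL look legitimate.
    if parsed.username or parsed.password:
        warnings.append("credentials embedded in url")
    # A literal IP address is never how an official service links to itself.
    try:
        ipaddress.ip_address(host)
        warnings.append("raw ip address instead of a domain name")
    except ValueError:
        pass
    # Punycode labels (xn--) can render as lookalikes of familiar names.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (possible lookalike) hostname")
    # Article's second check: the host must BE an official domain or a
    # subdomain of one; "example-post.com.something.invalid" does not qualify.
    if not any(host == d or host.endswith("." + d) for d in official_domains):
        warnings.append("host %s is not an official domain" % host)
    return warnings


def triage_message(text, official_domains=OFFICIAL_DOMAINS):
    """Map each link in the message to its list of warnings."""
    return {u: check_link(u, official_domains) for u in extract_urls(text)}


# Constructed sample SMS, modelled on the "parcel held" pattern described above.
SAMPLE_SMS = ("Your parcel is held at the shipping center. Please follow the "
              "instructions here: http://example-post.com.release-fee.invalid/track")

if __name__ == "__main__":
    for link, flags in triage_message(SAMPLE_SMS).items():
        print(link, "->", flags or "no red flags")
```

The official-domain test deliberately compares whole labels (`host == d` or `host.endswith("." + d)`) rather than searching for the brand name as a substring: a host that merely starts with the familiar name, as in the sample, is exactly the trick the article's scam relies on, and a substring match would let it through.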
Not just weaknesses: the importance of sharing
Social engineering and cybercrime generally draw on knowledge of human behaviour: our behavioural traits, some intrinsic and some shaped by the society in which we live, are a window through which online crime often manages to enter, but they can also be used as a weapon of defence. Whoever wounds through humanity, perishes through humanity.
The concept of sharing has become more and more pervasive within our society, thanks also to the technological evolution still under way. Just think of the rapid spread of the sharing economy, of the very concept on which online social networking platforms are based, and of the logic of information exchange that constitutes the foundation of open source. Contribution takes on a widely recognised value; sharing becomes more important than ownership. The internet today is the maximum expression of this.
Countering cybercrime and not getting trapped in the complex networks of social engineering is something that passes through the sharing and consultation of information, which is why complaints and reports play a key role. If we know about the "parcel stuck in the shipping centre" scam, it is thanks to the circulation of information, probably originating from the victims and fed by the media that picked up the news. Although this may appear to be a trivial principle, the widespread narrative that the internet is a "no man's land", a grey area in which crimes can be perpetrated with impunity, hinders the sharing of experiences, which is invaluable for achieving truly collective awareness.
Distrust of the authorities competent in matters of cybercrime leads to neglect of the indirect benefit of complaints and reports: the production of knowledge. In fact, even if tracing the perpetrators of cybercrimes is not always possible, sharing experiences generates knowledge and therefore opens the door to processes of evolution and defence that it would be a real shame to underestimate.
Article by Ivana Lupo