Cyber-criminals are playing the same old tricks using new channels
“Robbery at the biyebari!” These were words that immediately attracted me to an ongoing discussion among my relatives.
A biyebari, roughly translated, is the household where the future bride or groom lives and/or where all wedding preparations take place. Biyebaris have evolved over my lifetime, but the key components remain -- lots of laughter, fun, innovation, brainstorming, loudness and chaos.
I soon realized the “robbery” was actually an attempted burglary (the dramatic headline was the 90s equivalent of clickbait) at a bride’s house where the festivities had been taking place for days at a stretch.
Someone became suspicious of a couple of people, one of whom pretended to be a videographer sent from the groom’s side. When confronted and cornered (meaning literally tied up and placed in a corner to be interrogated by the bride’s clan), they confessed to being part of a team of burglars in the information-gathering phase of their project.
This was one of my first accounts of a social engineering attack happening to people I knew. After the customary judgmental comments (eg “what did the host expect after all their extravagances?”), I came to learn that household helpers were not involved (so not a malicious insider job) and that the culprits carried only a camera (no weapons or sedatives).
They relied on speaking to trusting individuals, gathering enough information to sound credible in the next conversation, and observing (and recording) people’s actions.
Today, some decades later, social engineering is increasingly common in cyberattacks. Insider collusion and fancy hacking tools may be important mechanisms, but social engineering is an extremely powerful method for facilitating the crimes.
I used to describe social engineering as the act of conning someone into giving you information you shouldn’t have. However, the broader definition by Bernz -- “the art and science of getting people to comply with your wishes” -- covers it all nicely.
When the infamous Bangladesh Bank cyberattack took place in February 2016, I remember being curious about the hacking technology -- the clever malware used to carry out the attack and remove evidence, and the vulnerabilities within the network (eg inadequate firewall protection and old network switches) that helped it propagate.
But how did the malware get into the network in the first place? According to Reuters, some sources indicate that a trusting employee may have clicked on a link in a targeted email from the hackers. If that happened, then what took place before that?
How did the hackers shortlist whom to target? Did they gather information about employees from social media? Could they also have linked these people to their IP addresses using vulnerabilities in the browser? In the absence of concrete information, I can only speculate, much like what was happening during the biyebari discussion above.
Despite being an old trick, social engineering attacks continue to be successful. This is because they rely on a number of positive human traits -- trust, the ability to socialize, and being forthcoming with information. If we stopped being receptive to social engineering in general, then no one would be kind enough to let a pregnant woman or an elderly person get ahead in a queue.
While we undoubtedly become more cautious with time, the basic traits of social humans remain the launch-pad, now coupled with new channels of attack from ever-evolving technology.
What can we do to combat the use of social engineering for crime? My fellow cybersecurity expert Dr Dalia Khader and I are often asked this question. Here are our top three points.
Kill the shame
Shame faced by victims becomes a hurdle to prompt detection and remediation of the situation. For example, if an employee did click on a link that helped the malware get into the Bangladesh Bank network, or if a family member of the bride truly believed that the videographer was trustworthy, would they own up?
Probably not, because whether or not they faced dismissal, they would invariably be taunted for their “foolishness” forever. Refer to the judgmental comments on the biyebari hosts above for an idea. We need to remember that positive human traits are what these attacks exploit; a recluse with limited words and no friends is the worst target for hackers!
It is imperative to foster the culture where one can comfortably come forward with information without fear of persecution or shame, and instead use the occurrence as an opportunity for education.
Speaking of education, we have to increase awareness to a level where there is no excuse for deliberate ignorance. Organizations must invest in social engineering training to educate employees on recent trends, using simulations of real-world attacks rather than boring presentations.
On the personal front, we should know about the tracking cookies and web beacons that are sophisticated enough to profile our interests extremely well. And no, there is no miracle vaccine that diminishes diabetes without a healthy lifestyle -- I say almost apologetically to my family elders, who are common targets of online behavioural advertising in social media.
Knowing what is happening in the background can hopefully provide a level of scepticism before one falls for the bait.
No rest for the wicked
Timing is key to all criminals. The burglars at the biyebari were planning to strike on a day when the family would be away attending a ceremony, so that the elapsed time before detection would be the longest.
The Bangladesh Bank cyberattack took place on a Thursday, taking full advantage of the Friday holiday in Bangladesh the day after, followed by the weekend in the US! In addition to a good response process and team, an organization needs to ensure that the team is available and equipped 24/7.
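To make the timing point concrete, here is an added illustration (example code written for this page, not part of the original column and not related to any tool used in the actual incident). It computes how many hours an event would sit unnoticed under a business-hours coverage model versus 24/7 coverage. The coverage calendars, the sample events and the extra holiday are constructed for the example; the only real-world fact used is that 4 February 2016 was a Thursday and that the Bangladesh weekend falls on Friday and Saturday.

```python
# Exposure-window calculator: how much quiet time does an event get before
# anyone is on duty to notice it? Compares business-hours and 24/7 coverage.
# All calendars, events and holidays below are constructed for illustration.
from datetime import date, datetime, timedelta

# A coverage model lists the weekdays on which the response team is staffed
# (Mon=0 ... Sun=6), the staffed hours on those days, and extra holidays.
BUSINESS_HOURS = {
    "staffed_weekdays": {6, 0, 1, 2, 3},  # Sun-Thu; Bangladesh weekend is Fri-Sat
    "start_hour": 9,
    "end_hour": 17,
    "holidays": set(),
}
ALWAYS_ON = {
    "staffed_weekdays": set(range(7)),
    "start_hour": 0,
    "end_hour": 24,
    "holidays": set(),
}
# Same business-hours model with a constructed extra holiday on the Sunday,
# to show how a single day off stretches the window further.
WITH_HOLIDAY = dict(BUSINESS_HOURS, holidays={date(2016, 2, 7)})

# Constructed sample events, as naive local-time datetimes.
SAMPLE_EVENTS = {
    "payment instruction, Thu 20:30": datetime(2016, 2, 4, 20, 30),
    "config change, Thu 16:45": datetime(2016, 2, 4, 16, 45),
    "admin login, Mon 11:00": datetime(2016, 2, 8, 11, 0),
}


def is_staffed(t: datetime, cov: dict) -> bool:
    """True if someone is on duty at local time t under coverage model cov."""
    if t.date() in cov["holidays"] or t.weekday() not in cov["staffed_weekdays"]:
        return False
    return cov["start_hour"] <= t.hour < cov["end_hour"]


def hours_until_staffed(event: datetime, cov: dict, horizon_days: int = 14) -> float:
    """Hours from the event until the next moment the team is on duty.

    Returns 0.0 if the event landed inside a staffed window. Otherwise scans
    forward in one-hour steps from the top of the next hour, and returns inf
    if no staffed hour exists within the horizon (a misconfigured calendar).
    """
    if is_staffed(event, cov):
        return 0.0
    step = timedelta(hours=1)
    t = event.replace(minute=0, second=0, microsecond=0) + step
    while t - event <= timedelta(days=horizon_days):
        if is_staffed(t, cov):
            return (t - event).total_seconds() / 3600
        t += step
    return float("inf")


def exposure_report(events: dict, cov: dict, threshold_hours: float = 12.0) -> dict:
    """Map each event label to (exposure hours, flagged?) under coverage cov."""
    report = {}
    for label, ts in events.items():
        hours = hours_until_staffed(ts, cov)
        report[label] = (hours, hours >= threshold_hours)
    return report


if __name__ == "__main__":
    for name, cov in (("business hours", BUSINESS_HOURS),
                      ("business hours + holiday", WITH_HOLIDAY),
                      ("24/7", ALWAYS_ON)):
        print(f"--- coverage: {name}")
        for label, (hours, flagged) in exposure_report(SAMPLE_EVENTS, cov).items():
            mark = "FLAG" if flagged else "ok"
            print(f"{mark:4} {hours:6.1f} h  {label}")
```

Under the business-hours model the Thursday-evening payment instruction goes unseen for 60.5 hours (84.5 with the extra holiday), while under 24/7 coverage every event has a zero-hour window; a threshold on this number is a simple way to decide which transactions deserve out-of-hours review.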
Social engineering attacks continue to be the same old trick using new channels. Many go undetected and unresolved for long periods of time, unlike the case of the biyebari where all ended well. The hosts were relieved and the guests got their share of good food and gossip.
Husna Siddiqi, CIPP/E, has been an Information Protection Management Consultant in the UK since 2006, prior to which she was a software engineer (UK and Bangladesh) and a university lecturer in Bangladesh.