Social Engineering
Hacking Systems, Nations, and Societies
Michael Erbschloe

CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
2020 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an informa business
No claim to original U.S. Government works
Printed on acid-free paper
International Standard Book Number-13: 978-0-367-31337-1 (paperback)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis website at
http://www.taylorandfrancis.com
and the CRC Press website at
http://www.crcpress.com
Michael Erbschloe has worked for over 30 years performing analysis of the economics of information technology, public policy relating to technology, and utilizing technology in reengineering organization processes. He has authored several books on social and management issues of information technology, most of which cover some aspects of information or corporate security. He has also taught at several universities and developed technology-related curricula. His career has focused on several interrelated areas: technology strategy, analysis, and forecasting; teaching and curriculum development; writing books and articles; speaking at conferences and industry events; publishing and editing; and public policy analysis and program evaluation. He has authored books and articles addressing the use of the Internet and social media in social engineering efforts.
Social engineering is an incredibly effective process of attack, with more than 80% of cyber attacks, and over 70% of those from nation-states, being initiated and executed by exploiting humans rather than computer or network security flaws. Thus, to build secure cyber systems, it is not only necessary to protect the computers and networks that make up these systems but also to educate and train their human users about security procedures as well.
Attacks on humans are called social engineering because they manipulate or engineer users into performing desired actions or divulging sensitive information. The most general social engineering attacks simply attempt to get unsuspecting Internet users to click on malicious links. More focused attacks attempt to elicit sensitive information, such as passwords or private information, from organizations, or to steal things of value from particular individuals by earning unwarranted trust.
These attacks generally ask people to perform the desired behavior that the attacker wants to induce from the victim. To do this, they need the victim's trust, which is typically earned through interaction or co-opted via a copied or stolen identity. Depending on the level of sophistication, these attacks will go after individuals, organizations, or wide swathes of the population. Scammers often use familiar company names or pretend to be someone known to the victim. A 2018 real-world example exploited the name of Netflix when an email designed to steal personal information was sent to an unknown number of recipients. The email claimed the user's account was on hold because Netflix was having some trouble with their current billing information and invited the user to click on a link to update their payment method.
One reason social engineering attacks work is that it is difficult for users to verify each and every communication they receive. Moreover, verification requires a level of technical expertise that most users lack. To compound the problem, the number of users that have access to privileged information is often large, creating a commensurately large attack surface.
The act of convincing individuals to divulge sensitive information and using it for malicious endeavors is ages old. Social engineering attacks have occurred on the Internet since it came into existence. But before the growth of the Internet, criminals used the telephone, the postal service, or advertising to pose as a trusted agent to acquire information. Most people agree that the term phishing originated in the mid-1990s, when it was used to describe the acquisition of Internet service provider (ISP) account information. However, the term has evolved to encompass a variety of attacks that target personal or corporate information possessed by individuals, including by telephone, email, social media, in person observation, gaming platforms, theft of postal delivery letters or packages, and, an age-old favorite, dumpster diving or trash picking.
Regardless of the social network, users continue to be fooled online by persons claiming to be somebody else. Unlike the physical world, individuals can misrepresent everything about themselves when they communicate online, not only their names and business affiliations (something that is fairly easy to do in person as well), but also their gender, age, and location (identifiers that are far more difficult to fake in person). Years ago investigators called these types of people confidence men or con men.
Perhaps as a result of the high-tech times, con artists are now referred to as being engaged in social engineering. It should come as no surprise to learn that the Federal Bureau of Investigation (FBI) is investigating classic investment fraud schemes, such as Ponzi schemes, that are now being carried out in virtual worlds. Other con artists are able to conduct identity theft crimes by misidentifying themselves on social networking sites and then tricking their victims into giving them their account names and passwords as well as other personally identifiable information.
In addition to identity theft crimes, child predators routinely use social networking sites to locate and communicate with future victims and other pedophiles. In at least one publicized case from 2018, an individual attempted to extort nude photos of teenage girls after he gained control of their email and social networking accounts. That particular FBI investigation led to an 18-year federal sentence for the offender, reflecting that these crimes are serious and will not be tolerated.