What exactly is social engineering?
Social engineering, in a cyber-security context, refers to the manipulation of people by attackers into giving up confidential information, or into performing actions that compromise their computer systems.
It is a form of cyber-attack that is often used to gain an initial foothold in an organisation. Social engineering is highly effective because it exploits human weaknesses which, unlike software vulnerabilities, cannot simply be pinpointed and patched.
Phishing is the best-known social engineering technique. Phishing scams are conducted over the Internet and typically involve spoofed emails and cloned websites that mimic the original.
Like the scenario mentioned at the start of this article, one of Singapore’s largest banks was also the target of such a phishing scam in 2014. The bank detected a phishing website built to resemble its own; at first glance, the two were impossible to tell apart.
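The two tricks described above, a spoofed sender and a cloned site on a look-alike domain, leave traces that a mail gateway can check mechanically. The following is an added example, not code from the original article or from the bank or investigators it describes: it parses a constructed sample phishing email, flags a look-alike From domain, mismatched Reply-To and Return-Path domains, and links whose hostnames impersonate a legitimate domain. The domain `examplebank.com.sg` and the sample message are assumptions made for the example; a real deployment would load the organisation's own domain list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the impersonated organisation really owns. Hypothetical placeholder;
# a deployment would load the organisation's own list.
LEGIT_DOMAINS = {"examplebank.com.sg"}

# Substitutions commonly used to build look-alike hostnames; undone before comparing.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample message (not a real phishing email): look-alike sender
# domain, mismatched Reply-To / Return-Path, and two look-alike links.
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examp1ebank.com.sg>
Reply-To: verify@mail-secure-login.net
Return-Path: <bounce@mail-secure-login.net>
Subject: Your account has been suspended
Content-Type: text/plain

Dear customer, confirm your details at
https://www.examp1ebank.com.sg/ib/login or
https://examplebank.com.sg.account-verify.net/login
"""


def strip_www(host):
    host = host.lower().strip(".")
    return host[4:] if host.startswith("www.") else host


def normalise(host):
    """Undo look-alike substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    host = strip_www(host)
    for bad, good in HOMOGLYPHS:
        host = host.replace(bad, good)
    return host.replace("-", "")


def levenshtein(a, b):
    """Edit distance, used to catch typosquats that the homoglyph table misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host):
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    raw = strip_www(host)
    for legit in LEGIT_DOMAINS:
        if raw == legit or raw.endswith("." + legit):
            return "legitimate"
    norm = normalise(host)
    for legit in LEGIT_DOMAINS:
        legit_norm = normalise(legit)
        # Covers homoglyph swaps, the real domain buried inside a longer host
        # (examplebank.com.sg.evil.net) and one- or two-character typosquats.
        if legit_norm in norm or levenshtein(norm, legit_norm) <= 2:
            return "lookalike"
    return "unrelated"


def header_domain(msg, name):
    return parseaddr(msg.get(name, ""))[1].rpartition("@")[2].lower()


def analyse_email(raw):
    """Flag sender-domain tricks and look-alike links in one RFC 822 message."""
    msg = message_from_string(raw)
    from_domain = header_domain(msg, "From")
    findings = []
    if classify_domain(from_domain) == "lookalike":
        findings.append(f"From domain {from_domain} is a look-alike of a legitimate domain")
    for name in ("Reply-To", "Return-Path"):
        other = header_domain(msg, name)
        if other and other != from_domain:
            findings.append(f"{name} domain {other} differs from From domain {from_domain}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = {}
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        links[url] = classify_domain(host)
        if links[url] == "lookalike":
            findings.append(f"Link to look-alike domain {host}")
    return {"from_domain": from_domain, "findings": findings, "links": links,
            "phishing": bool(findings)}


if __name__ == "__main__":
    for line in analyse_email(SAMPLE_EMAIL)["findings"]:
        print(line)
```

The edit-distance threshold of 2 is tuned for domain names of this length; for short legitimate domains it will produce false positives and should be lowered, and the homoglyph table is deliberately small (Unicode confusables such as Cyrillic letters need a separate mapping). A Reply-To that differs from From is also common in legitimate mail, so that finding is a signal to weigh, not a verdict on its own.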
In 2011, a renowned security company that makes two-factor authentication devices fell victim to phishing emails. The attacker sent employees emails carrying a malicious attachment named “2011 Recruitment plan.xls”. The attachment contained a zero-day exploit, that is, one that takes advantage of a software vulnerability which has not yet been disclosed publicly and for which no security fix or patch is available, and this allowed the attackers to break into the company.
In Singapore, KPMG has investigated several cases in which phishing emails were the root cause of data breaches at companies. Victims include multinationals, law firms and banks. The malicious payloads of these phishing emails were obfuscated and consistently bypassed traditional signature-based anti-virus scanning.
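The two cases above share a pattern: a lure attachment with a trusted-looking name, and a payload that a byte-for-byte signature does not recognise. The following triage routine is an added example, not code from the original article, KPMG or the company described; it checks an attachment's claimed extension against its real container format, flags double extensions and executable content, and shows why a hash blocklist misses a variant that differs by a single byte while the structural checks still fire. The file names, byte samples and blocklist are constructed for the example.

```python
import hashlib

# Magic bytes for the container formats an "Excel attachment" may really be.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .xls/.doc (Compound File)
    b"PK\x03\x04": "zip",                          # .xlsx/.docx are zip containers
    b"MZ": "pe",                                   # Windows executable
    b"%PDF": "pdf",
}
# Container format(s) each document extension is allowed to have.
EXPECTED = {".xls": {"ole2"}, ".doc": {"ole2"}, ".xlsx": {"zip"},
            ".docx": {"zip"}, ".pdf": {"pdf"}}

# Constructed samples (not real files): a minimal OLE2 header standing in for a
# genuine workbook, an executable renamed to look like the 2011-style
# spreadsheet lure, and a one-byte variant of it that a hash no longer matches.
GENUINE_XLS = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
DISGUISED_EXE = b"MZ\x90\x00" + b"\x00" * 60
VARIANT_EXE = DISGUISED_EXE + b"\x00"
# A hypothetical "known bad" list as a signature-based scanner would use it.
BLOCKLIST = frozenset({hashlib.sha256(DISGUISED_EXE).hexdigest()})


def sniff(data):
    """Identify the container format from its leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename, data, hash_blocklist=frozenset()):
    """Structural checks plus a hash lookup; returns the findings for one attachment."""
    name = filename.lower()
    parts = name.rsplit(".", 2)
    ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    findings = []
    # "report.xls.exe": a document extension hidden in front of the real one.
    if len(parts) == 3 and "." + parts[-2] in EXPECTED:
        findings.append("double extension hides the real file type")
    # Extension says spreadsheet, bytes say something else.
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"extension {ext} claims {'/'.join(EXPECTED[ext])} but content is {kind}")
    if kind == "pe":
        findings.append("content is a Windows executable")
    digest = hashlib.sha256(data).hexdigest()
    return {"type": kind, "hash_hit": digest in hash_blocklist, "findings": findings}


if __name__ == "__main__":
    for fname, blob in (("2011 Recruitment plan.xls", DISGUISED_EXE),
                        ("2011 Recruitment plan.xls", VARIANT_EXE),
                        ("Q3 budget.xls", GENUINE_XLS)):
        print(fname, triage(fname, blob, BLOCKLIST))
```

The caveat a practitioner should keep in mind: a well-formed OLE2 workbook that carries an exploit, as the 2011 attachment did, passes every check here, because the checks only catch mislabelled content and stale hash lists. That is the gap the article's observation about signature-based anti-virus points to, and it is why attachments of this kind also need detonation in a sandbox or a policy that strips active content before delivery.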
Social engineering may also be performed in person, for example by tailgating an employee through a restricted doorway without a valid pass. One famous example is the story of Kevin Mitnick[1], who masqueraded as a Pacific Bell (AT&T) employee, entered the telecommunication company’s premises, and obtained sensitive information in the process.
However, physical social engineering techniques are high-risk manoeuvres. With the proliferation of high-definition security cameras and video analytics, physical social engineering can easily expose the attacker and is therefore rarely practised.
A relatively ‘safer’ approach is vishing, social engineering conducted over the phone. It is considered safer for the attacker because of the low risk of being traced, identified and caught. Recent cases in Singapore include the high-profile “DHL scam calls”, in which social engineers masqueraded as DHL staff and overseas customs officers to extort money from unsuspecting victims. The Straits Times[2] reported that over SG$12 million was lost to the scam.
A similar social engineering campaign took place in 2016. Social engineers spoofed their phone’s caller ID so that calls appeared to come from the Singapore Police Force’s “999” number. Leveraging this false authority, the scammers went on to obtain personal and banking information from victims. Putting up a false pretence in this way is a social engineering technique known as pretexting.