Understanding Social Engineering
Each month in Lavasoft News, we bring you updates on the latest specific threats to your online security, so you can be aware of them, and how to stay safe. At the heart of many of these malicious ploys is one underlying concept: social engineering. Deceptive social engineering tactics are interwoven throughout the Web, as you shop, bank, and socialize online. Keep reading to learn how to recognize these attacks and avoid them.
What is Social Engineering?
You may have heard the phrase 'social engineering' before, but what exactly is it? Social engineering is when a scammer - rather than using technical hacking techniques - manipulates, tricks or deceives people into performing certain actions or divulging personal information.
Social engineers take advantage of human behavior to pull off their scams — with the aimed end result of infecting a user with malware, and stealing personal information or money.
Social engineering attacks are becoming more complex and increasingly prevalent, according to security experts. "The nature of malware infections has changed during the past years. A long time ago, malware and viruses were spread in much less sophisticated ways. Now, malware authors constantly invent new intellectual ways to manipulate people and compromise their machines," says Andrew Browne, malware analyst at Lavasoft Malware Labs.
And these types of attacks are on the rise. "Lavasoft Malware Labs has seen a major increase in obfuscated downloads which make use of social engineering tricks. The target has moved from the actual computer to full focus on users," Browne says.
What Methods Do Attackers Use?
Social engineering attacks aimed at home computer users often take advantage of basic human emotions to manipulate and persuade people to fall for their ploys — including curiosity, fear, and empathy. Let's take a look at some common methods of exploitation based on these emotions:
- Curiosity. Exploiting a person's curiosity might involve sending an e-mail that purportedly contains a link to watch a video about the latest sensational news story. The link, however, will lead to a malicious site aimed at installing malware or stealing private information.
- Fear. One tactic cyber thieves use to instill fear and persuade a person to act in a certain way is by sending phishing e-mails, supposedly from a victim's bank. Using the claim that his or her account has been breached, the message will push the user to click a certain link to validate the account. Again, the link will lead to a malicious site aimed at compromising the person's computer, or stealing sensitive information.
- Empathy. To take advantage of a person's empathetic feelings towards others, hackers have been known to impersonate victims' friends on networking sites, claiming to urgently need money. In another prime example, recent social engineering scams have also been seen in the wake of the earthquake and tsunami in Japan, with scammers attempting to profit from the tragedy.
While the above tactics are common ploys, it's important to keep in mind that there are many other methods used by scammers; we can expect almost limitless variations on tried and true attacks that have been found to be successful in the past.
All of these tactics, however, involve an interactive choice by the computer users — meaning that, armed with the right knowledge, you can effectively choose to not be the victim.
What Can You Do To Avoid Becoming A Victim?
Protecting your PC with trusted security software is an effective first step to help keep you safe from social engineering attacks. But, you also need to be aware of social engineering tactics, and employ a healthy dose of skepticism when online.
"The most important thing for users to do is to use common sense while surfing the web," Browne says.
For more information, the United States Computer Emergency Readiness Team (US-CERT) has compiled additional helpful guidelines to avoid being a victim in its Cyber Security Tip on social engineering attacks.