{"id":3386,"date":"2013-12-20T14:30:55","date_gmt":"2013-12-20T19:30:55","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=3386"},"modified":"2020-02-27T03:38:31","modified_gmt":"2020-02-26T16:38:31","slug":"social-engineering-hacking-the-human-os","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/social-engineering-hacking-the-human-os\/3386\/","title":{"rendered":"Social Engineering, Hacking The Human OS"},"content":{"rendered":"<p>Social engineering, sometimes called the science and art of human hacking, has become increasingly common in recent years given the exponential growth of social networks, email and other forms of electronic communication. In the information security field, the term refers to an array of techniques that criminals use to obtain sensitive information or to convince targets to perform actions that compromise their own systems.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2013\/12\/06045015\/socialengineer.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-3381\" alt=\"socialengineer\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2013\/12\/06045015\/socialengineer.jpeg\" width=\"640\" height=\"480\"><\/a><\/p>\n<p>With so many <a href=\"https:\/\/www.kaspersky.com\/free-trials\/multi-device-security-download?redef=1&amp;reseller=blog_en-global\" target=\"_blank\" rel=\"noopener nofollow\">security products<\/a> available today, it\u2019s the end user who holds the power. Whether the target is a set of login credentials (username and password), a credit card number or a bank account, most of the time the weakest link in the chain is not technological but human. When psychological manipulation is in play, it\u2019s extremely important to know what kinds of tricks are being used and how to defend against them.<\/p>\n<p>Social engineering is not new. 
It has been around since the beginning of time. Looking at well-known practitioners such as Kevin Mitnick and Frank Abagnale, both now renowned security consultants, we can see that the transformation from criminal to white hat guru is possible. Frank Abagnale, for example, was one of the most famous con artists, creating multiple identities, forging checks and tricking people into disclosing the information he needed to carry on his scams. If you have seen the movie <a href=\"https:\/\/www.youtube.com\/watch?v=71rDQ7z4eFg\" target=\"_blank\" rel=\"noopener nofollow\">\u201cCatch Me If You Can\u201d<\/a> you\u2019ll get a picture of what a social engineer is capable of when he has a clear objective. Just remember, a social engineer does not necessarily rely on technical or computer scams to get your information. You need to be wary of everyday situations that should seem suspicious. For example, your password might be revealed in a phone call. It seems unwise to tell your password to anyone. However, the perspective changes when you receive a call early on a Sunday morning from your company\u2019s \u201ctech support\u201d asking you to come into the office so that some minor technical updates can be performed on your computer. Rather than come in, you will tell your password to the \u201cnetwork administrator\u201d, and you\u2019ll even say \u201cthank you\u201d! Or maybe you\u2019re too cautious for that, but many of your colleagues are not.<\/p>\n<div class=\"pullquote\">\u201cA company can spend hundreds of thousands of dollars on firewalls, encryption and other security technologies, but if an attacker can call one trusted person within the company and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.\u201d \u2013 Kevin Mitnick<\/div>\n<p>Most cyber criminals wouldn\u2019t spend much time on complex technological hacks when they know it\u2019s much easier to use social engineering for their purposes. 
Moreover, there are even websites containing valuable information for learning about these types of techniques and why they are so successful when used to trick people. One of them is <a href=\"http:\/\/www.social-engineer.org\/\" target=\"_blank\" rel=\"noopener nofollow\">SocialEngineer.org<\/a>, which provides a framework for learning the theory behind why each type of attack works, along with many real world examples that support the definitions and concepts mentioned above.<\/p>\n<p>We use spoken language daily to influence each other without even being aware of it. Language has some weaknesses when viewed from a social engineer\u2019s point of view, since it\u2019s linked to our subjective experience. NLP or <a href=\"http:\/\/www.social-engineer.org\/framework\/Psychological_Principles:_Neuro-Linguistic_Programming_(NLP)\" target=\"_blank\" rel=\"noopener nofollow\">neuro-linguistic programming<\/a>, although developed for therapeutic purposes, is often described as an evolved form of hypnosis and is used by many social engineers as a tool to influence and manipulate their victims into taking the actions needed for a successful attack. This can include giving up a password, disclosing confidential information, disabling a security measure or pretty much anything in between that serves as a stepping-stone to further develop an intrusion.<\/p>\n<p>Although the link between psychology and hacking may seem far-fetched, the reality is that online attacks are based on the same principles as their offline counterparts. Reciprocation (if I do you a favor you will quite likely do one for me), social proof (you trust the judgment of the majority), authority (trusting a police officer, a doctor, a technical support guy, etc.) and many more are universal ways to build rapport with someone and appeal to our basic human needs. 
A social engineer knows which buttons to push to get the desired response from us by creating a context (framing) that makes an invented story believable. <a href=\"https:\/\/www.youtube.com\/watch?v=vk-IrvrC2fo\" target=\"_blank\" rel=\"noopener nofollow\">Bypassing our rational thought process<\/a> is not difficult for highly skilled individuals, and it only takes a fraction of a second to give them the advantage they need to get what they want.<\/p>\n<p>Nevertheless, in this article we will focus mainly on the various techniques used by online criminals to obtain information illegally and profit from their victims. As previously mentioned, the principles used in online scams are the same as those found in real life. But because the Internet is such a massive medium for distributing information, a phishing email, for example, can be sent to millions of recipients in a short time, making this type of attack a numbers game. Even if only a small number of the intended targets believe the ruse, it will still reap a huge benefit for the criminal group or individual behind it.<\/p>\n<div class=\"pullquote\">\u201cWhat I did in my youth is hundreds of times easier today. Technology breeds crime.\u201d \u2013 Frank William Abagnale<\/div>\n<p>Today, one of the most common methods used to obtain confidential information is known as <a href=\"https:\/\/www.kaspersky.com.au\/blog\/kis-shines-in-independent-anti-phishing-testing\/\" target=\"_blank\" rel=\"noopener\">Phishing<\/a> (a play on \u201cfishing\u201d, sometimes expanded as \u201cpassword harvesting fishing\u201d). Phishing can be characterized as a type of computer fraud that leverages social engineering principles with the aim of obtaining private information from the victim. 
The cybercriminal usually relies on email, instant messaging or SMS to deliver the phishing message, which persuades the victim either to reveal information directly or to perform an action (entering credentials on a fake website, clicking on a malware download link, etc.) that, without the victim realizing it, allows the attacker to carry on with their plan.<\/p>\n<p>We have seen an evolution in malware that goes hand in hand with social engineering. In the old days, a computer virus would often be quite obvious to the user, displaying fancy message boxes, icons, images and pretty much anything that would give the author credit for their creation. Today, it\u2019s not uncommon to find malware that gains access to the victim\u2019s system via social engineering tricks and stays hidden until it needs to execute its malicious payload. A never-ending cat and mouse game is played between criminals and security companies, making education one of the fundamental defense mechanisms for every user.<\/p>\n<p>Many interesting malware samples can be found that rely on social engineering to deliver their attack to the victim. 
Among the most popular are fake Flash Player updates, <a href=\"http:\/\/www.securelist.com\/en\/blog\/208214122\/Brazilian_bankers_gone_wild_now_using_malicious_Office_files\" target=\"_blank\" rel=\"noopener nofollow\">executable files embedded in Word documents<\/a>, low quality copies of legitimate browsers such as Internet Explorer and many more.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2013\/12\/06045006\/flash-update.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-3391\" alt=\"flash-update\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2013\/12\/06045006\/flash-update.png\" width=\"1682\" height=\"860\"><\/a><\/p>\n<p align=\"center\">A malware distributing website that uses a fake Flash Player update to trick users into installing the software.<\/p>\n<p>Most of the example attacks listed are targeted at Latin American audiences, mainly because these types of technological threats are not well known or understood in the region. Additionally, most of the computer systems in the region are running outdated software, which gives cyber criminals a great business opportunity. It wasn\u2019t until recently that some online banking security measures were strengthened, but there are still many loopholes that can enable a successful social engineering attack in South America.<\/p>\n<p>Other attacks are popular in the region even if they don\u2019t fully fall into the computer fraud category. A scam known as \u201c<a href=\"http:\/\/www.businessinsider.com\/virtual-kidnapping-collected-500000-2013-11\" target=\"_blank\" rel=\"noopener nofollow\">virtual kidnapping<\/a>\u201d uses social engineering telemarketing tactics, claiming that a victim\u2019s family member has been kidnapped and that a ransom must be paid without delay to guarantee their safety and freedom. 
By exploiting the victim\u2019s sense of urgency and fear, the attacker gets their demands met before the victim even checks whether anyone was kidnapped to begin with. In Latin America, where these types of crimes are common, criminals have been making huge profits from schemes like this, which <a href=\"http:\/\/www.nytimes.com\/2008\/04\/29\/world\/americas\/29mexico.html?_r=1&amp;\" target=\"_blank\" rel=\"noopener nofollow\">exploit characteristic traits of human behavior<\/a>.<\/p>\n<div class=\"pullquote\">\u201cThe police can\u2019t protect consumers. People need to be more aware and educated about identity theft. You need to be a little bit wiser, a little bit smarter and there\u2019s nothing wrong with being skeptical. We live in a time when if you make it easy for someone to steal from you, someone will.\u201d \u2013 Frank William Abagnale<\/div>\n<p>In addition, it\u2019s important to keep in mind that whatever information you post publicly online (Facebook, Twitter, Foursquare, etc.) might give criminals the clues they need to connect the dots about where you are and who you really are. A targeted (spear-phishing) attack is less common than mass phishing, but if you give away valuable information without a second thought you could be making the lives of cyber-criminals easier. Even an <a href=\"http:\/\/www.cbsnews.com\/8301-205_162-57600158\/\" target=\"_blank\" rel=\"noopener nofollow\">Amazon wish list could be the gateway to an epic social engineering hack<\/a>.<\/p>\n<p>As mentioned earlier, having a complete security suite installed is essential nowadays if you do any kind of online activity (and most likely you do). Moreover, keeping up to date with the latest threats and social engineering tricks might give you the edge you need to avoid becoming a victim of these types of attacks (online or offline). 
Remember that all the technological gadgets and defense mechanisms mean next to nothing if you don\u2019t know how to use them and aren\u2019t aware of what the bad guys are currently up to. Crime evolves, so should you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Social engineering, sometimes called the science and art of human hacking, has become quite popular in recent years given the exponential growth of social networks, email and other forms of<\/p>\n","protected":false},"author":313,"featured_media":3388,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[82,513],"class_list":{"0":"post-3386","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-hacking","9":"tag-social-engineering"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/social-engineering-hacking-the-human-os\/3386\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/social-engineering-hacking-the-human-os\/2763\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/social-engineering-hacking-the-human-os\/2654\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/social-engineering-hacking-the-human-os\/2965\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/social-engineering-hacking-the-human-os\/2802\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/social-engineering-hacking-the-human-os\/3386\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/social-engineering-hacking-the-human-os\/2269\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/social-engineering-hacking-the-human-os\/3386\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/hacking\/","name":"hacking"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-jso
n\/wp\/v2\/posts\/3386","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/313"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=3386"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/3386\/revisions"}],"predecessor-version":[{"id":26181,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/3386\/revisions\/26181"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/3388"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=3386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=3386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=3386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}