When we hear the term “computer hacking” we often think of someone sitting behind a computer and writing a bunch of code to gain remote access to systems. While there are plenty of hackers who write computer viruses and malware, there are many more who have a very limited knowledge of coding, but a strong understanding of how to manipulate people into giving them private information. This information can be used to gain remote access without ever having to write a single line of code. These people are known as social engineers and they are an ever-growing problem for IT teams and end-users alike.
According to KnowBe4, a company that specializes in user security testing, only about 3% of malware tries to exploit an exclusively technical flaw. The other 97% focus on targeting users through social engineering.
The two most popular types of attacks used by social engineers are phishing and spoofing. I could go on and talk about phishing and spoofing for paragraphs, so instead I’ve decided I’ll write a completely separate blog article to cover that in the future. For now, I want to talk about how these social engineers make the perfect spies.
Social engineers are experts at reconnaissance, the act of information gathering and investigation. They may have knowledge about you that you wouldn’t expect a malicious source to have. Social engineers use this knowledge as leverage and will often pose as a company or individual you’re comfortable working with. They might even be able to find answers to your security questions for a banking website without ever needing to speak with you.
So how do social engineers get this information about you? One major way is via social media websites such as Twitter, LinkedIn, Facebook and Instagram. A social engineer can scour through your social media pages to find answers to common security questions such as “In what city did you and your spouse meet?”, “What is your favorite pet’s name?”, and “What is your favorite sports team?”. It’s not uncommon to share stories on social media about these types of things, and most people never see how they could be used in a malicious manner. Social media can often be a treasure trove of information for these predators.
Not only can social engineers use this information to answer your security questions, they may even be able to use it to simply guess your password. How many of you have had a password at some point in your life that contained your child’s name? What about your pet’s name or your favorite band? I know I have. Hackers and social engineers can use tools to scrape your social media pages, pulling all of the words that you commonly use. They can then load these words into a password cracking dictionary, and the password cracking tool will add numbers and symbols to the words to try to find your password. Password crackers can cycle through millions of passwords in a second, so it’s better not to give them any extra help in guessing yours.
It’s also important to note that even if your social media accounts are set to private, your data may not be completely secured from the rest of the world. It’s no secret that Facebook is known for its recent data breaches. CBS published an article in April 2019 which states that more than 540 million records about Facebook users were publicly exposed on Amazon’s cloud computing service. It was two third-party Facebook app developers that had posted the records in plain sight. In December of 2019, TechRadar published an article covering how security researchers found that as many as 267 million Facebook users may have had their contact details left open to hackers.
So what can you do to protect yourself against social engineers?
First, use strong passwords and try not to use words that everyone would expect from you (e.g. children’s names, spouse’s name, pet’s name, etc.). The numbers in passwords are often assumed to be birthdays, so it’s best not to use your birthday or your child’s birthday in your password. Make sure that your security questions for things such as banking websites are questions that really only you would know the answer to, and not something that a person can guess about you. Be sure that when you are speaking to someone on the phone about private topics, you are actually speaking to who you think you are. (Companies like Microsoft will never call you about your computer, nor will the IRS call you and threaten to arrest you.) Social engineers are masters of investigation, and the best way to combat them is to never share private information with someone you do not know and to be careful about the types of things you share online.
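The advice above can be turned into a check that runs before a password is accepted: reject anything built from facts a social engineer could harvest (names, teams, bands) or from birthday digits, even when letters have been swapped for look-alike digits and symbols. This is an added example written for this article, not code from the post; the profile names and dates are constructed placeholders.

```python
import re
from datetime import date

# Constructed sample profile: facts of the kind that show up in public posts
# (hypothetical child, pet, team, band and birthdays; not real people).
PROFILE = {
    "names": ["Emma", "Max", "Liverpool", "Coldplay"],
    "birthdays": [date(1985, 3, 14), date(2012, 7, 9)],
}

# Undo the common letter-for-digit/symbol swaps: 4->a 3->e 0->o 1->l $->s @->a !->i
LEET = str.maketrans("4301$@!", "aeolsai")


def normalize(pw: str) -> str:
    """Lowercase the password and reverse look-alike substitutions."""
    return pw.lower().translate(LEET)


def date_fragments(d: date) -> set[str]:
    """Digit strings people typically derive from a birthday (4+ digits only,
    so a lone two-digit year does not cause false positives)."""
    yyyy = f"{d.year:04d}"
    yy, mm, dd = f"{d.year % 100:02d}", f"{d.month:02d}", f"{d.day:02d}"
    return {yyyy, mm + dd, dd + mm, mm + dd + yy, dd + mm + yy,
            mm + dd + yyyy, dd + mm + yyyy}


def personal_info_findings(pw: str, profile: dict) -> list[str]:
    """Reasons the password reuses harvestable personal facts; empty list = pass."""
    norm = normalize(pw)
    digits = re.sub(r"\D", "", pw)  # digits exactly as typed
    findings = []
    for name in profile["names"]:
        n = name.lower()
        if len(n) >= 3 and n in norm:
            findings.append(f"contains personal name '{name}'")
    for bd in profile["birthdays"]:
        for frag in date_fragments(bd):
            if frag in digits:
                findings.append(f"contains birthday digits '{frag}' ({bd.isoformat()})")
                break
    return findings


def is_acceptable(pw: str, profile: dict) -> bool:
    """True when no personal-fact pattern was found."""
    return not personal_info_findings(pw, profile)
```

Run `personal_info_findings("Emma2012!", PROFILE)` to see both the name and the child's birth year flagged, while an unrelated passphrase passes.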