Jake Moore, ESET Security Specialist, talks you through how the internet has changed scamming and how social engineering plays a major role.
Being conned out of cash is unfortunately not a new concept. Scam artists have been tricking people out of their hard-earned cash for centuries, but it’s only within the last 10 years or so that we have seen this shift to the internet. Not only is this crime still happening, but the speed, convenience and anonymity of the internet have made it stronger.
Scams that use the internet, known as cyber-enabled crime, use the same method as before - the art of manipulation. Social engineering is another key aspect: it is a powerful tool for manipulating people that combines cyber-crime and psychology.
"Cyber-psychology is the study of the human mind and its behaviour in the context of human interaction and communication of both man and machine, further expanding its bounds with the culture of computers and virtual reality that take place on the Internet" - Wikipedia
When it comes to conning someone on the internet, it can be frightfully simple. Techniques such as creating a duplicate site that looks genuine can lower the guard of a victim who then intentionally types in sensitive information, such as card details or a password.
More targeted scams such as ‘spear-phishing’ require personal information to target victims without suspicion. Using information found on the internet, scammers are able to act as a friend or a familiar entity and send a convincing but fraudulent message to their target, manipulating their way in.
Real-world hustlers have proved to be excellent psychologists. They have identified these patterns and principles before anyone else. These behavioural patterns are not just ideal opportunities for scams and criminal activity, but also pose a security weakness of “the human element”. This highlights a potential risk for any system, especially for businesses.
MAGIC
Distraction is at the heart of many fraud scenarios and is a fundamental ingredient of most magic performances. There is a theory among conjurors that the idea of being “one ahead” is the cornerstone of magic and that everything else is merely a variation of it.
Street cons are referred to as 'misdirection', but in fact, a better term could possibly be ‘distraction.’ The audience will always follow the thing that is offering the most interest - just like in magic. If their focus wanders, then the illusion is lost. This is exactly how distraction scams work and these can be delivered using the internet with ease.
Even very private and suspicious people will let their guard down without thinking sometimes… Just think... if a TV production company researcher emailed you and said: "Hi! We love what you are doing and we need someone like you to be part of a documentary we are making for ITV, are you interested?"
Boom! Your guard is down whilst you think about what you will wear on national telly. The next minute, you're downloading a "declaration form" which turns out to be ransomware extorting your company for a couple of Bitcoin!
SOCIALLY ENGINEERED
In the past, I have been asked to see if I could hack into an email address (ethically of course) at a local Digital Innovation Show on stage in Bournemouth.
I thought it would be fun to start engineering my target's passwords by trying my luck on his personal information such as his daughter’s name and football team (which, by the look on his face, I am sure was the football team!).
I didn't have too much time to play with alternatives such as ".1" at the end of them so I headed over to his "security questions" by 'forgetting his password' which included the name of his first school and the make and model of his first car. As you can imagine, these weren't too difficult to find. In fact, I came out and asked the guy six weeks prior what his first car was knowing that I would need it on stage.
Back at the show, within minutes of entering these answers, I was given access to change his password to something brand new which would give me full control.
I didn't fill in this entry as that would be committing a computer misuse act but being offered this opportunity in front of him made him worry. A lot.
The psychology behind a cyber-attack reverts back to simplicities. Reduce the suspicion and a hacker will be in before you have had a chance to make your morning coffee. Social engineering proves this in multiple ways on YouTube and you will be shocked at how easy it is.