This article was first published as a part of the cover story in the February 2018 issue of Digit magazine.
For the uninitiated, social engineering is about exploiting the weakest link in the security chain – you. Social engineering attacks try to trick people into revealing crucial pieces of information, using a variety of means including fake websites, cold calls and spoofed emails. If you want a sense of just how powerful social engineering can be, look at the case of Kane Gamble, a 15-year-old who managed to break into the email accounts of the CIA and DNI chiefs.
Thanks to the ample number of data breaches last year, one can find out quite a bit about an individual just by googling their email address. At the same time, there are many more places to misplace your trust. For instance, Messenger bots are becoming commonplace, for everything from mental health counselling to ordering pizza. A near-identical bot could give you the same experience while also siphoning off your data, including payment details, based on the permissions you granted it, and it could be scripted to coax more information out of you through its responses.
A trust issue
A lot of us trust celebrities and famous people. If tomorrow you receive an email asking for donations to educate the girl child, and that email contains a video message from Malala Yousafzai explaining that the charity is authentic, you would probably not doubt it. Projects revealed in 2017 have shown the immense potential of AI as a tool for creating fake videos of known figures. There are ways to superimpose your expressions on a celebrity, ways to generate a video of the celebrity lip-syncing to specific dialogue, and even highly realistic doctored videos that use only the celebrity's face as a reference. It is relatively easy to create augmented reality masks that replace your face with that of a famous individual; in fact, Facebook and Snapchat themselves provide the tools that let users do so.
Expect to see social engineering-as-a-service, where people can avail themselves of all of the above methods from external agencies as and when required. Additionally, as governments around the world move to unified identification systems, often with poor security implementations, expect a lot more of your demographic data to end up online. This could be anything from your address to your contact numbers and more. Here, even though you are not directly revealing anything, your data will eventually be used for social engineering. Such techniques either rely on getting you to reveal something or use your personal information to break into your accounts directly.
The best way to counter social engineering is to think before you click. You could have a super-efficient antivirus in place, or you could be running a Mac, but if you are gullible enough to click that suspicious link, it won't matter whether you are on a PC or a Mac. Before clicking any link on a critical system, or entering any data on a suspicious page, check the sender's credentials, the site's security certificate and, above all, the actual domain the link points to, comparing it against the organisation's real domain found through a simple web search. Bear in mind that a valid certificate only proves you are connected to the domain shown in the address bar, not that the domain belongs to the organisation it imitates. In fact, if you are part of an organisation, it might be a good idea to carry out periodic authorised social engineering exercises internally just to keep people aware and alert.
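The domain check described above can be automated for the links in an email before anyone clicks them. The script below is an added example, not code from the Digit article: it parses the anchors out of a message, compares the domain the link text shows with the domain the href actually goes to, and flags non-HTTPS links and internationalised hostnames that could be homoglyph lookalikes. The sample email, the trusted-domain list and the lookalike hostnames are all constructed for the example; a production checker would also consult the Public Suffix List instead of the two-label approximation used here.

```python
"""Audit the links in a suspicious email before clicking any of them.

Added example, not code from the Digit article. Everything below
(trusted domains, sample message, lookalike hosts) is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the charity's real domain that the phishing email imitates.
TRUSTED_DOMAINS = {"example-charity.org"}

# Link text that looks like a URL or bare domain, e.g. "https://example.org/pay".
URL_LIKE = re.compile(
    r"^(?:https?://)?(?P<host>[a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I
)


def registrable_domain(host):
    """'donate.example-charity.org' -> 'example-charity.org'.

    Two-label approximation; real code should use the Public Suffix List
    so that names like 'bank.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return a list of problems with one link; an empty list means it looks fine."""
    problems = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    # Without TLS there is no certificate to check at all.
    if parts.scheme != "https":
        problems.append("not https (%s)" % (parts.scheme or "no scheme"))
    # Punycode (xn--) or raw non-ASCII labels are how homoglyph domains appear.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        problems.append("internationalised hostname (possible homoglyph)")
    # The registrable domain is what matters: 'example-charity.org.evil.net' is 'evil.net'.
    if registrable_domain(host) not in trusted:
        problems.append("host %r is not a trusted domain" % host)
    # Classic phish: the text shows one domain, the href goes to another.
    m = URL_LIKE.match(text)
    if m:
        shown_host = m.group("host").lower()
        if registrable_domain(shown_host) != registrable_domain(host):
            problems.append("link text shows %r but goes to %r" % (shown_host, host))
    return problems


def audit_email(html, trusted=TRUSTED_DOMAINS):
    """Map each href in the message to its list of problems."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text, trusted) for href, text in collector.links}


# Constructed sample: one genuine link, one text/href mismatch on a lookalike
# domain over plain HTTP, and one punycode lookalike.
SAMPLE_EMAIL = """
<p>Dear supporter, please help us educate the girl child.</p>
<p>Donate at <a href="https://donate.example-charity.org/give">donate.example-charity.org</a>
or via <a href="http://example-charity.org.secure-donate.net/pay">https://example-charity.org/pay</a>.</p>
<p><a href="https://xn--exampl-charity-xyz.org/">Watch the video message</a></p>
"""

if __name__ == "__main__":
    for href, problems in audit_email(SAMPLE_EMAIL).items():
        print(href, "->", problems or "looks fine")
```

The genuine link passes, the second link is flagged three times (plain HTTP, untrusted registrable domain, and text that shows the charity's domain while the href goes elsewhere), and the third is flagged as an internationalised lookalike. Note that none of these checks depend on the certificate: an attacker can obtain a valid certificate for a lookalike domain in minutes, which is why the domain comparison, not the padlock, is the check that matters.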