Govind Rammurthy
Why online scammers play on your emotions and mostly succeed in defrauding you.
We have read and heard about Social Engineering Attacks, an art of manipulating in order to convince people to reveal their confidential information. Hackers and scammers indulge in such acts to wince-out information from unsuspecting users. However, have we ever thought on how they are able to achieve such a high success rate?
We all are aware of the fact that human can never be devoid of emotions. It is the driving force behind all our inventions and innovations that sometimes also leads to our very downfall. Social Engineering is not a technology like any other kind of cyber crime technique, but is an art of exploiting human tendency to trust using psychological methods. The methods used for this art include involvement of some or the other form of emotional pressure in order to obtain what is wanted by making victims do things which they would not ordinarily do.
Hence, while contemplating on the methods being used by hackers, we felt it was necessary to coin a new word – emotioneering -- an art of exploiting basic human emotions.
It was not very difficult to summarise the list of mental states which are actively being targeted by cyber criminals. These mental states are sometimes referred to as 'sins' by some and 'vices' or 'bad habits' by others. They could be greed, lust, anger, fear, etc. No matter, whichever words are used to describe these mental states, their core meaning has never been lost in translation.
In this world, instincts play an important role. One such basic instinct which rules over the mind and matter is 'curiosity'. Whether animals, or humans, all are subjected to curiosity in some form or the other. Curiosity is overwhelming in certain scenarios, especially when it is coupled with one of the vices.
A researcher or a scientist is curious and hence to satisfy his hunger for knowledge, he investigates to get into the deep roots of the cause or a particular subject. However, in order to safeguard themselves from accidents, they take necessary precautions. Though, in case of computing environment, not everyone will necessarily follow the recommended methods. Many IT users might be even unaware of the perceived threats that would be lurking in the internet.
At one end, there are cyber criminals who aim to obtain confidential information that will allow them to gain unauthorised access. While on the other end stands humans, who are born curious and would never miss on the opportunity that would satisfy their urge to delve into the unknown and mysterious. Hence sometimes, this human nature becomes the root cause for the downfall of all the security measures that have been deployed. Once the fraudsters get hold of the desired information, they can use it for unauthorised access to information or systems, to commit frauds such as identity theft, industrial espionage, and other criminal activities or can also be used to simply disrupt normal business processes.
Cyber criminals exploit humans very easily with their in-depth art of deception that targets nothing but the basic human vices or instincts which make up a human being. All they do is first try to analyse a person's behaviour by observing his/ her actions. Later, they tactfully try to alter their feelings by changing what they say and do accordingly, and gradually make the victim want to give them the information they need. Though, we as humans can try to control our emotions / vices / instincts; however, there is no replacement for curiosity.
Fraudster can play with victim's curiosity in many ways. For example in case of Facebook, many users must have come across the app which says, 'See who viewed your profile'. Any Facebook user may be curious to know how many people have viewed his/ her profile. Rather in most cases, users would even want to know who viewed the profile page specifically.
The fact is that the social networking site does not provide any such feature. However, there are some third-party applications that claim to facilitate Facebook users to view how many people have viewed their profile. To take benefit of this facility, Facebook users must allow the app to access their profile information along with friend's list. Many apps also encourage Facebook users to enter more detailed information. All such apps violate the terms of service of social networking site and hence, it encourages the users to report about it.
One of the most popular social networking sites, Twitter too has users who out of curiosity fall prey of cyber crime. Many a times Twitter users receive a direct message from someone they follow that says something like "Hello somebody is saying horrible things about you..." or "There is a rumour/blog going around about you [LINK] might want to read it." or "lol...OMG I'm laughing so hard at this picture of me someone found..." and in each such case, these mails are accompanied with a malicious URL that is just waiting to be clicked on.
There may be various versions of such links being circulated. Out of curiosity, once you click on it to know what it is all about, all your followers will be spammed with the same message and the nightmare continues.
There are two things which need to be understood. First, Twitter allows you to protect your tweets and only your followers can read them and second, when this setting is not enabled, there is an option for the twitter-user to auto-follow. The moment your twitter account receives the 'Follow' request, if auto-follow setting is enabled, then you will also start following the account automatically.
The Direct Message or DM feature allows twitter users to send DM without the messages getting reflected in their time-line. Hence, by taking advantage of this scenario, bad guys will send a 'Follow' request with a hope that you have not yet disabled Auto-follow.
Many a times we have received an e-mail from a courier company about the status update of the delivery of your package with subject as 'Postal notification' or 'Delivery status is changed' or 'Failure to deliver' or 'Delivery limit is exceeded' or 'Delivery address needs to be confirmed' or something similar to this. When we receive such e-mails, many of us do not even give it a thought if we really are expecting any couriers. Thirst to know about the delivery leads many of us to trouble.
Bad guys also use another trick of sending e-mails that not only invoke curiosity but also give rise to fear. These e-mails seem to be legitimate though are sent with an intention of gaining unauthorised access of our bank accounts. With increasing use of mobile phones, now have another option of Smishing, i.e. initiating phishing scams through text messages.
In addition, Baiting is another technique in the list that is used by fraudsters. It involves deliberately leaving physical device such as USB/ CD/ DVD somewhere from where it can easily be discovered. Many computers 'autorun' USB/ CD / DVD, so when malware such as Trojans or keyloggers are bundled with such devices, victim's system can be easily infected, while the fraudster simply sits back and waits until someone makes use of the device.
Techniques for conducting social engineering attacks are not limited to what has been mentioned in this article. Many new scams and tricks are designed by fraudsters regularly. Hence, the only way to stay safe is when curious, question everything!
No comments:
Post a Comment