When Barack Obama, Bill Gates, Elon Musk and many other celebrities, along with several companies, all start tweeting Bitcoin spam at the same moment, the alarms go off in Twitter's own SOC. This is no longer a conventional account takeover but a compromise of Twitter itself. As the company reports in a support statement, the attackers apparently used social engineering to gain access to internal systems and to get past the existing security precautions. Twitter's security team is still investigating the attack, but the example shows how serious the threat is even for modern tech companies.
What is social engineering?
Social engineering is the psychological manipulation of people into performing certain actions or divulging confidential information. In most cases a social engineering attack is preceded by careful research of the target: the better prepared the attackers are, the more likely the attack on the specific person is to succeed.
Virtually any communication channel and technology can be used for social engineering: telephone calls, e-mails, text messages, even a face-to-face conversation. The principle is always the same: the target is to be moved to take an action on the strength of a plausible, convincing pretext. Attackers usually impersonate another person or a company in order to lend their request legitimacy.
Social engineering in practice
Beyond the communication channel used, social engineering is also divided into individual attack types, which differ mainly in the attackers' specific approach and the effort involved. The most common methods include:
Phishing & spear phishing
Phishing by e-mail is one of the most widely used attack vectors on the internet. With fake e-mails, attackers try to persuade the victim to hand over sensitive data such as login credentials. To do this, users are usually lured via a link to a manipulated or counterfeit website, where the data is harvested. Unlike traditional phishing, which is aimed at a broad target group, spear phishing tailors the message to the specific victim. This form of social engineering takes more effort, but its chances of success rise considerably.
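As an added example (not code from the original article), the following Python script applies the checks a mail gateway or SOC analyst would run against the links in a suspicious HTML message: does the visible link text name a different site than the href, is the target host a punycode/IDN look-alike, and is the host a one-character typosquat of a protected domain or a protected brand buried inside someone else's domain. The protected-domain list and the sample message are constructed for the example; the `xn--` host is made up and not a real domain.

```python
"""Triage the links in an HTML e-mail for common phishing lures.

Heuristics only (a URL sandbox or reputation feed would complement them):
  * visible link text names one host, the href points somewhere else
  * the href host is an IDN/punycode (xn--) host that may render as a
    look-alike of a real brand
  * the href host is one edit away from a protected domain, or hides the
    protected brand in a subdomain of another registrable domain
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains this organisation wants to protect (constructed).
PROTECTED_DOMAINS = {"example.com", "example-bank.com"}

# Constructed sample message: three lures and one legitimate link.
SAMPLE_HTML = """<p>Dear customer,</p>
<p>Please verify your account: <a href="https://examp1e.com/verify">www.example.com</a></p>
<p>Or use the <a href="http://example.com.secure-login.net/">secure login</a>.</p>
<p>Help centre: <a href="https://example.com/help">example.com/help</a></p>
<p>Global site: <a href="https://xn--exmple-cua.com/">example.com</a></p>"""

DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def levenshtein(a, b):
    """Edit distance; a single edit is the classic typosquat (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com-style names; a real
    gateway would consult the public suffix list for co.uk and friends."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_links(html):
    """Return one finding per suspicious link: {'href', 'text', 'reasons'}."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname
        if not href_host:
            continue                     # mailto:, relative links etc.
        href_host = href_host.lower()
        href_reg = registrable_domain(href_host)
        reasons = []

        # 1. the text shows a domain, but the link leads to another one
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != href_reg:
            reasons.append(f"text shows {shown.group(1).lower()} but link goes to {href_host}")

        # 2. punycode host: may render as a homoglyph of a real brand
        if any(label.startswith("xn--") for label in href_host.split(".")):
            reasons.append("IDN/punycode host")

        # 3. look-alike of a domain we protect
        for protected in PROTECTED_DOMAINS:
            if href_reg == protected:
                continue                 # genuine link, any subdomain is fine
            if levenshtein(href_reg, protected) <= 1:
                reasons.append(f"typosquat of {protected}")
            elif protected.split(".")[0] in href_host.split(".")[:-2]:
                reasons.append(f"brand {protected} used as subdomain of {href_reg}")

        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, the script flags the typosquat, the brand-as-subdomain host and the punycode host, and leaves the genuine help-centre link alone. The registrable-domain logic is deliberately simplified; for production use, swap in a public suffix list.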
Business E-Mail Compromise (BEC)
Business E-Mail Compromise (BEC), in which attackers target individual employees of a company and impersonate decision-makers in convincing e-mail conversations in order to obtain valuable data or have large sums of money transferred, also falls into the phishing category.
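To make the BEC pattern concrete, here is an added example (not from the original article) that scores an incoming message on the header-level indicators of executive impersonation: a listed executive's display name on an outside address, a Reply-To that diverts answers to another domain, a look-alike "cousin" domain carrying the company name, and payment or urgency wording in the body. The company domain, the executive directory, the free-mail list and both sample messages are made up for the example.

```python
"""Header-level triage for Business E-Mail Compromise (CEO fraud).

Everything here is an assumption for the example: the corporate domain,
the executive directory, the free-mail list and the two sample messages.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                      # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumed directory
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}
URGENCY = re.compile(
    r"\b(urgent|wire|transfer|gift cards?|confidential|asap|today)\b", re.I)

# Constructed: a classic CEO-fraud message and a genuine internal one.
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@gmail.com>
Reply-To: Jane Doe <ceo-office@example-corp.com>
To: accounts@example.com
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Hi, I am in a meeting and cannot talk. Please arrange an urgent wire
transfer of EUR 48,000 to the attached account today and keep this
confidential until I am back.
Jane
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers
Content-Type: text/plain; charset="utf-8"

Thanks for the draft, let's discuss on Monday.
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_cousin_domain(domain):
    """True for example-corp.com or example.com.co: not our domain, but the
    brand label appears in it. Deliberately simple; it complements, not
    replaces, a look-alike-domain feed."""
    brand = CORPORATE_DOMAIN.split(".")[0]
    return domain != CORPORATE_DOMAIN and brand in domain.replace("-", ".").split(".")


def analyse_message(raw):
    """Return the list of BEC indicators found; an empty list means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)
    reasons = []

    # Display-name impersonation: the name is right, the mailbox is not.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append(f"display name '{from_name}' belongs to {expected}, sent from {from_addr}")
        if from_dom in FREEMAIL:
            reasons.append("executive name on a free-mail domain")

    # Reply hijack: answers go to a mailbox the attacker controls.
    if reply_addr and domain_of(reply_addr) != from_dom:
        reasons.append(f"Reply-To {reply_addr} diverts replies away from {from_dom}")

    # Cousin domains on either header.
    for dom in {from_dom, domain_of(reply_addr)}:
        if dom and is_cousin_domain(dom):
            reasons.append(f"cousin domain {dom} imitates {CORPORATE_DOMAIN}")

    # Content: pressure plus money is the CEO-fraud signature.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    hits = sorted({m.lower() for m in URGENCY.findall(body)})
    if len(hits) >= 2:                       # one such word alone is normal business talk
        reasons.append("payment/urgency wording: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for label, raw in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyse_message(raw) or ["no indicators"])
```

The fraud sample trips all five indicators, the genuine message none. In practice these signals feed a score or a banner ("external sender using an executive's name"), and the hard control for the money part stays procedural: any change of payee or urgent transfer is confirmed over a second channel the e-mail did not supply.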
Social engineering can also be carried out through software, in the form of scareware. In this automated variant the victim is manipulated through fear: ads and animations on websites are used to convince the user that the PC is infected with malware. The real malware lurks behind the "antivirus" tool offered for download at the same time, which in reality is a Trojan horse targeting sensitive data.
Using awareness to combat social engineering
Technical measures can ward off social engineering only to a limited extent. Multi-factor logins make account compromise harder, but experienced attackers can still find a way to the data they want, for instance by relaying a one-time code through a proxy site in real time before it expires (phishing-resistant methods such as FIDO2 security keys, which bind the login to the genuine site's origin, close that particular gap). Anyone who wants to protect a company against social engineering therefore has to make the employees aware of the threat, because with the necessary digital care and a healthy dose of mistrust, many social engineering attacks can be recognised early and successfully fended off.