A few weeks ago, a 17-year-old young man was arrested by the police for being behind the hacking of more than 130 Twitter accounts, including that of celebrities such as Bill Gates, Jeff Bezos or Elon Musk. This unprecedented hacking created a stir in public opinion and highlighted, once again, the danger we face: cyber fraud.
In this case, the hackers tweeted from the hacked accounts with messages offering 2,000 dollars for every 1,000 dollars sent to an anonymous bitcoin address.
These messages came from financially successful and well-known celebrities, which made the deception even more credible. I'll only be doing this for 30 minutes, some of the messages said.
Although the messages were quickly deleted, in just a few hours the hackers had scammed than $100,000. That's how easy, fast and lucrative cyber fraud can be.
By analyzing the messages, we are able to come to the conclusion that the hackers are very familiar with "social engineering" techniques.
These messages allude to various principles of persuasion:
- Authority: In this case, we are more predisposed to be influenced by a person of recognized prestige, success or authority. Obama, Gates or Bezos are all people who generate that feeling of authority that "pushes" users to believe what they're saying.
- Liking: In some cases, these celebrities add the effect of likeability to their authority, by which we feel attracted to them, that we like them or identify with them, which leads to us letting ourselves by guided by their requests.
- Scarcity: We're always drawn to things that are scarce or difficult to access. We place great value on what we consider to be unique or exclusive, something the hackers achieved with the message "I'll only be doing this for 30 minutes".
The investigation has revealed that the attack occurred through the coordinated use of social engineering strategies on several Twitter employees with access to internal systems and tools.
After deceiving several chains of employees with persuasion techniques, the passwords of the users' accounts were reset and ended up in the hands of the hackers.
We're once again facing a case of cyber fraud in which social engineering becomes the star tool.
When the decision is made to attack a system, hackers encounter two types of elements they have to overcome, the machine and the human being, the technical system and the cognitive system.
As we've already talked about in another post the human being is the most fragile link in the cybersecurity chain.
It's easier and faster to hack into a person's brain than to hack into a computer system, which is why deploying a range of deception and persuasion strategies is more effective than trying to defeat computer programming mechanisms.
We can define social engineering as any strategy that causes a person to perform an action or behavior that they wouldn't do on their own. This is precisely the definition of the term "persuasion", whose techniques are used in this type of attack in one way or another.
Social engineering has a number of characteristics:
- It's based on deception, it's necessary to lie to the victim to achieve the objective.
- The victim does something that, in theory, they wouldn't necessarily do, and therefore that persuasive effect is necessary.
- The victim's action may go against their own interests.
An attack based on social engineering follows a series of phases:
As much information as possible about the victim and their context needs to be collected in order to be able to credibly and effectively prepare the rest of the attack.
This phase is very important and can last weeks or months, since it requires having in-depth knowledge of the data that allows an effective bait to be designed.
For example, in the case of an attack on a Twitter employee, we'll need to know their personal data, their system privileges, the tasks they usually perform, their communication systems and the characteristics of their interactions.
To this we must add information about the technical and security processes needed to carry out the attack we're planning. In this case, for example, we would need to know how to reset user accounts.
Establish a bond with the victim
Once we have all the information, we create the bait with which we earn the trust of the victim. This phase allows us to make the first contact with the victim and continue collecting information, this time going even deeper with information related to the objective of our attack.
We can, for example, contact the victim through social networks or messaging services so that we become someone from their environment, from their "tribe", alluding to a term that we'll use later on.
In this phase, the persuasion strategies that we've discussed above are put into motion and it ends when the victim is willing to generate the action we need from them.
For example, we can contact a Twitter employee, pretending that we're a colleague of theirs, establishing a virtual friendship relationship to later use different persuasion techniques such as reciprocity or authority to make them provide us with information or grant us privileges to carry out a process in the system.
Exploit the bond
As we've seen, once the victim's trust has been gained or the persuasion effect has been generated, we need to make the person act and carry out the action that we require of them.
For example, this victim is going to help us to reset passwords by skipping some of the security steps to get it done quickly and thus avoid a problem for their supposed "co-worker/friend". The trick in this phase and the entire attack is to know how and when to carry it out without arousing suspicion in the victim.
After the objective of the attack is achieved, an exit strategy must be designed to avoid leaving a trace and to hide the identity of the scammer. In most cases, we need some time to pass before the victim realizes what has happened, which gives the attacker time to flee and erase their footprints.
In some cases, it's even possible to maintain the bond with the victim to allow for a second or successive attacks. Only when the victim realizes they have been scammed will the scammer disappear like the wind, stealthily and silently.
Social engineering is based on the knowledge of how the human brain operates, it uses what we know about human memory, the way we process information or make decisions.
These elements aren't very complex and are, in fact, based precisely on our basic way of functioning, that which has kept us alive as a species as we've evolved over time.
On a simple level, we can highlight several of these elements:
It's hard for us to say "NO"
We are social animals that need others and in turn we feel good helping others. This makes it difficult for us to ignore a request.
When someone asks us for something, asks us for help, or asks us to do something, we feel better giving in than having to say "NO".
This request has to be highly problematic in order for us to prefer coming up with an excuse to avoid helping them out.
We are trusting
Being sociable animals forces us to see others as friends, as colleagues and as members of our team. This makes us tend to trust what other people say and do.
We spread news or messages on Facebook or WhatsApp because we think that what they tell us is true, we don't question or review what others tell us because we believe that nobody wants to deceive us, we think that we're all good people, that others want the best for us and that they're our friends.
We like to be taken into consideration
Just as we like others, we also feel happy when other people like us. We love to be flattered, recognized or complimented. When someone flatters us, it gives our ego a boost, it raises our self-esteem and lowers our level of alertness.
When we are with someone who rewards us, we feel good and safe with that person, which means that we don't pay attention to the details and ignore warning signs that, with other people, could generate distrust.
We are empathetic
To be sociable, we need to be empathetic, we need to be able to put ourselves in the shoes of the other person, feel and think like them. This ability allows us to have the selflessness that makes us feel good, subordinating the common good to our own personal benefit. This is related to all of the previous elements and is what makes us feel the fear, pain or worry of another person as if it were our own.
In short, we feel part of a group, part of our tribe, with which we keep moving forward and are able to survive. Family, friends, co-workers, soccer team fans... we create different tribes around us and in different contexts.
When we are with a member of our tribe, it's easier for us to attend to their needs, to trust them, to like them even more and to be more empathetic. Therefore, if we receive an email from a co-worker or if a friend invites us to download a game, this puts us in "tribe mode" and it will be easier for us to give in to their requests.
We can't stop being the way we are, and we can't stop functioning the way we do. It seems that we're more complex now than a thousand years ago, but just as we used to be tricked in the jungle to take away our prey, now we're tricked with a Twitter message to take away our money.