A study of 127 hackers at the Black Hat USA conference was conducted by a cybersecurity firm a few years back. As per the research, over 50 percent said that their primary motivation to hack was to ‘search for emotions’.
A study of 127 hackers at the Black Hat USA conference was conducted by a cybersecurity firm a few years back. As per the research, over 50 per cent said that their primary motivation to hack was to ‘search for emotions’. This was clear evidence that modern-day cybercriminals are usually curious and intelligent and want to know more about the human mind. They are never really satisfied by just breaking into others’ systems. They also like to control things and take advantage of fear and biases in the human mind. Thus, often, they try and work on the psychology of humans to become successful.
Today, cybercriminals prefer social engineering. They carry out a cyberattack by exploiting human errors and behaviours wherein the victim is tricked into divulging sensitive data, which the criminal uses for fraudulent purposes. They also use tactics that involve manipulation and fear-mongering and work so that the victim loses all control over his network system(s) and is, after that, forced to give in to ransom demands.
Humans like to be flattered, helped, find fellows who can be trusted, be showered with tempting gifts, etc. Cybercriminals exploit these weaknesses to their benefit. After all, who would not want to click on a link that promises free gifts – sometimes, we do it even when we know that the link is an unverified one, thus exposing ourselves to cybercrime. The same goes for fear. Once our minds are put under pressure, we give into almost anything. This is why having greater control over one’s mind and good sense is very important in avoiding hacking episodes.
Here is how cybercriminals are carrying out social engineering these days.
Nowadays, cybercriminals have begun using deepfakes to enhance social engineering. It is a technology where Artificial Intelligence (AI) is being used to create synthetic media (images, audio, video). One appears to be doing or saying something that has not happened or been said in reality. Even though examples of this scam are not many as yet, there are dark web forums where the expertise of this technology is being discussed.
For instance, using deepfake audio, impersonations, like that of bank officials, are being done to transfer money to fraudulent accounts. Impersonating people to get login details is also gaining in popularity. Cybercriminals call people on behalf of a company, point out errors and setal data on the pretence of solving the problem. The deepfake trend can cause a lot of havoc as it is slowly being designed to be so powerful that it can bypass even biometric verification. Hence, one needs to be extremely careful.
To avoid being scammed, the following precautions can be taken.
A watering hole is where jungle animals go to drink water. Instead of tracking an animal over a long distance, the hunter can kill the animal more easily if he finds the watering hole. Not just that, but he can find more animals to kill if he waits at the watering hole. The term watering hole attack, thus, implies a form of attack where the attacker finds out the website(s) that potential victims visit most often and infects those websites to compromise their security.
For such attacks, the cybercriminal profiles his victims first and then targets the websites. Usually, the targets belong to large organisations, religious groups or government departments. For instance, in 2017, the websites of the Ukrainian Government was compromised to spread the ExPetr malware. In 2016, the Canada-based International Civil Aviation Organization (ICAO) infected the United Nations (UN) network by spreading malware. As these attacks breach numerous layers of security, they can be quite destructive. Also, the websites that the attackers infect are usually legitimate websites that cannot be blacklisted.
Although these attacks are just gaining momentum, one needs to be well prepared. For this, the following tips can be helpful.
Many security researchers in recent years have revealed that QR codes pose security risks, especially to mobile devices. Since humans cannot decipher QR codes, free tools that are readily available on the Internet can be used to modify the pixilated dots. In this manner, criminals can embed malicious or even phishing URLs in them to get money, use it to gain access to the personal information of the user or get the user’s real-time location.
The pandemic has increased the use of QR codes. Today, whether you are accessing a restaurant menu or sending payment across the globe, QR codes are in full use. Thus, breaches have seen a significant spike.
It is possible to prevent such crimes by doing the following.
Scareware is malicious software that appears like a pop-up message from a software company warning about the computer having gotten infected with a virus. Sometimes the fraudsters also send spam mail to distribute scareware.
These messages/emails frighten the potential victim who, intending to protect his data and fix the problem, pays a fee to download such software. What he downloads, however, is malware that intends to steal the confidential personal data of the individual. Also, when he is buying the software, he gives out credit card information used for cyber thefts. It is, thus, a well-planned cyberattack that exploits the emotion of fear.
To protect yourself against scareware, the following tactics can be used.
Typosquatting is used by cybercriminals as a form of social engineering attack. Sometimes users incorrectly type a URL into their web browser rather than using a search engine. Scamsters use such commonly made spelling errors to direct users into a fraudulent website. Sometimes it is also known as URL hijacking or domain mimicry. Unfortunately, the look and feel of these sites are the same as the original one. Hence, one often remains unsuspecting.
In the run-up to the 2020 US presidential election, typosquatting domains of some candidates were extensively created by hackers with fraudulent motivations. Visitors can arrive at such malicious sites through a spelling error on their own part or be lured into it by fraudsters. Once this happens, the users are likely to enter sensitive data, which puts them at risk. Cybercriminals achieve typosquatting by registering domains that contain:
Such a form of attack can be avoided by individuals by not clicking on unexpected messages and emails, using updated antivirus software, inspecting the links carefully, bookmarking the favourite sites, using search engines to reach the website, leaving the sites you visit regularly opened on the browser tab.
Organisations can also prevent it by registering typo versions of the domains before the criminals can, using SSL certificates to show that the website is legitimate, and notifying clients and staff if they feel that someone is impersonating the website.
Social engineering uses psychological manipulation to access confidential data and cause cyber thefts. The criminals get the potential victim to trust and then provide enough stimuli to make the breach happen. Social engineering is dangerous because it plays on the human mind and human fallacies rather than on software and operating system glitches. Thus, it is only with good cybersecurity and cyber hygiene practices and remaining cautious and intelligent that we can prevent social engineering practices from harming us.
Cryptocurrency is a form of digital currency that one can buy, sell, and invest in like traditional currencies. It uses blockchain technology to function as a digital asset. Cryptography helps in creating a coded network that connects each node in the blockchain.