There are two types of hacking or unauthorised access to accounts. The first relies on password-cracking tools, and most organisations have cyber security controls in place to blunt such attacks. It is the second type that can cripple any organisation's or person's accounts and databases: the social engineering attack.
> "Social engineers are criminals who take advantage of human behaviour to pull off an online scam or hacking attack. Successful social engineers are confident and in complete control of the situation."
Social engineers generally use two techniques: one is simple observation, the other a proactive, pre-planned effort.
In the first case, the social engineer simply observes a person's social networking profiles, such as a LinkedIn profile, and every other piece of data available about him. Most people choose passwords they can easily remember, and for that they use words closely related to themselves. People share every detail of their lives on social networking sites, including their date of birth, favourite colour, pet's name and anything else connected with them, and this information is freely available. That makes it easy for a hacker or social engineer to guess passwords. It is always advisable to be discreet about the data shared on social media. The same data is also collected by online questionnaires and the market research forms people are asked to fill in in public places.
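The following is an added example, not code from the original article: a password-policy check, written from the defender's side, that rejects passwords built from the very details the paragraph lists (date of birth, pet's name, favourite colour, employer). The profile and function names are constructed for illustration.

```python
"""Added example (not from the original article): flag passwords built from
personal details that an observer could read off a social-media profile."""
import re
from datetime import date

# Constructed profile (assumption): the kind of data the article says people
# publish on social networks and hand over on questionnaires.
PROFILE = {
    "name": "Amit Sharma",
    "dob": date(1985, 7, 23),
    "pet": "Bruno",
    "favourite_colour": "Blue",
    "employer": "Cyberjure",
}

# Undo common letter-for-digit substitutions so "Brun0" and "8runo" still
# compare equal to "bruno". Both strings must be the same length.
LEET = str.maketrans("0134578@$!", "oleastbasi")


def profile_tokens(profile):
    """Strings of three or more characters an observer could derive."""
    tokens = set()
    for value in profile.values():
        if isinstance(value, date):
            # Year and the usual day/month orderings of the birthday.
            tokens.update(value.strftime(fmt) for fmt in
                          ("%Y", "%d%m%Y", "%d%m%y", "%m%d%Y", "%d%m", "%m%d"))
        else:
            tokens.update(w.lower() for w in re.split(r"\W+", value) if len(w) >= 3)
    return tokens


def derived_from_profile(password, profile=PROFILE):
    """Return the profile token the password contains (forwards, reversed or
    in leetspeak), or None if no token is found."""
    lowered = password.lower()
    forms = (lowered, lowered.translate(LEET))
    # Longest tokens first so "sharma" is reported before "amit", then
    # alphabetical so the result is deterministic.
    for token in sorted(profile_tokens(profile), key=lambda t: (-len(t), t)):
        if any(token in f or token[::-1] in f for f in forms):
            return token
    return None


def acceptable(password, profile=PROFILE, min_length=12):
    """Policy check: long enough and not guessable from the profile."""
    return len(password) >= min_length and derived_from_profile(password, profile) is None
```

Run `acceptable("Bruno1985!")` and `acceptable("correct-horse-battery")` to see the check reject a profile-derived password and pass an unrelated one.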
In the second case, the attack is pre-planned and a complete profile is built of the person or company, including likes and dislikes, passions, hobbies, professional credentials and so on. A second stage, physical access, then comes into the picture. For example, three "income tax officials" turn up at your office for an inspection with convincing badges and check all the office computers and documents. In the process they plant key loggers on your computers, so that every keystroke made on them is emailed to the attackers, giving away your passwords and confidential data.
An example of this kind of attack: a social engineer researches a person, say Mr. A, and learns that he is fond of foreign holidays. The social engineer calls him as the authorised representative of a reputed travel agency and offers a mind-blowing holiday package. He asks Mr. A which version of PDF reader he is using on his laptop. The conversation is very friendly and inspires trust in Mr. A. The social engineer then sends the holiday proposal as a PDF that is "not compatible" with the PDF reader Mr. A has installed, and along with the proposal sends a "compatible" PDF reader for Mr. A to download so that he can read it. That PDF reader carries malware that gives the social engineer access to Mr. A's computer.
Another example of this type of social engineering attack: a very pretty woman, posing as a journalist, goes to meet the system administrator of a big company to get his opinion on cyber security. She goes easy, flirts with him and, after taking his opinion, leaves. In the process she "accidentally" leaves her pen drive behind with him. The impression she has made makes him curious to know more about her, so he opens the pen drive. The pen drive is infected with key logger and Trojan malware, which leaves the company's networks very vulnerable.
The 4 basic principles which most social engineers follow are:
- They project confidence: They do not sneak around, they proactively approach people and draw attention towards themselves.
- They give you something: Probably just a small favor which creates trust and a perception of indebtedness.
- They use humor as that is one tool which is endearing and disarming.
- They make a request and offer a reason for it; research shows people are likely to comply with any reasoned request.
Attacks by social engineers are offences in India under Section 43 of the Information Technology Act, 2000. This section reads as under:
Penalty and compensation for damage to computer, computer system etc. If any person without the permission of the owner or any other person who is in-charge;
- Accesses or secures access to such computer, computer system or computer network or computer resource;
- Downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
- Introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
- Damages or causes to be damaged any computer, computer system or computer network, data, computer database or any other programmes residing in such computer, computer system or computer network;
- Disrupts or causes disruption of any computer, computer system or computer network;
- Denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
- Provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
- Charges the services availed by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,
- Destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
he shall be liable to pay damages by way of compensation to the person so affected.
> "A victim is required to make a Complaint in the prescribed format along with the applicable fees to The Adjudicating Officer, Information Technology Act, 2000. Under the provisions of the Rules for the conduct of Adjudicating Proceedings, the Adjudicating Officer shall decide every application in 4 months and the whole matter in 6 months."
The biggest weakness lies not in computer systems but in human nature. Cyber criminals using social engineering techniques are experts in manipulating the mind and know very well the weaknesses of human nature, such as greed, lust and gullibility.
It is extremely important to educate employees about these kinds of attacks as the weak link may not be your cyber security, but an unknowing employee himself.
Advocate Puneet Bhasin is one of the leading cyber-law experts in India, specialising in laws related to technology, blockchain, cyber-crime, data theft, corporate data espionage, GDPR compliance, artificial intelligence and IoT. She is the Founder of Cyberjure Legal Consulting and has been awarded Best Cyber Lawyer in India.