
Circuit Magazine

For Security & Protection Specialists

Social Engineering and Cybersecurity

Welcome to the second article in this series looking at cybersecurity and its interaction with the protective and wider security world.

This time we’ll be looking at a collection of tactics used by attackers to bypass security technology by targeting the weakest link – the human in the chain.

Social engineering is really just an overly technical term for knowing how to persuade people to do something against their best interests or against their better judgment. An example is talking someone into handing over the password to their e-mail account, whether that’s in person, via e-mail, through text messaging, or simply watching over their shoulder as they type it out. Another might be persuading a mobile provider’s service centre to shut down someone’s account, through impersonation.

Broadly there are only a few methods in social engineering, and many different ways to apply them. The most commonly seen these days, thanks to its anonymity, effectiveness and ease of automation, is phishing in its various forms. Just for some brief history, as I get asked this: the spelling of phishing for this type of attack dates from the 1990s and follows the earlier use of phreak for people who exploited phone systems.


Phishing, Vishing, SMishing, Spear Phishing, Whaling

The only real differences between the forms of phishing are the targeting and the method. Phishing, spear phishing and whaling all generally rely on e-mail, whether that means spoofing or compromising genuine addresses or simply casting a wide net from a disposable one. Spear phishing and whaling take a little more effort and usually involve researching the target.

You can see a genuine example of a spear phish below, with some details hidden to protect the target. The attacker used an e-mail domain with one character difference from the genuine one – an i replaced with a j. They also researched the target company, impersonating the CFO to an employee in finance.

Generic phishing and SMishing (the same approach over SMS) tend to cast a wider net, relying on large numbers of recipients to catch a victim to exploit, while vishing uses a voice call. All of them rely on a tactic referred to as pretexting, in which the attacker impersonates someone with a plausible reason for the request, to persuade people to do what the attacker wants.

Watering hole attacks are a related variant where, instead of asking a victim to disclose information or download malware directly, an attacker compromises a website the target group already visits (the watering hole) or lures them to one under the attacker's control. This may end with a compromised machine, a compromised password or a compromised user, but never well.

Whaling is similar to other phishing tactics but deserves separate mention for the sophistication of the attacks. Those who whale, targeting high-profile executives, are organised and will do significant research and preparation, using open source intelligence such as LinkedIn profiles and company filings to construct organisational charts of a company's internals. Reconnaissance will be performed by vishing at low levels to understand how the company works, and possibly to gain access, before an attack is executed. One particularly well-executed attack involved registering companies to match existing suppliers, and is known to have cost several top technology firms at least £77 million.

For a good example of some of the most common tactics Google have provided a quick quiz at https://phishingquiz.withgoogle.com

Phishing is not just used for quick financial gain, but has been used for particularly vicious blackmail campaigns, usually in a form called catfishing. In catfishing an attacker will create a profile on a dating site, designed to be appealing to a particular group of people. Sometimes it will be entirely false; at other times it will be true enough to allow them to arrange video calls. Once a relationship has developed the catfish may go either for a scam, saying they need money for a plane ticket for example, or may descend into particularly vicious blackmail using the intimate messages, images and video exchanged earlier. Often these scams go unreported, as victims are too ashamed to come forward.

I have no idea why catfishing isn’t referred to as catphishing.


Pretexting, Tailgating, Baiting, and Quid Pro Quo

While phishing does make use of pretexting, pretexting is generally given its own category in attack frameworks. Phishing is electronic and, in a way, simpler. Pretexting might be done over the phone, where it crosses over with vishing, or in person. There are long texts written on how to pretext: obtaining uniforms from different commercial companies, how to carry yourself to avoid attention, hi-vis jackets, clipboards, the right sort of conversation to make in order to be forgettable, and a lot of work and theory on influence and persuasion.

Tailgating sometimes falls under pretexting, with an attacker simply following people through what should be a secure door – often by carrying a ‘heavy’ box, rushing for the door, or spending ten minutes in the smoking area with a group and a fake badge.

Baiting in its textbook form means leaving something tempting for the target to find, such as a labelled USB stick in the car park, but more broadly it is any means of setting up an opportunity for a further compromise once an attacker has gained some basic access. The classic office example is dressing as 'the IT guy', yanking the network cable from someone's machine, waiting for them to ask for help, and then simply suggesting they get a coffee as this will take a while. It is closely related to quid pro quo.

Quid pro quo can follow a baiting attack, or be entirely separate. It is a method that works on the basic human need to reciprocate help that we receive – whether that’s fixing a computer, or being given a gift.

Some penetration testing companies will offer physical pen testing, and red teaming, where they will try to exploit all of these tactics (and more) to gain access to a designated target, before reporting exactly how they have done so and where to improve in future.

I have very rarely heard of them failing to get access to a target area, and they are always pleased to have an attack effectively shut down before it completes.

Whole books have been written on social engineering tactics, some of them well worth reading, so here I’m only trying to give a basic overview. Hopefully you’re now better informed on some of the methods, and how these relate to both cybersecurity and wider security. Next time I’ll be digging into man-in-the-middle attacks, a less common but devastatingly effective method of compromising information and people.



Intro to Cybersecurity Part 2 –  Social Engineering and Cybersecurity
By: James Bore

James Bore is a cybersecurity ‘Jack of all trades’ by vocation and choice. In over a decade he has gathered experience meandering across a range of industry sectors, organizations, and disciplines in IT, always with a focus on championing and improving security. Currently, he works for an entertainment and hospitality company, and in rare spare time runs a blog on cybersecurity https://coffeefueled.org
