Social hacking describes the act of attempting to manipulate outcomes of social behaviour through orchestrated actions. The general function of social hacking is to gain access to restricted information or to a physical space without proper permission. Most often, social hacking attacks are achieved by impersonating an individual or group who is directly or indirectly known to the victims or by representing an individual or group in a position of authority. [1] This is done through pre-meditated research and planning to gain victims’ confidence. Social hackers take great measures to present overtones of familiarity and trustworthiness to elicit confidential or personal information. [2] Social hacking is most commonly associated as a component of “social engineering”.
Although the practice involves exercising control over human behaviour rather than computers, the term "social hacking" is also used in reference to online behaviour and increasingly, social media activity. The technique can be used in multiple ways that affect public perception and conversely, increase public awareness of social hacking activity. However, while awareness helps reduce the volume of hacks being carried out, technology has allowed for attack tools to become more sophisticated call details
Carrying out a social hacking attack involves looking for weaknesses in user behaviour that can be exploited through seemingly legitimate means. [3] Three popular methods of attack include dumpster diving, role playing, and spear-phishing.
Sifting through garbage is a popular tactic for social hackers to recover information about the habits, activities, and interactions of organizations and individuals. Information retrieved from discarded property allows social hackers to create effective profiles of their targets. Personal contact information such as employee titles and phone numbers can be appropriated from discarded phone books or directories and used to gain further technical information such as login data and security passwords. Another advantageous find for social hackers is discarded hardware, especially hard drives that have not properly been scrubbed clean and still contain private and accurate information about corporations or individuals. [1] Since surfing through people's curbside garbage is not a criminal offence and does not require a warrant, it is a rich resource for social hackers, as well as a legally accessible one. Dumpster diving can yield fruitful results for information seekers such as private investigators, stalkers, nosy neighbours, and the police.
Establishing trust by fooling people into believing in the legitimacy of a false character is one of the main tenets of social hacking. Adopting a false personality or impersonating a known figure to trick victims into sharing personal details can be done in person or via phone conversation.
By posing as third party maintenance workers in an office building, medical practitioners in a hospital, or one of many other forms, social hackers can get past security personnel and other employees undetected. In both examples, uniform apparel is associated with specific job functions, giving people reason to trust impersonators. A more complicated manoeuver would involve a longer planning cycle, such as taking up employment inside an organization that is being targeted for an attack.
In the movie Ocean's Eleven, a sophisticated crew of con artists plot an elaborate heist to rob three popular Las Vegas casinos by assimilating themselves in the everyday activities of the casinos' operations. Although the heist is executed in less than a day, the planning cycle is long and notably fastidious. An imperative function of the attack is to present credibility in the roles being impersonated, to which attention to detail is inevitably required.
Tailgating is the act of following someone into a restricted space, such as an office building or an academic institution. Third party maintenance workers, or medical personnel, as mentioned above, often have limited cause to justify their credibility because of their appearances. Similar to role playing, tailgating functions around the assumption of familiarity and trust. [4] People are less likely to react suspiciously to anyone who appears to fit into the surrounding environment, and will be even less liable to question individuals who don't call attention to themselves. Following behind someone in an unassuming fashion may even eliminate the need to establish a rapport with authorized personnel.
Online social hacks include “spear phishing” in which hackers scam their victims into releasing sensitive information about themselves or their organization. Hackers will target individuals within specific organizations by sending emails that appear to come from trusted sources including senior officials within the organization who hold positions of authority. To appear convincing, a social hacker's email message has to establish a tone of familiarity that forestalls any suspicion on the part of its recipient. The email is designed to put forth a request for information that ties logically to the person sending it. [5] Often, company employees will fall prey to these emails and share personal information such as phone numbers or passwords, thinking that the information transfer is taking place in a secure environment. In more sinister scenarios, the emails from hackers may be embedded with malware that infects victims’ computers without their knowledge and secretly transfers private data directly to hackers. [6] From October 2013 to December 2016, the FBI investigated just over 22,000 of these incidents involving American businesses. In total, they saw losses approaching $1.6 billion. [7]
A successful example of spear phishing was highly publicized in the news media in January 2014, when Target, a U.S.-based retailer, experienced a security breach that allowed hackers to steal customers’ credit card and personal data information. [8] Later, it was revealed that the cyber criminals were able to access Target's financial and personal data files by targeting a third party mechanical company that had access to Target's network credentials. The social implications of such a high-profile social hack affect Target's popularity as a retailer, but also consumers’ trust and loyalty towards the brand.
Another example of Spear Phishing happened in June 2015 to Ubiquiti Networks Inc, a network technology company based in the United States. During this act of Spear Phishing Ubiquiti Networks reportedly lost over 46.7 million dollars. The hacking group sent Spear Phishing emails to employees in the finance department. These hackers sent spear phishing emails directly to the finance department's employees posing as company executives. The hackers managed to trick the employees into transferring funds to third party groups overseas. [9] Fortunately for Ubiquiti Networks, 8.1 million dollars were recovered from the hackers. [10]
Although Target may not have been slacking in its security, the hackers were able to infiltrate Target's network indirectly, by identifying a third-party company with by access to Target's credentials. The social hack was in defrauding employees of the third party to divulge sensitive information, while the cybercrime was conducted by means of a malware infected email phishing attack. [11] The need for vigilant online security is highlighted by cyber-attacks against corporations like Target as well as other global businesses and high-traffic websites. Even small websites are vulnerable to attacks, specifically because their security protection is presumed to be low. [12] In Target's case, the third party mechanical company had inadequate security software which left them open to a malware attack. [11]
In a similar incident, Yahoo Mail also announced in January 2014 that their system had been hacked and a number of user email accounts had been accessed. [13] While the origin of the cause was unclear, poor security was again at the centre of the trouble. In both cases, large corporations with assumed understanding of security policies were compromised. Also in both cases, consumer data was stolen. [14]
In a study by Orgill et al., an observation is made that “it is important that each person responsible for computer security ask if their system is vulnerable to attacks by social engineers, and if so, how can the effect of a social engineering attack be mitigated.” [15] Using strong passwords [16] is one simple and easy method that assists in such mitigation, as is using reliable and effective anti-virus software. Other preventative measures include using different logins for services used, frequently monitoring accounts and personal data, as well as being alert to the difference between a request for help and a phishing attempt from strangers. [17]
To counter security breaches at the hands of social hackers as well as technical hackers, companies employ security professionals, known as ethical hackers, or more popularly, white hat hackers, to attempt to break into their systems in the same manner that social hackers would employ. Ethical hackers will leverage the same tools methods as hackers with criminal intent but with legitimate objectives. Ethical hackers evaluate security strengths and weaknesses and provide corrective options. Ethical hacking is also known as penetration testing, intrusion testing and red teaming. [18]
The internet affords social hackers the ability to populate content spaces without detection of suspicious behaviour. Social hacking can also occur in environments where user-generated content is prevalent. This includes the opportunity to influence opinion polls and even to skew data beyond a point of validity. Social hacking can also be used to provide favourable reviews e.g. on product websites. It can also be used to counter negative feedback with an influx of positive responses ("like button") e.g. on blog or news article comment sections. Social hacking can cause damage to the online profile of a person or a brand by the simple act of accessing information that is openly available through social media channels. [19]
Technology appropriation can be perceived as a type of social hacking in that it involves social manipulation of a technology. It describes the effort of users to make sense of a technology within their own contexts beyond adopting its intended use. When this happens, the use of the technology can change. Adaptation of a technology can incorporate reinterpretation of its function and meaning, to the effect that the technology itself can take on a new role. Appropriation accentuates that the user adjusts the technology for his own best practice, while adaptation advises that the use sometimes changes in general. For example, advances in today's technology make it easier than ever to portray another person. This method is known as creating a "deepfake". A deep fake is where someone can recreate somebody else's face and voice with a computer program. It is used to fake people saying and doing things they have never done or said before. [20] "Public figures may be more “fakeable” through this method than private ones. Visually routine situations, like a press conference, are more likely to be faked than entirely novel ones." [21] Deepfakes can be very dangerous in the sense that they can be used to fake what people with high authority have said such as, the president and politicians. There have been many articles and discussions over the new discovery of deepfakes such as Youtuber Shane Dawson's video, "Conspiracy Theories with Shane Dawson" where he talks about the conspiracy of deepfakes and what they could mean for the world today. [22]
Social hacking is also affiliated with social enterprise. Social enterprise can be represented in the form of for-profit or non-profit organizations that encourage socially responsible business strategies for long-term environmental and human well-being. The concept of socially hacking new enterprises within the existing capitalist structure is a human endeavour that encourages people to re-evaluate the social systems that we are accustomed to, in order to identify the problems that are not being addressed. [23] New enterprises can then be created to replace the old with systems that reinforce sustainability and regenerative growth.[ citation needed ]
Computer security is the protection of computer software, systems and networks from threats that may result in unauthorized information disclosure, theft of hardware, software, or data, as well as from the disruption or misdirection of the services they provide.
Phishing is a form of social engineering and a scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim navigates the site, and transverses any additional security boundaries with the victim. As of 2020, it is the most common type of cybercrime, with the FBI's Internet Crime Complaint Center reporting more incidents of phishing than any other type of cybercrime.
Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.
In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in the sense that it is often one of the many steps in a more complex fraud scheme. It has also been defined as "any act that influences a person to take an action that may or may not be in their best interests."
Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.
A white hat is an ethical security hacker. Ethical hacking is a term meant to imply a broader category than just penetration testing. Under the owner's consent, white-hat hackers aim to identify any vulnerabilities or security issues the current system has. The white hat is contrasted with the black hat, a malicious hacker; this definitional dichotomy comes from Western films, where heroic and antagonistic cowboys might traditionally wear a white and a black hat, respectively. There is a third kind of hacker known as a grey hat who hacks with good intentions but at times without permission.
Crimeware is a class of malware designed specifically to automate cybercrime.
A security hacker or security researcher is someone who explores methods for breaching defenses and exploiting weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, information gathering, challenge, recreation, or evaluation of a system weaknesses to assist in formulating defenses against potential hackers.
A spoofed URL involves one website masquerading as another, often leveraging vulnerabilities in web browser technology to facilitate a malicious computer attack. These attacks are particularly effective against computers that lack up-to- security patches. Alternatively, some spoofed URLs are crafted for satirical purposes.
Email spoofing is the creation of email messages with a forged sender address. The term applies to email purporting to be from an address which is not actually the sender's; mail sent in reply to that address may bounce or be delivered to an unrelated party whose identity has been faked. Disposable email address or "masked" email is a different topic, providing a masked email address that is not the user's normal address, which is not disclosed, but forwards mail sent to it to the user's real address.
Voice phishing, or vishing, is the use of telephony to conduct phishing attacks.
Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.
Internet Security Awareness Training (ISAT) is the training given to members of an organization regarding the protection of various information assets of that organization. ISAT is a subset of general security awareness training (SAT).
Email hacking is the unauthorized access to, or manipulation of, an account or email correspondence.
Fancy Bear is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU. The UK's Foreign and Commonwealth Office as well as security firms SecureWorks, ThreatConnect, and Mandiant, have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as GRU Unit 26165. This refers to its unified Military Unit Number of the Russian army regiments. The headquarters of Fancy Bear and the entire military unit, which reportedly specializes in state-sponsored cyberattacks and decryption of hacked data, were targeted by Ukrainian drones on July 24, 2023, the rooftop on an adjacent building collapsed as a result of the explosion.
Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them since 2010. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.
In cybersecurity, cyber self-defense refers to self-defense against cyberattack. While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole, such as corporate entities or entire nations. Surveillance self-defense is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.
Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.
Identity replacement technology is any technology that is used to cover up all or parts of a person's identity, either in real life or virtually. This can include face masks, face authentication technology, and deepfakes on the Internet that spread fake editing of videos and images. Face replacement and identity masking are used by either criminals or law-abiding citizens. Identity replacement tech, when operated on by criminals, leads to heists or robbery activities. Law-abiding citizens utilize identity replacement technology to prevent government or various entities from tracking private information such as locations, social connections, and daily behaviors.
{{cite web}}
: CS1 maint: archived copy as title (link){{cite book}}
: CS1 maint: numeric names: authors list (link)