Social hacking

Social hacking describes the act of attempting to manipulate outcomes of social behaviour through orchestrated actions. The general function of social hacking is to gain access to restricted information or to a physical space without proper permission. Most often, social hacking attacks are achieved by impersonating an individual or group who is directly or indirectly known to the victims or by representing an individual or group in a position of authority. [1] This is done through pre-meditated research and planning to gain victims’ confidence. Social hackers take great measures to present overtones of familiarity and trustworthiness to elicit confidential or personal information. [2] Social hacking is most commonly associated as a component of “social engineering”.

Although the practice involves exercising control over human behaviour rather than computers, the term "social hacking" is also used in reference to online behaviour and, increasingly, social media activity. The technique can be used in multiple ways that affect public perception and, conversely, increase public awareness of social hacking activity. However, while awareness helps reduce the volume of hacks being carried out, technology has allowed attack tools to become more sophisticated.

Social Hacking Techniques

Carrying out a social hacking attack involves looking for weaknesses in user behaviour that can be exploited through seemingly legitimate means. [3] Three popular methods of attack include dumpster diving, role playing, and spear-phishing.

Dumpster Diving

Sifting through garbage is a popular tactic for social hackers to recover information about the habits, activities, and interactions of organizations and individuals. Information retrieved from discarded property allows social hackers to create effective profiles of their targets. Personal contact information such as employee titles and phone numbers can be appropriated from discarded phone books or directories and used to gain further technical information such as login data and security passwords. Another advantageous find for social hackers is discarded hardware, especially hard drives that have not been properly scrubbed clean and still contain private and accurate information about corporations or individuals. [1] Since surfing through people's curbside garbage is not a criminal offence and does not require a warrant, it is a rich resource for social hackers, as well as a legally accessible one. Dumpster diving can yield fruitful results for information seekers such as private investigators, stalkers, nosy neighbours, and the police.

Roleplaying

Establishing trust by fooling people into believing in the legitimacy of a false character is one of the main tenets of social hacking. Adopting a false personality or impersonating a known figure to trick victims into sharing personal details can be done in person or via phone conversation.

In person

By posing as third party maintenance workers in an office building, medical practitioners in a hospital, or one of many other forms, social hackers can get past security personnel and other employees undetected. In both examples, uniform apparel is associated with specific job functions, giving people reason to trust impersonators. A more complicated manoeuvre would involve a longer planning cycle, such as taking up employment inside an organization that is being targeted for an attack.

In the movie Ocean's Eleven, a sophisticated crew of con artists plot an elaborate heist to rob three popular Las Vegas casinos by assimilating themselves in the everyday activities of the casinos' operations. Although the heist is executed in less than a day, the planning cycle is long and notably fastidious. An imperative function of the attack is to present credibility in the roles being impersonated, to which attention to detail is inevitably required.

Tailgating

Tailgating is the act of following someone into a restricted space, such as an office building or an academic institution. Third party maintenance workers or medical personnel, as mentioned above, are seldom asked to justify their presence because of their appearance. Similar to role playing, tailgating functions around the assumption of familiarity and trust. [4] People are less likely to react suspiciously to anyone who appears to fit into the surrounding environment, and will be even less liable to question individuals who don't call attention to themselves. Following behind someone in an unassuming fashion may even eliminate the need to establish a rapport with authorized personnel.

Spear Phishing

Online social hacks include “spear phishing” in which hackers scam their victims into releasing sensitive information about themselves or their organization. Hackers will target individuals within specific organizations by sending emails that appear to come from trusted sources including senior officials within the organization who hold positions of authority. To appear convincing, a social hacker's email message has to establish a tone of familiarity that forestalls any suspicion on the part of its recipient. The email is designed to put forth a request for information that ties logically to the person sending it. [5] Often, company employees will fall prey to these emails and share personal information such as phone numbers or passwords, thinking that the information transfer is taking place in a secure environment. In more sinister scenarios, the emails from hackers may be embedded with malware that infects victims’ computers without their knowledge and secretly transfers private data directly to hackers. [6] From October 2013 to December 2016, the FBI investigated just over 22,000 of these incidents involving American businesses. In total, they saw losses approaching $1.6 billion. [7]

A successful example of spear phishing was highly publicized in the news media in January 2014, when Target, a U.S.-based retailer, experienced a security breach that allowed hackers to steal customers’ credit card and personal data. [8] Later, it was revealed that the cyber criminals were able to access Target's financial and personal data files by targeting a third party mechanical company that had access to Target's network credentials. The social implications of such a high-profile social hack affect not only Target's popularity as a retailer, but also consumers’ trust and loyalty towards the brand.

Another example of spear phishing happened in June 2015 to Ubiquiti Networks Inc, a network technology company based in the United States, which reportedly lost over 46.7 million dollars in the attack. The hacking group sent spear phishing emails directly to employees in the finance department, posing as company executives, and tricked the employees into transferring funds to third party groups overseas. [9] Fortunately for Ubiquiti Networks, 8.1 million dollars were recovered from the hackers. [10]

Security

Although Target may not have been slacking in its security, the hackers were able to infiltrate Target's network indirectly, by identifying a third-party company with access to Target's credentials. The social hack consisted of defrauding employees of the third party into divulging sensitive information, while the cybercrime was carried out by means of a malware-infected phishing email. [11] The need for vigilant online security is highlighted by cyber-attacks against corporations like Target as well as other global businesses and high-traffic websites. Even small websites are vulnerable to attacks, specifically because their security protection is presumed to be low. [12] In Target's case, the third party mechanical company had inadequate security software, which left them open to a malware attack. [11]

In a similar incident, Yahoo Mail also announced in January 2014 that their system had been hacked and a number of user email accounts had been accessed. [13] While the origin of the cause was unclear, poor security was again at the centre of the trouble. In both cases, large corporations with assumed understanding of security policies were compromised. Also in both cases, consumer data was stolen. [14]

In a study by Orgill et al., an observation is made that “it is important that each person responsible for computer security ask if their system is vulnerable to attacks by social engineers, and if so, how can the effect of a social engineering attack be mitigated.” [15] Using strong passwords [16] is one simple and easy method that assists in such mitigation, as is using reliable and effective anti-virus software. Other preventative measures include using different logins for services used, frequently monitoring accounts and personal data, as well as being alert to the difference between a request for help and a phishing attempt from strangers. [17]
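The spear phishing pattern described above (an outsider posing as a company executive and pressing the finance team for a wire transfer or credentials) and the mitigation advice in this section can be turned into a simple mail-triage check. The following Python is an added example written for this page; it is not code from the article or from any organisation named in it. The internal domain `example-corp.com`, the executive names, the keyword lists and the three sample messages are all constructed for illustration, and the four heuristics (executive display name on an external address, Reply-To pointing at a different domain, a look-alike sender domain, and urgency combined with a money or credential request) are assumptions about what a defender would want flagged, not a published standard.

```python
"""Spear phishing triage heuristics over raw email messages.

Added example, not from the article. Domains, names and sample messages
are constructed; the heuristics are assumptions a defender might start from.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data: the domain staff legitimately mail from and
# the display names of executives most likely to be impersonated.
INTERNAL_DOMAINS = {"example-corp.com"}
EXECUTIVE_NAMES = {"dana reyes", "sam okafor"}

# Urgency words and money/credential requests that, together, mark a suspect message.
URGENT_RE = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
ACTION_RE = re.compile(r"\b(wire|transfer|payment|password|login|credentials|gift cards?)\b", re.I)


def _domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _text_body(msg):
    """Concatenate the text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw):
    """Return (score, findings) for one RFC 5322 message given as a string."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    external = from_domain not in INTERNAL_DOMAINS

    # 1. Display-name impersonation: an executive's name on an external address.
    if external and from_name.strip().lower() in EXECUTIVE_NAMES:
        findings.append("executive display name on external sender address")

    # 2. Replies are redirected to a domain other than the visible sender's.
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to domain differs from sender domain")

    # 3. Look-alike domain: the internal domain's first label embedded in an external one.
    if external and any(d.split(".")[0] in from_domain for d in INTERNAL_DOMAINS):
        findings.append("look-alike sender domain")

    # 4. Urgency combined with a request to move money or hand over credentials.
    body = _text_body(msg)
    if URGENT_RE.search(body) and ACTION_RE.search(body):
        findings.append("urgent request to transfer funds or share credentials")

    return len(findings), findings


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """From: Dana Reyes <dana.reyes@example-corp-payments.com>
Reply-To: dana.reyes@mail-example.net
To: finance@example-corp.com
Subject: Wire needed

Please process a wire transfer of 120,000 USD to the supplier account below immediately.
Keep this confidential until I am back in the office.
"""

FREEMAIL_SAMPLE = """From: Sam Okafor <sam.okafor.ceo@webmail-example.org>
To: finance@example-corp.com
Subject: Quick favour

Can you send me your login so I can check the portal today?
"""

LEGITIMATE_SAMPLE = """From: Dana Reyes <dana.reyes@example-corp.com>
To: finance@example-corp.com
Subject: Q3 budget review

Attached is the agenda for Thursday's budget review. No action needed before then.
"""

if __name__ == "__main__":
    for label, sample in [("phishing", PHISHING_SAMPLE), ("freemail", FREEMAIL_SAMPLE),
                          ("legitimate", LEGITIMATE_SAMPLE)]:
        score, findings = triage(sample)
        print(f"{label}: score={score} {findings}")
```

A score of zero does not prove a message is genuine; the point of the check is to route anything with a non-zero score to a second channel (a phone call to the executive's known number, or an in-person confirmation) before money moves, which is the "different from a request for help" judgement the section above asks employees to make.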

Ethical Hacking

To counter security breaches at the hands of social hackers as well as technical hackers, companies employ security professionals, known as ethical hackers, or more popularly, white hat hackers, to attempt to break into their systems in the same manner that social hackers would employ. Ethical hackers will leverage the same tools and methods as hackers with criminal intent, but with legitimate objectives. Ethical hackers evaluate security strengths and weaknesses and provide corrective options. Ethical hacking is also known as penetration testing, intrusion testing and red teaming. [18]

Impacting Social Media

The internet affords social hackers the ability to populate content spaces without detection of suspicious behaviour. Social hacking can also occur in environments where user-generated content is prevalent. This includes the opportunity to influence opinion polls and even to skew data beyond a point of validity. Social hacking can also be used to provide favourable reviews e.g. on product websites. It can also be used to counter negative feedback with an influx of positive responses ("like button") e.g. on blog or news article comment sections. Social hacking can cause damage to the online profile of a person or a brand by the simple act of accessing information that is openly available through social media channels. [19]

Technology Appropriation

Technology appropriation can be perceived as a type of social hacking in that it involves social manipulation of a technology. It describes the effort of users to make sense of a technology within their own contexts beyond adopting its intended use. When this happens, the use of the technology can change. Adaptation of a technology can incorporate reinterpretation of its function and meaning, to the effect that the technology itself can take on a new role. Appropriation accentuates that the user adjusts the technology for his own best practice, while adaptation advises that the use sometimes changes in general. For example, advances in today's technology make it easier than ever to portray another person. This method is known as creating a "deepfake". A deepfake is one in which someone recreates somebody else's face and voice with a computer program. It is used to fake people saying and doing things they have never done or said before. [20] "Public figures may be more “fakeable” through this method than private ones. Visually routine situations, like a press conference, are more likely to be faked than entirely novel ones." [21] Deepfakes can be very dangerous in the sense that they can be used to fake what people with high authority have said, such as the president and politicians. There have been many articles and discussions over the new discovery of deepfakes, such as YouTuber Shane Dawson's video "Conspiracy Theories with Shane Dawson", where he talks about the conspiracy of deepfakes and what they could mean for the world today. [22]

Social hacking is also affiliated with social enterprise. Social enterprise can be represented in the form of for-profit or non-profit organizations that encourage socially responsible business strategies for long-term environmental and human well-being. The concept of socially hacking new enterprises within the existing capitalist structure is a human endeavour that encourages people to re-evaluate the social systems that we are accustomed to, in order to identify the problems that are not being addressed. [23] New enterprises can then be created to replace the old with systems that reinforce sustainability and regenerative growth.[citation needed]

References

  1. "Archived copy" (PDF). Archived from the original (PDF) on April 14, 2014. Retrieved April 3, 2014.
  2. Hodson, Steve (August 15, 2022). "Never Mind Social Media, How About Social Hacking?". Mashable.
  3. Peter Wood. "Social hacking: The easy way to breach network security". Computerweekly.com. Retrieved 2016-07-05.
  4. Heary, Jamey. "Top 5 Social Engineering Exploit Techniques". PCWorld. Retrieved 2016-07-05.
  5. Kalwa, Jason (18 February 2014). "Phishing just got personal – avoiding the social media trap". TechRadar. Retrieved 2016-07-05.
  6. Rouse, Margaret. "What is spear phishing? - Definition from WhatIs.com". Searchsecurity.techtarget.com. Retrieved 2016-07-05.
  7. Mathews, Lee. "Phishing Scams Cost American Businesses Half A Billion Dollars A Year". Forbes. Retrieved 2019-03-25.
  8. "Massive Target Hack Traced Back To Phishing Email". Huffingtonpost.com. 2014-02-12. Retrieved 2016-07-05.
  9. Honan, Brian (2015-08-06). "Ubiquiti Networks victim of $39 million social engineering attack". CSO Online. Retrieved 2019-03-25.
  10. White, Mr (16 August 2015). "Tech Firm Ubiquiti Suffers $46M Cyberheist — Krebs on Security". Retrieved 2019-03-25.
  11. "Email Attack on Vendor Set Up Breach at Target — Krebs on Security". Krebsonsecurity.com. 2014-02-12. Retrieved 2016-07-05.
  12. Mackensie Graham (2014-04-02). "How to Stop Social Hackers Before they Attack". Thenextweb.com. Retrieved 2016-07-05.
  13. "Yahoo Hacked And How To Protect Your Passwords". Forbes.com. Retrieved 2016-07-05.
  14. Ribeiro, Ricky (2014-01-07). "Snapchat's Data Breach Should Be a Wake-Up Call for Startups — BizTech". Biztechmagazine.com. Retrieved 2016-07-05.
  15. Orgill et al. (2004-10-28). "The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems". Proceedings of the 5th conference on Information technology education - CITC5 '04. Dl.acm.org. pp. 177–181. doi:10.1145/1029533.1029577. ISBN 978-1581139365. S2CID 7239602. Retrieved 2016-07-05.
  16. "Analysis of a social site hack: Do feds need a 'higher standard' for social networking?". GCN. 2012-05-23. Retrieved 2016-07-05.
  17. Melanie Pinola (9 August 2012). "How Can I Protect Against Social Engineering Hacks?". Lifehacker.com. Retrieved 2016-07-05.
  18. Farsole, Ajinkya A.; Kashikar, Amruta G.; Zunzunwala, Apurva (2010). "Ethical Hacking". International Journal of Computer Applications. 1 (10): 14–20. Bibcode:2010IJCA....1j..14F. doi:10.5120/229-380.
  19. John Shinal, Special for USA TODAY (2014-01-03). "Snapchat hack should be wake-up call". Usatoday.com. Retrieved 2016-07-05.
  20. "The future of the deepfake — and what it means for fact-checkers". Poynter. 2018-12-17. Retrieved 2019-03-25.
  21. "The future of the deepfake — and what it means for fact-checkers". 17 December 2018.
  22. shane (2019-01-30). Conspiracy Theories with Shane Dawson. Retrieved 2019-03-25.
  23. Claudia Cahalane (21 February 2014). "Simple ideas, big impact – in pictures | Social Enterprise Network". The Guardian. Retrieved 2016-07-05.