We have seen rising cases of ‘social engineering’, in which phone calls, messages or other channels are exploited to get people to hand over an organization’s sensitive data.
The most recent is that of the American ride-hailing giant, Uber. “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available” read Uber’s official tweet on the morning of 16th September 2022. What took the internet by storm was how a company as big as Uber became a victim of “social engineering”. There is plenty of speculation about how it happened and what exactly was taken; however, Uber officials have commented in their recent statement that “the investigation is still going on”.
Soon after, the security breach gathered headlines with several tweets and statements.
So what really happened?
Dale Vaz, CTO, Swiggy, simplified the incident in a series of tweets: it is believed that a 16-year-old hacker going by the name “Tea Pot” sensed a loophole in Uber’s security system and managed to break in. The hacker targeted an Uber employee by posing as the IT team and sending him push notifications asking him to log in. These notifications were designed to look like Uber’s official ones. The trick that made this scam work was sending multiple, continuous notifications. This sense of urgency is what is known as an MFA fatigue attack, in which an employee is worn down by the sheer number of prompts and eventually takes action just to make them stop. When the employee did not respond to these notifications, the hacker sent a WhatsApp message asking him to take action, which gave the entire ruse a sense of validation.
The employee, seeing the WhatsApp message, responded to the request with the required details. The hacker then had access to Uber’s sensitive information. He found the master key to all the information that is heavily secured and guarded by the company. Once the hacker had his hands on the admin password, he had sole control over every document and system at Uber.
A few days after the Uber incident, Rockstar Games too found itself in a similar situation of social engineering. Reportedly the same hacker who breached Uber also hacked Rockstar Games. The details of the hack remain unknown, but it is rumoured that in this case as well, the hacker posed as an IT employee of the company to gain information and access to its data security systems.
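The pattern described above, a burst of unapproved push prompts to one account followed by an approval, is something a defender can look for in MFA provider logs. The following is an added example, not code from the article, Uber or any MFA vendor: a small Python detector run over constructed log lines. The event and field names (`push_sent`, `result`, `ts`, `user`) are assumptions for this example, not a real vendor schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events (one JSON object per line). The field
# names are an assumption for this example, not any vendor's real schema.
SAMPLE_LOG = """\
{"ts": "2022-09-15T22:01:05Z", "user": "alice", "event": "push_sent", "result": "timeout"}
{"ts": "2022-09-15T22:01:40Z", "user": "alice", "event": "push_sent", "result": "denied"}
{"ts": "2022-09-15T22:02:12Z", "user": "alice", "event": "push_sent", "result": "timeout"}
{"ts": "2022-09-15T22:02:50Z", "user": "alice", "event": "push_sent", "result": "denied"}
{"ts": "2022-09-15T22:03:30Z", "user": "alice", "event": "push_sent", "result": "timeout"}
{"ts": "2022-09-15T22:09:10Z", "user": "alice", "event": "push_sent", "result": "approved"}
{"ts": "2022-09-15T22:05:00Z", "user": "bob", "event": "push_sent", "result": "approved"}
{"ts": "2022-09-15T23:00:00Z", "user": "carol", "event": "push_sent", "result": "denied"}
"""

FAILED = {"denied", "timeout"}  # prompts the user did not approve


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda ev: ev["ts"])


def detect_push_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Flag users with `threshold` or more unapproved pushes inside `window`
    ('high'); escalate to 'critical' if an approval then lands while that
    burst is still inside the window, i.e. the user likely gave in."""
    recent = defaultdict(deque)   # user -> timestamps of recent failed pushes
    alerts = {}
    for ev in events:
        if ev["event"] != "push_sent":
            continue
        user, now = ev["user"], ev["ts"]
        q = recent[user]
        while q and now - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["result"] in FAILED:
            q.append(now)
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"severity": "high", "first_seen": q[0]})
                a["failures"] = len(q)
        elif ev["result"] == "approved" and len(q) >= threshold:
            a = alerts.setdefault(user, {"first_seen": q[0]})
            a.update(severity="critical", approved_at=now, failures=len(q))
    return alerts
```

A 'critical' alert is the one worth paging on: it means the account was very likely approved by a fatigued user rather than by the attacker guessing a code, and the session should be revoked and the user contacted out of band.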
What is social engineering?
Essentially, it is an attack that relies primarily on human interaction. It often involves manipulating people into breaking security procedures so the attacker can gain unauthorized access to systems or networks, usually for financial gain. These hackers typically hide their true identities in order to influence others into giving away sensitive and valuable information.
It is easier to exploit people than to find a network or software vulnerability, which is why hackers use social engineering. Social engineering tactics are often used to infiltrate a system or network, steal sensitive data or spread malware. This is why cybersecurity has become essential for companies worldwide.
Types of social engineering attacks:
Phishing is the most common type of social engineering attack. Emails and text messages are crafted to create a sense of fear, curiosity or urgency in the mind of the victim. There are various types of phishing attacks, and phishers invest a lot of time in crafting and executing them. Uber was a case of phishing: the hacker cleverly used the power of urgency when he sent multiple notifications pushing the victim to take action, and when that did not work, he went for a more personalised touch. Dale Vaz, in his tweet, calls this an “interesting touch to add more trust to the push notification request.”
Pretexting is a fabricated scenario in which the attacker adopts a false identity and uses that invented persona as bait to steal someone else’s personal data. These attacks usually involve the scammer impersonating a trusted entity or individual and asking for details in order to “validate” the victim’s identity.
In more advanced cases of pretexting, the victim is tricked into doing something that violates the organization’s security policies, often leading to cybercrime. What happened at Uber was partly also a case of pretexting, since the hacker impersonated an IT service provider to steal sensitive data from Uber’s data storage.
While phishing uses fear and urgency to take advantage of the victim, pretexting counts on a false sense of trust in the victim’s eyes. This, however, requires a credible storyline that leaves little or no room for doubt.
When it comes to baiting, as the name suggests, the attack is carried out with the promise of an item to entice the victim. This is one of the easiest and least suspicious ways to attack. Because people readily accept that they may have handed over their details at a grocery store or another point of sale, a bait works by exploiting the appeal of a freebie. A classic example is a USB drive carrying a malicious payload left in a lobby or a parking lot: the hacker hopes someone will plug the drive into a device, at which point the malware can be installed.
Quid Pro Quo
There is a fine line between baiting and quid pro quo: here, too, the attacker promises something in exchange for information. While baiting offers goods, quid pro quo usually offers a service. Be aware that hackers also run quid pro quo schemes that are far less sophisticated. These hackers do not have advanced tools at their disposal and do not research their targets. They keep calling people at random claiming to be from technical support. Once in a while they find someone with a legitimate technical problem and will “help” solve it.
In tailgating, an unauthorized attacker follows an authenticated employee into a restricted area. An attacker might pretend to be a delivery driver and wait outside a building to start the attack. When an employee is cleared by security and opens the door, the attacker asks them to hold it, thus gaining access to the building. Where security measures such as keycards and biometrics are in place, tailgating is not easily possible. Organizations lacking these controls, however, are vulnerable.
Can I be the victim of Social Engineering?
Of course, you are at as much risk as the CEO of Google or Microsoft. Your personal information, your company’s confidential data and that of the nation are all equally at risk from infiltrators. More often than not, the threat comes from a known person or from an attacker imitating a known individual. Typically, you are asked by a ‘trusted’ individual to open an attachment, fill out a form, click on a link or wire funds, and the personalized details in the message are there to gain your trust and make it look legitimate.
In the case of Uber, the employee became the victim, leading to a serious security breach. The attack is not always directly linked to the victim, as Dale Vaz clearly tweets…
How do you protect yourself?
Prevention is the way forward. With digitalization and digital adoption, enterprises store huge volumes of sensitive data online and in the cloud. One can only protect data to the extent one has control over it, and once personal information is shared with a third party, that control is minimal.
However, some security measures can be taken to reduce the chances of falling for social engineering:
- Refrain from opening emails received from untrusted sources
- Do not consider offers from strangers
- Install reputable anti-virus software and keep it updated
- Keep the laptop/computer locked when away from the workstation
- Delete any request for personal information or passwords
- Reject requests for help or offers of help
- Enable and use multi-factor authentication
- Have and implement policies for social media usage
- Set your spam filters to high
These measures are not a 100% guarantee that social engineering will be stopped, but they are a good start towards reducing the chances of such attacks. While technology is meant to improve our daily activities and our lives overall, its misuse cannot be ignored. One can only take the necessary measures and look out for any unusual or suspicious activity.