Author: Cristian Borghello, Technical & Educational Manager, ESET Latinoamérica

As human beings, we are often guilty of the sin of vanity, which prevents us from really seeing how easy it can be to deceive us. This sense of our own power hides the obvious fact that we know something that, for some reason, can be useful to others. Information security is closely related to human life. In the computer world, we are usually told that the only safe computer is the one without power. Considering this, if a computer can be powered off, who is the target of malware? Users are. There is no computer that does not depend on human beings. This dependence leads to vulnerabilities that can be quite independent of the technological platform one has chosen.

Given these vulnerabilities, Social Engineering (SE) continues to be one of the most commonly used methods for propagating malware attacks, because its creators take advantage of the characteristics of a particular means of communication to deceive users and lure them into a trap that often leads to some type of financial loss. SE can be defined in general as any action or social conduct directed at obtaining information from other people, and can be further described as the art of applying social skills in acquiring information of specific interest to the attacker. The objective of social engineering in the information world is to deceive the user into compromising his system and revealing valuable information. The simple act of clicking a mouse or answering a telephone call can lead to the loss of confidential information, both personal and corporate. At worst, this information can fall into the hands of malicious individuals bent on obtaining some financial gain.

In the words of Kevin Mitnick, one of the most recognized personalities in the world for his cybercrime activities through Social Engineering: "You can have the best technology, firewalls, intrusion detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything." [1]

Every person suffers from the same weaknesses both inside and outside a computer system or professional network. In a sense, the same fraudulent tactics known around the world and practiced since the dawn of humanity only need to be adapted to the new communication technologies in order to allow malicious users to launch their attacks. The effectiveness of this procedure relies on the ability to exploit human qualities such as naiveté, innocence, curiosity, ambition, ignorance, trust, social practices and compulsiveness.
[1] Abreu, Elinor. "Kevin Mitnick Bares All." Network World Fusion, Sep. 2000.
The individual with malicious intentions often proceeds to gain the trust of the potential victim he wishes to deceive, which then tends to allow him to simply ask for the desired information and achieve his deceitful goal. In the same way, social engineers focus on gaining the trust of others with the intention of later deceiving and manipulating them for economic purposes. Persuasion is a key component of SE, because the trick consists not only in simply asking for the desired information, but also in the manner in which the question is phrased. The “art of deceit” can be practiced by anyone—from a seller attempting to discern his buyer's needs so that he may offer them a service, to malware authors who seek to cause the user to reveal passwords. Despite these similarities with some professional practices, attempts to obtain confidential information for an inappropriate use are always of highly questionable ethics.

In the world of computer security, the “art of deceit” is used for two specific purposes:

1. The user is tempted to carry out an activity that will weaken or damage his computer: this occurs when the user receives a message directing him to open an attached file, open a recommended web page, or watch a video.

2. The user is led...