Social Hacking

Gareth Norris, Max Eiza, Oliver Buckley: Email scams are getting more personal – they even fool cybersecurity experts, The Conversation 11.07.2022 analysiert, wie Daten aus Social Media Einträgen zu Betrug eingesetzt werden:

“Fraudsters are using spam bots to engage with victims who respond to the initial hook email. The bot uses recent information from LinkedIn and other social media platforms to gain the victim’s trust and lure them into giving valuable information or transferring money. This started over the last two to three years with the addition of chatbots to websites to increase interactions with customers.

“Social media is making it easier for scammers to craft believable emails called spear phishing. The data we share every day gives fraudsters clues about our lives they can use against us. It could be something as simple as somewhere you recently visited or a website you use. Unlike general phishing (large numbers of spam emails) this nuanced approach exploits our tendency to attach significance to information that has some connection to us. When we check our full inbox, we often pick out something that strikes a chord. This is referred to in psychology as the illusory correlation: seeing things as related when they aren’t.”

Christina Lekati: Social Engineering Kill–Chain: Predicting, Minimizing & Disrupting Attack Verticals, ahead 02.06.2022 beschreibt die verschiedenen Phasen der Social-Engineering-Angriffe. 1. Phase Planung, Recherche und Vorbereitung: Erkundung und Identifizierung von Zielen, Pretexting (harmlose Fragen stellen). 2. Ausführung: Vertrauensbildung, Ausbeutung 3. Exfiltration: Ausführung wird abgeschlossen und beendet. Sie skizziert Elemente der Verteidigung und kommt zu dem Schluss:

“While we can (and should) mitigate certain risks, social engineers will find a way to reach an employee and attempt to manipulate them. Humans are and will remain an additional layer of defense for organizations. They need to be able to identify an attack, thwart it, and report it.”