People have become increasingly skittish about cybersecurity in recent months. High-profile hacking cases such as those at Target and GoDaddy prove that even market leaders can be victims of hackers. Most people feel that the solution is to use more advanced security tools and carefully monitor their applications for problems such as the Heartbleed Bug. However, few people realize the dangers posed by many social engineering scams. GoDaddy recently admitted that hackers used social engineering to trick one of its employees and gain access to a number of accounts.
Social Engineering Led to GoDaddy Breach
Earlier this year, TechCrunch reported that a hacker called up GoDaddy and PayPal to get information that allowed them to hack Naoki Hiroshima’s account. GoDaddy confirmed that the attack used a clever strategy to gain access to his information. The hackers convinced the people at the company to reset the account settings. This allowed the hackers to create their own permissions and take over.
It is very concerning that employees at GoDaddy weren’t more vigilant about protecting customer security. Unfortunately, these problems seem to be much more common than we would like to think. It is very important to understand the role that social engineering plays in cybercrime so that we can guard against it. You may want to read about some new social engineering scams to learn more.
Understanding the Psychological Elements at Work
Many people think that hackers are a bunch of socially inept crooks with Asperger’s Syndrome who rely solely on their tech skills to exploit their victims. This stereotype has often caused people to let down their guard when talking to one on the phone. Many hackers are clever psychopaths who have studied the intricacies of human behavior. Here are some of the tactics that they use:
Absolving of Responsibility
Most employees are on their guard when they are asked to provide sensitive information. They realize that giving confidential information to the wrong person could cost them their job or possibly lead to legal charges.
Hackers try to set people at ease by giving them an out. They may impersonate a police officer, security professional or someone else who has a legitimate reason to request the information. The employee subconsciously realizes that they have an excuse if they face blame, which makes them feel more comfortable turning the information over.
As shown above, impersonation is a key way that hackers try to solicit information. For a group that works on computers, they have developed surprisingly sophisticated ways to go about it. A. Bernz is a well-known hacker who has written extensively on the social engineering tactics criminals employ. He has said that many of them study voice patterns and use recordings to make their statements sound more believable.
Play to Target’s Motives
Clever hackers will also learn as much as possible about the employees that they intend to speak with. Here are some of the things that they may want to learn about the person:
- Tensions with specific coworkers
- Aspirations for advancement
- Bitterness towards employer
- Romantic interest in coworker
They can play to these desires and encourage employees to share information that may help them achieve their goals. For example, a hacker may pretend to be a law enforcement official looking for dirt on a professional enemy or someone competing for the same promotion. The employee may overlook their better judgment and share that information if it helps them get rid of the competitor or embarrass the despised coworker.