Stories of social engineering

Maybe you act in them too…

 

DEAR READER,

welcome to our overview of techniques of social engineering. What to expect from the following pages? We will introduce you to the types of security attacks, which unfortunately use one of the most sensitive methods – psychological manipulation, through our natural human Achilles' heels, such as curiosity, fear, or inattention. Through this type of manipulation, the attacker can completely deceive his victim, who cant then make a security mistake and provide the attacker with information in the form of sensitive data and access rights, or even monetary amounts.

Sounds like a horror? Maybe, but unlike classic horror stories, we always have a solution for you to avoid these scary scenarios. In ten compelling stories, we will show you how insidious the attacker can be and what they can use to achieve their goal. Unlike the world of movies and literature, anyone can be a model for the next story in these scenarios, and it's easier than it might seem. Whether you are studying, teaching, or working as an accountant…​​

CHAPTERS

Why did Pavlína almost lose a thousand Czech crowns for an alleged ticket for a colleague?

What problems could Erica have caused by a seemingly ordinary flash drive?

Tibor could have lost his login details instead of taking an English course. What happened?

How could Martin lose his internet banking data due to his inattention?

Roman behaved gallantly, but there was not much missing, and he caused real problems in the workplace.

How did Věrka unintentionally cause trouble to her colleague with a casual slip-up?

Pavel is familiar with the types of cyberattacks. But what did hr not expect?

Andrej had no clue that he had found himself in the attacker's search. He could have lost his O365 data.

How resourceful can the attackers be, will Martina experience firsthand…

What can cause a sudden phone call long after the working time?

BLAGGING

"Hi, Laura! Please, I'm in big trouble! I was on a business trip, and my wallet was stolen. I have no way to get back home now. Can you please send me money for a ticket via this link? Please, help me! Mirek. "

This e-mail was received by the protagonist of a story about a technique called Bagging. Laura read the message in a hurry. She understood that her friend was in trouble, and of course, she wanted to help him immediately – Mirek would do the same thing for her, wouldn't he? However, in response to the urgent situation, she didn't notice that the e-mail came from a completely different address, which did not correspond to Mirek's work or personal address. At the moment that Laura would send the money, she would become a victim of techniques of social engineering. Methods in which the attacker tries to manipulate the victim with a usually immensely engaging and urgent story.

Laura, 32
Marketing specialist

In the case of Blagging, a request for a certain amount of money is very common. The attack from our story was so sophisticated that the attacker used the real identity of Laura's colleague. How did he know that Mirek went on a business trip? After all, there are many other social engineering techniques to choose from to obtain similar information! What if Mirek, for example, publicly shared a photo from abroad on social networks? The attacker only has to develop an engaging story and falsify an e-mail address. But how to defend against Blagging (not only) in the environment of Masaryk University? If you receive a message similar to Laura's:

Try to verify the sender's e-mail address first. If the sender's address doesn't match the format of your workplace addresses, it's time to pay attention. In the environment of Masaryk University, you can verify the e-mail addresses of people here.

If you become suspicious, contact the person through a different communication channel, for example, through a personal e-mail address social networks, or try to call the person.

If it appears that it is a scam, or the person doesn't respond for a long time, it is better to report the whole incident to competent persons (IT technicians, managers). In the case of MUNI, do not hesitate to report the situation to the cybersecurity team.

Erika, 52 let
Head of the study department

BAITING

Her colleagues consider Erika to be the responsible head of the study department. Hard not to. She has been in this position for ten years. One day, on the way to work, she finds a bright pink USB drive with the sign "Teambuilding photos "on the parking lot. Erika looked at it for a while, then decided to take it. She thinks: "It lies in front of the building where she works, and someone might be missing it. I will take it to the reception, and the owner will certainly claim it. ". But when she arrives at the office, she keeps thinking. About what teambuilding is it? And which interesting photos could she find there? She will return the USB driver, but until after she looks at the content. After all, they are her colleagues, and if they don't, she will at least know that there is no point in returning it to the reception, and she will come up with another solution. So she plugs the medium into her work computer and opens the folder. However, she won't find any photos, just some nonsensical files. Someone must have deleted the pictures, she thinks. Pity. She pulls out the USB drive and takes it to the reception to report the finding.

At that moment, Erika had no idea that she became a victim of so-called Baiting – a method of social engineering that uses our natural curiosity. In this case, the attacker's goal was to motivate one of the workers to plug the medium into his/hers workstation using an inciting label on the drive. While Erika was looking for photos, malicious software had long been running behind her back, which may now have control over her computer. What will she do with it?

Erika is lucky – she has an antivirus program installed and fully updated on her work computer to deal with the malicious software. However, it doesn't always end like this.

Never connect or insert media (USB drives, SD cards, etc.) into your work or personal devices when you are unsure about their origin and content. We also recommend securing your devices.

PHISHING

Tibor is coming face-to-face with the most common type of social engineering attack in his story – pishing. Phishing usually takes the form of sending fraudulent e-mails. These fraudulent e-mails try to get all sorts of data from the user. It can be a login name and password for a bank account in your personal life or access to work applications and systems in your work. In the environment of Masaryk University, it is most often the access to the Information system of Masaryk University. But what if the attackers change tactics and start angling for your O365 account? It was Tibor who encountered such an attempt…

Tibor received an e-mail on Friday afternoon offering excellent language courses with good discounts in the attached document. He rejoices over it and clicks on the attached file. Suddenly, a window pops up asking him for permission to access Tibor's O365 account data. It requires access to a calendar, contacts, and more. Tibor would give the attackers full access to his O365 account by agreeing to these requirements. What should be suspicious to Tibor and you, the reader, at first glance?

Tibor, 34 let
English teacher

When accessing any file, the O365 will never want to confirm access to your account from you (whether it is a contact list, changes in a calendar, or something else).

Every application should always request access only to items related to its primary activity. If Tibor opens a link to a Word document from O365, why should the application want to access its calendar or read all his files?

Always read what approvals you give to the app, even if you think you "know it like the back of your hand." Report it if you find the requests suspicious or succumb to pishing (which will always reveal itself sooner or later).

Martin, 19 let
Student

SHOULDER SURFING

There was not much missing, and Martin became a victim of Shoulder Surfing, a method of social engineering that can happen to you practically anywhere and anytime. Shoulder surfing, as the name suggests, is based on espying essential data and information (such as a PIN) from the user's device display. So it is enough for the attacker to look over your shoulder and wait for the right moment. Even that can begin a cyber attack, and the Shoulder Surfing can be just one piece of the mosaic.

One day, Martin took public transportation to school, as he did almost every day. He decided to check if he had received brigade pay. As usual, the tram was crowded, but he managed to take a seat. When he signed up, he didn't notice the strange man behind him, who had a direct opportunity to look at his internet banking application form. What may have saved Martin's paycheck, and how to prevent a similar situation?

Martin was lucky that he chose a strong enough password for his internet banking so that the attacker couldn't espy it. Next time, however, he should also pay attention to the surroundings and, for example, stand with his back against the wall of the tram.

However, we recommend minimizing the manipulation of your sensitive data in public places. You should check your internet banking at home, and responding to your work e-mails will undoubtedly wait until you are back in the office.

You can apply all these recommendations not only to Shoulder Surfing but also to the protection of your privacy in general - also outside cyberspace. We should all protect our privacy carefully.

TAILGATING

Today, the researcher Roaman will learn through personal experience that social engineering and cyber attacks not only concern our devices, e-mail boxes, or servers. On a busy Monday morning, Roman is entering the department of his workplace, and as soon as he beeps with his card at the entrance, beautiful young women call to him. "Will you let me in, please? I left my card at home. "As a gentleman, Roman complies with the request of the young lady. He even holds the door for her as she enters. Roman has only been working for two months at Masaryk University. Therefore, he doesn't have a complete overview of all his colleagues yet. He has no idea that he will never see the young lady again…
Also, he certainly has no clue that he just became a victim of so-called Tailgating, which can have far-reaching consequences. How could this happen?

Roman, 46 let
Researcher

Tailgating is a method of social engineering that takes advantage of the situation, especially in large organizations. These workplaces are often characterized by not all employees knowing each other. It makes it harder for them to distinguish who works there. And that's what the attackers are betting on. It is enough for a successful attack like this to act self-confidently and, ideally, distract the victim. Once an attacker gets into the workplace with restricted access, he can cause a whole lot of trouble. From stealing data from unencrypted drives to deploying malicious code to the manager's device. How can Roman and you defend against Tailgating?

If you meet someone you don't recognize who claims to have forgotten their ID card or keys, try to check the person at the reception, for example. But never let strangers into your workplace.

Always use only your identification cards and keys when entering a restricted area. At the same time, never lend them to other people, not even to your colleagues. And one final thought at the end – Haven't you let someone you didn't know to your workplace lately?

Mia, 26 let
Accountant

TRASHING

Mia started working in a personnel-payroll department at the office of a larger city three months ago. Last week, she received a task on her daily schedule – to issue a rate sheet to a leaving employee. So Mia prepared everything, but he noticed a small typo in his surname when handing it to the employee. Therefore Mia prepared a new rate sheet and threw the old one in a trash can in a hurry. A copy of this rate sheet appeared on the internet in a few days. It turned out that the rate sheet a sensitive data that none of us would like to share publicly. For example, if any court-ordered deductions were made from the salary.

So what happened? Mia immediately got suspicious about malicious software on her computer. However, the explanation is much more straightforward. The so-called Trashing is a technique of social engineering, where the attacker tries to obtain the information out of the trash from the office. Yes, you are reading right. That is how the rate sheet got to the internet, from where probably no one will ever delete it. So how do you defend yourself against Trashing?

The most effective method is prevention. The attackers can be very agile in obtaining sensitive data and information, especially if the target is a selected victim.

So, let's remember that the trash cans are not black holes. Even if you tear or cut the document by hand, a skilled attacker can handle it. Therefore, put the unnecessary documents in the shredder.nty raději skartovačce.

SMISHING

Paul has been working as a librarian at Masaryk University for more than 17 years. He has learned well that messages with nefarious intentions sometimes land in his e-mail box during that time. That's why he is careful and reports them exemplary. But Paul doesn't know that the attackers are evolving, and their attacks can also target another device. This morning, Paul received an SMS message on his business phone. It stated that the university traffic light was turning red; therefore, he needed to immediately log in to the mu Information system via the attached link and inform all his colleagues at the workplace about the situation without delay. And what happens in such a situation? The same thing as with the fraudulent phishing e-mail. Paul voluntarily handed over his data to the attackers and at the same time spread the alarm message among his colleagues.

This type of attack is called Smishing. As the name suggests, this method involves pishing done via SMS. And it can come in much more attractive form, for example, a delivery SMS from a food delivery or a mobile phone win. How to defend against this method of social engineering?

Paul, 45 let
Librarian

Do not share your phone number publicly if it is not necessary. Don't reply to the received message, and in any case, don't call the number back.

Don't click on the attached link in SMS messages before checking the sender's identity. You can verify the phone number through social networks or try typing it in a browser and reading the reviews.

If you suspect that the message you received doesn't have the purest intentions, don't hesitate to report it to your employer and, in the case of Masaryk University, to the Cybersecurity Team.

Andrew, 25 let
Economist​

SPEAR-PHISHING

Spear-pishing is more sophisticated pishing. What is its insidiousness? That will know Andrew, the junior economist…
Each of us belongs to a particular working group with specific rights and accesses. The most frequently attacked employees are those who manipulate funds and sensitive data. Andrew belongs to the group mentioned first. He receives dozens of messages in his business e-mail box daily. Today a message entitled "Wage plan calendar November "appeared among them. The e-mail contained a brief report urging Andrew to open the file available at the attached link. After clicking on the link, a textbook pishing page appeared on Andrew's screen, which tried to imitate the login page of Masaryk University. The moment Andrew would fill in this form, he would send his login details directly to the attacker, who can then freely misuse them.

Why did Andrew tend to open this e-mail? That's because it was directly related to his job, and that's what the attackers bet on. In addition, the fraudulent e-mail disguised itself quite well among other business e-mails. What could Andrew do to ensure that something wasn't just right? And what rules can you follow?

Despite a credible visual identity, always check the address bar carefully. Does everything seem right? There is not much time left to check every detail in the e-mail or web in a daily fast work routine. However, checking the address bar always pays off.

Unified MUNI login will always be in the form id.muni.cz. Every, even the slightest change in the web address indicates a fake web. And don't forget – always report received fraudulent e-mails and already filled pishing forms.

WATERING-HOLE

Have you ever seen a scene where a herd of antelope comes to the water flow to freshen up in the savannah on a hot day, and suddenly an alligator shows up from the water and pulls some of the animals under the water? It is a phenomenon that belongs to the food chain in the local conditions. And according to this phenomenon, one of the most sophisticated social engineering methods is called – Watering Hole. We will introduce you to such an attack in the story of the developer Martina, who a predator also targeted. However, he did not lurk under the water but in cyberspace.

Before the attack itself, the attacker had to collect the data about his victim very carefully to make his attack as effective as possible. In our case, the attacker found out that the delivery service in the city, from which Martina orders her food at home most often. He was able to do this, for example, by using the Trashing technique. The attacker subsequently found a weakness that the delivery service operator had not addressed and compromised the website for his interest. Then all he had to do was to wait for Martina to visit the website so that the malicious code could get to her device. This type of attack is highly targeted and not commonly encountered by users. But it is good to know what else the attackers have in their pocket.

Martina, 30 let
Developer

Eva, 38 let
Členka Komory akademických pracovníků

VISHING

After an exhausting day at work, Eva was finally looking forward to a quiet reading session before bedtime. However, her phone began to buzz with an unknown number on display at that moment. Eva accepted the call in anger, but before explaining that it is rude to call anyone at such a late hour, a professional-sounding voice introduced itself and quickly began to urge Eva. The person claimed that the bank account of the endowment fund, which Eva manages, had been attacked. He added that it is a crucial security problem and that they need close cooperation from Eva to secure the account. The person demanded that she immediately provide her banking login details, including a PIN.

Eva was naturally confused and frightened for a while, but she quickly realized it must be a fraudulent phone call. We shouldn't share our login detail with anyone, let alone the PIN. She was right. She became a victim of Vishing – voice-pishing is a technique similar to pishing, but using a fraudulent call instead of an e-mail to lure sensitive data from the victim.

As soon as she realized her situation, she did not disclose any information to the fraudster and hastily ended the call. But what should you or Eva do next in a similar situation?

Ideally, you should write down the number that was calling you, the time of the call, and the details the attacker was interested in. In summary, collect as much information about the call as possible.

It is good to contact the police with the collected information – it can significantly help catch the perpetrator and prevent other similar attempts, which may not end as well as in Eva's case.

Similar phone calls may not be limited to bank accounts. The voice from the other side of the phone may be pretending to be a Microsoft support with intent to gain access to your computer using an insidious story...

IN CONCLUSION

Social engineering techniques can be a daily threat to everyone in cyberspace – and partly beyond. We have introduced you to some possible scenarios, but their primary purpose is to show how creative the attackers can be and not spare anyone. Let's sum it up. Here are the basic steps to prevent social engineering techniques that can be easily applied to our everyday lives:

Always verify the sender's address and the address bar in the web browser.

Do not open e-mail and attachments from suspicious sources.

Have an antivirus program installed and keep it up to date.

Never connect or insert external media in your work or personal devices when you are unsure about their origin and content.

Minimize the manipulation of your sensitive data in public places.​

Never lend your identification cards or keys to other people, not even to your colleagues.

Unfortunately, social engineering isn't the only threat in cyberspace. It is just a few techniques, usually narrowly focused on specific people. But you don't need to be afraid. You will find preventive measures and options for solving other possible threats in our next course – Cybercompass. And what to do when things get tough? The Cybersecurity Team of Masaryk University is always there for you!

AUTHORS

Barča has long been dedicated to designing and implementing websites, including graphic elements, service design, and copywriting. She combined her experience to turn all the stories into a readable and engaging educational activity.

Peťa has been involved in cyber education for a long time, and in the course, she focused on professional content. Above all, she ensured that no insidious technique was left unexplained in a way that was adequate to the needs of the course's readers.

You are running an old browser version. We recommend updating your browser to its latest version.

More info