Manners and helpfulness are usually admirable traits.
But they can turn into a problem online, where criminals take advantage of the good humour and fears of others.
Indeed, the stereotype of a hacker who sits in a basement eschewing all social contact couldn’t be more off base. A good hacker will be able to warm right up to possible targets, a practice experts have dubbed social engineering.
“Normal hackers rely on technical weaknesses,” says Melanie Volkamer, a professor at Germany’s Centre for Advanced Security Research. “Social engineering relies on human weaknesses instead.”
That means taking advantage of curiosity and greed. But the days when people fell for offers of riches from Nigerian businessmen are long gone. Nowadays, scams appear more respectable at first glance: free credit for coupon programs or online shops, for example.
Others disguise themselves as photos or videos of celebrities or current events. When the curious click on them, a virus or Trojan is allowed onto the computer.
Of course, not every social engineering trick relies on human weakness. Many appeal to positive traits, like good manners, willingness to help or respect for authority. For example, respect for authority is tremendously useful for people who employ phishing emails or websites.
“Victims see a mail that looks like it comes from their bank and think ‘That should all be in order’,” says Volkamer. But that’s a mistake, as the access code a person reveals usually ends up with a swindler.
The Working Group on Identity Protection in the Internet, a German-based group, has tips for protecting oneself from phishing.
Always check the site's security certificate when following a link, by clicking on the padlock icon in the browser's address bar.
But new social engineering tactics make it hard for even experienced users to avoid those with bad intentions.
“Many phishing mails have become personalised in the meantime,” says Volkamer. Crooks use personal information floating around online, which makes the initial contact more believable, since they’ll include the target’s proper name.
Hackers can also use knowledge about the names of one’s parents or pets to figure out passwords or correctly answer security questions.
There are even programs that analyse eBay auctions, says Tobias Scheffer, of the Institute of Computer Science at the University of Potsdam. “People then get spam with their proper name that makes new offers about the object currently being auctioned.”
Such attacks are based on classic phishing: they come with a link that, when clicked, downloads malware onto the computer and uploads personal data.
Another trick is using fake accounts on social networks. Hackers will check a target’s list of friends on one network and then see if the target has the same group of friends on a second. If that’s not the case, the hacker will pose as an existing friend not yet on the second site and try to pry information out of the target.
Anyone can be the target of such an attack, says Volkamer. “People make false assumptions about who would attack and who wouldn’t.”
Companies and their workers are a major target of social engineering attacks. That’s because a lot of social engineering is now focused on industrial espionage, says Volkamer.
“This means an IT trainee might get a call from someone posing as a colleague,” she says. “He’s on vacation and can’t get his emails and would the colleague mind resetting his password for a few minutes?”
Social engineers also rely on impatience. “We always want things to move immediately on the internet,” says Volkamer. That means warning messages are routinely ignored, mails not read properly and links simply clicked on.
Hackers also know how to stress out targets and create a sense of urgency. “Don’t let yourself get put under pressure,” advises Volkamer, noting that there’s nothing so urgent that people shouldn’t be able to think about it for a few seconds.