What Has Happened with Social Engineering in the Last 8 Years?
When I actually started thinking about this issue of the newsletter, I was shocked… this is issue 100. Wait. This is ISSUE 100!!!!! That is 8.3 years of newsletters. I could literally reminisce for hours about all the topics, research, and people we’ve spoken with and read about for those issues.
So much has changed. The topics, style, and writing ability, as well as our maturity, professionalism, design, and so much more. Our team dynamic has changed, and we even said goodbye to Michele just this month.
However, one thing has never changed – the newsletter stuck to its roots. When I started it, I wanted a free resource that people and companies globally could use as part of their security program. Over the last 8 years we have had Fortune 500 companies and larger banks, insurance companies, manufacturing companies and others reach out and ask if they can use our newsletters in their internal training.
All this is well and good, but let’s not spend the one time I come out of my hole to write issue 100 talking about how awesome the newsletter is, right? What has changed over the years in the world of social engineering?
Change is everywhere
When I first started this, eight years ago, we would scrape the internet for stories about hacking involving social engineering. To help jog my memory, I went back to the early blogs on SEORG. It took a couple of pages before I found this story about how we can use a $26 piece of software to grab information from military drones. But, then I found this great post from Dec 2009 about how AOL was hacked using some new technique called “spear phishing” and pretexts over the phone.
Jump forward eight years, and we have dozens of stories collected daily about hacks involving phishing, vishing, SMiShing and impersonation. I would say the first major change is twofold. First, we are noticing social engineering more, thanks to the media and press it has received as a legitimate vector over the last eight years. But it is also being used so much more than it was eight years ago, heck, even 2-3 years ago. With the prevalence of its use, it begs the question – why?
Why such an increase in social engineering?
This is a hard question to answer. When I look at social engineering as a whole, or the act of getting someone to agree to take an action that may or may not be in their best interest, attackers are manipulating the decision-making processes of their targets more so than before. Does this mean that attackers have all taken courses in psychology and become expert communicators? I do not believe so.
I think it is more about HOW we, as the human race, communicate. According to Internet World Stats, in June 2008 there were 1,463,000,000 internet users. That number represented 21.6% of the earth’s population.
Jump forward to June 2017, and we are at 3,885,000,000 or 51.7% of the earth’s population now on the Internet. Yes, a staggering 30.1% increase in just 9 years. Think about this too, in 2008:
LinkedIn was 8 years old
Facebook was only 4 years old
YouTube was only 3 years old
Twitter was only 1.5 years old
Instagram was not even born yet (for another 2 years)
Just to name a few
In 2008, Facebook had 145 million users. And, this year they hit 1.86 billion users.
The numbers are staggering. And all this points to one thing – we communicate over the web. We live on the Internet. We talk in memes and GIFs. We learned to say a lot in 140 characters. And, we became a culture of people who don’t care about our most intimate details being viewed by complete strangers.
With all of this, attackers saw the unique opportunity to utilize this new culture as a primo way to attack, and win.
Shikata Ga Nai
Not only is that the name of my favorite shellcode encoder (back in the day, when I used those things), it is also a Japanese phrase that can be translated to, “it cannot be helped” or, “there is no hope”.
Though this feels like it could apply to social engineering, I jest; there is hope. The answer, though, is not what you would expect. I am not going to tell you to unplug, run to the hills to make moonshine, and listen to Bruce Hornsby like Dave’s kin. No, as a civilized gentleman, I will give you just two tips to avoid being the next victim:
Stay informed. You cannot possibly defend against an attack that you do not know exists. Yes, this sounds self-serving, but podcasts like the SEPodcast, newsletters like this one, our blogs and others like Security Weekly, the TrustedSec folks, etc. can help you stay in tune with what is going on. There are some really amazing people on Twitter who can help you stay attuned, too. People like:
@hacks4pancakes – Lesley is someone I trust and find to be reliable
@HackingDave – although he loves Hornsby, he is pretty awesome
Just to name a few
Make good decisions. Yes, just like your mom used to tell you, I am telling you the same. Make good decisions. Decide what you will put on social media, and what you won’t. If you decide to post everything, then realize it is now out there for anyone to see. Do NOT make the silly mistake of saying, “Well, no one would care about me.” Maybe that is true, but do you have good clients? Or a rich relative? Or an attractive mate? Well, all of these things can be what the attacker wants to know, and they may use you to get it.
While I cannot detail exactly how this will look in 8 years, I can tell you what is next in the coming year. Social engineering is not going away. We will see more vishing attacks and the return of SMS attacks. The growing number of vulnerabilities in mobile apps makes this a prime field for attack, as will an increasing reliance on new technologies. We will keep you updated along the way!
Stay vigilant, folks. Thank you for a great 8 years!
Till next time.
Written By: Chris ‘loganWHD’ Hadnagy