Understanding the art of manipulation

Social engineering is the art of manipulating users to perform actions or divulge confidential information for the benefit of the attacker.

Examples of those actions can be as follows:

• Install a given software (which may contain malware)
• Remove some security settings or applications (disable the antivirus, firewall, etc.)
• Execute an unknown command that may impact the confidentiality, integrity, or availability of data (for example, delete a table using SQL commands)
• Create or edit an active user (that will provide access to the attacker)
• Change system configurations (to facilitate access to data)

Additionally, examples of the types of information that the attacker may want to gather from the victims are as follows:

• User credentials (usernames, passwords, etc.)
• Trade secrets
• Organizational information (which can be used later for whaling attacks)
• Financial information
• Corporate sensitive information (clients, price lists, etc.)
• Sensitive personal information (used for impersonation attacks)

While most people believe they will never fall victim to this type of attack, the truth is that we are all susceptible to a social engineering attack.

In fact, social engineering attacks have evolved into well-fabricated scenarios that are carefully crafted to leverage a series of physiology paradigms to effectively trick and manipulate the victim without them even noticing that they are under attack.

Therefore, organizations must invest time and resources to include social engineering awareness campaigns as part of their cybersecurity strategy to reduce the risks of employees falling into these types of attacks.

A common mistake is to focus social engineering awareness campaigns on IT people, while in reality, attackers prefer to attack other employee profiles, as follows:

• Non-IT employees: Attackers assume that non-IT personnel are less aware of the consequences of executing a given command. The following figure shows a typical example of how an attacker can manipulate an employee into executing a command to delete hundreds and even thousands of records in a database:

Figure 1.1 – Manipulating non-IT employees

• Overwhelmed users: We all know that some companies are happy to assign overwhelming workloads and job responsibilities to some employees. This is, of course, a terrible business practice, but it can also become a vulnerability that attackers may want to exploit. For example, as shown in the following figure, an attacker can manipulate an overwhelmed employee to gather access to a restricted location (which will enable the attacker to perform a super dangerous physical attack):

Figure 1.2 – Manipulating overwhelmed users

• Sales teams: Sales teams are normally overstretched to achieve sales quotas at the end of the quarter. Attackers can leverage that stress to manipulate the victim to perform a restricted action, as highlighted in the following figure:

Figure 1.3 – Manipulating sales teams

• Executive assistants: Executive assistants handle a lot of sensitive information that is a potential target for attackers. Therefore, executive assistants are a common target that attackers may try to manipulate to gain access to that information. The following figure shows an example of how an attacker can impersonate an IT manager to obtain a password reset code to gain access to the senior manager’s account:

Figure 1.4 – Manipulating executive assistants

Of course, those are only a few examples of groups that are more prone to be attacked by a social engineering attack, but in the end, what we want to highlight is the importance of ensuring that the organization is well-trained and aware of the threats of social engineering attacks.

The bottom line is that users are the biggest layer of defense to prevent those attacks in your organization, therefore, ensuring that everyone is well-trained to recognize those attacks should be a key component in your cybersecurity strategy.

Now, while manipulation is the art used by attackers, there are a lot of psychological principles behind this that enable the attacker to successfully manipulate users not only to perform those actions but to do it without doubting the intention of the attacker. Now, let’s review them in detail.