
BLOG POST: Hacking the Human - Why Phishing Still Works - A Social Engineering and Psychological Outlook on Ransomware

Maliha Charania is an Intern with our IT Risk Management division.

July 17, 2017

Cybersecurity is a big concern, with new threats and attacks happening daily. Amid data breaches, fines, and tightening data regulations lies the most important element: the human element. Phishing, including phishing that delivers ransomware, is probably the most popular attack method used to gain access to systems and sensitive information. As per Verizon’s 2017 Data Breach Investigations Report, 66% of malware was installed through malicious email attachments, and a combination of social engineering and malware “…occurred in 73% of the security breaches” [1]. As a result, the emphasis on user awareness and training on ransomware has been increasing; however, so has the success rate of phishing and ransomware attacks.

As Sun Tzu says in The Art of War, “All warfare is based on deception” [4], and so is social engineering. Let’s take a deep dive into understanding the phenomenon of social engineering. The attackers, or “social engineers,” try to lure users into performing an action which grants them (the attackers) access to the user’s system. This is most commonly executed through a phishing email asking for sensitive information (such as passwords or bank account details) or requiring users to click on a malicious link (or attachment) which will download malware onto their system. An analogy would be keeping a spare key to your home under the doormat and letting everyone in the neighborhood know; at that point, your house will get broken into. Similarly, this malware opens a persistent ‘backdoor’ into the system for the hackers, who can thereafter access files or infect other systems in the network using the newly compromised system.

Hacking the Human: Social Engineering

Upgrading technology can be one of the easy answers; however, the difficult or nearly impossible task is changing human nature. (Ever tried changing an already made-up mind? I assure you it’s an impossible task!)

Trust (along with greed) and fear are possibly the two most prominent human traits that lead to the success of social engineering attacks. It is in our nature to trust and be helpful.

1. Trust

In modern times, with exploitation at its finest, social engineering is defined as “the clever manipulation of the natural human tendency to trust.” Trust is one of the major reasons why these attacks are successful. Most of us trust easily, without stopping to think that an email or phone call may be a scam, and quickly reveal information as a result. The attackers make emails appear legitimate by taking advantage of real-life events and deadlines such as tax returns, or in some cases the emails appear to come from the IT helpdesk offering to increase the mailbox size. “Oh! More email storage. Let me click this.” I don’t know about you, but I could definitely use more email storage for all those CC-ed emails, or an extra day for filing those already procrastinated taxes. Another common example is emails from people offering a huge amount of money. Everyone wants money, and this greed leads them to trust the sender.

Time is of the essence here. Therefore, attackers make sure that the clock is perpetually ticking so that the victims have no time to question their authenticity. They stress urgency and prey on vulnerability by sending emails when people are stressed, such as at the end of the work day, work week, or month.

“We simply attempt to be fearful when others are greedy and to be greedy only when others are fearful.” – Warren Buffett

2. Fear

It is human nature to reflect on how other people perceive us. Sometimes, that reflection leads us to make decisions we later regret. Hackers exploit this aspect of human nature by sending fake emails that appear to come from a higher authority, like upper management or even law enforcement. Most people, when receiving such emails, do not question them and respond almost immediately because “if I don’t respond to this, I may sound rude,” or “it’s coming from the Vice President; I will get fired if I do not do as I am told. I must not question!” Entry-level staff are probably the easiest target due to their fear of getting fired, but they are not the only target.

Everyone is a target!

No matter how fearless or cautious we think we are, the reality is that each one of us has weaknesses which social engineers will find and try to exploit. In the profound words of Frank Underwood (House of Cards, genius villain), “Even Achilles was only as strong as his heel.” If hackers can “hack the human,” then they can skip all the hard work they would otherwise have to do.

Hacked? – Let the blame game begin!

After being hacked, people most likely won’t be convinced that their action could have caused any serious consequence. Some still believe that security is not their responsibility. Cybersecurity professionals are working hard, but so are the bad guys. Their techniques are getting more and more sophisticated and harder for the advanced tools and technologies in place to catch. Therefore, it is very likely that some phishing emails will pass through the security tools, and it will be up to the user to decide whether an email is legitimate or not.

Security is Everyone’s Responsibility

Understanding and accepting that security is, in fact, everyone’s responsibility is the first step to staying protected. Everything else comes later. A few tips to keep oneself secure include the following:

  • Be more vigilant. “Trust, but verify!”
  • Don’t be afraid to ask questions. If you find a “phishy” email coming from a known source, just pick up the phone and verify, even if it is coming from upper management. Asking questions will not get you into as much trouble as a phishing email that leads to ransomware and a data breach.
  • If you are in doubt, call the IT Security team for advice. They are the experts, and they can help you.
  • Don’t feel shy attending a security awareness course, even if you are in the field of IT or IT Security. Hackers are becoming more sophisticated with their tactics. It is always good to be aware and be one step ahead of them.
  • Always think before you click! Remember, they cannot enter unless you click.
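The trust and fear cues described above (urgency, a sender claiming authority, money or mailbox-storage lures) and the “Trust, but verify!” tip both translate into simple checks a security team can run over inbound mail before a user ever has to decide. The script below is an added example, not code from the original post or from the author’s organization: it parses a raw email with Python’s standard library, looks for those cue phrases, and checks whether links or the Reply-To address point to a different domain than the visible sender. The cue lists, weights, thresholds and sample messages are all constructed assumptions for illustration.

```python
"""Heuristic phishing triage for the social-engineering cues discussed above.

Added example, not code from the original post. The cue phrases, weights and
thresholds are illustrative assumptions; the sample emails are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Cue phrases, grouped by the human trait each one plays on (assumed lists).
CUES = {
    "urgency":   ["immediately", "within 24 hours", "today", "urgent",
                  "final notice", "account will be suspended"],
    "authority": ["vice president", "ceo", "chief", "helpdesk", "help desk",
                  "it support", "law enforcement", "compliance"],
    "greed":     ["million", "prize", "lottery", "inheritance", "reward",
                  "refund", "tax return", "wire"],
    "quota":     ["mailbox", "storage", "quota"],
}
# Weight of each cue category and of the two sender-mismatch checks (assumed).
WEIGHTS = {"urgency": 2, "authority": 2, "greed": 2, "quota": 1,
           "link_domain_mismatch": 2, "reply_to_mismatch": 3}

URL_HOST = re.compile(r"https?://([^\s/<>\"']+)", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain: last two labels, port stripped."""
    host = host.lower().split(":")[0]
    return ".".join(host.split(".")[-2:])


def has_cue(text: str, phrases) -> bool:
    """Whole-word match so short cues like 'ceo' do not hit inside other words."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def score_email(raw: str) -> dict:
    """Return score, triggered reasons and a verdict for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # Display name, subject and body are all places the lure can sit.
    haystack = f"{from_name}\n{msg.get('Subject', '')}\n{text}".lower()

    reasons = [category for category, phrases in CUES.items()
               if has_cue(haystack, phrases)]

    sender_domain = ""
    if "@" in from_addr:
        sender_domain = registrable_domain(from_addr.split("@")[-1])
    # Links that point somewhere other than the visible sender's own domain.
    link_domains = {registrable_domain(h) for h in URL_HOST.findall(text)}
    if sender_domain and any(d != sender_domain for d in link_domains):
        reasons.append("link_domain_mismatch")
    # Replies silently routed to a different domain than the visible sender.
    if "@" in reply_addr:
        if registrable_domain(reply_addr.split("@")[-1]) != sender_domain:
            reasons.append("reply_to_mismatch")

    score = sum(WEIGHTS[r] for r in reasons)
    verdict = ("likely phishing" if score >= 5
               else "suspicious" if score >= 2 else "low")
    return {"score": score, "reasons": reasons, "verdict": verdict}


# Constructed sample messages (not real traffic); domains use .example.
PHISH_QUOTA = """From: "IT Helpdesk" <helpdesk@mail-quota-upgrade.example>
To: staff@hospital-mail.example
Subject: Mailbox storage full - act immediately

Your mailbox has reached its storage quota. Upgrade here:
http://login-portal.example/upgrade
Do this within 24 hours or your account will be suspended.
"""

PHISH_VP = """From: "John Smith, Vice President" <jsmith@hospital-mail.example>
Reply-To: jsmith.vp@webmail-lookalike.example
To: clerk@hospital-mail.example
Subject: Need this done today

I am in a meeting and cannot talk. Wire the $2 million vendor refund today
and confirm by reply to this email.
"""

BENIGN = """From: "Maria Lopez" <mlopez@hospital-mail.example>
To: clerk@hospital-mail.example
Subject: Lunch next Tuesday?

Are you free for lunch next Tuesday? I put a hold on the shared calendar:
https://hospital-mail.example/calendar
"""

if __name__ == "__main__":
    for label, raw in [("quota lure", PHISH_QUOTA),
                       ("executive lure", PHISH_VP),
                       ("benign", BENIGN)]:
        print(label, score_email(raw))
```

The two mismatch checks are the mechanical half of “trust, but verify”: a message whose visible sender is internal but whose Reply-To or links lead elsewhere deserves the phone call the tip recommends, whatever its wording says. Keyword cues alone produce false positives (legitimate helpdesk notices also mention storage), which is why the score combines several independent signals rather than acting on any one of them.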

References

  1. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
  2. https://cdn-images-1.medium.com/max/960/1*2OMQXi4yjGwcmLSnu08ilg.png
  3. http://www.thewindowsclub.com/methods-of-social-engineering
  4. Sun-tzu and Samuel B. Griffith. The Art of War. Oxford: Clarendon Press, 1964. Print.
  5. https://sjenkinsblog.files.wordpress.com/2015/10/puppett.jpg
  6. http://csrc.nist.gov/organizations/fissea/200s6-conference/Tuesday300pm-OLeary.pdf
  7. http://www.idgconnect.com/abstract/18740/the-psychology-fall-social-engineering-attacks
  8. https://www.giac.org/paper/gsec/3547/psychological-based-social-engineering/105780
  9. http://www.merchantlink.com/top-7-psychological-triggers-behind-social-engineering/
  10. http://www.merchantlink.com/wp-content/uploads/2016/03/multi-level-defense-social-engineering-920.pdf
  11. https://www.itgovernance.co.uk/blog/the-psychology-behind-phishing-attacks/
  12. http://isbdc.org/wp-content/uploads/2012/05/Psychology-of-Phishing-Scams-4_17_12.pdf