How Cybercriminals Use Manipulation
By Robert Blake
Cybercrime occurs when computers are used to gain unauthorized access. Typically, it's done for financial gain although motives vary. Cybercriminals use their technical skills but also employ manipulation techniques to make the job easier.
Information needed in cybercrime can be obtained by walking into a business, glancing around, and speaking to employees via casual conversation -- effectively, the perpetrator hides in plain sight. This is a type of infiltration. Names, job titles, phone numbers, and anything else that can be used to imitate an employee are used as the next step in a cyberattack.
Information can be gathered in other ways, however. Phishing is a technique used for gathering private information and occurs when an attacker pretends to be a legitimate entity. Tricked into believing the attacker is trustworthy, people are coerced into disclosing private information. Phishing can be initiated via emails, telephone calls, private messages, or text messages.
The following are examples of attacks after sufficient, private information is obtained -- demonstrating further the depth of manipulation used. Infiltration could be enough to obtain illegal access without phishing, and vice versa. Other times, combos are used. They are not cut and dried, although they can be executed as such.
Armed with various information, a cybercriminal calls into a business, imitates an employee, and asks the help-desk clerk to change a login password. The criminal obtains the password and gains access to the desired system.
The help-desk clerk might even get tricked into changing and giving away an administrator password while the perpetrator imitates an administrator. With administrative access, privilege escalation on a number of user accounts can be attained. Why get access to a single computer when an opportunity exists to change access controls across the board -- obtaining access to all users' data?
It could also go the other way -- a perpetrator could call in imitating help-desk support. An employee can be tricked into downloading and installing a malicious software program, for example. After persuading the employee to install it -- creating the illusion of a fixed problem -- unauthorized access is obtained.
It's worth noting that malicious software doesn't have to be designed by the attacker using it. Computer programmers design malicious software and sell it via the black market. It could be designed to exploit a known vulnerability or be customized to a buyer's needs. The bar for carrying out cybercrime has been lowered.
Sometimes phishing attacks are aimed at specific people. A spear-phishing attack is exactly that and can be done using information obtained via infiltration or prior info-gathering campaigns. Depending on the goal of the cybercriminal, targeting specific people can be advantageous.
As an example, obtaining login credentials for an employee higher up the chain could yield a broader database for gleaning. With access to such data, a cybercriminal might have reached their goal or could use it to proceed with lateral movement -- accessing other resources on the network.
Tips for Moving Forward
Education is most helpful for reducing the risk of phishing attacks -- and should not be limited to the tips listed below. The best antivirus software or password policies are not going to protect a company from employees being tricked into giving away sensitive information.
The following are common routines for reducing phishing attack risk:
1) Use care when handling the contents of an email spam directory. Email providers always include a spam inbox for detected phishing attempts.
2) Don't use links in unexpected emails for resetting passwords or verifying private information.
3) Don't open attachments in unexpected e-mails.
4) Don't click links received in unexpected texts or private messages.
5) Don't give away private information when receiving unexpected phone calls.