Free Spotify Social Engineering


Social engineering is the act of manipulating someone into divulging information or doing something that's not usually in their best interest. In this article, we will look at a few common ways Social Engineers try to manipulate you.

Disclaimer: My articles are purely educational. If you read them and cause damage to someone, that's on you. I don't encourage any malicious activity or black hat practices. Read the code of ethics here.

One common type of scam is the Spanish Prisoner, which dates back to the 18th century and has lots of modern incarnations.

It usually involves someone who's in trouble and needs your help to access their fortune. You just need to wire a few thousand dollars, then they'll pay you back ten times over. But you can guess how that ends.

There are similar scams that have circulated the internet: The IRS scam, Lottery scams, and so on. These are broadly classified as Advance offer scams. You have something waiting for you but you have to pay an advance to receive it.

To the average person, these will seem like poorly executed scam attacks. But these scams have caused thousands of people to lose their hard-earned money. In some cases, their life savings.

These are all examples of social engineering in action.

The idea behind social engineering is to take advantage of a potential victim’s natural tendencies and emotional reactions. Fear and greed are the emotions social engineers most often exploit.

Below is a great example of a real-world Social engineering attack.

Types of Social Engineering Attacks

Social engineering can be broadly classified into five types of attacks based on the type of approach used to manipulate a target. Let's go through each one of them.

Spamming (Email, Text, Whatsapp)

Spamming involves sending messages to large groups of people whose contact info is usually obtained through nefarious methods. Spamming is a general term used to define both malicious and non-malicious message broadcasting.

Non-malicious spamming is used by advertisers who try to promote their products to random strangers by emailing them in bulk. Their motive is not to cause damage, but to try and get people to buy their products or promote their services.

Malicious spamming includes messages that try to lure users to the attacker’s website to divulge personal information. This information is then used to craft targeted phishing/vishing attacks on the potential victim.

Phishing (and Vishing)

When the attacker contacts the target directly by text message, email, or voice call (voice phishing is known as vishing), it is called phishing.

Phishing is used to make the target believe they are being called by a legitimate institution or an entity in order to extract valuable information from the target.

If someone calls your company pretending to be your printer supplier, they might be able to gain specific information about the printer — the model, IP address (if connected to the internet), and so on.

And once this information is given, the printer might be attacked in order to gain access to your internal network.

Email-based phishing attacks are also common. An attacker can email someone in your company pretending to be Facebook. Once a team member clicks a link, they will end up on a page that looks like Facebook, asking them for their login information. This login information will be sent to the attacker’s server after which they have complete access to the victim’s Facebook account.

The major difference between Phishing and Scamming is that phishing attacks are highly targeted. The attacker knows whom they want to attack and what type of information they are looking for.

Baiting

Baiting involves designing a trap and waiting for the potential victim to walk into the trap. As a simple example, if an attacker drops a few USB drives in your company’s parking lot, chances are, one of your employees will try and plug it into their computer to check the contents of the USB drive.

This might sound silly but there have been numerous instances where simple tricks by Social Engineers have resulted in massive corporate data breaches. It is usually easy to bait people with scams such as the Advance offer scams that are still circulating the internet, feeding on gullible people.

Another common type of baiting is found in pirated software. The attacker will embed malicious software within a popular operating system or a movie for the victim to download. Once the victim downloads and runs the software, the malicious code executes on the victim’s system, and the attacker gains full access to the victim’s machine.

PiggyBacking

PiggyBacking means using someone else to attack a potential victim. The attacker will use a third-party (usually innocent) who has access to the victim in order to carry out a piggybacking attack.

There are many variations of piggybacking. If an attacker follows your employee into your office through a door the employee opened with their access card, this is one form of piggybacking called tailgating.

There have been many cases of piggybacking attacks, especially for classified information. Vendor companies that supply hardware/software to government organizations are usually the target of piggybacking attacks.

Once these vendors are compromised, it is easy to attack the target institution since the vendor already has a level of access to the target.

Piggybacking is also associated with some forms of active Wiretapping. The attacker will use a legitimate connection of the victim in order to eavesdrop on the network.


Water Holing

Water holing observes the routine actions of the target and uses one of those actions to gain unauthorized access. For example, an attacker will find the websites that the target uses on a daily basis and try to install malware on one of those websites.

The name “Water Holing” is derived from the fact that predators in the wild often wait for their prey near their common watering holes.


An example is the 2019 Holy Water Campaign, which targeted Asian religious and charity groups. The website was compromised after which the visitors were asked to install Adobe Flash on their browsers.

Since Adobe Flash has a number of vulnerabilities, it was easy for the attackers to then execute malicious code on the victim’s machines. Watering hole attacks are uncommon but they pose a considerable threat since they are very difficult to detect.

Protecting Yourself From Social Engineering

Now that we have seen the different types of approaches used by social engineers, let's look at how we can protect ourselves and our organization from social engineering attacks.

Install email & spam filters

Though spam filters cannot catch highly targeted attacks, they will prevent most of the spam and malicious emails from reaching your account.

Keep Antivirus and firewall updated

Similar to spam filters, updated antivirus software will protect against most common viruses, trojans, and malware.

Ask for verification

Always ask for verification when someone calls you claiming to represent an organization, for example your bank. Never share confidential details such as credit card numbers or passwords over phone or email.

Create awareness

The best way to prevent your organization from getting exploited is to create security awareness programs. Educating your employees is a great long-term investment to keep your company secure.

If it seems too good to be true, it is

Finally, if something sounds too good to be true, it usually is. Never trust strangers promising to get you rich quick. As someone once said, “trying to get rich quick is the quickest way to lose all your money”.

Conclusion

Social Engineers are masters of manipulation. Unless a company’s employees are trained in social engineering awareness, it is very hard for them to avoid falling into a social engineer’s trap.

Social engineers work with people’s emotions, usually fear and greed. So whenever you are performing an action based on these two emotions, you might want to take a step back and see if you are being manipulated.

There is a famous TED talk where someone started a conversation with a spammer. Watch the full video here.

You can get a summary of my articles and videos sent to your email every Monday morning. You can also learn more about me here.

Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software–that will give them access to your passwords and bank information as well as giving them control over your computer.

Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is really weak).


Security is all about knowing who and what to trust. It is important to know when and when not to take a person at their word and when the person you are communicating with is who they say they are. The same is true of online interactions and website usage: when do you trust that the website you are using is legitimate or is safe to provide your information?

Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn’t matter how many locks and deadbolts are on your doors and windows, or if you have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and you let him in without first checking to see if he is legitimate, you are completely exposed to whatever risk he represents.

Social Engineering Definition

What Does a Social Engineering Attack Look Like?

Email from a friend

If a criminal manages to hack or socially engineer one person’s email password they have access to that person’s contact list–and because most people use one password everywhere, they probably have access to that person’s social networking contacts as well.

Once the criminal has that email account under their control, they send emails to all the person’s contacts or leave messages on all their friend’s social pages, and possibly on the pages of the person’s friend’s friends.

Taking advantage of your trust and curiosity, these messages will:

  • Contain a link that you just have to check out–and because the link comes from a friend and you’re curious, you’ll trust the link and click–and be infected with malware so the criminal can take over your machine and collect your contacts info and deceive them just like you were deceived

  • Contain a download of pictures, music, movie, document, etc., that has malicious software embedded. If you download–which you are likely to do since you think it is from your friend–you become infected. Now, the criminal has access to your machine, email account, social network accounts and contacts, and the attack spreads to everyone you know. And on, and on.

Email from another trusted source

Phishing attacks are a subset of social engineering strategy that imitate a trusted source and concoct a seemingly logical scenario for handing over login credentials or other sensitive personal data. According to Webroot data, financial institutions represent the vast majority of impersonated companies and, according to Verizon's annual Data Breach Investigations Report, social engineering attacks including phishing and pretexting (see below) are responsible for 93% of successful data breaches.

Using a compelling story or pretext, these messages may:

  • Urgently ask for your help. Your 'friend' is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home and they tell you how to send the money to the criminal.

  • Use phishing attempts with a legitimate-seeming background. Typically, a phisher sends an e-mail, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution.

  • Ask you to donate to their charitable fundraiser, or some other cause. Likely with instructions on how to send the money to the criminal. Preying on kindness and generosity, these phishers ask for aid or support for whatever disaster, political campaign, or charity is momentarily top-of-mind.

  • Present a problem that requires you to 'verify' your information by clicking on the displayed link and providing information in their form. The link location may look very legitimate with all the right logos, and content (in fact, the criminals may have copied the exact format and content of the legitimate site). Because everything looks legitimate, you trust the email and the phony site and provide whatever information the crook is asking for. These types of phishing scams often include a warning of what will happen if you fail to act soon because criminals know that if they can get you to act before you think, you’re more likely to fall for their phishing attempt.

  • Notify you that you’re a 'winner.' Maybe the email claims to be from a lottery, or a dead relative, or the millionth person to click on their site, etc. In order to give you your 'winnings' you have to provide information about your bank routing so they know how to send it to you or give your address and phone number so they can send the prize, and you may also be asked to prove who you are, often including your social security number. These are the 'greed phishes' where even if the story pretext is thin, people want what is offered and fall for it by giving away their information, then having their bank account emptied, and identity stolen.

  • Pose as a boss or coworker. It may ask for an update on an important, proprietary project your company is currently working on, for payment information pertaining to a company credit card, or some other inquiry masquerading as day-to-day business.

Baiting scenarios


These social engineering schemes know that if you dangle something people want, many people will take the bait. These schemes are often found on Peer-to-Peer sites offering a download of something like a hot new movie, or music. But the schemes are also found on social networking sites, malicious websites you find through search results, and so on.

Or, the scheme may show up as an amazingly great deal on classified sites, auction sites, etc. To allay your suspicion, you can see the seller has a good rating (all planned and crafted ahead of time).


People who take the bait may be infected with malicious software that can generate any number of new exploits against themselves and their contacts, may lose their money without receiving their purchased item, and, if they were foolish enough to pay with a check, may find their bank account empty.

Response to a question you never had

Criminals may pretend to be responding to your 'request for help' from a company while also offering more help. They pick companies that millions of people use such as a software company or bank. If you don’t use the product or service, you will ignore the email, phone call, or message, but if you do happen to use the service, there is a good chance you will respond because you probably do want help with a problem.

For example, even though you know you didn’t originally ask a question, you probably have a problem with your computer’s operating system and you seize on this opportunity to get it fixed. For free! The moment you respond you have bought the crook’s story, given them your trust and opened yourself up for exploitation.

The representative, who is actually a criminal, will need to 'authenticate you', have you log into 'their system' or, have you log into your computer and either give them remote access to your computer so they can 'fix' it for you, or tell you the commands so you can fix it yourself with their help–where some of the commands they tell you to enter will open a way for the criminal to get back into your computer later.


Creating distrust

Some social engineering is all about creating distrust or starting conflicts. These attacks are often carried out by people you know who are angry with you, but they are also done by nasty people just trying to wreak havoc, by people who want to first create distrust in your mind about others so they can then step in as a hero and gain your trust, or by extortionists who want to manipulate information and then threaten you with disclosure.

This form of social engineering often begins by gaining access to an email account or another communication account on an IM client, social network, chat, forum, etc. They accomplish this either by hacking, social engineering, or simply guessing really weak passwords.

  • The malicious person may then alter sensitive or private communications (including images and audio) using basic editing techniques and forward these to other people to create drama, distrust, embarrassment, etc. They may make it look like it was accidentally sent, or appear like they are letting you know what is 'really' going on.

  • Alternatively, they may use the altered material to extort money either from the person they hacked or from the supposed recipient.

There are literally thousands of variations to social engineering attacks. The only limit to the number of ways they can socially engineer users through this kind of exploit is the criminal’s imagination. And you may experience multiple forms of exploits in a single attack. Then the criminal is likely to sell your information to others so they too can run their exploits against you, your friends, your friends’ friends, and so on as criminals leverage people’s misplaced trust.

Don’t become a victim

While phishing attacks are rampant, short-lived, and need only a few users to take the bait for a successful campaign, there are methods for protecting yourself. Most don't require much more than simply paying attention to the details in front of you. Keep the following in mind to avoid being phished yourself.

Tips to Remember:

  • Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics be skeptical; never let their urgency influence your careful review.

  • Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.

  • Don’t let a link be in control of where you land. Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.

  • Email hijacking is rampant. Hackers, spammers, and social engineers taking over control of people’s email accounts (and other communication accounts) has become rampant. Once they control an email account, they prey on the trust of the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment check with your friend before opening links or downloading.

  • Beware of any download. If you don’t know the sender personally AND expect a file from them, downloading anything is a mistake.

  • Foreign offers are fake. If you receive an email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money it is guaranteed to be a scam.
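The "don’t let a link be in control of where you land" tip above can be partly automated on the defender’s side. The following is an added example, not code from either source article, of a small checker that pulls every anchor out of an HTML email body and flags two of the tricks the tips describe: visible link text that looks like one URL while the href points at a different host, and hrefs whose host is not the domain the message claims to come from. The sample email body and the `facebook.com` expected-domain list are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(value):
    """Lower-cased host of a URL (or URL-looking text), or None if there is none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value  # let urlparse treat bare 'www.x.com/...' as a URL
    host = urlparse(value).hostname
    return host.lower() if host else None


# Visible text that a reader would take for a web address.
_URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def check_links(html, expected_domains):
    """Return a list of (finding, visible_text, href) for suspicious anchors.

    expected_domains: registrable domains the sender legitimately uses
    (subdomains of these are accepted).
    """
    findings = []
    parser = _AnchorCollector()
    parser.feed(html)
    for href, text in parser.links:
        if href.lower().startswith(("mailto:", "tel:")):
            continue  # not web links; out of scope for this check
        target = hostname(href)
        if target is None:
            continue
        # 1. The text shows one address, the href goes somewhere else.
        if _URL_LIKE.match(text) and hostname(text) != target:
            findings.append(("text_href_mismatch", text, href))
        # 2. The href host is not the claimed sender's domain or a subdomain of it.
        if not any(target == d or target.endswith("." + d) for d in expected_domains):
            findings.append(("unexpected_domain", text, href))
    return findings


# Constructed sample: a message claiming to be from Facebook. The hosts used
# here are placeholders invented for the example.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please
<a href="http://facebook.com.account-verify.example/login">verify now</a>.</p>
<p>Or copy this address:
<a href="https://fb-support-helpdesk.example/x">https://www.facebook.com/settings</a></p>
<p>Help center: <a href="https://www.facebook.com/help">https://www.facebook.com/help</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL, ["facebook.com"]):
        print(finding)
```

Run against the sample, the first anchor is flagged for an unexpected domain (the real registrable domain is `account-verify.example`, not `facebook.com`), the second is flagged twice (text/href mismatch and unexpected domain), and the genuine help-center link passes. A gateway would feed the check from the message’s `From:` domain rather than a hard-coded list; the hover-to-see-the-URL advice above is the manual version of the same comparison.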

Ways to Protect Yourself:

  • Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.

  • Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to 'help' restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.

  • Set your spam filters to high. Every email program has spam filters. To find yours, look at your settings options, and set these to high–just remember to check your spam folder periodically to see if legitimate email has been accidentally trapped there. You can also search for a step-by-step guide to setting your spam filters by searching on the name of your email provider plus the phrase 'spam filters'.

  • Secure your computing devices. Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or third party to alert you to risks.


Webroot's threat database has more than 600 million domains and 27 billion URLs categorized to protect users against web-based threats. The threat intelligence backing all of our products helps you use the web securely, and our mobile security solutions offer secure web browsing to prevent successful phishing attacks.