

The Role of Social Engineering in Network Intrusions and Cybertheft


Jonathan Avery
11/1/2015

Table of Contents
Abstract
Importance of Social Engineering
Methods
Rapid Expansion of Cybercrime
Preventative Measures & Solutions
Conclusion
References

Abstract

Social engineering is one of the most important concepts in cybersecurity today. It can be defined as a form of information gathering through psychological and social manipulation, or persuasion, of people who have access to sensitive data. The purpose of this paper is to introduce the concepts and methods of social engineering, its role in network intrusion and cybertheft, the recent rapid expansion in cybercrime incidents worldwide, and finally, preventative measures and solutions relating to social engineering. The paper draws on real-world case studies of events that involved social engineering, along with statistics from organizations that record hacking activity. The preventative measures and solutions presented come from respected sources in the field of cybersecurity.

Importance of Social Engineering


Social engineering matters to cybersecurity because as social networks and the use of computers expand, so do the threats and the number of people willing to attack others through those channels. Social engineering itself is older than computer networks: the con artist's techniques have simply moved onto each new communication channel as it appeared. Ricart, Soulis, and Nadeau (2013) report a 2011 finding that 48% of the largest international companies had experienced more than 25 social engineering attacks between 2009 and 2010.

As more and more banks and financial institutions move to the cloud, so do the attackers. New payment services are sprouting up as well, such as Venmo, a peer-to-peer payment app now owned by PayPal. Google and Apple are also competing with their phone-based payment systems, which open up a whole new target to be exploited.

SC Magazine predicted an increase in social engineering attacks in 2015, citing newer, more sophisticated technology available to attackers (DiBello, 2014; retrieved from http://www.scmagazine.com/social-engineering-will-ramp-up-in-2015/article/389169/).

Methods
There are several methods of social engineering. The more common and effective methods in use today are phishing, tailgating, baiting, and quid pro quo.

A phishing attack lures the victim, usually by e-mail, to a fake website that mirrors a legitimate one. For instance, an attacker might create an exact copy of PayPal's website, complete with a functional login form. Once the user enters their login details into the form, they are captured and sent to the attacker. An error message may then appear claiming that the password was entered incorrectly, and the page forwards the user (without them noticing) to the real PayPal site, where their second login attempt succeeds, so nothing seems amiss. The copy can be pixel-perfect; what cannot be copied is the legitimate domain name, so the host in the link and in the address bar, rather than the look of the page, is what gives the fake away.
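As an added illustration (not part of the original paper), the following Python script applies that host check to the links in a constructed phishing e-mail: it flags hosts that merely carry a brand name in a subdomain of some other domain, digit-for-letter lookalikes such as paypa1.com, raw IP addresses, and anchors whose visible text names a different host than the actual href. The brand allowlist, the sample message, the .example hostnames and the 198.51.100.x address are all constructed for the example.

```python
"""Lookalike-link check for phishing mail (added example, not from the paper).

Flags links whose host merely resembles a brand's real domain: the brand name
buried in a subdomain of someone else's domain, digit-for-letter swaps such as
paypa1.com, raw IP addresses, and anchors whose visible text names a different
host than the href. The allowlist and the sample message are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed allowlist: brand -> registrable domains that legitimately serve it.
LEGIT_DOMAINS = {
    "paypal": {"paypal.com", "paypal.me"},
}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
LOOKS_LIKE_URL_RE = re.compile(r"(https?://|www\.)", re.I)

# Constructed sample mail: .example is a reserved TLD and 198.51.100.0/24 is a
# documentation range, so none of these hosts point anywhere real.
SAMPLE_MAIL = """
<p>Your account has been limited. Please verify your details:</p>
<a href="http://www.paypal.com.account-verify.example/login">https://www.paypal.com/</a>
<a href="http://paypa1.com/signin">Sign in to PayPal</a>
<a href="http://198.51.100.23/pp/">Resolve now</a>
<a href="https://www.paypal.com/myaccount/">PayPal Help</a>
"""


def normalize(label: str) -> str:
    """Fold common digit/letter confusables so 'paypa1' compares equal to 'paypal'."""
    swaps = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"}
    return "".join(swaps.get(c, c) for c in label.lower()).replace("vv", "w")


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.example.com' text is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: multi-part public suffixes
    such as co.uk are not handled; a real tool would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify_host(host: str) -> str | None:
    """Return a finding if the host imitates a known brand, else None."""
    if not host:
        return None
    if IPV4_RE.fullmatch(host):
        return f"{host}: raw IP address instead of a domain name"
    reg = registrable_domain(host)
    second_level = reg.split(".")[0]
    subdomains = host.split(".")[:-2]
    for brand, legit in LEGIT_DOMAINS.items():
        if reg in legit:
            return None  # genuinely on the brand's own domain
        if brand in normalize(second_level):
            return f"{host}: registrable domain {reg} imitates {brand}"
        if any(brand in normalize(label) for label in subdomains):
            return f"{host}: '{brand}' appears only in a subdomain of {reg}"
    return None


def scan_mail(html: str) -> list[str]:
    """Check every anchor: the href host itself, and whether the visible link
    text names a different host than the href (the displayed-vs-actual trick)."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        actual = host_of(href)
        finding = classify_host(actual)
        if finding:
            findings.append(finding)
        text = text.strip()
        if LOOKS_LIKE_URL_RE.match(text):
            shown = host_of(text)
            if shown and shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
    return findings


if __name__ == "__main__":
    for line in scan_mail(SAMPLE_MAIL):
        print(line)
```

Against the sample it returns four findings: one for each of the three malicious anchors, plus the displayed-versus-actual mismatch on the first, while the genuine www.paypal.com link is left alone. The registrable-domain heuristic takes the last two labels of the host, which misjudges multi-part public suffixes such as co.uk; a production tool would consult the Public Suffix List instead.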

Tailgating is when someone follows closely behind an authorized person entering a building through a locked door. It exploits ordinary politeness and the discomfort of refusing: most people will not let a door close in someone else's face, even a stranger's, which is why the method works most of the time.

Baiting could involve loading malware, a password stealer, or a keystroke recorder onto a thumb drive and then leaving that drive in a parking lot, on the ground, or at a desk in a library. The curious person who finds the "lost" USB drive plugs it into their computer hoping to find something interesting or valuable, and instead becomes infected with the attacker's chosen software. Baiting turns human curiosity into the delivery vector.

Quid pro quo, or "something for something," is when a benefit is offered to the information holder in exchange for the data. For instance, an attacker could pose as a researcher running a survey that pays $5 on completion. Within the survey could be a question such as "What is your password?", "What is your mother's maiden name?", or "What is your birth date?". Any of this information could then be used to compromise the user's account; answers like a mother's maiden name or a birth date are exactly the kind that many services accept as proof of identity for password resets.

Rapid Expansion of Cybercrime


One reason cybercrime has grown so quickly in recent years is the parallel rise in the popularity of social networks. Websites like Facebook, LinkedIn, Twitter, Instagram, and Snapchat have all proven their popularity with the current generation. Attackers are very much aware of the trends in social networks, because that is where people spend their time online. Kerner (2014) describes a Twitter user who was victimized because the attacker was able to socially engineer a GoDaddy employee. First, the attacker obtained the last four digits of the victim's credit card number; then he talked the GoDaddy employee into giving him enough hints to guess the first two digits. With that, he was given access to the victim's domain names and account, which he then used as leverage to threaten the victim into giving up his Twitter account. The case shows why partial card numbers are a poor proof of identity: the last four digits appear on receipts and in other companies' account pages, and the leading digits are assigned per card network and issuer, so they are far easier to guess than they look.

Preventative Measures & Solutions


One way to get ahead of social engineering is to study the evidence and footprints that attackers and their targets leave in social networks (de Vasconcelos et al., 2013). Another useful source of guidance is CERT, the registered service mark of Carnegie Mellon University (CERT Division Frequently Asked Questions, retrieved November 1, 2015, from http://www.cert.org/faq/index.cfm).

According to Greavu-Şerban and Şerban (2014), countermeasures fall into three categories: prevention, detection, and response. Each has its own challenges. Prevention would be the most valuable, but most practitioners agree that complete prevention is almost impossible, so it is often more cost-effective to spend time and money on detection and response, that is, on mitigation.

Conclusion
There are many reasons why social engineering is an important concept within cybersecurity today. The four main attack methods discussed in this paper are phishing, tailgating, baiting, and quid pro quo. Although prevention cannot be guaranteed, companies can still rely on effective ways to detect and respond to these attacks. Employee training is the most important element of any security plan that includes a defense against social engineering.



References
de Vasconcelos, L. G., Yoshimi Kusumoto, A., da Silva, P. L., Franco Rosa, F., & Otávio Duarte, L. (2013). Social network analysis for social engineering footprinting. CISTI (Iberian Conference on Information Systems & Technologies / Conferência Ibérica de Sistemas e Tecnologias de Informação) Proceedings, 2185-190.
Greavu-Şerban, V., & Şerban, O. (2014). Social engineering: A general approach. Informatica Economica, 18(2), 5-14. doi:10.12948/issn14531305/18.2.2014.01
Kerner, S. M. (2014). Twitter social engineering account takeover saga continues. eWeek, 4.
Ricart, P., Soulis, F., & Nadeau, Y. (2013). Beware of social engineering. CA Magazine, 146(8), 41-42.
Social engineering for pentesters. (2013). SC Magazine: For IT Security Professionals (15476693), 60.
Tetri, P., & Vuorinen, J. (2013). Dissecting social engineering. Behaviour & Information Technology, 32(10), 1014-1023. doi:10.1080/0144929X.2013.763860
