Friday 6 February 2015

Information Sharing: A Threat to Social Engineering


A society is a group of people linked to each other through some relation. Wikipedia defines society as “A society is a group of people involved with each other through persistent relations, or a large social grouping sharing the same geographical or social territory, subject to the same political authority and dominant cultural expectations” [1]. If we look at the modern-day meaning of society, we notice that it has evolved drastically, and we can now see an entirely new side of it: the online society, or social media. Social media allows individuals to live a virtual life online and facilitates interpersonal communication in various forms. One of the major reasons these online information systems became popular, other than being fast, cheap, easy to use and readily available, is their capability to hold data, or in technical terms, to document data online. They also serve as a tool with which any individual can broadcast whatever he/she feels like without caring about the audience, because whether or not he/she wants an audience, he/she is getting one.
A recent picture released by Facebook depicting the entire world's network of interconnected friends reveals the extent to which people are connected to each other through the online society, which makes it easier for anyone to gather information about anyone online.
Sharing Information Online: Falling Prey to Social Engineering
Information forms the very basis of any criminal activity: the more intimate and personal it is, the more critical it is and the more potential it has to cause damage. When sharing information online, it is very difficult to decide what information you should share and what you should not. Even if you choose not to share any of your information, you will unknowingly leave traces of information about yourself while surfing the internet. To cut a long story short, when you go online you can control some of the information, and some of it you simply cannot. So the question that needs to be answered is “What information should be shared?” I will say NO. From a security perspective, sharing any type of information can put you in harm's way. In one incident in the Nashua area of New Hampshire, three burglars robbed over a dozen houses based on the Facebook statuses of victims who had flagged on Facebook the times at which they were not going to be at home [2]. This incident clearly emphasizes that it is up to the audience how they perceive the information you share online. In this case, for some it was just that the victims were going on a vacation, and for others it was an invitation to rob their houses while they were not at home. Thus I believe that when people go online and share information, they should know how much can be too much and what should be protected, or in simple words, what information must not be shared.
Attackers use a variety of techniques to extract information from their victims, and they use them on selected victims. What makes a person prone to becoming a victim of such attacks? The answer is the fashion in which these individuals share their information online. Sometimes attackers easily get the information they require from blogs, social media, etc., but sometimes they do not get all of it; they get part of the information and need to acquire the rest.
One of the common techniques attackers use nowadays to infiltrate people's privacy and exploit it for personal gain, causing damage to the victims who fall prey to it, is Social Engineering. Social Engineering usually refers to the technique of gaining access by manipulating human behavior. It basically involves fooling an individual and gaining confidential information without letting the person know that he has been conned. The technique involves psychological manipulation to acquire the required information. Social Engineering did not evolve from computer crime; rather, it is related to the social sciences, but due to its ability to gain information it has found application in information-related crimes as well.
A Social Engineering technique involves studying the target for weeks, analyzing his patterns, gathering relevant information and then conducting the attack. With social media rising and becoming more of a necessity with each passing day, gathering information about an individual is no big deal. The more people post online, the easier it becomes for a social engineer to victimize them. A recent survey by Trend Micro [3] reveals six major risks that can occur to any individual due to the information they post online; Social Engineering, at the top of them, poses the biggest threat. Social media, being the easiest and most effective way to share information, becomes the major information repository for attackers.
Social Engineering is one of those attack vectors that does not have any rigid, or in other words appropriate, technical preventive or corrective solution. The USP of this attack is that it can bypass all the technical controls that were invested in to ensure security, and sometimes the non-technical ones as well. To stay safe from such threats there is only one solution, i.e. “Awareness”. In order to be safe, it is essential to understand how an attacker gathers information and how he/she uses it against an individual, an organization or any social or corporate body.
An attacker usually gathers all the necessary information about the victim. This information can come from different sources, with social media, blogs and forums at the top of them. To extract information, the attacker might use various tactics. To begin with, he might try to get the victim's email address or phone number from a social media website, blog or forum, or he might create a rogue web page based on the victim's interests just to get this information. After getting it, he might search for other relevant information using the pieces he already has. He might also use techniques like phishing to get more confidential information, such as the victim's username and password for social networking sites, from where he can get a lot of information. Throughout this process the attacker makes maximum use of the information he has gathered from online resources. Once the attacker has gathered all the relevant information, he proceeds to get into contact with the chosen victim. Now it is up to him how he wants to exploit the victim. Social Engineering is a sophisticated attack which, when done correctly and properly, has the capability to cause severe losses. The attacker can cause monetary loss, social loss, defamation, loss of confidential information and much more.
As mentioned earlier, the only effective solution to be safe from Social Engineering attacks is awareness. Everything that you post online remains on the web forever, even if you delete it. The best practice to stay safe is to post only information that cannot be harmful to you; you must not post real information about yourself, your family or your social life on public domains. You must also lock down your profiles on Facebook, Twitter, LinkedIn and other social platforms to the maximum and must not allow any unknown entities to view that information.
Separate email IDs must be used for blogs and forums and for subscribing to newsletters and updates from websites like YouTube, LinkedIn, etc. If possible, also use a different email ID for Facebook: if you use your regular email ID to log into Facebook, you might face severe repercussions if that email ID is compromised, which can also result in a compromised Facebook profile. Many apps and services also prompt users to allow them to share their photos, location information, etc. and to post on their profiles; such applications must be used with caution. Users must also place less social trust online when talking to strangers, or even to known contacts if they sound or seem suspicious.
The bitter truth about Social Engineering attacks is that there is no technological solution available that can prevent them effectively. The only solution that can prevent you from falling prey to Social Engineering is awareness. If the user proceeds with caution while posting any information online and does not respond to malicious or suspicious-looking invitations, mails, apps, links, etc., he/she can stay safe from such attacks.
