Since the hacking of Twitter, the technique used by cyber criminals to either steal information or access one of the terminals is again on the select.
Social engineering was defined by Kevin Mitnick in 2006 as "the art of using deception and lies to achieve its ends." It makes it possible, in all its simplicity, to use human weakness to succeed in a computer hack. The consequences can have negative effects on businesses. Information theft, terminal takeovers and scams can easily result.
This article will also interest you: Twitter: The social network finally has proof that its employees participated in its hacking
The question in cybersecurity and cybercrime is whether social engineering can be equated with hacking today. If possible, will it be defined in which area of hacking? The question of its origin and how to prevent it is also relevant.
"Social engineering is something that has existed for a long time, long before computer science, since trade has even existed, since espionage was created, except that according to times and worlds, it has different names," Fred Raynal, the founder of Quarkslab, explained in an interview, (…) The individual will establish a relationship of trust and stress to try to abuse the person on the other end of the phone, so that he can access internal networks and private data. adds the expert.
In a sense, this technique has been known since the 1970s. "In computer science, it was popularized in the late 1970s and early 1980s by Kevin Mitnick, a hacker who was followed by the FBI for several years and who would search the garbage cans of public agencies to gather information that allowed him to enter the internal network," says Quarkslab's boss. When cybercriminals are able to establish the relationship of trust between the victim and them, they can then easily gather the information necessary to either access internal corporate networks or to collect sensitive information.
According to security experts, social engineering cannot truly be defined as a cyberattack. It is just a way used by cyber criminals to gather information, on a system or a network, in order to initiate a computer attack.
"Social engineering is fostered by the presence of people targeted on social networks or on community sites, which facilitates phishing," explains Stéphane Gill, a teacher and specialist who has been with the it department of Ahuntsic College in Montreal for more than 20 years. "It's all about pretending to be someone you're not (usually one of the server administrators you want to hack) and asking for personal information (login, passwords, access, numbers, data…) by inventing some motive (planting the network, modifying it…). It is done either by phone or email," he adds.
Nowadays with the explosion of social networks, this practice of cyber malice is favored even facilitated even. Because it is now very easy to collect information on one of the most used social networks such as Facebook, Twitter or even TikTok. This in some ways facilitates certain practices such as phishing. Because as has been observed for some time, social engineering usually comes as a reinforcement to phishing. However, there is a distinction to be made between these two practices. "Social engineering is not based on computer technology. Phishing is something else: you create something that is a decoy, that is well done, and that traps someone who will not pay attention. Social engineering is a little more advanced," notes Fred Raynal.
Moreover, with the explosion of telework, it is not unthinkable that during this period of confinement, the practice of social engineering is also known a boom like several other acts of cyber malice. It was in this context that Anu Bourgeois, an information professor at Georgia State, noted: "Everyone became vulnerable at that time."
In addition, several forms have been observed in the practice of social engineering. The most famous and so-called "President Fraud", a situation that has been faced by a very large part of the companies over the past 10 years, and which continues to exist. It is simply for the cyber criminal to pretend to be a manager of the company he is targeting in order to mislead employees and to push them to commit acts that could have negative consequences for the company. "Individuals collect data for sale on the dark web or on social networks. Once they have the information, on the day the president is on vacation, or absent, or unreachable, they call a member of the company, an accountant or other person, accounting or otherwise, pretending that it is him at the end of the line and ordering a transfer to countries or accounts from which the money obviously never comes back." explains Fred Raynal, who highlights the proliferation of this kind of practice over the past 6 years. Social engineering: inexpensive, does not require large material means, relies on psychology and cognitive springs," he adds.
Now access an unlimited number of passwords: