4 Classic Social Engineering Attacks

Classic Social Engineering Attacks

Social engineering can be summed up as hacking the human.

Simply put it is the action of leveraging human frailty – our reaction to urgency, to compliance with perceived figures of authority, to taking information at face value – and using it against us as a way of eliciting information or performing unauthorised actions. Social Engineering attacks are constant with many and varied vectors. As demonstrated in this post, all entities fall foul, from a single individual through to multi-national conglomerates. But some are more unforgettable than others:

Google & Facebook Pay Piper

When in 2019, two of the world’s goliaths in online presence became victims of a social engineering attack, it’s hard not to sit up and take notice. To add insult to injury both have teams with huge resources dedicated to improving security AND even have a bug bounty program to encourage others to find security holes. These are the companies that you think are going to be on top of things, but somehow fraudulent invoices slipped through their collective nets.

The cumulative net cost is said to be in the region of a whopping US $122 million and was essentially instigated by simply sending a chain of fake invoices, purporting to be from staff for various items of IT kit. The malicious actor responsible, set up a business which made it look like he was employed by Quanta Computer – one of the largest manufacturers of computer hardware, that you likely haven’t even heard of. They crafted and sent targeted and believable phishing emails to specific victims within Google and Facebook and coerced them into paying the attached fraudulent invoices in full. A good example of a simple attack executed with impressive attention to detail, one that shows that no one is safe from social engineering attacks. Would you fall victim to this type of attack?

Kissing Frogs to find a Nigerian Prince

Most people with access to the internet have seen or heard of the Nigerian Prince type of phishing email. I have seen a few and although the content varies, the attack itself is simple and usually easy to spot. In short, it consists of an attacker emailing you with some fantastical situation that boils down to you handing over a relatively small in comparison (but still sizable) sum of money to them, in order so that they can release a much bigger amount back to you. Of course, those that sent the initial sum never received the larger one in return.

It was reported in 2019 that these types of attacks bring in over $700,000 a year, despite their perceived widespread notoriety as one of the most well-known and perennial phishing attacks. Thus demonstrating how a lack of security awareness can mean even simple and well-known attacks can work on the right target. What makes this attack so unforgettable is how most are aware of it and yet the attacks persist to this day, like Sacha Baron Cohen still managing to find marks to have one over on. How many of your employees would spot this attack?

Ponzi 101

Not all social engineering attacks are instigated via an email. For instance, how about the larger-than-life fraudulent investor who promises to make you a fortune overnight but instead disappears into the night once you’ve given him funds?

The most notable of these was one Charles Ponzi, somewhat unsurprisingly the namesake of the infamous Ponzi Scheme. His ‘scheme’ involved convincing investors to purchase international reply coupons – ostensibly postage stamp currency, on the basis that postage rates varied from country to country, so you could buy them in one country and then sell for a profit in another – which he convinced victims would make them a lot of money.

In reality, money from new investors was used to convince old investors that they were making money so they would invest even more. At its peak, he was reportedly generating revenue of $250,000 a day. This attack is memorable due to the amount of money investors were scammed out of, which is still a lot by today’s standards. If someone approached you with a high reward, low-risk offer, would you believe it too?

Sony Pictures fall for phishing

Executives are high-value targets to social engineers and their lack of attention-to-detail to perceive less exciting aspects such as information security can make them easy and rich pickings for malicious actors. In 2014, top executives from Sony Pictures were targeted by a phishing email for Apple I.D. credentials which combined with some clever OSINT (Open Source Intelligence), led to a compromise of their Sony accounts.

This attack was successful, partly due to the same passwords being used on multiple accounts, and due to lack of security awareness the executives had. One of the core aspects of this attack that makes it unforgettable is that it was State-sponsored: North Korea claimed responsibility for the attack due to a film Sony Pictures were releasing that poked fun at North Korea. Are you reusing the same password for multiple accounts like these executives?

There have been a variety of social engineering attacks that are classic and memorable for different reasons.

An underlying trend is a lack of awareness and vigilance on the victims’ part. This post has highlighted only 4 of these; if you have a social engineering story that you think is unforgettable, do get in touch and let us know!


CREST Penetration Testing

Risk Crew