ЗАХИСТ ПРОГРАМ ТА ДАНИХ В КОМП’ЮТЕРНИХ СИСТЕМАХ І МЕРЕЖАХ
UDC 316.776:004.58
Sokolov V. Y., Korzhenko O. Y.
Borys Grinchenko Kyiv University
Analysis of Recent Attacks Based on Social
Engineering Techniques
Introduction. The history of attacks based on SE practices is a wave: the victims
changed, the different, new at their time, tricks were practiced and still are. The era of SE
attacks in the field of IT began in 2014 when the first mass attacks were carried out on
individuals, users of the banking payment system. People received calls from fake bank
operators who informed about innovations regarding the protection of their data and steps that
each and should every pass in order to become more secured. At their request, individuals in
conversation gave critical data such as CVV2/CVC2 (3 digits on the back of a bank card) and
4 to 6 digits codes that the operator sent on their smartphones to confirm changes applying
during the conversation, also in some cases even card pin-codes. The result of such
manipulations as can understood had not given an additional level of protection to users, but
rather deprived them of many decent sums of money (see fig. 1).
Figure 1 — Exploitation of human behavior
1. Classification and description of known attack methods. In 2015, European Central
Bank deputy head of Security and Information Protection admitted that cybercriminals had
switched to banks from their clients. The methods were not as advanced as can be seen now,
mailing Trojan emails. A bank employee, opening such infected attachment “allows” an
attacker to gain access to the account and send a payment order to or from the bank, so in that
time the hacker group “Anunak” once attacked more than fifty banks and five payment
systems in Ukraine and the countries of the former USSR and was able to steal about 1 billion
dollars. Hacker billionaires were found proved guilty and convicted. Banks, in turn, increased
protection [1].
Then the trend changed—cyber fraudsters became interested in small and medium-sized
businesses, as there was more money on their accounts than on individuals, and protection
might be weaker (if there is any) than in large organizations. An additional plus is that such
companies often do not have a dedicated information security (IS) unit. As a result, it is
enough for hackers to infect the accountant’s computer in order to gain access to the accounts.
This can be done in several ways that are analyzed further. Infection can occur through
resources popular with financial workers. If criminals manage to compromise these sites, they
Матеріали Всеукраїнської науково-практичної конференції здобувачів вищої освіти й молодих учених
“Комп’ютерна інженерія і кібербезпека: досягнення та інновації” (м. Кропивницький, 27–29 листопада 2018 р.)
361
ЗАХИСТ ПРОГРАМ ТА ДАНИХ В КОМП’ЮТЕРНИХ СИСТЕМАХ І МЕРЕЖАХ
turn into “hotbeds of infection”, as they may contain on their pages a malicious exploit code
(a subtype of malware). It uses an open browser vulnerability and establishes a “tunnel” with
the user's computer. Through it, a program is loaded into the PC that determines what
valuable information is stored on it. And then the “victim” is infected with a virus, specially
adapted for antivirus on PC [2].
In 2016, targeted recruitment of insiders began to gain popularity. IS experts have
declared the activity of intruders in this direction: more frequent attempts have been made to
recruit bank employees, especially those who are part of the economic unit and are able to
influence the adoption of certain decisions in the bank. A 2017 report by RedOwl and
IntSights confirms the growing demand for insiders on the Dark Web. Employees are
recruited purposefully, which greatly reduces the price of an attack: no need to guess how to
penetrate the company's network and how to take out the data. For the “percentage from
income” this information will provide an insider [3].
In 2017, silent ATM hacks began to gain popularity. When the device itself voluntarily
gives money. To carry out such a crime without the help of insiders is extremely difficult.
Criminals need information about the device ATM, the software built into it. And the test
ATM modules (parts) itself, for training (fig. 2).
Figure 2 — Attack vectors
Previously, SE techniques united a common goal: the attacker caused obvious damage
to the victim—obtaining information, financial damage, spoiled reputation, and demand for
ransom. Therefore, it was exactly as long as the world was not overwhelmed with the fever of
cryptocurrency mining. Mining promotes a simple idea for the masses: make money out of
nothing. All you need to do is take a computer and use its power to “calculate” virtual
currency. Currencies, by the way, are offered in abundance. In addition to replicated Bitcoin,
today you can “invest with iron” in a dozen alternatives: Monero, litecoin, Zcash and others.
But if everything was so simple, we would have been millionaires long ago. Using one
computer, mining is economically unprofitable. For simplicity, the situation looks like this:
earnings depend on how many hashes per second the processor or video card calculates (what
exactly will be used depends on the specific cryptocurrency). For example, Monero is
“calculated” by processors. With a performance of 863 kH/sec, you can earn $2,000
equivalent per day. That’s just the performance of an Intel Core i5-7400 mid-range processor
of about 0.165 kH/sec. This means that in a day at such capacities it will turn out to get as
much as 38.3 cents [4].
The new goal of the census (social) engineers is to parasitize on the victim’s technique.
Of course, this created difficulties and led to an interesting effect—the goal of social
engineers evolved. Now in 2018 the main task is not to cause obvious harm to the victim, but
to quiet and inconspicuous parasitism on her technique. After all, the longer the virus miner
will be on the car of an unsuspecting “donor”, the more it “counts”. Then revenues soar.
Figures in confirmation: in the beginning of 2018 a group of hackers installed malware for the
362
Матеріали Всеукраїнської науково-практичної конференції здобувачів вищої освіти й молодих учених
“Комп’ютерна інженерія і кібербезпека: досягнення та інновації” (м. Кропивницький, 27–29 листопада 2018 р.)
ЗАХИСТ ПРОГРАМ ТА ДАНИХ В КОМП’ЮТЕРНИХ СИСТЕМАХ І МЕРЕЖАХ
extraction of cryptocurrency on 9,000 computers via web-sites cookies and, according to
analysts, such a network brings its owners up to $30,000 per month [5].
2019th may become the beginning of the era of “friendly” SE. Economically, mining “in
the forehead” at its own expense is unprofitable (if not considering specialized devices and
farms). Therefore, a new field of activity opens up for social engineers. In theory, mine
cryptocurrency is possible on any device that has computing power and access to the Internet.
Moreover, this is not only smartphones but also the whole range of IoT devices (or “smart
devices”). In addition, for mining it is not necessary to install some kind of software, rather a
special script. I think that this is the beginning of a new era—“undisguised” and “friendly”
SE. And it is possible that soon, for example, banners will appear on torrent sites with a cat
from Shrek and the words: “Please mine form two minutes. This will help us continue
uploading pirated-movies for you.” Honestly and without cheating the user.
2. Pattern of changing SE threats. There is a general principle “every action has a
reaction” the more often attacks of the same type occur, the more identified companies and
individuals become in the methods of struggle, prevention and further protect against them,
the principle of SE implies that a person will always remain imperfect by creating, in certain
circumstances, even a very savvy methodically person can suffer from the proper level of a
trained attacker. The graph below shows that the society does not develop evenly known
threats and people know about them, people have become more cautious, security policies are
more strict and closed, but even now after almost 5 years from the first cases (fig. 3), even an
obviously suspicious email can be opened and skipped by spam filter and antivirus and
eventually opened by a computer user.
Figure 3 — Pattern of changing social engineering threats
Concluding and further studies. In this paper, there is only an attempt to outline the
problem of social engineering. In the future, a full-scale research is planned on the reaction of
people to phishing projects as part of the practice of ethical hacking.
References
1. Mugala Mwami. Social Engineering : Research Assignment [Electronic resource] / M. Mugala. –15 p. –
Access mode: https://www.academia.edu/7978172/Social_Engineering_Human_Hacking
2. Wilcox H. Social Engineering Through Social Media : An Investigation on Enterprise Security [Electronic
resource] / H. Wilcox, M. Bhattacharya, R. Islam // Communications in Computer and Information Science. –
2014. – P. 243–255. – DOI 10.1007/978-3-662-45670-5_23.
3. 2018 Data Breach Investigations Report. – 11th ed. – Verizon, 2018. – 68 p.
4. National Cyber Security Awareness Month: The Enterprise’s Safety Online Is Everyone’s Business
[Electronic
resource].
–
Trend
Micro,
2018.
–
Access
mode:
https://www.trendmicro.com/vinfo/us/security/news/social-engineering
5. Hulme George V. What is Social Engineering? How Criminals Take Advantage of Human Behavior
[Electronic resource] / G. V. Hulme, J. Goodchild. – CSO, IDG Communications, 2017. – Access mode:
https://www.csoonline.com/article/2124681/social-engineering/what-is-social-engineering.html
Матеріали Всеукраїнської науково-практичної конференції здобувачів вищої освіти й молодих учених
“Комп’ютерна інженерія і кібербезпека: досягнення та інновації” (м. Кропивницький, 27–29 листопада 2018 р.)
363