Con games: How do they do it?

Posted byAaron.Posted inCyber Security, Finance, Guides, Social EngineeringTags:, , , , ,

Hello World!

So, this is going to be a fun one. Lots to cover as we jump into what social engineering is and why it works.

Let us get started by listing the names that we give to these types of attacks. There are many terms used somewhat interchangeably, they include but are not limited to:

  • Social Engineering
  • Con(fidence) Games
  • Scamming
  • Fraud
  • Blackmail
  • Extortion
  • Phishing
  • Spoofing
  • Business email compromise (BEC)

Now, these terms don’t mean the same thing. However, they are important for understanding what exactly social engineering is. We can get a good idea what social engineering is from peering at these terms, other than con games which is an alternate name. The terms are all under social engineering, social engineering is the method by which these techniques succeed.

This does fall under the category of “hacking” however it involves very little technical know-how in some cases. Even phishing which we have discussed previously can be automated with tools, recently we have even seen new phishing chatbots.

So now we have gone over quickly what social engineering involves, lets try to understand why it seems to work for the attacker so much. Humans are humans, we simply have a subconscious desire to trust others. This is a massive vulnerability in human psychology, simply put it’s the reason we get conned, scammed, and deceived.

But it’s not as simple as someone blindly believing what they are told, again there’s a lot of victim-shaming when it comes to these things… the victim is never to blame, attackers are sophisticated. Let’s go even deeper in understanding the mechanisms used by these con artists.

  • Authority
  • Consensus
  • Scarcity
  • Urgency
  • Familiarity
  • Trust

If you want a quick guide to spotting phishing attempts, then check out my post here. But its example time… I would love to break down these techniques more, but this is a blog post, its supposed to be enjoyable to read and not feel like a report.

Authority is one of the most common methods, this could be something like pretending to be your nations tax authority (IRS, HMRC etc.). Threatening you with fines or even prison time. We can even look at example of an authority driven attack, whilst this isn’t the most sophisticated attack it allows us to understand the idea.

A scary text message! Fortunately it isn’t real. Source: https://www.worldprivacyforum.org/

Consensus is another common one, particularly common amongst cryptocurrency scams. Social media has become a cesspit full of these… to name names, its mostly Instagram. An example you can do is to make a tweet saying, “I’m locked out of my bitcoin wallet!” You will get a bunch of bots commenting how they had the same thing but @no1metamaskhackerbitcoinrecovery was able to help. I will include a typical Instagram scam so you can see what consensus looks like in action.

A very typical Instagram scheme designed to take your money. We call this an advance payment scam and it’s one of the most common methods. Source: https://finance.yahoo.com

Scarcity is probably the simplest method to use, but the easiest to spot. Think about visiting a website and getting a pop-up saying “You are the 1,000,000th customer, congratulations” which tells you that there’s a “free gift” you can select. Now a gift should be a red flag, sadly nothing comes free in life. But let us again look at an example. It’s not always out to hack you either, think about the scalpers that have been buying up devices like Playstations and re-selling, that’s the same type of idea.

A typical page telling you that you have won a FREE prize. Source: https://www.pcrisk.com/

Urgency is often used in conjunction with other methods, in our example for authority we can see that an arrest warrant has supposedly been issued. Firstly, the tax authorities don’t want you to go to prison… how would you pay your tax? But more importantly this is using the technique of urgency. Its difficult to find an explicit example of urgency, I would argue that urgency needs to piggyback off another technique to be effective. However, we will look at this later. Often multiple of these methods are chained in a single attack.

The same example as Authority but as we can see multiple techniques are chained together to be more effective.
Source: https://www.worldprivacyforum.org/

Finally familiarity and trust both complement each other more than anything else. No example for this but let’s have some fun and theorize our own attack. So, a family member has their account breached (Think about how bad Facebook used to be for this.) and they send you message about a class that you have together… let’s say you both do karate on Friday evenings!

Using this compromised (Or spoofed account) an attacker could send you a “new class schedule” in a Microsoft office document. Because you trust them and you do karate together you are incredibly likely to open this document. You can be compromised by an exploit like the recent Follina exploit that was found in Microsoft Windows Support Diagnostic Tool to run remote code on a target system with just a handful of clicks.

So, that was lots to cover. If this is something that interests you, or you want to strengthen your protection from such things… check out Hacking Humans, a free podcast provided by The CyberWire. Over there they expose scams and talk about how you can defend yourself or your family against the methods listed and more!

Remember, you are your own strongest password. If something doesn’t seem right, pause, and stop to have a think. Tell the person on the phone you will call them back, if they try to keep you on the phone… Red Flag!

If you’re still not sure after taking a moment, speak to a relative you can trust… even if they aren’t a tech pro.