A simple social engineering experiment
A lot of people today often live under the illusion of safety and privacy online. We check our emails, sign in to our accounts, message each other, make bank payments or simply browse the web, at home or at a public WiFi at the coffee store, thinking our online actions are only seen by us.
To a tech professional or a computer science student this illusion may simply not exist, it may rather seem like something obvious that everyone is and should be aware of.
Unfortunately, despite the rapid growth of our technology and its extensive use, the corresponding knowledge that the public has on such matters is not proportionate.
Is it really that strange that people are unaware of the dangers that the internet poses? I would say no!! How can a person understand how dangerous something is when they don’t know some fundamental facts about how it works? How can they realize that privacy violations and hacking can happen to them and that it is not something distant we only hear on the news?
Here is a list that tells a lot about the modern technological education:
To back my opinion I carried out a simple experiment on my dad, brother and girlfriend.
For the experiment I used phishing, a form of social engineering.
Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. (https://en.wikipedia.org/wiki/Social_engineering_(security))
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. (https://en.wikipedia.org/wiki/Phishing)
So the experiment was quite simple:
I made three different fake websites, each one according to my victim’s interests and sent them an email trying to convince them to follow a link to the made up websites and leave their credentials.
This story’s purpose is not to demonstrate the way the phishing technique was implemented. On the contrary phishing is actually one of the least technical methods that could be used to accomplish our goal.
I also already new the credentials of each “victim”, so I avoided any cases of misunderstanding.
- Dad
Age: 50 years old
Targeted site: ISP service account
Result: Took the bait! Although the email account in which he received the email wasn’t the one he was given by the ISP while signing up and although both the email sender and the given link (shortened URL and not HTTPS) were suspicious he gave all his credentials.
- Brother
Age: 12 years old
Targeted site: Social network account
Result: Took the bait! Unfortunately, exactly as with my dad, my brother also didn’t see all the red flags and gave up his username and password without a fight.
- Girlfriend
Age: 20 years old
Targeted site: Social network account
Result: Didn’t take the bait!! My girlfriend noticed that the email account in which she received the email prompting her to change password was not the one she had used while signing up to her social network account. She chose just to ignore the email.
However she wasn’t concerned by the weird link, the email’s sender or the fact that she was supposedly being asked to give her credentials in such way, via email.
She might have not taken the bait, but it was a close one…
Conlusion:
It is very important for institutions like schools to start educating young people about technology. This should be done in practice and not only theoretically.
Young people have always seemed to have a better relationship and more friction with new technologies and it is important that this encounter is a safe one. Training the new generation to spot and avoid cyber-threats could also have a positive effect to older people.
In the past it was our parents that told us not to talk to strangers while on the streets and shared their experiences and advice with us growing up. Maybe it is now time for younger people to tell their parents not to talk to strangers on the web…
Learned something? Hold down the 👏 to support and help others find this article. Thanks for reading!!
Follow me on Twitter @konpap1996