Social Engineering and Cybercrime

At one time the name Kevin Mitnick was synonymous with the term “hacker.” In his 2002 book, The Art of Deception, Mitnick claims he did not use software programs or hacking tools to crack passwords or otherwise exploit computer or phone security. Instead, he compromised computers solely by using passwords and codes that he obtained by getting people to unwittingly divulge information, that is, through file-less attacks. In 2017, 77% of US businesses were compromised due to attacks and exploits that, similarly, did not involve the installation of malicious software but were carried out through file-less attacks.

Social engineering is the psychological manipulation of an individual into performing an action or divulging confidential information. Cybercriminals leverage social engineering by stalking individuals in the social world and manipulating somewhat predictable levels of trust and gullibility [1]. The techniques used by cybercriminals are based on specific cognitive biases, which are attributes of human decision-making. These biases are exploited in various combinations in the creation of almost all attack techniques [2].

Cybercriminals use social engineering tactics because it can be easier to exploit an individual’s natural inclination to be trusting than to spend time building software tools to break through firewalls and system security. In short, it is much easier for a cybercriminal to get someone to give up their password than it is to try to hack that password. By crawling through the social information the target shares in online profiles and social media posts, cybercriminals can craft a custom strategy to manipulate the target, through influence and persuasion, into divulging confidential information or even into carrying out the malicious attack for them.

 

Resources:

[1] Bosworth, Seymour, and Michel E. Kabay, eds. Computer Security Handbook. John Wiley & Sons, 2002. Chapter 19, “Social Engineering and Low-Tech Attacks,” Karthik Raman, Susan Baumes, Kevin Beets, and Carl Ness. https://onlinelibrary.wiley.com/doi/abs/10.1002/9781118851678.ch19

[2] Gutzwiller, Robert S., Sunny Fugate, Benjamin D. Sawyer, and P. A. Hancock. The Human Factors of Cyber Network Defense. Space and Naval Warfare Systems Center Pacific (Gutzwiller, Fugate); University of Central Florida (Sawyer, Hancock). 2015, pages 113-122. https://doi.org/10.1016/j.jisa.2014.09.005
