When it comes to how best to extort information, hackers have plenty of choice.
That’s a key finding of a report entitled “Hacking the Human Operating System” released by Intel Security, in which the company details the variety of tools in a hacker’s arsenal, their weapons of choice, and attack patterns when doing said extortion.
By now, it’s well known that hackers seeking to extract information have increasingly sophisticated techniques, but it may be surprising to know just how many approaches have developed in their arsenal.
While the most widespread technique, commonly known as phishing (described as “social engineering” in the report) is commonly known, according to the report, it comes in two varieties. This includes “hunting”, which aims to extract information using “minimal interaction with the target” and “farming”, which sees a relationship established with a target who is then “milked” for information over an extended period.
While the farming technique is less common, it’s more damaging not only for the larger volume of information obtained, but also because relationship between the target and the social engineer may change over time.
“For example, the target may catch on to the attempt and possibly seek remuneration, or the social engineer may attempt to use blackmail, thus moving the interaction from social engineering to traditional criminal behaviour,” the report said.
Furthermore, the report identified four steps in the life cycle of a social engineering attack. This includes “Research,” where information is gathered on a person or organization, “Hook” which engages the target with the story, “Play” during which the extraction takes place, and “Exit” which takes place ideally without arousing suspicion.
As before, the message here is that choice is available to a sophisticated hacker.
“The attacker may perform one hunting attack, retrieve the information, and disappear,” said the report. “Or an attacker may perform numerous hunting attacks, and with that collected information initiate a farming attack. Social engineering attempts may be … part of a much larger campaign to gather multiple bits of related information.”