October 26, 2020
In a reverse social engineering attack, the target reaches out to the attacker for assistance. Consider a scenario where a target receives a virus alert with a 'call for assistance' number. On contacting the number, the target can then be asked to share their credit card or debit card details, putting the target's confidential data at stake.
Reverse Social Engineering (RSE) is a form of social engineering attack. It has the same aim as a typical social engineering attack but with a completely different approach. It is a person-to-person attack where the attacker makes direct contact with the target to compel them into divulging sensitive information. In most cases, the hacker establishes contact with the target through emails and social media platforms, using multiple schemes and pretending to be a benefactor or skilled security personnel to convince them to provide access to their system/network. Though this technique may seem outdated and ridiculous, it has proved highly effective, especially when the victim's system/network shows signs of being compromised.
In social engineering attacks, the attackers usually approach their targets, whereas in reverse social engineering attacks, the victim unknowingly goes to the attacker.
Let’s assume you have clicked on a phishing link (created by the hacker aiming to contact you) and have downloaded malicious software that may immediately infect your system. You are then contacted by email by the hacker, who presents himself as a person of authority and tries to convince you that he is capable of fixing the issues on your system at a very reasonable price (or sometimes for free). Having gained your trust and access to your system, the hacker fixes the so-called errors while simultaneously creating a back door to monitor your online activities and steal your data. In some cases, the attackers do not initiate contact with the target at the start. Instead, the target is tricked into contacting the hacker to establish a higher degree of trust between them. As the target is the one who contacts the hacker first, this minimizes doubts about the legitimacy of the hacker's identity.
To increase the probability of being contacted by their targets, hackers create the need for assistance by sabotaging or deleting users’ important files or tampering with their system parameters during a physical intrusion. Proper advertisement, or strategic placement of the offer so that the target sees it without fail, is an essential part of this entire process. The victims, who are now panicking, believe that their system has been compromised. Such an approach increases the contact probability tremendously. Social media is another place where the attacker could build trust with their target.
The success of reverse social engineering depends on the following -
The former cause is most common with individual systems and users, while the latter typically applies to small and medium business organizations that have an underdeveloped information security infrastructure or little emphasis on security awareness.
Lack of security awareness
Humans are generally known to be the weakest link in the security chain, with 94% of malware delivered through phishing and social engineering attacks. Though many organizations have basic security policies that state not to disclose sensitive information such as username, password, transaction details, OTP, and account number, many users still fail to understand the importance of these security policies. Users generally neglect key security practices such as using multifactor authentication; scanning unknown devices; not opening anonymous emails, links, and attachments; and several other precautions. A recent survey found that nearly 26% of internet users have shared their OTP with others.
People give out information for multiple reasons: at times for the sake of ease or to shorten the process for which the information is required, and sometimes because of their helpful nature. In some cases, it was found that the compromised information was provided because the request was made by someone mistakenly assumed to be an authority, such as bosses, superiors, government officials, law enforcement officials, etc., which intimidated the victims into divulging sensitive information. In several other cases, users did not know how to respond upon realizing that their system or data had been compromised and, in panic, tended to fall for the predesigned lure of reverse social engineering. Hackers understand these psychological attributes very well and utilize them to their advantage.
Poor security plans
Although organizations understand the risk of a security breach, not many are ready to spend resources on advanced security solutions. Others assume that their current technology is sufficient and flawless. Even if organizations try to build and incorporate security technology and procedures into their operations, it is difficult to determine their efficacy without a proper test. Many organizations rely on internal identifiers (such as asking employees to check for issues) to test the performance of these procedures and defenses, which cybersecurity experts consider a recipe for disaster.
Organizations that manage sensitive information run a more substantial risk of a security breach and need more robust security policies. Thus, proper authentication mechanisms and additional features that protect these mechanisms are essential. Apart from that, it's imperative to test the security plans and procedures periodically. A holistic approach to the testing of these procedures is a must. Many organizations establish security guidelines but fail to implement them effectively, as security experts assume that their employees understand the security risks and their implications, but these assumptions are unrealistic. Organizations run the risk of failing to establish or include realistic procedures for making employees aware of security procedures, risks, and mitigations.
Social engineering and reverse social engineering often succeed because of poor security awareness and a lack of operational procedures. These gaps cause the individual to panic and react to the problem inappropriately, such as by contacting non-credible tech support (who turns out to be the perpetrator), leading to the success of reverse social engineering. Hence, the mitigations for reverse social engineering attacks are quite similar to those for social engineering attacks:
A. Social engineering attacks cannot be stopped, but you can limit their chances of success by being vigilant.
Malware installed via a technical flaw accounts for only 3% of instances, whereas social engineering attacks amount to a massive 97%.
A. Usually, social engineering methods prey upon the fear of urgency or similar emotions – the ones in which a person will be the most vulnerable to make mistakes. These mistakes include clicking on a malicious link, downloading an infected file, or sharing OTPs, among many others.