Have you ever received an email from a friend containing a link or a download (pictures, music, a movie, or a document) and, because it came from someone you trust, been curious enough to click it?
Or an email from a company or bank you trust, asking you to verify your information by clicking through to a form and filling it in? Or an email claiming that you have won the lottery and that, to collect the money, you have to provide your bank routing details, your phone number, and your address?
If your answer to any of the above questions is “Yes”, then someone might have attempted to make you a victim of social engineering. Social engineering is a sophisticated technique used by attackers to bypass security measures and gain access to information assets by exploiting human vulnerabilities (e.g. people's willingness to trust). Social engineers seek different types of information from the victim, but usually they try to trick you into giving them your passwords or bank information, or into giving them access to your computer so they can secretly install malicious software that captures your passwords and bank information and gives them control over your computer system. Numerous social engineering techniques, such as phishing, baiting, pretexting and diversion theft, are available to exploit human vulnerabilities, but the most popular and successful one in Pakistan is the phishing attack (the examples mentioned above). Large numbers of users are deceived by this technique, and the attack is often so sophisticated that users fail to identify it.
Pakistan has a population of approximately 196 million, according to July 2014 statistics. Internet users make up about 15.8% of the total population, and mobile phone users about 65%. Our analysis revealed that social networking websites have the most popular usage pattern. Online shopping has also seen incremental increases, and online banking increased about 32% from 2007 to 2008. Facebook is the social giant in Pakistan, with almost 12 million users who, on average, spend almost 40 minutes per day on the site.
These statistics are attractive to social engineers who want to launch simple social engineering attacks that are very difficult to recognize. Attackers want to obtain account credentials first and, after that, full access. Phishing attacks and key logging techniques are the best options for these purposes. Phishing attacks are difficult for non-IT users to recognize because they have little familiarity with IT terminology. This is how users lose their credentials. In Pakistan, phishing attacks have compromised many users. These attacks have targeted not only social networks but many online banking websites as well. Recently a phishing attack was launched against a popular private bank, Allied Bank Pakistan Limited.
Another reason this social engineering playground exists is the lack of cybercrime law in the region. Whatever a person wants to do on the Internet, he/she is allowed to do; nobody can try them in any court of law. A popular telecommunication company’s webpage was also attacked using two different techniques. During this attack users were deprived of their secret credentials, and their calling records, messages and personal information were leaked. Social giant Facebook has seen numerous social engineering attacks in Pakistan, and many users fail to recognize these attacks, even when they themselves have already been compromised. Phishing attacks on Facebook, e.g. making a clone of the Facebook page and asking users to log in with their credentials, are common.
Finally, I can say that humans are the weakest link in security infrastructure and the only countermeasure for social engineering is user awareness, education and the implementation of policies and procedures. Moreover, the Government of Pakistan has not implemented any cybercrime law yet, so no one can challenge this crime in any court of law. That’s why Pakistan has become a hacking playground for social engineers. To limit these attacks, Pakistan needs a cybercrime law under which cybercrime activities can be restricted and challenged in a court of law.
Image 1: Webmaster, Getty
Image 2: Angelo Arcadi, Getty
Image 3: Elhombredenegro, Flickr