Cybersecurity blog header

Digital mules, social engineering continues to do its thing

Pandemic has accelerated social engineering scams

Frauds that take advantage of social engineering techniques have not stopped growing in recent years and have even accelerated with the pandemic. Nine out of ten cyber-attacks are originated from something as simple as an email

The Internet is a universe as fascinating as it’s dangerous. An often inhospitable territory in which the bad guys run wild. And where frauds using social engineering techniques, far from diminishing, continue to grow.

Official statistics leave no room for doubt. Nine out of ten cyberattacks in the world today stem from something as simple, as prosaic in this era, as an e-mail.

And, contrary to what one might think, most of these attacks are not usually carried out by large cybercriminal groups with powerful structures at their service. Nor sophisticated hacking techniques.

Not at all. The attack only comes to life with an e-mail that frightens or decisively conditions the recipient, or the attack is carried out through environments in which the sender didn’t perform a KYC to validate his identity or his identity is impersonated.

Of course, the majority of these thousands and thousands of cyberattacks that are registered on the Net every day obtain a small booty. Usually cents or dollars, but this is pure capitalism.

The scalability of evil. Many small loots end up generating a very large one.

It’s on the remaining 10% that the major organizations are focusing the fight against cybercrime. Because of the economic dimension of the incursions and the socio-political repercussions they generate.

The latest ransomware attacks, for example, bear witness to this. Attacks that, in order to be countered, require powerful cybersecurity services.

Unlike these sophisticated incursions, social engineering makes it possible to obtain large profits with a small investment. And scale.

Attacking a high volume of Internet users and companies with limited means. More often than not, it’s not even necessary to bite a malicious code to trigger the attack.

Internet, a world of shadows

The fact is that, on the street, social engineering has become one of the police issues of the moment. A thorny issue because it’s immersed in the world of shadows that is the Internet. And because it has a global and sensitive impact on groups whose digital training is, to say the least, deficient.

José Lancharro, the director of BlackArrow (Tarlogic‘s offensive and defensive security division), argues that social engineering attacks often succeed by targeting elderly people. Very vulnerable to falling into these traps.

«It’s very easy to be fooled if you’re not sensitized. The best advice you can get is to have common sense and not assume that whoever is on the other end is who they say they are. Of course, never give out passwords, banking credentials…», he stresses.

The casuistry of attacks is very varied. People pretending to be technical service personnel or even a supervisor or boss… «In these cases, they exploit fear, that psychological pressure to attend to a superior and do what he orders», says Lancharro.

Anyway, the most frequent attack is probably the one that uses a threat to block an account or a computer to get the victim to do what the cybercriminal wants.

The director of BlackArrow alludes to another of the cyber pranks that are spreading like a plague. A sort of update of the classic stamp scam: that of digital mules.

In this case, the bad guys offer an Internet user the chance to earn supposedly easy money by acting as a middleman. All he would have to do is to make a transfer to a specific account in exchange for a commission.

Intermediation punishable

What the victim does not know, or doesn’t want to know, is that this money comes from illicit activities: drug trafficking, arms trafficking, human trafficking… And, by making the transfer, he acts as a necessary cooperator, «making his intermediation punishable».

In these incidents, the legal aphorism of ignorantia iuris non excusat comes into play. Therefore, if the authorities were to investigate these operations, ignorance of the origin of the money could be of little use.

In this case, as in the previous ones, the lack of experience and knowledge play a key role in the success of the fraud. This is something that Incibe insistently warns about when it refers to social engineering.

The proliferation of attacks using techniques such as hunting, farming…

This vulnerable profile of the victims is the subject of one of the stories of the fascinating Only the Animals (2019). In Dominik Moll’s disturbing film, one of the characters is the target of a social engineering fraud carried out by a teenager from Abidjan.

But although they are winning the game, in real life the bad guys don’t always get their way.

Last April, a cybersecurity expert laid bare the tactics of a group of cybercriminals who scammed individuals from a call center in India. They pretended to be Amazon’s technical service to get hold of their victims’ credentials.

What the attackers didn’t know was that they were being recorded at all times, even through their own laptop’s webcam. For once, the hunter was the hunted.
The following video perfectly portrays the modus operandi of these cybercriminals:

José Lancharro insists that the key to avoid an upset is to understand the true dimension of the Internet. Where not everything that happens is innocent or candid.

«The precautionary principle is perhaps the best companion for moving around the Net», he concludes.

Prudence. That priceless traveling companion.

Discover our work in