So, a few days ago I got to see in Full HD how effective social engineering is when it is pulled off correctly. It is not a very humane use case, but it is still a good watch, as threat actors rarely stop to think about how morally fulfilling their work is. As much as I enjoyed the movie, I think a lot of people have glossed over the message it was meant to pass on. So here are three key takeaways from the movie, from a cyber-security aware perspective.
- Social media: The whole theme of the movie revolves around one guy (Simon Leviev) using social media, in this case Tinder, to sell the image of a wealthy and well-travelled business tycoon. The victims had no way to confirm whether the pictures they were seeing were genuine or not, and so they fell into the first trap – “Attraction/Interest”.
- SEO poisoning: Search Engine Optimization poisoning is a tactic used by ill-intentioned people to create malicious, and oftentimes fake, websites and make them rank highly in search results, so that you are more likely to believe the site is genuine. We can see how this played out in the movie, where the victims all did their research and got positive results from Google. 'Seeing isn’t always believing'.
- Emotional exploit/social engineering: Why hack a computer system when you can do the same to humans, with less work? This movie is a prime example of how emotional hackers and social engineers work: they first create feelings of trust or love, or whatever emotion they hope to exploit, and then use that feeling against you. It can also be seen how he (Leviev) used urgency and fear to manipulate some of his victims and got them to part with their money. Love is blind?
And so, what can you do to be better prepared for such a well-crafted attack? Here are a few tips:
a. Do not believe everything you see on the internet, and not just while you’re surfing, but also in your social media feeds and even in some news articles you might read online. And once again, if it looks too good to be true, it probably isn’t true.
b. Simple Google searches are no longer enough. If you really want to find out about a person or business, take the extra minutes to do proper research. For businesses, you can always check with your country’s equivalent of the Corporate Affairs Commission (a business registration and licensing commission) to gather more info on the alleged company. For persons, you should expect to see their names or faces in more than just one publication or site online. In other words, ‘Dig Deep’.
c. When you find out, or suspect, that you’ve already been ‘hacked’, it’s a good idea to stop and tell friends or family about it, or even call the relevant authorities. Do not fall prey to the sense of danger, life threat or urgency that the attacker will portray. 'Two good heads are better than one'. Your main objective at this point is to stop the threat actor from exploiting you, or the information you've already given out, any further.
d. Pay attention to the little voice in the back of your mind telling you that something here doesn’t feel right. ‘Trust your gut feeling’. Do not let emotions lead you blindly to financial or social crisis.
In general, having a skeptical approach/mindset will do you more good than harm, especially if you become a target of social engineering attacks. Remember, your physical and emotional safety is more important than any kind of protection online, because if you're compromised physically, there isn't much your online safety tools and mechanisms can do about it. And yes, the movie I'm referencing is 'The Tinder Swindler'.
Thanks for reading, goodbye and see you soon. Stay safe.