Question

There is a technique called “fabrication” constitutes one dimension of social engineering attack. Think of three (successful or unsuccessful) social engineering attack cases that you know from media or from your private life. Describe the cases in narrative form (what happened and how the course of each attack unfolded) and analyze the fabricating elements of the cases. Examine, in what ways the attackers sought to fool the victims. Moreover, in what ways they sought to build confidence and credibility (i.e. make the situation seem valid). What kind of frames was constituted?

Answer 1

Pretexting, as oppose to phishing (seek to obtain personal information, embed links to suspicious websites in URL, incorporates treats or fears or sense of urgency to act), attempts to extract sensitive information by building trust over time.

Pretexting is another social engineering attack where attackers focus on creating a good pretext or a fabricated scenario, that they can use to steal their victim's personal information. The attacker will create a believable, but a completely fabricated, pretext to lay some groundwork and break down a victim's defenses over time. Also, known as fabrication.

This kind of tactic is used to gain the victim's trust and increase the likelihood that they will divulge requested information without hesitation.

Few examples below of this cyber social engineering attack: -

1. Successful Attack
Narration : My Uncle who is a former State Bank of India (SBI) employee and of 70 years of age was a victim to this pretexting cyber attack. On Day1 - person makes a phone call stating he is an SBI employee and he wants KYC (Know Your Customer) information to verify account details. My uncle gives the required information asked like Name, DOB, Place where account is, Aadhar Number and mobile number. He is also asked, if he has any queries related to bank pension account. The fraudser takes this information and keeps the phone. On Day2 - same person calls again in the afternoon, says he has some more information to share regarding SBI pension with schemes and will require personal details. The fraudster convinces my uncle that he is from SBI bank and he will send messages to the mobile number, please read those messages and tell him the details which was the OTP information sent multiple times and he kept calling my uncle on phone and kept asking to share OTP numbers 4 to 5 times. Also, he kept calling at regular short intervals and kept him engrossed in talks. They were successfully able to transfer 40000 rupees from his account in 3 successful OTP sharing attempts. My uncle was able to know this only after half an hour when he say other SBI messages about money withdrawl from bank account in his mobile. Even after reporting to police the same day, even informed bank, but money was not recovered. The fraudster was calling from a far of state in UP, India.

2. Successful Attack - In an IT financial company, a senior financial consultant who is responsible for financial transaction of clients and his company, tries to transfer small amount of money (transaction fees in thousands of rupees) into his multiple accounts named under small companies over a period of time. This is shown as miscelleneous fees for clients and was not caught for many years in any financial audits. After few years this incident comes to light and the company fires the employee. He is asked to resign from his position and asked to leave but due to the reputation of company, this is not advertised.

3. Unsuccessful Attack - This incident was reported in newspaper. There were two old friends in a financial company. One friend (A) had resigned the company few months ago due to financial frauds committed. The other friend (B) is a senior level person in approving financial transactions in the same company and is a trusted old employee in the company. But this person incurs financial personal loss of crore of rupees in a lottery game. So, he is in deep financial crises and is in urgent need of quick money. Person B knows Person A was intelligent in committing financial fraud and knows how to transfer money to his personal accounts while doing Client's billing transaction. Person B approaches Person A for help in guiding how transactions can be done in the company and earn money. Also, promises to pay Person A for his guidance. Person A suggests pick a junior employee who is handling these transactions, go to him and asks him to get his transactions checked in his machine regularly and gain his trust. On some day, pretext to check his financial transactions, commit the financial money transfer transactions into your personal accounts quickly when that person is not around for sometime. Person B commits these financial transactions and is successful in transferring money to his accounts. But later in the month, a suspision is raised over approval of those crore rupees transaction by audit firm. The junior is picked up for doing these transactions, but he rechecks and recalls those dates information and reports that Person B had done those transactions from him machine. Later after police complaints are launched, Person B admits to this social engineering attack committed by him.

--------------

Thus, in all three attacks bank accounts / financial transactions are compromised in the pretext of gaining money by fraudsters. Pretexting attacks (fabrication) are commonly used to gain both sensitive and non-sensitive information. They use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a fabricated, convincing story that leaves little room for doubt on the part of their target.