Elon Musk, Bill Gates, And Joe Biden Hacked On Twitter, Likely Using Social Engineering Tactics

This article is more than 3 years old.

Social engineering is one of the most nefarious ploys in all of technology. 

One reason it’s so effective is that it is ever-evolving and ever-changing — you never know what to expect. It works because it’s unpredictable and a little surprising.

Recently, Twitter representatives explained that social engineering was likely how hackers gained access to the Twitter back-end and compromised the accounts of high-profile figures, including Elon Musk, Bill Gates, and even presidential hopeful Joe Biden. Jeff Bezos, Michael Bloomberg, and Kim Kardashian West were also hacked.

You may have even used social engineering tactics yourself.

Let’s say you show up at the gas station to buy a pizza. You explain to the clerk — after taking a bite or two — that you forgot your wallet but you’ll come back in an hour to pay. You hop back in your car and disappear. (You just have to remember never to go back to that gas station.) You just used social engineering.

That’s a simple explanation, but you’d be surprised how similar it is to the tactics hackers use to break into accounts. I can imagine how this might have worked at Twitter. Suppose a hacker finds the name of a supervisor in a specific department. They call into the headquarters, say they are Bob Smith and that they need the password to an admin tool. With social engineering, a simple request is better than a complicated ruse. You have to catch people unaware.

The way it works is hard to pin down, but there are a few basic strategies. Usually there’s some smoke and mirrors — an email asking for information, a phone call from a supervisor, a quick text exchange. Once the hackers obtained the admin login they were able to start implementing their ploy — in this case, a trick to convince people to send them Bitcoin. My guess is that this has likely happened before but not to this extent and not with such high-profile verified accounts.

The question is what to do about it.

Social engineering is an ingenious tactic because it’s not one thing — and computers tend to like limits and barriers. If there is a security measure that blocks a certain type of attack, then you can trust it will work again and again. How do you stop something that is not well-defined and constantly changing? For most companies, this involves education. It works the same with phishing scams — if there’s a scam involved, the only way to combat it is to train employees about how they work.

How a company reacts is also important. Social engineering tactics are always shifting, but having a strategy in place to deal with a compromise can help.

Twitter responded in the best way possible — by apologizing and promising to do better, and also by addressing the leaks. In an unprecedented move, they made it impossible to tweet from some verified accounts. They wanted to make sure the hack was addressed fully and not cause any more chaos.

The next step? Make sure it never happens again.
