Inspiration from a Social Engineering Attack
A few days ago, a colleague of mine announced via WhatsApp status that his Instagram account was hacked. Upon talking to him I realized the account wasn’t hacked in the technical sense; the attacker had gained access to the account by tricking him into changing his sign-in email address to an email address to which only the attacker had access. I attempted to help him recover the account but failed because the recovery methods in place were either outdated or non-functional. Ultimately, he abandoned the account and created a new account. This post was inspired by that incident.
Note: Norton defines “Social Engineering” as “The manipulation of a person to divulge confidential information that can be used for fraudulent purposes. Therefore it’s also known as human hacking.” Social engineering is a very common method employed by cybercriminals to gain access to confidential and privileged information because, unlike technical hacking, it requires little or no coding at all (phishing is one variant of it), and antivirus software isn’t capable of thwarting attacks that target humans rather than machines.
An Outdated Sign-in Email Address
The attacker gained control of my colleague’s Instagram account by convincing him to change the sign-in email address to an email address that the attacker controlled. Afterwards, the attacker used the lost-password feature to reset the password and enabled Two Factor Authentication. My colleague should have received email alerts from Instagram for each change with instructions on how to undo them. Unfortunately, though, he had been using a Yahoo email address to sign in to Instagram which Yahoo had deactivated due to inactivity, which reduced the chances of recovering the account by half.
The lesson here is to confirm that all of your online accounts are associated with a valid email address, so that you have a good chance of recovering them if they ever become compromised. I tested my own Instagram account against this and although the process was confusing, it worked because the sign-in email address is an email address that I use regularly. So take some time today to confirm that all of your online accounts are associated with a valid email address. It will help you recover your accounts quickly in the event of an account takeover.
A Non-functioning Phone Number
You can recover a hacked account using your phone number even if the sign-in email address is inaccessible. Online services such as Google allow us to associate a phone number with our accounts to make recovery easy in the event the account is compromised. In the case of my colleague, however, although he had a phone number linked to his Instagram account, that number was inactive as well. Without access to the sign-in email address or the associated phone number, my colleague had to let go of his Instagram account.
There’s no such thing as perfect security, but there are additional layers of security with which you can improve yours. Account recovery essentially bypasses the primary login process (password and second factor), so it should be treated as a separate form of authentication and protected accordingly. That makes a functioning phone number one such additional layer of security. Therefore, always see to it that your account is linked to a functioning phone number and that you have access to it. That way you have another method to recover your account if it ever gets compromised.
Enable Two Factor Authentication
Two Factor Authentication has been around for quite a long time now, but most users still don’t take advantage of the technology. They don’t consider securing an account with Two Factor Authentication until they become the target of an attack. An attacker can’t disable Two Factor Authentication simply by resetting the password for a given online account, because a password reset doesn’t disable Two Factor Authentication (unless there’s a bug). Two Factor Authentication can protect you from a range of attacks, including social engineering and phishing attacks.
Secure your important online accounts with 2FA today, including accounts such as iCloud, crypto wallets, social media, and online banking (and don’t forget to secure the email accounts used for signing into those accounts as well). You can use app-based authentication, SMS authentication, or a hardware authentication device such as a YubiKey. Regardless of the method, see to it that you download the backup codes and store them in a safe place, just in case you lose the authentication app, the hardware device, or access to SMS.
Social Engineering & Common Sense
Most Sri Lankans are not familiar with techniques used by attackers such as social engineering and phishing. However, one can defend oneself against these attacks by exercising common sense. On the other hand, if you have multiple layers of security but don’t exercise common sense, all of those layers of security are good for nothing, because social engineering and phishing attacks trick you into disclosing sensitive information consensually. Unfortunately, no antivirus or firewall can prevent you from consensually disclosing such information.
The bottom line is that my colleague could have thwarted the attack had he exercised common sense and not changed his sign-in email address to the email address sent by the attacker posing as a friend. Remember, never provide confidential information, whatever the circumstances may be, to individuals who contact you out of the blue via email, text, or phone calls. Ask yourself: why am I being asked to give out this information? Do I know this person? Don’t disclose or modify your login information even if you know the person.
While writing this post I came to know that another colleague of mine had her Facebook account breached by an attacker using a phishing attack, a variant of social engineering. Both of these incidents indicate that Sri Lankan users are being targeted today more frequently than ever before. The good news is that protecting yourself against a social engineering attack is not as difficult as it may appear to be. The article titled “Social Engineering and How to Prevent It” by Avast is a good place to start.
In conclusion, although my colleague abandoned his Instagram account after it fell prey to the social engineering attack, the problem was far from over, because the attacker began targeting his 800+ Instagram followers. Sound familiar? Often social media users abandon compromised accounts and move on because the recovery information is not up to date. A responsible social media user has the recovery options properly set up. That way you can recover from an attack and stop the attacker from targeting other individuals connected to you on social media.