The evolution of technology has produced great benefits such as improved efficiency, accuracy, productivity, and effectiveness. Nonetheless, these technologies have their downside. One of the negative effects of improved technologies is the growth in cybercrimes. However, cybercrimes are not always a case of exploiting technologies. In most cases, the users are to blame. Cyber security professionals consider the user the weakest link in any system and network. This case study is an example of attackers exploiting a human weakness to get non-existent refunds and access a business network.
There are diverse ways of analysing cyber security breaches. The Social Engineering Attack Framework by Mouton et al. will be applied to analyse this case study. In this research paper, the authors explore susceptibility to social engineering attacks. They investigate how personality traits influence this susceptibility. In the research, Mouton et al. (2014) use Kevin Mitnick’s social engineering attack cycle and address its shortcomings, from defining the attack’s goal to its successful conclusion. Besides, the authors utilize a social engineering ontological model when defining a social engineering attack.
All Things Fibre was a victim of several cyber-attacks. The business focuses on selling weaving and spinning equipment and supplies online. Besides, the business runs several training courses for groups and individuals. The business has created an online presence through its Facebook page, where they interact and communicate with their customers. The Covid pandemic created more opportunities for the business as more people took up hobbies during the lockdown. However, the company has ignored several measures to protect its business from cyber threats. Recently, the company has experienced several events that could compromise its security. Luckily, none of the events was by an insider.
Analysis of the Breach
In the first event, a middle-aged woman enters the shop and browses the goods on display. Jill attends to the customer, who needs more information on the workshops available. The customer compliments the space, and Jill agrees. The interaction between Jill and the customer represents the first phase of Mitnick’s attack cycle. According to Mouton et al. (2014), social engineers must get the most possible information from their potential victims. However, Jill’s friendly nature pushes her to share more information than is required. Jill shares sensitive information such as the business’s increased profits. Social engineering involves the psychological manipulation of unsuspecting employees to share sensitive or confidential data (Lord, 2020). Jill’s friendly nature was her weakness in this case. Being friendly allows people to share information freely, assuming the other person is also friendly. In social engineering, the attacker has to create a relationship with the potential victim (Mouton et al. 2014). The customer’s compliments were intended to create this relationship. Based on the psychology of persuasion, this is referred to as social proof. Social proof involves placing higher levels of trust in people who share similar opinions and likes (Uebelacker and Quiel, 2014). Besides, the customer used compliments to get information from Jill. The compliments created a conducive environment for interaction. In the process, Jill shared confidential information.
In the second incident, Maggie identifies the same customer on the business’s CCTV system interacting enthusiastically with Jill. In this scenario, the customer uses a different strategy to access information. While being booked for the workshop, the customer looks over Jill’s shoulder, a strategy known as shoulder surfing. Shoulder surfing is a social engineering method used to gather information by looking over the shoulders of others (Long, 2011). The information obtained can be used for further attacks, such as logging in to secure systems. In such cases, the attacker memorises the information and uses it elsewhere. After the incident, Sam alerts Jill that she should be careful about letting customers look over her shoulder. Jill responds that she is a good judge of character. Social engineering depends on persuasion. According to the psychology of persuasion, Jill responded to a principle known as reciprocity, a social norm that obliges victims to repay others for what they have received from them (Mouton et al. 2014). In this case, Jill got a customer for the workshop and repaid with trust. She assumed the customer’s character based on their previous engagements, which involved compliments. Jill was pleased the customer came back and believed that her good customer service brought her back.
The next incident involved a phone call from a customer asking for a refund on the top-of-the-range spinning wheels. The customer specifically asked to talk to Jill. The customer had all the details right, including workshop details and the delivery date. This step involved exploitation using the information collected in the reconnaissance and engagement steps. Exploitation is the third phase of Mitnick’s attack cycle, and it is achieved when the victim is in an emotional state (Mouton et al. 2014). The goal, in this case, was to get £1000. However, this attack was not successful because Pat asked for a receipt, and there was no previous relationship between the attacker and the employee. The information used for this attack may have been collected through shoulder surfing.
A week later, Jill is excited to bring a new laptop to work. However, the laptop was previously used by a keen gamer who had installed several pieces of software. Jill required a password to access the business’s wireless network, which was written on a piece of paper and hidden under the till. Modern systems require usernames and passwords to enhance privacy and security. Most of the passwords are complex and difficult to remember. Nonetheless, writing a password on a piece of paper is risky. For example, if the piece of paper is misplaced, it may end up in the wrong hands. Dumpster diving is one form of social engineering which involves investigating a business’s or person’s trash to get information (Applegate, 2009). The piece of paper may end up in the trash and then in an attacker’s hands.
The laptop started blinking before Jill could enter the password, and lines of strange letters and numbers flashed across the screen. Then a message appeared asking Jill to provide her Minecraft account to gain access to her computer. This case is an example of a ransomware attack. Ransomware is malware or software that encrypts a victim’s files (Brewer, 2016). Once the files are encrypted, the attacker demands a ransom to provide a decryption key or restore access. One of the most common delivery methods for this attack is downloading corrupted files and programs from the internet. In this scenario, the ransomware was probably from the games and software installed on the computer. Luckily, Jill had not connected to the Wi-Fi. If she had connected, the attackers would have accessed the entire network and compromised more resources. The impact of such attacks is the loss of data and disruption of normal processes. For example, if the ransomware were installed on other company devices, the business would not be able to access its customer database to check appointments and pending orders.
Two days later, the business received a text message with a link. The message referred to a parcel arriving. However, they were not expecting any parcel. This scenario is a phishing attempt. Phishing is a social engineering attack used to steal data such as credit card numbers and login credentials. In this attack, attackers masquerade as trusted entities and dupe victims into opening a text message or email. In this case, the attack was delivered through a text message. The victim is tricked into opening a malicious link which leads to the installation of malware. For businesses, such attacks can lead to loss of sensitive information such as customer credit card information and disruption of processes if malware is installed. Besides, it can lead to financial losses through litigation and loss of customer trust.
Although the attacks were not fatal to the organisation, some were successful. Social engineering is achieved through four steps: reconnaissance, engagement, exploitation, and closure (The Four Phases of Social Engineering, 2021). The reconnaissance stage involves collecting information to execute engagement. The attacker visited the shop and collected different information such as products, friendly employees, and working hours. The second step, engagement, involves building a rapport and gaining enough knowledge. The attacker interacted with Jill by sharing compliments and, in return, got financial information about the business. The attacker uses the information obtained in the first two stages to achieve a certain goal in the exploitation stage. Closure is the final stage, which involves closing interactions without arousing any suspicions. In this case, the final stage was not achieved.
From this analysis, Jill is the weakest security link. First, her personality allows her to interact and share information with strangers. Jill appears extraverted and willing to interact with new people, share information, and be happy when customers return. According to Uebelacker and Quiel (2014), social engineering attacks through social proof and liking work with extraverted people because of sociability. The extraversion and sociability exhibited by Jill lead her to assume a stranger’s character, allowing the stranger to shoulder surf as Jill uses her computer. Besides, Jill’s lack of awareness of technology contributed to the success of most of these attacks. She was not aware of the risks posed by using a foreign device on the company network.
In contrast, one of the employees, Sam, who runs a graphic design and web development company, was aware of the risks. Sam played a critical role in reducing the severity of the attacks. Additionally, Pat and Maggie took the time to analyse the phishing message before opening the link.
Nonetheless, Jill is not the only one to blame for the attacks on this business. The company lacks administrative controls to prevent or mitigate cyber-attacks. The business does not have a password management policy. The Wi-Fi password is written on a piece of paper, which can end up in the wrong hands, compromising its network and systems. Besides, the company has not invested in training its employees on the different attack tactics. For example, Jill assumes the customer’s character and does not know the risks posed when customers read over her shoulder. Also, she does not know the risks of sharing confidential information. Additionally, the business does not have a bring-your-own-device policy. Jill can bring new devices and access the network without checking the risks, installing security software, or outlining what kind of resources she can access using the foreign device.
Applegate, S.D., 2009. Social engineering: hacking the wetware!. Information Security Journal: A Global Perspective, 18(1), pp.40-46.
Brewer, R., 2016. Ransomware attacks: detection, prevention, and cure. Network Security, 2016(9), pp.5-9.
Long, J., 2011. No tech hacking: A guide to social engineering, dumpster diving, and shoulder surfing. Syngress.
Lord, N., 2020. Social Engineering Attacks: Common Techniques & How to Prevent an Attack. [online] Digital Guardian. Available at:
Rangeforce.com. 2021. The Four Phases of Social Engineering. [online] Available at:
Uebelacker, S. and Quiel, S., 2014. The Social Engineering Personality Framework. 2014 Workshop on Socio-Technical Aspects in Security and Trust.
Mouton, F., Malan, M., Leenen, L. and Venter, H., 2014. Social engineering attack framework. 2014 Information Security for South Africa.