Social Engineering: It All Started With A Game!

Imagine you are scrolling through Facebook and your friend has posted a quiz that asks for personal details such as your birthday or star sign for the app to determine your personality traits. That's social engineering at work ...

Having read your friend's results you think it is pretty accurate. So, you decide to 'click the link' to see what your personality is according to the details you type in. After all, what harm can it do? It's only a simple quiz and it's not like you are entering a whole bunch of personal or sensitive data.

"Or are you?"

In a very brief discussion this week, after a lapse of concentration, I clicked on a social media game, where I had to choose an animal, based on my birth year. Each animal had 4 or 5 random years assigned to it and when inside the game, the button became live.

Once the personality statement came up, the game asked me to share my personalised results in my social media feed. This is one thing I never do as it would share a live link for someone else to follow.

In this instance, I did find the answer fascinating so I took a screenshot (so no live link was posted/shared), but it did show the selection of birth years under the Rooster (symbolic of four or five different birth years).

A concerned friend, who also happens to be a top network infrastructure and IT security specialist, reached out and told me that by entering the game and choosing the Rooster symbol, cybercriminals had been able to narrow down the possibilities of which year I was born.

"It's a stealthy way to gain your credentials!"

This is one aspect of social engineering that I had not considered in much depth before. I have seen many of these games, all similar, but slightly different, and it never occurred to me that all the games may be devised by the same person, each time asking for slightly different personal information, collating all the pieces like a jigsaw puzzle, eventually gaining enough information to guess your passwords and account login details.

I regularly write about blatant cyberattacks: systems being hacked through connected equipment or phishing emails, but I never looked at games and quizzes as a threat. Doing some quick research from bona fide academic studies and industry white papers put a new light on the different manipulative methods of gaining trust and information ... all because our curiosity gets the better of us.

When you play multiplayer online video games, a friend request or private message from someone claiming that they will help you win the game can be a way of getting you to download an app that then installs malware on your systems.

"This is the very definition of Social Engineering!"

I am not a gamer and have never really seen their appeal, but this method of cyberattack is not the norm in the business-to-business world. It was a chance comment from a trusted friend that led me to today's blog topic.

Could your bank balance survive willingly clicking a link to a harmless-looking game?
