To Avoid Cyber Attacks, Beware of Social Engineering

By Mary Warner posted 25 days ago

I found a copy of "Ghost in the Wires: My Adventures as the World's Most Wanted Hacker" by Kevin Mitnick with William L. Simon for sale on the Friends of the Library shelf at my local library recently. For a buck or two, it made for an exciting read on the early days of hacking.

Mitnick started out as a phone phreaker when he was a teenager, which reminded me of how intertwined phones and computers are. Phone phreakers were people who figured out how to reconfigure phone systems and their switching equipment in order to make free long distance calls. From there, Mitnick progressed to hacking into computer systems. He served prison time for his activities, though he stressed in the book that he never used the information he gathered for financial gain. It was all about the challenge of figuring out the tech and the systems.


What struck me about Mitnick's hacking was how often he used social engineering to gain access to systems and passwords. Social engineering is about exploiting trusting humans into providing the information needed for hacking.


I started tracking how often he mentioned social engineering tactics by marking the pages with yellow sticky notes and soon gave up because he did it constantly.
Here's how Mitnick explained what's behind successful social engineering:


"The basic tactic is simple. Before you start social engineering for some particular goal, you do your reconnaissance. You piece together information about the company, including how that department or business unit operates, what its function is, what information the employees have access to, the standard operating procedure for making requests, whom they routinely get requests from, under what conditions they release the desired information, and the lingo and terminology used in the company.


"The social-engineering techniques work simply because people are very trusting of anyone who establishes credibility, such as an authorized employee of the company." (pg. 10)


Using this research, Mitnick would often pose as an employee from another branch or department of a company in order to get the access or information he needed. In some cases, he was able to convince employees to make adjustments to equipment for him.


Though Mitnick was hacking in the early days of personal computers and cellphones, social engineering tactics remain an effective way for hackers to get into computer systems to steal sensitive information, as is evidenced by this June 2024 article on the arrest of one of the members of Scattered Spider, an international cybercrime gang that has attacked 45 U.S. companies: Cops cuff 22-year-old Brit suspected of being Scattered Spider leader

Note this line in the article: "Being native English speakers is perhaps why the group started off as a SIM-swapping gang, able to convincingly assume victims' identities and manipulate mobile network support staff into transferring the control of devices to the criminals." [emphasis added]


That's social engineering at work and echoes what Kevin Mitnick did in terms of contacting the staff of phone and computer companies to hack his way into their systems.
Phishing attacks via email are another way hackers play on our trusting nature to click the link (there is almost always a link) that allows them entry into our computers. Phone calls or emails from someone posing as a relative (or a Nigerian prince!) who needs money are yet another social engineering tactic.

Cybercriminals can also pose as lawyers in order to take advantage of their victims, as in this recent article about cybercriminals impersonating lawyers who purport to help victims of cryptocurrency scams but steal their money and personal information instead: FBI Has New Warning About Cybercriminals Posing as Lawyers.

Of course, attorneys and law firms are not immune from cyber attacks and may be targeted because of their sensitive client data and handling of client funds. They have to be particularly vigilant if they regularly conduct wire transfers as part of their work, as pointed out in this article from Law.com: Former FBI Cyber Expert on How AI Will Exacerbate Law Firms' Wire Transfer Vulnerabilities.

Lawyers and law firm staff need to always be on guard against social engineering and should get regular training in how to recognize it.


For example, MSBA staff are sent periodic simulated phishing emails by our IT company in order to learn to spot real phishing emails. We've become pretty suspicious of strange emails and I have called law firms when I have occasionally gotten a spoofed email (another type of social engineering, where a hacker sends a phishing email through a real email account) to confirm whether the email is legitimate.


If you don't have an IT department training you to watch out for social engineering, start with this article from CISA, the U.S. Cybersecurity & Infrastructure Security Agency: Avoiding Social Engineering & Phishing Attacks.

CISA also provides tips and tools to help increase cybersecurity, particularly involving organizations and governments that are part of the country's critical infrastructure. Check this page for some of their Free Cybersecurity Services and Tools.

After Kevin Mitnick served his time for illegal hacking, he became an ethical hacker, also known as a white hat hacker, opening his own cybersecurity business. He was hired by companies to help them find flaws in their tech security and was often called upon to share his expertise in the media, with government agencies, and at corporate events. Though Mitnick died last year, his company, Mitnick Security, is still operating and provides more info about him and his books through its website.

***
