Since the very first day I started working in the information security industry, I have found everything to be just so interesting and fascinating. The fire inside me I have for knowledge has been doused in petrol by stories of complex crimes, and this has educated me and forced me in to some real life studies. Over the years, I have delved quite deep into the world of 'real social engineers'. My past life before InfoSec hasn't helped in keeping me away from this knowledge either. When you ask people to describe what a social engineer is, they are forced to rely on cliché images served up by the media – most of the time, a suited guy in a balaclava, tapping away on some Netbook. Indeed, in many videos and interviews that detail the exploits of some real world attacker, there is usually some person giving testimony to the crime scene, sitting there yet again in a ski mask and a voice distorter disclosing the tricks of the trade. I know what we have to do in order to combat the rise in this activity. We need to look them in the eyes, say, "No, thank you. I know what you are about," and educate ourselves in order to make us the harder people to target. But where do you start? Where do you look them in the eyes? And where do you find one with no mask on? Well, this is a very long journey and it's so diverse. If online cyber crime were a nation it would be the 4th largest nation (financially) in the world. That's an awful lot of crime and people! And it's only set to rise with figures published this week detailing UK ID fraud has increased 30 percent over the past year. Eighty percent of this is due to Internet-based frauds and scams. But luckily some distinct styles and groups jump out at us and we can have a look at their lives and see what motivates these people. A term I hear a lot is "some African scammer" but have you ever met one? Have you ever called them out and told them the scam is over, asked for 20 minutes of their time on Skype and offered to PayPal them £20? Well, we have. It's became a mini obsession! We have focused on Ghana, mainly because of 'Sakawa,' which is a mix of contemporary African religion combined with online cyber crime. It's an unlikely couple, but it's spreading like crazy. Ghana and the west of Africa were once very wealthy and the general stance is: "The west stole this wealth and we are going to scam it back, it's rightfully ours." This permeates deep into nearly all Sakawa believers I've talked to and certainly is a common theme. So, we have a motive... But what do they look like? Well, this is when it gets tricky. African children as young as eight years old can play vital roles in these scams and have some truly amazing skills. Nearly all the Ghanaian public can identify a scammer. But why is it so hard for us to prevent being a ‘mugu’ (African: Big Fool). You have to understand what motivates them, what it's all about, and it becomes a lot clearer. Sakawa believers have the same kind of logic as the man defending against vampires: Bob: Why do you have garlic around you neck? Dave: It's to ward off vampires, of course. Bob: Do you ever see any vampires? Dave: Of course not. Since the garlic, not a single one! In Africa, logic and religion can be quite diverse. If your whole street is living in poverty and your neighbour has just scammed a Range Rover and £10k after he visited a special voodoo priest to pray for his phishing campaign to work, then you could quite easily be convinced that 'Sakawa' has been responsible and this is in a nutshell why it's spreading. Sakawa has a style, the believers wear certain clothes and listen to a certain style of music. They write their emails in a certain way and with a little education, you can pick them out clearer than a red devil at an evangelical church. It becomes in our favour to see these people, struggling through their nation's corruption on a mission to stay alive and have nice things. We know their motives, we know how they work, what kind of clothes they have, and what they believe—and this is as good as 'looking into their eyes' as we might ever get but you can see a little closer the more you learn. This is just one example, one tiny spot on earth with a clearly identifiable demographic – but there are many, and I suggest it's time your organisation starts to look at them. I have constructed a short talk this year for BSides London 2015 and eagerly await displaying some of this knowledge. Thinking outside the box has been a key factor in our business 'The AntiSocial Engineer,' which serves to protect organisations from threats caused by social engineers – whatever they may look like!
About the Author: Richard De Vere, who is the Principal Consultant for the AntiSocial Engineer Ltd., has an extensive background in penetration testing and social engineering, including ‘red team’ exercises and information gathering assessments. Qualifications include CISMP and CompTIA Security+. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
