Online radicalisation and social engineering
There has been a lot of media coverage here in the UK about a young woman who previously left the UK as a teenager to go to Syria and join Islamic State. She has recently expressed her desire to return to the UK, causing widespread disagreement as to whether she and her new-born child should be allowed back in the country. Should we take the risk that this woman may commit terrorist acts when back in the UK? Or is it our duty to allow her and her child back?
The radicalisation process
Many people find the process of radicalisation hard to understand. You look at the end-result and can’t relate to how they got there. When I was working in intelligence I led a research project investigating how young British nationals were being targeted and radicalised online by terrorist recruiters from Islamic State. The aim was to convince them to leave for Syria and join the caliphate. Just as Shamima Begum did. Since then I have worked in the cyber-security sphere. From that perspective, I can see the similarities between what terrorist-recruiters were doing — grooming and radicalising young people — and the information security term “social engineering”.
Social engineering is a term used by the information and cyber-security industry. It relates to the process of “hacking humans”, tricking individuals into clicking a link, opening an email, or stealing company data on the criminal’s behalf. The manipulative tactics used by hackers on individuals and members of staff are the same as those used to get young, vulnerable kids to travel to Syria. Here’s how it’s done.
Choose your targets
One of the most effective ways of targeting European youngsters was online, bringing the world of the terrorist- recruiters into the bedrooms of vulnerable youngsters. Social media and YouTube were employed to make contact with their key demographic. Just as I, as a social engineer, would identify the key staff to target when testing a company’s security, so these recruiters knew the type of profiles they were looking for. Young, preferably vulnerable or troubled, perhaps they had suffered some bullying or family drama or were a bit of an outsider.
Create a social media profile to build rapport
Let’s say that their target was a fifteen-year-old boy from the U.K. They would make contact via a profile that was set up to look like a similarly aged individual, having examined their target’s profile and identified some of their likes and dislikes. Commonality builds rapport, making them more likely to like, listen and agree with what you say.
Introduce target to a new online community
Once this initial rapport is established they feed in key concepts that underpin their political messages, while staying as mainstream as possible. For example, an article from a western source and about the UK military in Iraq. Ideally with a human interest angle, perhaps a young boy who lost his mother and father in a bombing. Nothing that gives away the end-goal but could be used to point up the idea of the west’s reckless actions causing the deaths of innocent people. The fifteen-year-old agrees with you that this is horrifying and unjustified. The recruiter suggests he join an online group that airs these sorts of things. He does. The group consists of other fake profiles and a few genuine people further down the path toward radicalisation. The discussions start introducing more conspiracy- orientated theories about the west targeting Muslims deliberately.
The recruiter gradually suggests other people and news sources to the target’s social media feed. The more direct messages, likes, comments, tags they make with their targets, the more likely their posts would be on their home feed every day. This creates an echo chamber controlled by the recruiters which drowns out counter-narratives from other online contacts.
As their target becomes more comfortable with radical viewpoints, the recruiters’ strategies evolve. They show him videos and profiles of people who have joined the fight. For young boys, the recruiters would focus more on feeding them action videos of people firing guns, driving cars and blowing things up. For girls the focus is more on finding an ideal husband, nursing wounded people and saving innocent animals caught in the crossfire. They have their narratives perfected. Many would be encouraged to suggest other people as potential contacts and listen to more extreme religious views from people who were portrayed as scholars, such as Anjem Choudhry.
Interestingly, more often than not it was the victim who initiated travel to Syria, not the recruiter. They were then referred to another contact who would have a detailed action plan ready. They provided guidance on how to buy a plane ticket to Turkey and which were the best airports to fly from so you wouldn’t get stopped. Leave at a time of day when you wouldn’t be missed or tell your parents you were going to a friend’s house after school. They would tell their targets to erase their hard drives or, better still, take the hard drive with you. The plan was to leave no trace behind .Sadly, many young people right across Europe got caught up in this process and left for Syria. On arrival in Turkey they would often be met by Islamic State smugglers who would help them across the Syrian border and into training camps. Once there, messages would be sent from their profiles telling other “suitable” friends of the amazing time they were having. Whether it was even them writing the messages we will never know. Many who left for Syria have never been heard from again. A few now wish to return to the UK, USA and other European nations and those governments are faced with the difficult choice of managing these cases.
Online “radicalisation” and cybercrime
In my work helping companies with security, we are increasingly seeing cyber-attackers engaging in a very similar process to that just described. They find a member of staff, befriend them using a fake profile and bond with them to start introducing ideas about how the company they work for is corrupt or is committing immoral acts. They start asking them to steal data from the company, usually by photographing it on their phones. They will always feed some sort of “us versus themˮ narrative to their target and often paint what they are doing as activism. The company loses data, money and may even collapse. You may think that this could never work on me, that I could never be radicalised like this. However, there’s always a narrative that works, it’s just a matter of finding what it is. We are all of us different but each one of us can be got at, manipulated and fed a story that could take you down a path you never thought you would find yourself on.
What we can learn from online radicalisation
Anyone who contacts you online who’s unknown to you in the real world should be treated with extreme caution, no matter how similar and attractive they may appear. Balance your risks and categorise your social media. Look at your social media accounts and decide whether an account is to be personal or more public. For personal accounts, lock them down and limit the friends or followers to close friends and family. You can then post carefully curated posts and photos of your life. If you want followers, you should only post things you don’t mind the entire world seeing.
To build rapport an attacker needs information. In a security test, I need to gather information on the company and its staff for my attack. This information really helps me build credible pretexts and attacks. Cyber-attackers and terrorist-recruiters employ the same strategy. We need to start making them work a bit harder for their money and stop handing them so much information on a plate. We all need to be much more aware of our posts and interactions online.
Red Goat Cyber Security runs classroom based social engineering training in the UK and oversees for companies that want to defend against social engineering attacks. For more information on this training click here