Social Engineering: The Greyjoy of Pyke

By Jeff Aldorisio

Posted on May 20, 2019

As Lord Balon Greyjoy, founder of the Kingdom of the Iron Islands once said, “We do not plow the field or toil in the mine. We take what is ours.” Lord Balon, murdered by his brother Euron, declared the Iron Islands sovereign, seceding from the Seven Kingdoms during the Greyjoy Rebellion. Seated at castle Pyke, the Greyjoys and their kingdom survive raiding neighbors. In the same way, cybercriminals use social engineering to steal from their cyber “neighbors.”

Social Engineering: The Greyjoys of cyber security

Social engineering is a technical term for “manipulating people into giving away their information.” Unlike most media representations of cybercriminals, today’s malicious actors prey upon psychological weaknesses. They create a sense of urgency to stimulate people emotion then overwhelm their victims with information. Once they have created a heightened emotional state and overwhelmed the person, they suggest a set of actions that can resolve the emotional struggle.

Throughout their history, the Greyjoys create and destroy alliances - between themselves and with others. Theon Greyjoy, a ward of the Starks, lives at Winterfell, befriending the family and securing their trust. However, when his father Balon chooses to attack the North, he pledges allegiance to his birth family, takes control of Winterfell, and captures the youngest Stark sons, Bran and Rickon. Balon later returns the treachery by abandoning Theon and leaving him in the hands of the murderous torturer, Ramsay Bolton.

They Greyjoy line, much like cybercriminals engaging in social engineering attacks, first create seek to establish an emotional connection then use that against their victims.

Search Engine Phishing: The Theon Greyjoy

As search engines such as Google or Bing become more ingrained in society, cybcriminals have found a way to exploit them. Malicious actors create fake websites, then optimize them the same way legitimate businesses do. When people do an internet search, the fake site shows up on the search list and users click through. The fake website, although optimized for a legitimate search through a legitimate website, tricks the users into providing information that can lead to stolen credentials.

In the same way, Theon Greyjoy lived with the Starks and won Robb Stark’s trust. When Robb trusts him to go on a legitimate mission to secure help from his father Balon, Theon chooses to side with the Greyjoys, abandoning the Starks and kidnapping two of the Stark children. Later, tortured and brainwashed by Ramsay Bolton, Theon infiltrates the Ironborn military and obtains their surrender, only to have Bolton murder the troops anyway.

Theon’s actions, much like those of a search engine phishing campaign, often appear legitimate to others, yet they often have dangerous and criminal consequences.

Spear Phishing/Whaling: Euron Greyjoy

While early email phishing attacks sent emails to a broad spectrum of unknown users, cybercriminals now focus on spear phishing and whaling. In a spear phishing attack, cybercriminals target individuals who share a common group, such as working for the same company.

A whaling attack is a subset of spear phishing. Targeting an organization's users, the cybercriminal creates fake emails that appear to come from a senior executive. By using the senior executive, the malicious actor heightens the employees’ sense of urgency which pushes them to respond.

Euron Greyjoy, seeking nothing more than power, becomes Cersei Lannister’s ally. Despite the distrust that lingers between the Greyjoys and Lannisters, the two create an alliance founded on destroying their relatives who sided with Daenerys. When Cersei refuses Euron’s marriage proposal, he promises to bring her a gift, one which will ultimately convince her to trust him. Euron Greyjoy becomes an accepted, and to an extent trusted, member of King’s Landing precisely because he infiltrates it from the top. Although Cersei does not trust Euron, her willingness to work with him provides him a veneer of legitimacy.

In the same way that cybercriminals spear phishing and whaling campaigns to trick people into trusting them since they appear linked to the organization, so does Euron attempt to gain the Iron Throne by establishing a shaky alliance with Cersei.

Social Media Phishing: The Yara Greyjoy

Malicious actors use social media websites to attract new victims. In some cases, they obtain unauthorized access to an account and then send create malicious links to the person’s friends using messenger applications. In other cases, they post fake contests that require people to input information that can later be used to steal credentials.  In still others, they impersonate a brand’s customer support social media account which tricks people into providing information.

Yara Greyjoy is perhaps the most honorable member of House Greyjoy. Her reputation as a warrior earns her support for the Salt Throne, until Euron undermines her. After losing the challenge for the Salt Throne, Yara and her loyalists flee. Yara, unlike the male Greyjoys, possesses both physical strength and political savvy. After she forges an alliance with Daenerys, Euron captures her and imprisons her. Yara’s ability to connect with people saves her, as her loyalists rescue her by infiltrating Euron’s prison.

In the same way Yara’s ability to use social networking as a tool to gain loyalty and infiltrate her enemies’ prisons, so do malicious actors use the trust built on social networking sites to obtain user information.

Cybercriminals obtain information not just by breaking into networks, systems, and software, but also through social engineering attacks where they manipulate into voluntarily providing information in much the same way that House Greyjoy, master manipulators, rise to power by socially engineering those around them.

This series was a labor of love from tech writer Karen Walsh, an extremely talented SecurityScorecard consultant and major contributor to our ongoing offerings of relevant news, blogs and reports.  This is Karen’s final blog contribution before she moves on to a full time job. And while we’re saddened enough by her departure to sarcastically call her “dead to us”, the SecurityScorecard team truly wishes her well in her future endeavors and is extremely grateful for the time spent.  Thank you Karen, your legacy will live on in our hearts and in your repurposed materials.

Security Research in your Inbox

Thanks for siging up for the newsletter!

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!

Request a Demo

Thank you for requesting a demo!