Social Engineering Attacks

A social engineering attack targets a user rather than a system and usually involves some form of social interaction. The weakness it exploits is not a lack of technical expertise or even of security awareness; it is the way people behave toward one another.
Fundamentally, social engineering manipulates the social side of interpersonal interaction. It preys on traits we normally value. Willingness to help, for example, is exactly what we want in a team: we promote helpful employees and penalize unhelpful ones because we want staff who support one another.

How can this be abused when cooperation and teamwork are cornerstones of the workplace culture? It is not easy, but several deceptive tactics work. One is to become familiar with the group and appear to be part of it: an attacker who joins a conversation using the right vocabulary and plausible knowledge, drops the right names, and ties their story to current events and expectations blends in unnoticed. Another is to arrive at a badge-controlled door at the same time as an employee, with an ID card visible and something in both hands; the employee will very likely hold the door open. Chatting on the walk to the door about anything that makes you seem to belong makes this even more effective. The tactic works because people want to help.

A second strategy is to manufacture a hostile situation. People tend to avoid conflict and side with its victim, so an attacker who is visibly losing a heated and obviously unfair argument as they enter the group they want to join can quickly connect with anyone who has been treated the same way. The attacker plays on their empathy and sense of fairness, then uses the resulting sympathy to build a relationship.

A skilled social engineer also knows how to influence people with body language: when to smile, how to mirror gestures, and how to signal with posture and expression rather than words.
Anyone who has persuaded someone to do something through body language rather than a direct request understands this game, and people on both sides of an interaction play it to get what they want.

The best defense against social engineering is a thorough training and awareness program that covers it explicitly. This does not mean teaching staff to be unhelpful or obstinate. Training should stress being helpful and cooperative, but within a setting where trust is established through procedure, so that following the procedure carries no social stigma. Transportation Security Administration (TSA) screening is a useful model: staff apply fixed protocols to everyone, which makes them very hard to social-engineer past, yet they generally do so in a courteous and helpful manner while ensuring the screening is always completed.

The techniques frequently used in social engineering attacks are described below.

Phishing

Phishing is the most common form of social engineering. Attackers send deceptive emails, messages, or websites designed to trick victims into revealing sensitive information.

Common examples:

  • Fake password reset emails

  • “Account Suspension” notices

  • Fraudulent bank or payment gateway messages

The attacker is after bank account details, credit card numbers, usernames, and passwords. The message typically directs the recipient to a website that appears to belong to a trustworthy organization, such as PayPal or eBay, both of which have been widely imitated in phishing campaigns.

The site the user actually visits is not owned by the legitimate organization, and it requests information that can be used in a later attack. Often the user is told that their account has been compromised and asked to "confirm" their details by entering their account information "for security reasons."

Another common scenario is a mass email purporting to come from a bank, announcing a security breach and directing recipients to click a link to confirm that their account has not been compromised. The link leads to a site that looks like the bank's but is under the attacker's control, and when the user enters their account ID and password "for verification," they are handing them to the attacker.
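The tell-tale signs described above (link text that names a trusted brand while the href points elsewhere, a host that merely contains a brand name, a bare IP address as the destination) can be checked mechanically. The following is an added example, not code from the original page: a small heuristic link checker over an HTML email body. The trusted-domain list and the sample email are constructed for the demo; the hosts in it are placeholders, not real phishing infrastructure.

```python
"""Flag phishing-style links in an HTML email body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hypothetical "known good" domains for brands attackers like to imitate.
TRUSTED_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
    "examplebank": {"examplebank.com"},
}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the .com-style demo domains."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_link(href, text):
    """Return the reasons this link looks like phishing (empty list if clean)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if not host:
        return reasons
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("href host is a bare IP address")
    if parsed.scheme == "http":
        reasons.append("href uses plaintext http")
    href_dom = registrable_domain(host)
    for brand, good in TRUSTED_DOMAINS.items():
        mentioned = brand in text.lower() or brand in host.lower()
        if mentioned and href_dom not in good:
            reasons.append(f"mentions '{brand}' but href resolves to {href_dom}")
    # Visible text that is itself a URL on a different domain is classic bait.
    m = re.search(r"https?://([^/\s]+)", text)
    if m and registrable_domain(m.group(1)) != href_dom:
        reasons.append(f"link text shows {m.group(1)} but href goes to {host}")
    return reasons


def find_suspicious_links(html):
    """All (href, text, reasons) triples with at least one reason."""
    parser = _LinkExtractor()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        reasons = analyze_link(href, text)
        if reasons:
            out.append((href, text, reasons))
    return out


# Constructed sample message, modeled on the "account limited" lure above.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been limited.</p>
<p><a href="http://paypal.com.secure-verify.example/login">https://www.paypal.com/signin</a></p>
<p>Questions? Visit <a href="https://www.paypal.com/help">PayPal Help</a>.</p>
<p><a href="http://203.0.113.7/update">Update billing</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(href, "<-", repr(text))
        for r in reasons:
            print("   ", r)
```

The registrable-domain helper is deliberately naive; a production check would use the Public Suffix List so that `example.co.uk` is not split wrongly, and would also look for homoglyphs and punycode hosts.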

Vishing

Vishing (voice phishing) uses phone calls to trick people into giving up sensitive information or taking actions that compromise security. It exploits the trust many people still place in the telephone system: few realize that Voice over IP (VoIP) lets an attacker spoof the caller ID of a trustworthy organization. These attacks can also abuse voice messaging. The attacker uses the call to establish trust and then exploits it, typically to obtain data usable for identity theft, such as credit card numbers. One common pattern is an email asking the user to call a number that is answered by a compromised or attacker-controlled voice message system; another is a recorded message that appears to come from a trusted source. In both cases the user is urged to respond immediately and supply the private data "to avoid losing access to the account." Anyone who receives such a message should not use the number it provides. Instead, look up a phone number from the organization's genuine website or a real account statement, contact the organization that way to confirm whether the message was authentic, and report the vishing attempt.

Smishing

Smishing is SMS phishing: fraudulent text messages that lure victims into visiting malicious sites or disclosing private information. The attack starts with a Short Message Service (SMS) message that points the recipient to a URL serving malware or some other attack vector. It works mainly because the message relies on threat and urgency, for example: "You are subscribed to ABC service, which will begin regular billing of $10 a month. To unsubscribe before billing occurs, click here." Once the user taps the link, the second stage of the attack can begin.

Spear Phishing

Spear phishing is the term for a phishing attack aimed at a particular individual or at a group sharing a common characteristic, such as senior executives. Because the message is tailored, it appears far more credible than one sent to users at random, so the response rate (successful attacks divided by messages sent) is typically much higher. Unlike broad phishing campaigns, spear phishing draws on personal information gathered through research to craft a convincing message.

Shoulder Surfing

Shoulder surfing is a social engineering technique in which the attacker observes a person directly as they enter sensitive data such as passwords, PINs, or credit card numbers. The attacker may simply glance over a coworker's shoulder at work, or set up a camera or use binoculars to watch from a distance. Targets include calling card or credit card numbers, the entry code at a secure gate or door, and the personal identification number (PIN) at an automated teller machine (ATM). Many locations now surround keypads with a privacy screen or filter that makes the entry hard to watch. More advanced pads scramble the digit positions, so the top row may show 1, 2, 3 on one occasion and 4, 8, 0 on the next. This slows the user slightly but defeats an observer who sees only which keys were pressed (or the smudges left on them) and later repeats the same button sequence, because the positions change every time. Note the limit of this defense: an attacker who can read the digits themselves, for instance from a well-placed camera, still gets the PIN.
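The scrambled keypad above is easy to model. The block below is an added example, not from the original page: it simulates a pad that reshuffles which digit sits under each key for every prompt, an observer who records only the key positions pressed, and a later replay of those positions. It also gives the exact probability that such a replay succeeds. Layouts are drawn from the OS CSPRNG via `secrets`, as a real pad's should be; the PINs and layouts used for illustration are constructed.

```python
"""Why a scrambled PIN pad defeats position replay (added example)."""
import secrets
from math import perm

DIGITS = "0123456789"
_rng = secrets.SystemRandom()


def new_layout():
    """Fresh random layout: layout[position] is the digit shown on that key."""
    digits = list(DIGITS)
    _rng.shuffle(digits)
    return digits


def fixed_layout():
    """Conventional pad with 0-9 in fixed positions."""
    return list(DIGITS)


def positions_for(pin, layout):
    """Key positions an honest user presses to enter `pin` under `layout`."""
    return [layout.index(d) for d in pin]


def digits_for(positions, layout):
    """Digits actually entered when `positions` are pressed under `layout`."""
    return "".join(layout[p] for p in positions)


def replay_attack(pin, observed_layout, later_layout):
    """Observer saw only key positions under observed_layout (hand movement,
    smudges) and replays them under later_layout."""
    return digits_for(positions_for(pin, observed_layout), later_layout)


def replay_success_probability(pin):
    """Chance a position replay matches under an independent fresh layout:
    the k distinct positions must all receive the same digits again."""
    k = len(set(pin))
    return 1 / perm(10, k)


def estimate_replay_rate(pin, trials=20000):
    """Monte Carlo check of replay_success_probability."""
    hits = sum(replay_attack(pin, new_layout(), new_layout()) == pin for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    pin = "4271"  # constructed demo PIN
    print("fixed pad, replay enters:", replay_attack(pin, fixed_layout(), fixed_layout()))
    print("scrambled pad, replay enters:", replay_attack(pin, new_layout(), new_layout()))
    print("P(replay succeeds) =", replay_success_probability(pin))
    print("estimated:", estimate_replay_rate(pin))
```

Two things fall out of the model. A PIN with fewer distinct digits is easier to replay (`1111` survives a reshuffle one time in ten), and an observer who reads the digits rather than the positions is unaffected, which is why the scrambling complements a privacy screen rather than replacing it.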

Tailgating

Tailgating, or piggybacking, is the simple tactic of following closely behind someone who has just used their own access card or PIN to enter a room or building. People in a hurry often skip physical security procedures, and attackers know it and exploit it. The attacker gets in without an access card or knowledge of the code. Like shoulder surfing, it depends on an authorized user who is not following security protocol. The attacker will often strike up a conversation with the target before they reach the door so that the target feels comfortable letting them in without a challenge; this is where piggybacking and social engineering connect.

Both shoulder surfing and piggybacking succeed only through an authorized user's lax security, so both are handled by training staff to follow simple rules: do not let anyone watch you enter credentials, and do not let anyone through a controlled door on your badge. A stronger control against piggybacking is a mantrap: a small vestibule with two interlocked doors, sized so that only one person fits, in which the second door does not open until the first has closed.

Whaling

Whales are high-value targets, so a whaling attack is one aimed at a high-value individual such as a CEO or CFO. Rather than hitting many targets and waiting for a response, the attacker invests in maximizing the chance of success against one. Spear phishing is the usual vehicle, with the message crafted to look like the target's ordinary business correspondence. The difference from ordinary phishing is only that the target population is small, so the attacker cannot rely on random returns from a large pool; otherwise whales are deceived like anyone else.

Identity Fraud

Identity fraud is the use of a false identity or false credentials to accomplish a goal. In its broader sense it includes illegally obtaining and using another person's personal information (name, Social Security number, credit card or bank account details) to commit fraud or other crimes. The risk ranges from minor, such as posing as the person who waters the plants, to high, such as posing as an official of a government agency or a regulator. An attacker might pose as a delivery agent and attempt direct delivery to the server room with a box, or better still a server; this works best when the victim is expecting the delivery, as with a failing server under a repair warranty. Identity fraud can also be committed online, deceiving the victim with information the attacker already knows about the person being impersonated. Like most social engineering attacks, it is countered by strict standards and procedures: all visitors who need access are escorted, without exception, and all packages go to the security desk. Disclosure and access policies should admit no exceptions either, whether for granting access to a third party or for changing passwords. Following the rules works; look at TSA security, where bypassing the line is not an option even if the screening's effectiveness is debated. Consistent procedure defeats most social engineering attacks.

Credential Harvesting

Credential harvesting is the collection of usernames, passwords, and other login information, usually by deception and often at scale.

A common method starts with a phishing email that persuades the user to click a link leading to a copy of their bank's login page. When the user enters their user ID and password, the credentials are captured and stored for the criminal's later use. The page looks right, and users rarely check the address bar or the certificate behind the browser's lock icon.

Getting credentials is the only goal of a harvest. Once the harvesting site has them, it either redirects the victim to the real page or shows an error and a fresh link to the real site so the victim can "try again"; either way the point is to hide the fact that the credentials were stolen. Because this attack is so successful, financial institutions now routinely require an out-of-band second factor alongside the user ID and password, precisely to stop replay of harvested credentials. This adds complexity and inconvenience for the user but has become standard practice. One caveat: a one-time code typed into the same fake form can itself be harvested and relayed within its validity window, so factors bound to the genuine site's origin, such as FIDO2/WebAuthn, resist harvesting better than codes do.

Dumpster Diving

Dumpster diving is the security world's term for searching through a target's trash for information useful in a penetration attempt. An attacker with physical access to the target's refuse can usually find something: small pieces of information that help an attack and, if the target's security is very lax, even user IDs and passwords. The technique is not exclusive to the computing community; identity thieves, private investigators, and law enforcement officers have used it for many years to gather information on a person or organization.

The attacker may collect a wide range of data this way to support a later social engineering attack. In many jurisdictions, trash is no longer regarded as private property once it has been discarded, and even where dumpster diving is prohibited, enforcement is often lax. Organizations should therefore have disposal policies: shred sensitive documents, and consider locking dumpsters so that no one can search them. Individuals should likewise shred sensitive or confidential papers; weighed against the potential loss from identity theft, a decent shredder is well worth its modest cost.

Spam over Instant Messaging (SPIM)

SPIM is a less well-known form of spam: unsolicited messages sent over an instant messaging program. Like email spam, malicious SPIM tries to trick an unwary user into clicking a harmful link or attachment, which starts the attack.

Pharming

Pharming tricks people into visiting fraudulent websites that appear authentic, without requiring them to fall for a message first. Phishing reaches targets one at a time through email, and the recipient must act (click a link, reply with personal information) to become a victim. Pharming instead subverts name resolution: DNS cache poisoning inserts bogus records into a resolver so that a legitimate hostname resolves to the attacker's IP address, or malware edits the victim's local hosts file, which the operating system consults before DNS, to map the hostname to the attacker's server. The user types the correct URL, lands on the fraudulent site, and may enter personal information believing the site is genuine.
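Both redirection mechanisms named above leave evidence on the victim side that can be checked. The block below is an added example, not part of the original page: it parses a hosts file and flags entries that override a monitored domain, and it compares the A records a local resolver returned against an independent reference answer. The hosts text, resolver answers, monitored domains and addresses are all constructed placeholders (RFC 5737 documentation ranges), not real infrastructure.

```python
"""Detecting pharming-style tampering with name resolution (added example)."""
import ipaddress

# Hypothetical list of domains whose resolution we care about.
MONITORED = {"examplebank.com", "paypal.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text. Comments and blank
    lines are skipped; one line may name several hosts."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a stricter auditor would flag it
        for name in parts[1:]:
            entries.append((str(ip), name.lower().rstrip(".")))
    return entries


def _is_monitored(name):
    return any(name == d or name.endswith("." + d) for d in MONITORED)


def hosts_overrides(text):
    """Entries that touch a monitored domain. Loopback/unspecified targets only
    block the site ("sinkhole"); anything else sends the user elsewhere
    ("redirect"), which is the pharming case."""
    flagged = []
    for ip, name in parse_hosts(text):
        if not _is_monitored(name):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "sinkhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        flagged.append((name, ip, kind))
    return flagged


def resolver_mismatches(local_answers, reference_answers):
    """Names for which the local resolver returned an address outside the
    reference set. Both arguments are {name: set of IP strings}."""
    diffs = {}
    for name, ref in reference_answers.items():
        local = local_answers.get(name, set())
        if local and not local <= ref:
            diffs[name] = {"local": sorted(local), "reference": sorted(ref)}
    return diffs


SAMPLE_HOSTS = """\
# Constructed sample hosts file for the demo
127.0.0.1     localhost
::1           localhost ip6-localhost
0.0.0.0       ads.example                          # ad-block sinkhole, benign
203.0.113.45  www.examplebank.com examplebank.com  # injected by malware
198.51.100.9  login.paypal.com
127.0.0.1     m.paypal.com                         # blocks rather than redirects
"""

# Constructed answers: what the victim's resolver said vs. the authoritative view.
LOCAL_ANSWERS = {"www.examplebank.com": {"203.0.113.45"}, "www.example.org": {"192.0.2.10"}}
REFERENCE_ANSWERS = {"www.examplebank.com": {"192.0.2.80", "192.0.2.81"},
                     "www.example.org": {"192.0.2.10"}}

if __name__ == "__main__":
    for name, ip, kind in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip} ({kind})")
    for name, d in resolver_mismatches(LOCAL_ANSWERS, REFERENCE_ANSWERS).items():
        print(f"resolver mismatch: {name} local={d['local']} reference={d['reference']}")
```

For the resolver comparison, take the reference answer from the domain's authoritative name servers (or a DNSSEC-validating resolver), not from an arbitrary public recursive resolver; CDN and GeoDNS deployments legitimately return different addresses to different clients and would otherwise produce false positives.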

Eliciting Information

Information can be elicited by calling the help desk or technical support. Those teams exist to help, and a skilled social engineer uses a range of psychological strategies to persuade them to take actions that undermine security: impersonating an employee to obtain a password reset, system details, or other useful data. The call can also go the other way, with the social engineer posing as a help desk or tech support representative and phoning staff to extract system status and other details for later use.
