Social Engineering : Hacking the Human Vulnerabilities

Image : Zootopia 
Social engineering has become the biggest cyber threat today. In social engineering, the target is a human, who cannot be patched. Humans  continues to carry zero day vulnerabilities. Humans are most vulnerable end point.

An attacker using social engineering techniques to deceive and manipulate a victim  to divulge sensitive information like  credentials. The attacker then uses the information obtained to gain unauthorized access to systems to carry out an attack.

Social engineering criminals hide their true identities and motives, presenting themselves as trusted individuals or high ranking officials of the organisation. Their objective is to deceive, trick, influence, and manipulate the victim to give information willingly. They exploit fear, greed,  curiosity, fatigue, ambition, urgency, helpfulness, empathy imotions of people. 

Social engineering is a popular tactic among attackers because it is quite easier to exploit people than to find a network or software vulnerability. 

Following are the most common social engineering techniques, which can use various attack vectors logically online or physically offline.

1. Phishing

The threat actor uses deceptive emails, instant messages,  and websites to misguided and steal sensitive information from unsuspecting victims. The  victim believing that the message is legitimate,  clicks on the suspicious link, visits to a malacious web site, or download a malware attachment.

2. Spear Phishing

This is a highly targeted attack against known individuals in top management. Unlike sending mass phishing emails, the attacker do an in-depth research on potential victims with specific objectives to harm the organisation.

3. Baiting

The cyber criminal operating online or physical spaces, develops a cordial relationship with the victim offering a reward in return for sensitive information or partnering on a hack. Some insider attacks initiated with bating.

3. Ransomware 

The cyber criminal sends an urgently worded message tricking the victims to install a malware on their computer. The malware encrypts  the content of the computer. Then demands a payment in crypto currency to decrypt data. Large corporations has become victims of ransomware.

5. Pretexting

This attacker assumes a false identity to trick victims into divulge sensitive information acting as banks, credit card providers, and utility companies.

6. Quid Pro Quo

This attacker convince the victim to exchange of information, offering to provide “assistance,” assuming identities like tech support executives. 

7. Tailgating

The cyber criminal gains physical access to a secure building or area, by following a  victims pretending as a new employee. The victim may hold the door open for the attacker due to misguided courtesy.

8. Vishing 

The cyber criminals leaves urgent voicemails to convince victims they must act quickly to avoid an arrest or another risk. 

9. Water-Holing

This technique infects a website visited by targeted victims with a malware. The infection then spreads to the victims’ organization.

10. An attacker might pretend to be a co-worker who has some kind of urgent problem that requires access to additional network resources.

11. Whaling.

This  is a type of phishing attack that targets high-profile employees, such as the chief executive officer or chief financial officer into disclosing sensitive information.

12. Diversion theft

The attacker uses a courier company into going to the wrong pickup or drop-off location, thus intercepting the transaction.

13. Honey trap

The attacker pretends to be an attractive person to interact with a person online, fake an online relationship and gather sensitive information through that relationship.

14. Rogue security software

This is a  type of malware that tricks targets into paying for the fake removal of malware.

15. Dumpster diving

The attacker searches though trash to find information, such as passwords or access codes written on sticky notes or scraps of paper, that could be used to infiltrate the organization's network.

16. Pharming

Cyber criminals install malicious code on a computer or server that automatically directs the user to a malicious website, where the user may be tricked into providing personal information.

Most social engineering attacks are well planned through research and reconnaissance on the target. The attacker gathers  intelligence on the organization structure, culture, management , operations, events, systems , service providers and partners etc. They also research on the behaviors and patterns of employees who has low-level access to systems. Attackers scan social media profiles of staff whome they can easily trick. The criminal then design an attack based on the information collected and exploit the vulnerabilities uncovered during the reconnaissance. Once the initial intrusion is successful, the attacker use additional tools or programs in the system to escalate the previlages to steal sensitive data.

Preventing social engineering

  • User awareness is the most effective strategy to preventing social engineering attacks.
  • Implement secure email and web gateways to scan incoming emails for malicious links. Then filter them out to reduce the probability of attacks. 
  • Keep anti-malware and antivirus software up to date. 
  • Stay up to date with software and firmware patches on endpoints.
  • Create a culture of password hygiene and secure remote work practices.
  • Keep track of staff members who handle sensitive information, and enable advanced authentication measures.
  • Implement 2FA to access key accounts, where confirmation code send via text message or voice recognition.
  • Instruct employees not to use the same passwords for personal and work accounts. If the attackers gains access to employee's social media account, they could also gain access to the employee's work accounts.
  • Implement spam filters.  spam filter might have a blacklist of suspicious IP addresses or sender IDs, detect suspicious files or links, as well as analyze the content of emails to determine which may be fake.

Following are some famous social engineering attacks.

  • $100 Million Google and Facebook Spear Phishing Scam.
  • Email phishing attack on US Department of Labor
  • Russian spear phishing attack on Ukraine 
  • Deepfake Attack on UK Energy Company
  • $60 Million FACC CEO Fraud
  • Microsoft 365 phishing scam
  • 2022 Uber Attack 
  • Google Drive collaboration scam
  • 419 Nigerian money scam

Think before you click. Research the source. Don’t download unknown files. Free offers and prizes can be fake. Never share personal information or passwords. Reject requests for help or offers of help from unknown people. Set your spam filters to high. Secure your devices. Always be mindful on risks. 

In social engineering, you are the last line of defence. As an end user, you are responsible yourself to monitor your own activities. Never become a victim of social engineering.

Niranjan Meegammana 

Comments

Popular posts from this blog

The 7 Layers of Cyber Security : Attacks on OSI model

Best Practices for secure Software Development

ISO 27001 ISMS in a Nutshell