We have all become familiar with the type of hacker who leverages their technical expertise to penetrate protected IT and digital systems and compromise sensitive data. We hear about this type of hacker in the news regularly, and we are motivated to counter their exploits by investing in new technologies that will bolster our network defenses.
However, there is another type of hacker whose maneuvers skirt our tools and solutions: the social engineers, hackers who exploit the one weakness that is found in each and every organization, human psychology. Using a variety of media, including phone calls and social media, these attackers trick people into giving them access to sensitive information and steal passwords for later use.
Social engineering is a term that is commonly used but poorly understood. It is generally defined as any type of attack that is nontechnical in nature and that involves some type of human interaction, with the goal of tricking or forcing a victim into revealing information or violating normal security practices.
Social engineering covers a wide range of malicious activity. The most common types of social engineering attack used against victims are phishing, pretexting, baiting, quid pro quo and tailgating.
1. Phishing is the most common type of social engineering attack used by attackers today. Phishing attacks typically have the following characteristics:
Seek to obtain personal information, such as names, addresses and social security numbers.
Use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate.
Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly.
Phishing is when a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.
2. Pretexting is a method of social engineering where attackers focus on creating a good pretext, or a made-up scenario, that they can use to try to obtain their targets’ private information. These attacks usually take the form of a scammer who pretends to need certain pieces of information from the target in order to confirm the target’s identity; the technique is used to gain both sensitive and non-sensitive information.
For instance, a group of scammers posed as representatives from modeling agencies and companion services, and created fake contextual stories and interview questions in order to have women, including teenage girls, send them nude pictures of themselves.
3. Baiting is in many ways similar to phishing attacks. However, what distinguishes baiting from other types of social engineering is the promise of an item or good that attackers use to entice targets. Baiters may offer users free music or movie downloads if they surrender their login credentials to a certain site.
Baiting attacks are not limited to online schemes, either. Attackers can also focus on exploiting human curiosity via the use of physical media.
4. A quid pro quo attack is one in which the social engineer pretends to provide something in exchange for the target’s information or assistance. This benefit usually takes the form of a service, whereas baiting frequently takes the form of a good.
One of the most common styles of quid pro quo attack involves fraudsters who impersonate IT service staff and spam-call as many direct numbers belonging to a company as they can find. These attackers offer IT assistance to each and every one of their victims. The fraudsters promise a quick fix in exchange for the employee disabling their AV program and installing malware on their computer that is disguised as a software update.
5. Tailgating, another social engineering attack type, is also known as “piggybacking.” These attacks involve someone who lacks the proper authentication following an employee into a restricted area.
In a typical tailgating attack, a person impersonates a delivery driver and waits outside a building. When an employee gains security’s approval and opens the door, the attacker asks the employee to hold the door, thereby gaining access on the back of someone who is authorized to enter the company.
Tailgating does not work in all corporate settings, such as in larger companies where all persons entering a building are required to swipe a card. However, in mid-size enterprises, attackers can strike up conversations with employees and use this show of familiarity to successfully get past the front desk.
Tips to Remember:
Slow down. Attackers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics, be skeptical; never let their urgency affect your careful review.
Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.
Don’t let a link be in control of where you land. Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.
Email hijacking is rampant. Hackers, spammers and social engineers taking over control of people’s email accounts has become widespread. Once they control an email account, they prey on the trust of the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment, check with your friend before opening links or downloading.
Beware of any download. Unless you know the sender personally and are expecting a file from them, downloading anything is a mistake.
Foreign offers are fake. If you receive an email from a foreign lottery or sweepstakes, money from an unknown relative, or a request to transfer funds from a foreign country for a share of the money, it is guaranteed to be a scam.
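The link tricks called out in the phishing section (shortened links, links that look legitimate but lead elsewhere) and in the “don’t let a link be in control” tip above can be checked mechanically before anyone clicks. The following Python checker is an added example, not code from the original article; the shortener list, the bank.example domain and the sample message are constructed assumptions.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}  # assumption: short illustrative list

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return [(href, [reasons])] for links that show the phishing traits the article lists."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed, reasons = urlparse(href), []
        host = parsed.hostname or ""  # .hostname is already lowercased
        # Visible text looks like a URL, but its host differs from the real destination.
        if text.lower().startswith(("http://", "https://")) and urlparse(text).hostname != host:
            reasons.append("display text URL differs from real destination")
        if host in SHORTENER_HOSTS:
            reasons.append("link shortener hides destination")
        try:
            ipaddress.ip_address(host)  # raises ValueError for an ordinary host name
            reasons.append("raw IP address instead of a domain")
        except ValueError:
            pass
        # "https://www.bank.example@evil.test/" shows a trusted name before '@' but goes to evil.test
        if parsed.username:
            reasons.append("user-info before '@' disguises the real host")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample email body (not a real message); bank.example is a placeholder domain.
SAMPLE_EMAIL = """<a href="https://bit.ly/3abcXYZ">https://www.bank.example/login</a>
<a href="http://198.51.100.7/update.exe">Install the security update</a>
<a href="https://www.bank.example@login-verify.test/">Verify now</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags all three constructed links, while a plain link such as `<a href="https://www.bank.example/help">Help</a>` produces no finding; the hover-the-link advice above is what this automates, and a mail gateway or awareness tool can apply the same rules.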
Ways to Protect Yourself:
Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.
Do not open any emails from untrusted sources. Be sure to contact a friend or family member in person or via phone if you ever receive an email message that seems unlike them in any way.
Do not give offers from strangers the benefit of the doubt. If they seem too good to be true, they probably are.
Lock your laptop whenever you are away from your workstation.
Purchase anti-virus software. No AV solution can defend against every threat that seeks to jeopardize users’ information, but it can help protect against some.
Conduct a phishing campaign. Some penetration testing tools (for example, Metasploit Pro) can run simulated phishing campaigns; use such tools to find out which employees are vulnerable to social engineering and give them awareness training.