Social engineering attacks are more prevalent than most people think, mainly because they are comparatively easy to carry out. Social engineering is the term used for a broad range of malicious activities accomplished through human interaction rather than through a technical exploit.

People are the weakest link in the security chain, and in recent years attackers have increasingly used social engineering techniques to exploit them. In essence, the attacker tries to convince someone to hand over confidential information, or to perform an action on the attacker's behalf, using psychological manipulation to get there.

Social engineering attacks generally happen in one or more steps:

  1. Investigation: the attacker researches the intended victim to gather the background information needed for a convincing approach.
  2. Hook: the attacker engages the victim and works to gain their trust.
  3. Exploitation: once trust has been won, the attacker asks the victim for sensitive information (for example passwords or internal IP addresses) or for an action such as opening an attachment. The victim, who trusts the attacker, complies.

Social engineering is a popular tactic among attackers because it is often easier to exploit users' weaknesses than to find a network or software vulnerability. Mistakes made by legitimate users are far less predictable than the behaviour of malware, which makes them harder to detect and block.

Source: imperva.com


Types of Social Engineering Attacks

Popular types of social engineering attacks include:

Phishing Attack: These attacks exploit human error to harvest credentials or spread malware. The attacker sends a fraudulent email disguised as a legitimate one, often purporting to come from a trusted source. The message is designed to trick the recipient into sharing personal or financial information, or into clicking a link that installs malware. We have a separate post about this type of attack.

Spear Phishing Attack: Like phishing, but tailored to a specific individual or organization, using details gathered about the target to make the message convincing. It is a more in-depth, higher-effort version of phishing. Learn more about spear phishing attacks.

Vishing (Voice Phishing) Attack: This attack uses the telephone to gather personal and financial information from the target. Read more about vishing attacks.

Scareware Attack: This attack involves tricking the victim into believing their computer is infected with malware or has inadvertently downloaded illegal content. The attacker then offers a "solution" to the bogus problem, typically a fake anti-virus product that is itself malware designed to steal the victim's personal information. In other words, scareware exploits the user's fear to push them into installing fake security software.

Baiting Attack: Baiting is when an attacker leaves a malware-infected physical device, such as a USB flash drive, in a place where it is sure to be found. Victims pick up the bait out of curiosity and plug it into a work or home computer, and the malware is installed either automatically (where autorun is still enabled) or when the victim opens a file on the device. Baiting can also be done online: enticing ads that lead to malicious sites or encourage users to download a malware-infected application. (In that form it resembles a scareware attack.) Learn more about baiting attacks.

Water-Holing (Watering Hole) Attack: The attacker targets a specific group of people by infecting websites they are known to visit and trust, in order to gain access to their network. Legitimate, popular websites are the usual focus. The attacker first identifies the sites the target group frequents (the "watering hole"), then looks for vulnerabilities in those sites and injects malicious code, usually JavaScript or HTML. That code redirects visitors to a different site hosting malware or malvertisements, or exploits the visitor's browser directly, so the victims' machines are infected simply by visiting a site they trust. Victims are often employees of government offices or large organizations.

Pretexting Attack: This attack is when one party lies to another to gain access to sensitive data. The attacker invents a pretext, a plausible scenario and identity such as an auditor or an IT technician, and claims to need sensitive information from the victim in order to perform a critical task.

Quid pro quo Attack: In this attack the social engineer pretends to provide something in exchange for the target's information or assistance (in Latin, "quid pro quo" means "something for something"). It is commonly carried out by low-level attackers who have no advanced tools at their disposal and do little research on their targets. For example, an attacker calls a selection of random extensions within an organization, claiming to be new technical support staff who can help. Eventually they reach someone who has a problem and also has high-privilege network access; the attacker then "helps" by having the target type commands that launch malware, or by collecting the target's password.

Honey Trap Attack: An attack in which the social engineer pretends to be romantically or sexually interested in the victim, fakes an online relationship and gathers sensitive information through it. This attack is very similar to confidence and romance fraud.

Tailgating (Piggybacking) Attack: This attack is when an attacker walks into a secured building by following someone who has an authorized access card. Scam artists can simply befriend an employee near the entrance, or arrive with their hands full, and ask them to hold the door, thereby gaining access to a restricted area without ever presenting a credential.

Rogue (Rogue Security Software) Attack: This attack is very similar to a scareware attack. The rogue is malware that masquerades as legitimate security software. It generates pop-up windows and alerts advising the user to download the "security software", and presents the user with several agreements or scenarios; clicking "yes" on any of them downloads the rogue software to the user's computer, which is then effectively under the attacker's control.

Diversion Theft: In this type of attack, the social engineer tricks a delivery or courier company into going to the wrong pickup or drop-off location, thereby intercepting the transaction. What should have been delivered to the legitimate recipient is instead delivered to a location the attacker controls.


How to Defend Against Social Engineering Attacks?

  • Users should be aware: The most important step in protecting users and the organization against social engineering attacks is to inform all users, at all levels and in all departments, systematically and continuously about the types of attack described above and how to report a suspected one.
  • Penetration testing: Security experts recommend that IT departments regularly carry out penetration tests that use social engineering techniques. This helps administrators learn which groups of users are most at risk from specific types of attack. Read our post about penetration testing.
  • Two-factor authentication (2FA): One of the most effective countermeasures. 2FA combines two methods of identity confirmation, something you know (a password) and something you have (a phone app or hardware token), so a password captured by phishing is not enough on its own. Note that one-time codes can still be relayed by a real-time phishing proxy; phishing-resistant factors such as FIDO2/WebAuthn security keys hold up better against that. Read more about 2FA and MFA.
  • Using anti-malware: Anti-malware suites include components that inspect web communications, typically named along the lines of Web Control, Web Anti-Virus, Mail Anti-Virus and IM Anti-Virus. One of their most important tasks is to check the destination when the user clicks a link (in the browser, in an email or in an instant messenger) and, if the page is known or suspected to be dangerous, block it before it loads.
  • Operating system updates: All computers must receive the latest operating system and application updates, so that the link or attachment a victim does open has fewer vulnerabilities to exploit.
  • Password policy: Organizations should enforce strict password management policies. Forced periodic rotation used to be the standard advice, but current guidance (NIST SP 800-63B) is to require a change when compromise is suspected, for example after a phishing incident, and to screen new passwords against lists of known-breached passwords. Operating systems can enforce either kind of policy centrally.
  • Web Application Firewall (WAF): A WAF blocks malicious HTTP requests at the edge of your network. It does not stop a user from being deceived, but it can block the malicious web traffic that often follows a successful social engineering attack, such as exploitation attempts against your applications. You can read more about this type of firewall here.
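As an added example (not from the original post, nor from Imperva or TechTarget), here is a minimal implementation of the "something you have" factor most 2FA apps rely on: TOTP as specified in RFC 6238, which is HOTP (RFC 4226, HMAC-SHA1 with dynamic truncation) computed over a 30-second time counter. The verifier accepts one step of clock drift on either side and refuses to accept the same code twice, which is what stops a code a victim has just read out over the phone from being replayed later. The secret and timestamps are the RFC's own test vectors; the window size and the replay set are design choices assumed here.

```python
"""TOTP (RFC 6238) generation and verification (added example)."""
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(encoded):
    """Decode the base32 secret from an authenticator provisioning URI (padding optional)."""
    encoded = encoded.strip().upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, candidate, now=None, step=30, digits=6, window=1, used=None):
    """Accept `candidate` for the current step or up to `window` steps either side.

    `used` is an optional set of counters already accepted for this user (assumed to
    be stored per account); a counter in it is never accepted again, which blocks replay
    of a code that was phished or read out during the step it was valid for.
    """
    now = time.time() if now is None else now
    current = int(now) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if used is not None and counter in used:
            continue
        # Constant-time comparison so the check does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            if used is not None:
                used.add(counter)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B reference secret (ASCII "12345678901234567890"), 8-digit codes.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code for t=59:", totp(secret, 59, digits=8))
    print("live 6-digit code:", totp(secret, time.time()))
```

The `used` set is the part that matters for social engineering: a caller who talks a victim into reading out their current code gets a value that is valid for about a minute and, once the attacker has used it, cannot be reused. It does not help against a real-time relay that forwards the code immediately, which is why the defence section above prefers phishing-resistant factors where they are available.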

Source: imperva.com and searchsecurity.techtarget.com


———————————

Sources:

imperva.com

searchsecurity.techtarget.com