What is Social Engineering?
Do you remember the story of the Trojan Horse, which is the concept behind one of the most common and successful network security threats, the Trojan horse attack? That story is a classic illustration of social engineering at work. Kaspersky Lab defines social engineering as “a form of the technique used by cybercriminals that are designed to lure unsuspecting users into sending them their confidential data, infecting their computers with malware or opening links to infected sites.”
Social engineering gets the better of people by tricking and deceiving them instead of relying on technological exploits. The attack leverages human weaknesses such as emotions, habits or trust to convince the target to take actions that advance the attack against their network, for example clicking a fraudulent link in an email or visiting a malicious website. It is a less sophisticated and perhaps one of the cheapest methods of attack. However, it is very successful and can have severe consequences for the victim.
What are the Common Social Engineering Attack Techniques?
The social engineering threat landscape is constantly changing because it depends on the human mind, emotion and knowledge, none of which stays constant. The techniques therefore vary with the craftiness of the attacker. However, the threats currently seen can be classified into the following types:
Phishing Attack
Phishing is a type of social engineering attack used to steal data from the targeted user. In most cases, this technique involves sending emails disguised as legitimate ones to a large number of recipients. Typically, these emails contain a link that the recipient is asked to click in order to update the personal details of their account on a trustworthy site such as Amazon. Usually, the attackers develop a clone of the genuine web application. Upon clicking the link, the user is directed to the counterfeit web page, where the user’s personal details such as username, password or email are collected.
Phishing techniques involve sending emails to a broad audience that either spoof a legitimate email address or contain what looks like legitimate company information in order to manipulate individuals into revealing passwords and other personal data. Phishing can also be done through text message or instant message. The attacker may also develop malware and hide it behind the link; in such a case, clicking the link installs the malware on the target user’s device. Clicking the link can also lock the system as part of a ransomware attack.
A phishing attack can have a harmful effect on the affected user, including stolen funds, unauthorized transactions or identity theft. A phishing attack can also be part of an advanced persistent threat (APT) event. In an APT, phishing is used to gain a foothold in governmental or corporate networks: employees’ endpoints are compromised to bypass security perimeters, gain privileged access to secured data or distribute malware in a closed environment.
Successful phishing attacks on organizations may lead to severe financial losses, declining market share, a tainted reputation and loss of customer trust. In the worst cases, phishing may escalate into a security incident from which an organization never recovers.
Spear Phishing
Whereas phishing aims at a large number of recipients in the hope of attracting a bite, spear phishing focuses on a specific individual or organization. For instance, an attacker may create a counterfeit email address disguised as the CEO’s address and use it to send an email to a member of the finance team authorizing a payment to the attacker’s offshore bank account. A spear phishing attack is more dangerous because it is customized to the network of a particular individual or organization, and it is more effective than broad phishing because it has a higher success rate.
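The two tells described above, a cloned site reached through a disguised link and a counterfeit executive address, can be checked mechanically before a message reaches the finance team. The following is an added example, not code from the original article, that triages a raw email for a look-alike sender domain, an executive display name on an outside domain, links whose visible text names a different host than the real target, and urgent payment wording. The trusted domain list, the executive names, the homoglyph table and both sample messages are constructed for the example; the organisation's real values would be substituted.

```python
"""Triage checks for phishing and spear-phishing emails (added example).
Assumes single-part text/html messages; the trusted-domain and executive
lists, and the two sample messages, are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}                    # assumed: our own mail domains
EXECUTIVES = {"ceo", "chief executive", "jane doe"}  # assumed: names/titles worth impersonating
URGENCY = re.compile(r"\b(urgent|immediately|wire transfer|payment)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)
# Characters attackers swap into look-alike domains; "rn" for "m" is handled below.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains signals a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is ours or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # our own domain or a genuine subdomain of it
    norm = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    registered = ".".join(norm.split(".")[-2:])  # crude registrable-domain guess
    for trusted in TRUSTED_DOMAINS:
        if registered == trusted or edit_distance(registered, trusted) <= 2:
            return trusted
        if norm.startswith(trusted + "."):  # trusted name used as a subdomain of an attacker host
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: str) -> List[str]:
    """Return human-readable findings for one raw message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} imitates {imitated}")
    if sender_domain not in TRUSTED_DOMAINS and any(e in name.lower() for e in EXECUTIVES):
        findings.append(f"display name '{name}' poses as an executive from outside domain {sender_domain}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    links = LinkCollector()
    links.feed(body)
    for href, text in links.links:
        real = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_IN_TEXT.match(text)
        if shown and shown.group(1).lower() != real:
            findings.append(f"link text shows {shown.group(1).lower()} but points to {real}")
        if lookalike_of(real):
            findings.append(f"link host {real} imitates {lookalike_of(real)}")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgent payment language")
    return findings


# Constructed sample: CEO-fraud spear phish from a look-alike domain with a disguised link.
SPEAR_PHISH = """\
From: "Jane Doe, CEO" <jane.doe@examp1e.com>
To: finance@example.com
Subject: Urgent payment
Content-Type: text/html; charset=utf-8

<p>Please process this wire transfer immediately. Details:
<a href="http://login.examp1e.com/wire">https://portal.example.com/finance</a></p>
"""

# Constructed sample: ordinary internal message that should produce no findings.
BENIGN = """\
From: "Bob Smith" <bob@example.com>
To: alice@example.com
Subject: Lunch
Content-Type: text/html; charset=utf-8

<p>Menu is at <a href="https://cafe.example.com/menu">cafe.example.com/menu</a></p>
"""
```

Running `triage(SPEAR_PHISH)` yields five findings (look-alike sender, executive display name on an outside domain, mismatched link text, look-alike link host, urgent payment wording) while `triage(BENIGN)` yields none. The edit-distance threshold of 2 and the homoglyph table are deliberately simple; a production filter would use a proper public-suffix list and a tuned threshold, since short trusted domains produce more false positives.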
Scareware
Just as the name suggests, this social engineering technique leverages our fears. In most cases, the attacker sends a warning message to the target’s computer and then calls for a specific action as the remedy. For example, the message may warn the user of the risk of a malware infection and then suggest installing a fake antivirus product that is itself malicious. If the user falls for this trick, they will have invited the enemy into their network.
Pretexting
This is a very commonly used social engineering technique. Most of us have probably encountered it, and were perhaps lucky enough to detect the fraud behind it before we were victimized. In pretexting, an attacker calls or emails the target pretending to be contacting them from an organization the target knows well. The attacker then requests personal information in order to “confirm the identity” of the person they are contacting. In most cases, the attacker pretends to be from the victim’s financial institution, such as a bank, and requests personal information before the conversation can continue.
If the victim falls for the trick and provides the information, the attacker can proceed with executing their planned attacks. The result may be a loss of funds or identity theft.
Psychological Manipulation
Psychological manipulation is a social engineering tactic that typically targets three human emotions when executing an attack: obedience, helpfulness and fear. Different attackers may use different approaches in this tactic; as long as the approach leverages these three emotions, it qualifies as psychological manipulation. If the attacker manages to harness these emotions appropriately, they are likely to obtain the information they are looking for swiftly and without being detected.
The Trust Factor
It is true that there are people we trust: family, friends or even co-workers. Attackers understand this too and will leverage it against you. This attack may involve sending the target an email from an address that appears to belong to someone they know and trust. For example, the email may appear to come from the target’s close friend asking them to click a link and check out a specific job posting. The goal of the attacker in this approach is to win the target’s trust so that the target does whatever is requested.
Access Tailgating
Access tailgating involves the passage of unauthorized users into a secure area. The passage may be forced or accidental. In most cases, the unauthorized person follows an authorized user into the secured area. This could be somebody who pretends to be in need of your service and follows you into your office. Once inside, they may plant their own hardware at some hidden point in the computer network. They may also shoulder surf you while you enter your login details. This is one of the most widely used social engineering methods for attacking organizations.
Sometimes we are so busy watching out for phishing emails and the other techniques discussed above that we forget social engineering can take very simple forms. Shoulder surfing is one of them. For example, an attacker might frequent the public food court of a large office building where the targeted person usually sits, and shoulder surf the target while they use their laptop or tablet in order to steal their personal details.
Protection Against Social Engineering
Education
Protection against social engineering has to start with education. In the case of an organization, employees must be trained to understand the methods attackers use to leverage the three emotions of obedience, helpfulness and fear. With such knowledge, employees will be in a better position to discern most of the tricks attackers use before they put the entire organization at risk by falling for them. An individual should also take the personal initiative to learn about these attacks to avoid falling victim.
Appropriate Network Security Policy and Procedure
Every organization should have an appropriate network security policy and procedure that tells employees what to do when they detect signs of social engineering. Some employees may sense signs of social engineering through their instincts; without an appropriate policy, however, they may let that feeling go, which can put the organization at serious network security risk. The reporting channel should also be effective and well understood by all employees. This will increase their resistance to emails that appear to come from their “bosses” or “personal friends”.
Installing a Firewall
This may seem less important, considering that social engineering leverages human weaknesses more than system weaknesses. However, in most cases these tricks involve luring the victim into installing malware, and in such a case a firewall can greatly help in fighting the malware attack. It is also important to keep the firewall and the system in general up to date. Antimalware software is often released with weaknesses of its own, so watch for the patches that the software vendors release to rectify them.
Conclusion
Social engineering is involved in almost all network security attacks. It is important to watch out for the common tricks that attackers use so as to be in a better position to resist their attacks.