Social Engineering : Hacking the Human Vulnerabilities

By
Image : Zootopia 
Social engineering has become the biggest cyber threat today. In social engineering, the target is a human, who cannot be patched. Humans  continues to carry zero day vulnerabilities. Humans are most vulnerable end point.

An attacker using social engineering techniques to deceive and manipulate a victim  to divulge sensitive information like  credentials. The attacker then uses the information obtained to gain unauthorized access to systems to carry out an attack.

Social engineering criminals hide their true identities and motives, presenting themselves as trusted individuals or high ranking officials of the organisation. Their objective is to deceive, trick, influence, and manipulate the victim to give information willingly. They exploit fear, greed,  curiosity, fatigue, ambition, urgency, helpfulness, empathy imotions of people. 

Social engineering is a popular tactic among attackers because it is quite easier to exploit people than to find a network or software vulnerability. 

Following are the most common social engineering techniques, which can use various attack vectors logically online or physically offline.

1. Phishing

The threat actor uses deceptive emails, instant messages,  and websites to misguided and steal sensitive information from unsuspecting victims. The  victim believing that the message is legitimate,  clicks on the suspicious link, visits to a malacious web site, or download a malware attachment.

2. Spear Phishing

This is a highly targeted attack against known individuals in top management. Unlike sending mass phishing emails, the attacker do an in-depth research on potential victims with specific objectives to harm the organisation.

3. Baiting

The cyber criminal operating online or physical spaces, develops a cordial relationship with the victim offering a reward in return for sensitive information or partnering on a hack. Some insider attacks initiated with bating.

3. Ransomware 

The cyber criminal sends an urgently worded message tricking the victims to install a malware on their computer. The malware encrypts  the content of the computer. Then demands a payment in crypto currency to decrypt data. Large corporations has become victims of ransomware.

5. Pretexting

This attacker assumes a false identity to trick victims into divulge sensitive information acting as banks, credit card providers, and utility companies.

6. Quid Pro Quo

This attacker convince the victim to exchange of information, offering to provide “assistance,” assuming identities like tech support executives. 

7. Tailgating

The cyber criminal gains physical access to a secure building or area, by following a  victims pretending as a new employee. The victim may hold the door open for the attacker due to misguided courtesy.

8. Vishing 

The cyber criminals leaves urgent voicemails to convince victims they must act quickly to avoid an arrest or another risk. 

9. Water-Holing

This technique infects a website visited by targeted victims with a malware. The infection then spreads to the victims’ organization.

10. An attacker might pretend to be a co-worker who has some kind of urgent problem that requires access to additional network resources.

11. Whaling.

This  is a type of phishing attack that targets high-profile employees, such as the chief executive officer or chief financial officer into disclosing sensitive information.

12. Diversion theft

The attacker uses a courier company into going to the wrong pickup or drop-off location, thus intercepting the transaction.

13. Honey trap

The attacker pretends to be an attractive person to interact with a person online, fake an online relationship and gather sensitive information through that relationship.

14. Rogue security software

This is a  type of malware that tricks targets into paying for the fake removal of malware.

15. Dumpster diving

The attacker searches though trash to find information, such as passwords or access codes written on sticky notes or scraps of paper, that could be used to infiltrate the organization's network.

16. Pharming

Cyber criminals install malicious code on a computer or server that automatically directs the user to a malicious website, where the user may be tricked into providing personal information.

Most social engineering attacks are well planned through research and reconnaissance on the target. The attacker gathers  intelligence on the organization structure, culture, management , operations, events, systems , service providers and partners etc. They also research on the behaviors and patterns of employees who has low-level access to systems. Attackers scan social media profiles of staff whome they can easily trick. The criminal then design an attack based on the information collected and exploit the vulnerabilities uncovered during the reconnaissance. Once the initial intrusion is successful, the attacker use additional tools or programs in the system to escalate the previlages to steal sensitive data.

Preventing social engineering

  • User awareness is the most effective strategy to preventing social engineering attacks.
  • Implement secure email and web gateways to scan incoming emails for malicious links. Then filter them out to reduce the probability of attacks. 
  • Keep anti-malware and antivirus software up to date. 
  • Stay up to date with software and firmware patches on endpoints.
  • Create a culture of password hygiene and secure remote work practices.
  • Keep track of staff members who handle sensitive information, and enable advanced authentication measures.
  • Implement 2FA to access key accounts, where confirmation code send via text message or voice recognition.
  • Instruct employees not to use the same passwords for personal and work accounts. If the attackers gains access to employee's social media account, they could also gain access to the employee's work accounts.
  • Implement spam filters.  spam filter might have a blacklist of suspicious IP addresses or sender IDs, detect suspicious files or links, as well as analyze the content of emails to determine which may be fake.

Following are some famous social engineering attacks.

  • $100 Million Google and Facebook Spear Phishing Scam.
  • Email phishing attack on US Department of Labor
  • Russian spear phishing attack on Ukraine 
  • Deepfake Attack on UK Energy Company
  • $60 Million FACC CEO Fraud
  • Microsoft 365 phishing scam
  • 2022 Uber Attack 
  • Google Drive collaboration scam
  • 419 Nigerian money scam

Think before you click. Research the source. Don’t download unknown files. Free offers and prizes can be fake. Never share personal information or passwords. Reject requests for help or offers of help from unknown people. Set your spam filters to high. Secure your devices. Always be mindful on risks. 

In social engineering, you are the last line of defence. As an end user, you are responsible yourself to monitor your own activities. Never become a victim of social engineering.

Niranjan Meegammana 

Comments

Post a Comment

Popular posts from this blog

ISO 27001 ISMS in a Nutshell

By
Image
Image : ISO The ISO 27001 certification is the most comprehensive  information security standard recognized globally. It ensures standardizing of your organisation's information security strategies to ensure confidentiality, integrity and availability of your systems and data to conduct your business effectively.  Gaining the certification is a journey with several milestones. It is a carefully planned systematic activity that transforms an organisation to a secure entity,  where everyone becomes a stakeholder in information security. Follow this processes to get to your goal successfully. Step 1. Obtain Management Support . This is the most critical requirement to achieve ISO 27001 status. Your ISMS project will definitely fail if it does not receive to management support. The management should provide, people, money and strategic direction for your ISMS to be a success story. In the sections below you’ll find some tips on how to convince your management, and how much the implemen
Read more

Best Practices for secure Software Development

By
Image
image : OpenSense Labs Are you aware of the  Solarwinds attack in 2020? The hackers exploited software vulnerabilities of Orion IT monitoring and management software used by thousands of enterprises and government agencies. This hack triggered a larger scale supply chain incident which affected thousands of organizations, including the U.S. government. The attackers infliltrated the Solarwinds network, and infected the software used for Network monitoring before it shipped to customers.This insident and many more warn us on the importance of building secure software.  Secure software development is a methodology used for creating robust software by incorporating security practices into every stage of the software development life cycle (SDLC). It begins at planning stage before a single line of code is written, and continue through the life cycle. A bug fixing at implementation stage cost six times than fixing it during design stage. Every new feature added, may carry series of vulnera
Read more

How easily the data breaches occur? 5 ways to be aware of.

By
Image
Data breaches can occur at any unexpected moment. Unless you do not detect it fast, cybercriminals will have more time to exfiltrate information and cause bigger damage. On average it takes up to 30 days and costs $1 million to address a data breach incident stated 2021 Cost of a Data Breach Study. However, it could be more if you wait longer. Unfortunately, some took 6 months to respond.      Better safe than be sorry! Be prepared against data breaches.  There are 5 ways for your organization to avoid data breaches. Here is how. 1. Weak and stolen credentials  The most simplest way hackers use for data breaches is stealing passwords. Many people use predictable passwords like ‘Password1’ and ‘123456’. With them, cybercriminals don't even need to hack into a system to steal your sensitive data.  There are many tools that can help a cybercriminal to crack passwords. They run millions of popular credentials to break into your system. This requires you to have a strong password policy
Read more