Security for everyone

Common Social Engineering Tactics

SecurityForEveryone

11/Nov/21

Social engineering, also referred to as ‘human hacking’, is the art of gaining private information, valuables, or access by manipulating and exploiting people. Depending on the attacker(s) and their motive, various forms of psychological manipulation can be used to trick users into giving away the information the attacker(s) is/are looking for. Since social engineering is relatively easy to carry out compared with finding and exploiting a weakness in a system or piece of software, attackers and criminals often opt for social engineering and have devised ingenious ways of doing it. In this article, we review the common social engineering tactics used by attackers that you need to be on the lookout for.

1. Phishing Attack

In this attack, an adversary sends a fraudulent message designed to trick the recipient into revealing sensitive information. Phishing can also be used to deploy malicious programs, such as malware, on the victim’s device. The attack is mainly delivered through emails (96%), malicious websites (3%), and telephone or text messages (1%), with the attacker posing as a legitimate individual or institution. There are various types of phishing, such as angler phishing, BEC (business email compromise), pharming, whaling/CEO fraud, spear phishing, and tabnabbing/reverse tabnabbing. Additionally, phishing may be combined with spoofing, making an attack more seamless and convincing.

2. Quid Pro Quo (‘something for something’) Attack

Also referred to as a ‘something for something’ attack, the quid pro quo attack closely resembles baiting in that it promises a benefit (usually in the form of a service) in exchange for the victim’s information or access. It typically occurs when attackers impersonate a high-ranking individual, e.g. an IT staffer in an organization, contact the victim about a software installation or upgrade, and request that the victim facilitate operations such as disabling the firewall or antivirus program, or even provide their credentials.

3. Baiting

Baiting is quite similar to a phishing attack; what distinguishes it is the promise of an item or reward to entice the victim. Unlike phishing, baiting is not limited to online schemes: it can also exploit human curiosity through physical media. One example is the attack performed in July 2018 targeting US agencies, whose main goal was to trick users into loading a mailed CD by accompanying it with confusing letters, as highlighted by KrebsOnSecurity.

4. Pretexting

Pretexting is a social engineering attack in which the attacker uses pretenses and false scenarios to compel a victim to comply. The attacker can impersonate anyone in a powerful position, such as a police officer, sales manager, investigator, auditor, or any other role they believe would help persuade the victim to provide the information they need. The success of this attack relies on the attacker’s ability to build trust with the victim.

5. Tailgating Attack (‘piggybacking’)

Tailgating, also called ‘piggybacking’, is a physical attack in which an unauthorized person follows an authorized person into a restricted area to gain access. Attackers may use psychological tricks, such as striking up conversations that suggest familiarity with the environment, to get past the front desk. For instance, during a penetration testing engagement at an FTSE firm, Colin Greenlees, posing as an IT consultant, is said to have set up shop and worked for several days in a meeting room using this technique.

There are other forms of social engineering attacks to look out for, including smishing (SMS phishing), honey traps, diversion theft, water-holing (watering hole attacks), and 419/Nigerian prince/advance-fee scams. To avoid, or at least minimize, the chance of falling victim to these attacks, it is recommended that you avoid opening emails from untrusted sources and offers from strangers, lock your PC/laptop while away from your workstation, use anti-virus programs, and read and follow your company’s privacy policy.

To learn more about cybersecurity, visit S4E:Education now. There are learning quizzes to increase your cybersecurity awareness.

✓ You can come back and take the tests anytime you want.

✓ You can encourage your colleagues or employees to take the tests to protect your companies' assets against being victims of social engineering.

✓ There are real social engineering attacks to reinforce your knowledge.

✓ You can find the risk scores.

References:

Krebs on Security. (2018). State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China. Retrieved 2 September 2021, from https://krebsonsecurity.com/2018/07/state-govts-warned-of-malware-laden-cd-sent-via-snail-mail-from-china/.

Greenlees, C. (2009). Social engineering: an intruder's tale. E&T (eandt.theiet.org). Retrieved 2 September 2021, from https://eandt.theiet.org/content/articles/2009/07/social-engineering-an-intruders-tale/.

Verizon. Data Breach Investigations Report (DBIR). https://www.verizon.com/business/en-gb/resources/reports/dbir/

IT Governance. Social engineering attacks. https://www.itgovernance.co.uk/social-engineering-attacks#:~:text=The%20most%20common%20form%20of,or%20links%20to%20malicious%20websites.
