A hacker’s attempt to compromise a system or a person usually starts with exploiting vulnerabilities in the system or network, i.e. finding a technical way in. If he fails to find any weakness and the target’s security appears foolproof, the hacker has to think of something different, something non-technical. That thought leads to social engineering.
What is Social Engineering?
In the context of information security, social engineering is an attack vector that relies heavily on human interaction. It uses psychological manipulation to trick people into breaking security procedures or giving away sensitive information. The primary objective of this attack is to obtain, from the target himself, information that can be used to compromise him or his organization.
Examples of Social Engineering
Consider a scenario in which a hacker succeeds in compromising one person’s email account. Now that he has full access to that person’s contacts, he creates a specially crafted email with a trojan embedded in it and sends it to all of them. Because the email comes from a friend’s email id, the victims open it without any hesitation, thereby installing the trojan on their systems.
Here is another scenario. We all love to download things like movies and music for FREE from websites. The hacker knows your interests, so he builds a website offering the latest movies to download for FREE, but these movies carry malicious software. As soon as someone downloads a movie from this website, the malware comes along with it, and when the user plays the movie the malware executes and infects the computer.
Types of Social Engineering
Social engineering can be performed through various techniques that all depend on capturing human attention. Although there are many methods, the following five are the most commonly used:
1. Phishing
Phishing scams are the most common and most popular type of social engineering. Phishing is a technique for fraudulently obtaining a person’s private or sensitive information, and it can be done in many ways.
An example: an attacker sends a fraudulent email to the target pretending to be from the person’s bank, asking him to change his bank account credentials. The attacker provides a phishing link that imitates the bank’s login page, and as soon as the person clicks the link and enters his username and password, they are sent to the attacker.
Nowadays, phishing scams are not too difficult to detect, but even so cybercriminals keep finding new, innovative ways to lure people. If you want to know how to detect a phishing attack, you can read my post here.
2. Baiting
As the name suggests, baiting lures people into revealing their information in exchange for some goodies like free music or movies. It’s a “throw peanuts, get monkeys” kind of thing. The attacker offers the free stuff, but with malware included. People are not aware of the malicious payload and end up infecting their computers.
Baiting is not done only in the online world but also in the physical world. Here the attacker leaves a bait, typically malware-infected USB drives, in places where people are most likely to find them. They pick up the drives out of curiosity and plug them into their home or office computer, unintentionally installing the malware.
3. Pretexting
Pretexting is an attack in which a scammer fabricates a convincing pretext that can be used to steal the victim’s personal information. The scammer tries to establish trust with the victim and asks him for some information, supposedly to confirm the victim’s identity. Here the scammer pretends to be a police officer, a bank or tax official, or someone else with right-to-know authority.
An example would be an attacker creating a duplicate of the access card of a person working in a company and using it to get past the company’s entrance.
4. Scareware
Scareware involves tricking the victim into believing that his computer has been infected by malware and providing him with a fake solution. The scammer first bombards the victim with false security threats and pop-ups. Then he convinces the victim that his computer has malware installed and offers him an anti-malware download which is itself malware.
So the victim downloads and installs the software (malware) presented by the scammer. Scareware is also distributed through spam emails that give bogus warnings or offer worthless services for sale.
5. Tailgating
Tailgating is also known as “piggybacking”. This type of attack involves someone who lacks proper authentication following an employee into a restricted area.
In this attack, a hacker walks into a company’s building or a restricted area behind an employee who has an authorized access card (RFID card). Following common courtesy, the employee will hold the door open for the attacker, or the attacker himself may ask the employee to hold the door open for him.
Tailgating does not work in all corporate settings, such as in larger companies where everyone entering a building is required to swipe a card. However, in mid-size enterprises, attackers can strike up conversations with employees and use this show of familiarity to get past the front desk.
Some Notable Social Engineers
Kevin Mitnick is an American computer security consultant, author and hacker, best known for his high-profile 1995 arrest and later five-year conviction for various computer and communications-related crimes. He now runs the security firm Mitnick Security Consulting, LLC which helps test companies’ security strengths, weaknesses, and potential loopholes. He is also the Chief Hacking Officer of the security awareness training company KnowBe4, as well as an active advisory board member at Zimperium, a firm that develops a mobile intrusion prevention system.
Susan Headley was an American hacker active during the late 1970s and early 1980s widely respected for her expertise in social engineering, pretexting, and psychological subversion. She was known for her speciality in breaking into military computer systems, which often involved going to bed with military personnel and going through their clothes for usernames and passwords while they slept. She became heavily involved in phreaking with Kevin Mitnick and Lewis de Payne in Los Angeles but later framed them for erasing the system files at US Leasing after a falling out, leading to Mitnick’s first conviction. She retired to professional poker.
Brothers Ramy, Muzher, and Shadde Badir—all of whom were blind from birth—managed to set up an extensive phone and computer fraud scheme in Israel in the 1990s using social engineering, voice impersonation, and Braille-display computers.
How to Prevent Social Engineering Attacks
Since social engineering attacks are non-technical and exploit human psychology, we need to pay extra attention to preventing them. The following are the things you should take care of:
- Do not reply to spam emails unless you are sure that they have come from someone you trust.
- Do not download any media from untrusted, pirated websites or online sources.
- Before entering sensitive information like credit card details for a payment or login credentials, check the authenticity of the website or the requesting party.
- Use two-factor authentication for logging into your accounts.
- Train the company’s employees in security awareness and best practices for handling the company’s data.
- Install anti-virus or anti-malware on your system and keep it up-to-date.
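The bank-phishing email described under Phishing above, and the advice here to check a website’s authenticity before entering credentials, both come down to the same question: where does a link really go? The script below is an added example, not code from the original post. It scans a constructed email body for anchor tags whose visible text names one domain while the href points to another, and for link hosts that merely contain the expected bank’s name. Every domain in it is a constructed placeholder, and the `_registrable` helper is a deliberate simplification of public-suffix handling.

```python
"""Flag phishing-style links in an email body (added example, not from the post).

Two checks from the post's phishing scenario:
  1. the link text shows one domain but the href points somewhere else;
  2. the href host only imitates the expected bank domain.
All domain names below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare domains are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _registrable(host):
    """Crude registrable domain: the last two labels.
    A real implementation would consult the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _looks_like_domain(text):
    """True when the visible link text itself reads as a URL or hostname."""
    pattern = r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?"
    return re.fullmatch(pattern, text.strip(), re.I) is not None


def find_suspicious_links(html_body, expected_domain):
    """Return [(href, reason)] for links that mimic or misdirect."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    expected = _registrable(expected_domain.lower())
    brand = expected.split(".")[0]  # e.g. "example-bank"
    findings = []
    for href, text in collector.links:
        href_host = _host(href)
        href_reg = _registrable(href_host)
        if _looks_like_domain(text) and _registrable(_host(text)) != href_reg:
            findings.append((href, "link text shows a different domain than the target"))
        elif href_reg != expected and brand in href_host:
            findings.append((href, "host imitates the expected domain"))
    return findings


# Constructed sample: one misdirecting link, one look-alike host, one genuine link.
SAMPLE_EMAIL = """<p>Dear customer, please verify your account:</p>
<a href="http://example-bank.login-verify.test/reset">https://www.example-bank.test/login</a>
<a href="https://secure-example-bank.test/">Click here</a>
<a href="https://www.example-bank.test/help">Help</a>"""


if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL, "example-bank.test"):
        print(f"SUSPICIOUS: {href}  ({reason})")
```

Run against the constructed sample, the first two links are reported and the genuine help link passes. The second check is intentionally broad: a host that contains the brand name but is not the brand’s registrable domain is exactly the “phishing link of a bank” the post describes, and it is better to review a false positive than to type credentials into one.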
According to a Nuix survey, nearly 84 per cent of hackers use social engineering as their attack strategy and 50 per cent of them change their methodology with every target. That makes it important for even a layman to know the basics of social engineering in order to protect himself.