What is Social Engineering? How Can You Prevent it?
Have you ever received an email stating that your computer needs to be cleaned because of a Trojan horse virus and then asks you to install “new anti-virus software”? Or have you ever received a doubtful link that asks for your login credentials to access your so-called bank account? Have you ever seen Facebook marketing advertisements of items that are said to be free, but ask for your payment details anyway? Well, if you weren’t very careful, you could’ve been a victim of a social engineering attack.
As humans, we often never know who to trust in real life and it’s even worse when it comes to trusting people you meet on the internet. Online interactions with strangers get tricky when you are cautious of the website and platforms you are using. Social engineering can even happen in person whenever you’re not careful – this can be compared to a scenario when a salesperson asks you to enter your address when buying a product. For example, in 2019, Toyota Boshoku Corporation, an auto parts supplier, became a victim of a social engineering and BEC (Business Email Compromise) scam, which led the company to a major loss. The cost of the business amounted to USD 37 million due to the attacker’s persuasion to the finance executive to alter the recipient’s bank account into a wire transfer.
Nowadays, the best practical way to prevent social engineering attacks is to be wary all the time, verify your sources, and educate yourself. EC-Council’s Certified Ethical Hacker Certification helps you assess the security posture of an organization by identifying vulnerabilities in the network, which can greatly secure your business from social engineering threats, scams, and attacks.
What are Social Engineering Attacks?
Social engineering is the action of deceiving somebody into exposing their information or actions. It is the art of abusing human psychology for victims to reveal their private information. The motive behind every social engineering attack is to take advantage of a possible victim’s trust, perspectives, and responses to gain data that can benefit hackers.
Typical hackers look for software vulnerabilities whenever they try to access a network. Social engineer hackers are a bit clever on the other hand because they are required to have the wits and brains to imitate or act like someone. An example is when a fraudster acts as a technical support person so that they can trick an employee into exposing their login authorization.
Social Engineering attacks are performed by imposters who hope to gain people’s trust to their advantage. Since almost everyone is using social media sites, social engineering attacks have been reported to be of high success in gaining people’s information. Scams have been dominant through different social platforms that are widely known. Examples of these sites are Facebook, Instagram, Twitter, Snapchat, Youtube, and many more.
How do criminals benefit from Social Engineering Attacks?
Attackers perform social engineering attacks to gain a portion of your information that can be used for bigger misconduct. There are many variations of what they want to gain, but it’s normally the victim’s Personal Identifiable Information (PII) or Payment Card Information (PCI) data. Some attacks focus on gaining access to a person’s bank account so that they can steal from it. There are also benign-looking attacks such as gaining access to your address or birthday so that the hackers can use it to access your accounts.
Without the victim noticing, attackers can even try to access a victim’s computer to install malware that can retrieve all your information, and the worst part of this is that the victim does not even notice that malware has been installed in their system.
Types and Examples of
Social Engineering Attacks to be Aware of
In social engineering, baiting depends on a worker’s decision to create a weakness in a corporation’s network. Baiting is typically done in person and becomes a success when the desire to gratify curiosity or fulfill temptation dominates an employee’s understanding of the company’s security practices. An example of baiting is when a hacker leaves a flash drive filled with ransomware on a company table. An employee is then baited to check what the contents of the flash drive are. They will pick it up and plug it into a computer, which then injects malware automatically into the system.
Phishing is a famous way to fish for information from an oblivious victim. Even with so many warnings regarding this type of attack, it still prevails in the internet world. The offender usually sends an email or text to the victim and asks them for their credentials (such as name and address) in order to seek information that might lead to bigger criminality. A great phishing example is when attackers send emails to future victims, saying that the message comes from a trusted source such as banks. A link is then provided to lure the victims. When they click on the link, it requests login information. Upon logging in on the fake site, they fall into the hacker’s trap. The victim has officially handed over their credentials to the perpetrators, providing them access to their bank accounts.
Email hacking and contact spamming
In this type of attack, hackers pretend to be someone that the victim may know. They send messages to certain people, and as a result, the prey might think it’s a trusted source since it came from an acquaintance. Perpetrators take over email accounts and spam the prey’s contact list with scam links. An example is the Outlook phishing scam, where people received emails about certain “issues” with their accounts and were asked to ‘sign-in once again.’
Pretexting is the use of an eye-catching pretext, story, or a play to divert someone’s attention. Upon hooking the would-be victim with the storytelling session, the fraudster then tries to trick the prey into giving them something of value in return. An example of pretexting is when you receive an email stating you as the beneficiary of a last will. It then asks for your personal information to prove your relation to the originator of the will. Instead of having a speedy transfer of your inheritance, you are at risk of providing bank account information to a con artist, which can grant them access to withdraw your funds from your account.
Quid pro quo
This Social Engineering scam involves an exchange of information that can benefit both the victim and the trickster. Scammers would make the prey believe that a fair exchange will be present between both sides, but in reality, only the fraudster stands to benefit, leaving the victim hanging on to nothing. An example of a Quid Pro Quo is a scammer pretending to be an IT support technician. The con artist asks for the login credentials of the company’s computer saying that the company is going to receive technical support in return. Once the victim has provided the credentials, the scammer now has control over the company’s computer and may possibly load malware or steal personal information that can be a motive to commit identity theft.
The “v” in vishing stands for voice but the scam attempt is the same with phishing. The perpetrator uses the phone to call and trick a would-be victim into handing over some of their most valuable information. An example of this type of attack is when a criminal calls an employee and acts as a co-worker. The criminal asks the victim to provide information such as company secrets or credentials that may be used to target the employees or the organization itself.
This type of attack is also done in person. Fraudsters in this Social Engineering attack try to fit and blend into the crowd to sneak into their target’s location of business for data gathering. Tailgating can be deflected with security-conscious practices, which is why the majority of workplaces now require IDs with RFID embedded chips, electronic door locks, and systems with technology protection to keep them away from intruders. An example of this strategy attack is when someone dresses up as an employee of a certain organization. Without ID security, the dressed person would go unnoticed. Once they enter the building, there’s no limit to the damage that they can cause. They can physically intrude servers to gather the organization’s information and can install malware physically in the organization’s computers without being seen.
Latest Social Engineering Attacks
Coronavirus and Cybercrime: Germany assumes the EU presidency with a strong focus on cybersecurity
As the country’s EU presidency program is focused on the worldwide pandemic Covid-19, the cybersecurity issues were recently overlooked. Working from home has been a priority and made innovation to be obligatory, which made Germany’s EU presidency manifesto to call for the protection of the critical national infrastructure. They have key cybersecurity issues that they hope to tackle for the next few months: their connected devices, data protection, AI, and securing the IoT. According to Richard Cassidy, a senior director for security strategy at Exabeam, social engineering, phishing, and ransomware attacks have been occurring much moreover in the last three months. As COVID-19 is being contained, the presidency has its focus on the pandemic rather than the increasing cyber-attacks.
Zoom fixes ‘vanity URL’ security issue that left users exposed to phishing exploits
A zoom vanity URL is a URL that the user can customize. The security firm explained that prior to zoom’s fix, an attacker could have attempted to trick a victim into clicking the vanity URL to send invitations as if it seemed legit. As zoom became widely known during the coronavirus pandemic for being used at homes, there have been many attempts of criminals to lay phishing traps. An earlier flaw of the zoom application also includes the so-called ‘meeting crashing’ vulnerability, which allowed a hacker to gatecrash the meeting by simply guessing a zoom meeting URL.
Google Firebase messaging vulnerability allowed attackers to send push notifications to app users
It has been reported that there was more than $30,000 worth of money awarded for the security issue discovery that allowed attackers to send mass notifications to Android users. Being a commonly used social engineering attack, this phishing bug has been cleaned up by the developers involved in the Google Firebase projects through the checking of potentially vulnerable keys. The developers are now given an alert to fix the application whenever Google is able to identify that a server key is being used, as a result of the need for network security enhancement.
Social Engineering in the world of Social Media
Nowadays, with technology evolving, almost everybody has their own Social media accounts. Social media is a computer-based technology that simplifies and assists the process of sharing ideas, opinions, and information through the foundation of virtual networks and communities. With the normal use of Social media, it has made matters easier for criminals to create fictional stories to gather the public’s attention. People have been confident in posting their location on Facebook, sharing birthday pictures on Instagram or Snapchat, and ranting about issues on Twitter. Little do they know that this information can be used against them if they are not cautious enough.
The Abuse and Misconduct in Social media
Websites and other social media platforms have been open
to various types of scams that attackers use:
Command-and-control servers, which are referred to as C&C or C2, are used by attackers to continue certain communications with compromised systems such as computers and smartphones of an aimed target network. This type of phishing attack is dominating the Twitter platform, wherein shorter URLs are being abused to hide malicious links, as attackers hose their C2 infrastructure on the platform and gain access to the user’s profile account and information.
Phishing is a popular attack on social engineering. This attack comes with the use of impersonation. The better the impersonation, there is also a greater chance that the victim might believe the attacker. For example, an impersonator acts like someone who has the power in the company or acts like they have a strict authority. This could lead to tricking and damaging the victims, causing them to be scared and just follow what the attacker says. In cybersecurity, particularly in the world of social media, a threat actor may pose as a rich businessman and offer anything of value. Example of which is what you see on Facebook, Instagram, or Twitter posts of a celebrity. Scrolling upon their posts, there is one specific comment saying that they’re offering free bitcoins for free with an attached link, but in reality, it was a trap that installed malware into your device.
Credential Theft and Propagation
Attackers abuse social platforms by creating sites and links used to trick vulnerable users. These fake landing pages ask for your login credentials and once a victim logged in, the threat actor gains access to the user’s account and can use it to trick more new users into logging in as well. Upon stealing the personal information, hackers can propagate it to other users within the network and can even ask for wired bank transfers on the contacts list.
Several dumps of breached databases can normally be spread on the internet. The dark web or other marketplaces even sell confidential data that has been retrieved upon the breach. Dumpsites and forums can also spread the word about such incidents.
Upon creating social media accounts, there may be some security questions like what was the name of your first pet. Posting images of your pet and calling out their name on social media may reveal the answer to your security question, which can be used to reset passwords. What you post on social media can be a path for people to dig deeper into your personal life. Threat actors can find even the smallest data and use that information to build a malicious attack. Although data gathering may seem too simple, refrain from giving out your information to data gatherers that can be used against you.
The following are Data Collection Tools for Data Gathering
- Surveys: e.g. Google Forms, Facebook Polls
- Interviews: e.g. Zoom and Skype Meetings
- Check Lists: e.g. Canva, Checkli, and Trello
- Case Studies: e.g. Encyclopedia, Grammarly, and QueText
- Usage Data: e.g. Suma
The Abuse and Misconduct in Social media
Train your employees to think before they clickMost social engineering attacks victimize those who act first and think later. Some baiting messages express a sense of urgency and insist on a person clicking on some links or attachments. With an anti-phishing solution like OhPhish, you can deploy a campaign in minutes, get a detailed automated report, assess who is susceptible to such an attack, train them on an LMS to become more aware, and deploy the second wave to test their readiness post-training.
The OhPhish Learning Management System is designed and developed for all the sectors and different industries. It is integrated with several training videos and modules that are easy to comprehend and analyze.
These phishing simulations mimic real-time phishing situations helping you trace how your employees react to a phishing attack.
CheckAPhish and CheckAPhish+ monitor emails that an employee receives in the inbox and filters all the messages, deleting all spam emails.
Identify vulnerabilities and ensure safety protocols
EC-Council’s Certified Ethical Hacker (Master) program has an entire module dedicated to Social Engineering attacks, which helps you assess the security status of an organization by identifying vulnerabilities in the network and system infrastructure to determine if unauthorized access is possible. The CEH is the most inclusive ethical hacking course to help information security professionals understand the basics of ethical hacking. EC-Council will bring out the best of your understanding and skillset about cyber-attacks and how you can recover from it.
The Certified Ethical Hacker (CEH) is an acknowledged ethical hacking program and is a recommendation to all the information security professionals to be equipped with the proper ethical hacking skills. You can also practice Social Engineering via iLabs. The CEH brings out the best in you and updates you with the latest hacking tools and practices used by information security professionals to protect and secure the organization from future cybercrime attacks.