What is Social Engineering?

What is Social Engineering? How Can You Prevent it?

Have you ever received an email stating that your computer needs to be cleaned because of a Trojan horse virus and then asks you to install “new anti-virus software”? Or have you ever received a doubtful link that asks for your login credentials to access your so-called bank account? Have you ever seen Facebook marketing advertisements of items that are said to be free, but ask for your payment details anyway? Well, if you weren’t very careful, you could’ve been a victim of a social engineering attack.

As humans, we often do not know whom to trust in real life, and it is even harder when it comes to trusting people you meet on the internet. Online interactions with strangers get tricky even when you are cautious about the websites and platforms you use. Social engineering can also happen in person whenever you are not careful – compare the scenario where a salesperson asks you to enter your address when buying a product. For example, in 2019, Toyota Boshoku Corporation, an auto parts supplier, became the victim of a social engineering and BEC (Business Email Compromise) scam that caused the company a major loss. The damage amounted to USD 37 million after the attacker persuaded a finance executive to change the recipient bank account on a wire transfer.

Nowadays, the best practical way to prevent social engineering attacks is to be wary all the time, verify your sources, and educate yourself. EC-Council’s Certified Ethical Hacker Certification helps you assess the security posture of an organization by identifying vulnerabilities in the network, which can greatly secure your business from social engineering threats, scams, and attacks.


What are Social Engineering Attacks?

Social engineering is the act of deceiving somebody into revealing information or taking an action they otherwise would not. It is the art of abusing human psychology so that victims disclose their private information. The motive behind every social engineering attack is to exploit a potential victim’s trust, perspectives, and responses to obtain data that benefits the attacker.

Typical hackers look for software vulnerabilities whenever they try to access a network. Social engineers, on the other hand, need the wits to convincingly imitate or act like someone else. An example is a fraudster posing as a technical support person so that they can trick an employee into revealing their login credentials.

Social engineering attacks are performed by impostors who hope to gain people’s trust and turn it to their advantage. Since almost everyone uses social media, social engineering attacks have been reported to be highly successful at harvesting people’s information. Scams are widespread across the well-known social platforms, such as Facebook, Instagram, Twitter, Snapchat, YouTube, and many more.


How do criminals benefit from Social Engineering Attacks?

Attackers perform social engineering attacks to obtain a piece of your information that can be used for bigger misconduct. What they are after varies, but it is normally the victim’s Personally Identifiable Information (PII) or Payment Card Information (PCI) data. Some attacks focus on gaining access to a person’s bank account so that they can steal from it. There are also benign-looking attacks, such as obtaining your address or birthday, which the attacker can then use to get into your accounts.

Attackers can even try to access a victim’s computer and install malware that retrieves all of their information, and the worst part is that the victim does not even notice that malware has been installed on their system.


Types and Examples of Social Engineering Attacks to be Aware of

Baiting

In social engineering, baiting relies on an employee’s own decision creating a weakness in a corporation’s network. Baiting is typically done in person and succeeds when the desire to satisfy curiosity or temptation overrides an employee’s understanding of the company’s security practices. An example of baiting is when an attacker leaves a flash drive loaded with ransomware on a company desk. An employee is then tempted to check what the flash drive contains; they pick it up and plug it into a computer, which automatically injects the malware into the system.



Phishing

Phishing is a well-known way to fish for information from an unsuspecting victim. Despite the many warnings about this type of attack, it still prevails on the internet. The offender usually sends an email or text to the victim asking for personal details or credentials (such as name and address) in order to obtain information that might lead to bigger crimes. A classic phishing example is when attackers send emails to future victims claiming that the message comes from a trusted source such as a bank. A link is provided to lure the victims. When they click on the link, it requests login information. Upon logging in on the fake site, they fall into the attacker’s trap: the victim has handed over their credentials to the perpetrators, giving them access to the bank account.

Phishing has several variants, such as spear phishing and pretexting. Spear phishing involves extra effort from the impostor. Hackers who attempt a spear-phishing attack need specific details: who they are after and what kind of information they should collect. They must work out how they will manipulate the target into revealing that information. Spear phishing requires a lot of time spent on background checks, including social media stalking, so the payoff when such an attack succeeds is correspondingly larger.
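The phishing pattern described above (an email whose link looks like the bank’s site but leads elsewhere) can be checked mechanically before anyone clicks. The following is an added example, not code from the original post: it parses the links in a constructed sample email and flags the classic warning signs. The domain allow-list and the sample message are assumptions made for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing e-mail (not a real message): the visible link
# text shows the bank's real domain, but the href points somewhere else.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, we noticed unusual activity on your account.</p>
<p>Please <a href="http://examplebank.com.login-verify.xyz/signin">sign in
at https://www.examplebank.com</a> within 24 hours.</p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
<p><a href="http://203.0.113.5/update">Update your details</a></p>
"""

# Assumed allow-list of domains the organisation legitimately uses.
TRUSTED_DOMAINS = {"examplebank.com"}
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text)))
            self._href = None


def registered_domain(host):
    """Simplification: treat the last two labels as the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])


def analyse_links(html):
    """Return [(href, [reasons])] for links a user should not trust blindly."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host, reasons = urlparse(href).hostname or "", []
        if IPV4_RE.match(host):
            reasons.append("raw IP address instead of a domain name")
        shown = [registered_domain(m) for m in DOMAIN_RE.findall(text)]
        if shown and registered_domain(host) not in shown:
            reasons.append("visible text names a different domain than href")
        brand_in_host = any(t.split(".")[0] in host for t in TRUSTED_DOMAINS)
        if brand_in_host and registered_domain(host) not in TRUSTED_DOMAINS:
            reasons.append("trusted brand name used inside an untrusted domain")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Run on the sample, `analyse_links(SAMPLE_EMAIL_HTML)` flags the look-alike sign-in link and the raw-IP link while leaving the genuine help-centre link alone.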

Email hacking and contact spamming

In this type of attack, hackers pretend to be someone the victim may know. They send messages to specific people, and the target may assume they come from a trusted source because they arrive from an acquaintance. Perpetrators take over email accounts and spam the victim’s contact list with scam links. An example is the Outlook phishing scam, where people received emails about certain “issues” with their accounts and were asked to ‘sign in once again.’



Pretexting

Pretexting is the use of an eye-catching pretext, story, or ploy to divert someone’s attention. Having hooked the would-be victim with the story, the fraudster then tries to trick them into giving up something of value in return. An example of pretexting is an email naming you as the beneficiary of a will. It then asks for your personal information to prove your relation to the person who made the will. Instead of a speedy transfer of your inheritance, you risk handing bank account details to a con artist, who can then withdraw funds from your account.

Quid pro quo

This social engineering scam involves an exchange of information that supposedly benefits both the victim and the trickster. Scammers make the target believe that a fair exchange will take place between both sides, but in reality only the fraudster stands to benefit, leaving the victim with nothing. An example of quid pro quo is a scammer pretending to be an IT support technician. The con artist asks for the login credentials of a company computer, saying that the company will receive technical support in return. Once the victim has provided the credentials, the scammer has control over the computer and may load malware or steal personal information that can be used to commit identity theft.


Vishing

The “v” in vishing stands for voice, but the scam works the same way as phishing. The perpetrator uses the phone to call and trick a would-be victim into handing over some of their most valuable information. An example of this type of attack is a criminal calling an employee and posing as a co-worker. The criminal asks the victim for information such as company secrets or credentials that can later be used to target the employees or the organization itself.

Tailgating

This type of attack is also done in person. Fraudsters in this social engineering attack try to blend into the crowd to sneak into the target’s business premises and gather data. Tailgating can be deflected with security-conscious practices, which is why most workplaces now require ID badges with embedded RFID chips, electronic door locks, and access-control systems to keep intruders out. An example of this attack is someone dressing up as an employee of the organization. Without ID checks, the impostor would go unnoticed. Once inside the building, there is no limit to the damage they can cause: they can physically access servers to gather the organization’s information and install malware on the organization’s computers without being seen.


Latest Social Engineering Attacks

Coronavirus and Cybercrime: Germany assumes the EU presidency with a strong focus on cybersecurity

Because the country’s EU presidency program is focused on the worldwide Covid-19 pandemic, cybersecurity issues have recently been overlooked. Working from home became a priority and made innovation obligatory, which led Germany’s EU presidency manifesto to call for the protection of critical national infrastructure. The presidency has key cybersecurity issues it hopes to tackle over the next few months: connected devices, data protection, AI, and securing the IoT. According to Richard Cassidy, a senior director for security strategy at Exabeam, social engineering, phishing, and ransomware attacks have occurred much more often in the last three months. While COVID-19 is being contained, the presidency’s focus remains on the pandemic rather than on the increasing cyber-attacks.


Zoom fixes ‘vanity URL’ security issue that left users exposed to phishing exploits

A Zoom vanity URL is a meeting URL that the user can customize. The security firm explained that, prior to Zoom’s fix, an attacker could have tried to trick a victim into clicking a vanity URL and sending invitations that appeared legitimate. As Zoom became widely used at home during the coronavirus pandemic, criminals made many attempts to lay phishing traps. An earlier flaw in the Zoom application was the so-called ‘meeting crashing’ vulnerability, which allowed an attacker to gatecrash a meeting simply by guessing a Zoom meeting URL.

Google Firebase messaging vulnerability allowed attackers to send push notifications to app users

More than $30,000 in bounties was reportedly awarded for the discovery of a security issue that allowed attackers to send mass notifications to Android users. Since mass notifications are a commonly used social engineering vector, this phishing bug was cleaned up by the developers of the affected Google Firebase projects by checking for potentially vulnerable keys. As part of the resulting security improvements, developers are now alerted to fix their application whenever Google detects that a server key is being used.


Social Engineering in the world of Social Media

Nowadays, with technology evolving, almost everybody has their own social media accounts. Social media is a computer-based technology that simplifies the sharing of ideas, opinions, and information through virtual networks and communities. Everyday use of social media has made it easier for criminals to create fictional stories to capture the public’s attention. People confidently post their location on Facebook, share birthday pictures on Instagram or Snapchat, and rant about issues on Twitter. Little do they know that this information can be used against them if they are not cautious enough.

The Bigger, the Deadlier

People use social media as part of their day-to-day routine. Some get addicted to lurking on these platforms, and others just scroll once a day to stay updated. With networks connected all over the world, there is a good chance that you will encounter advertisements for cute items or discounted services while scrolling. Such an advertisement aims to hook your attention with the product on offer, along with the number of likes and engagements the post receives.

However, trusting these numbers may get you scammed. The bigger a post’s reach on social media, the bigger the threat it may carry. For example, a brand on Facebook or Instagram offers amazing coats at a buy-one-take-one price. You see that social media influencers have shared the post, and many people have liked and commented on it. This may convince you that people have been buying the product, so you click on the advertisement, add the product to the cart, and pay for it. But the product is never shipped, because it was a scam and the attackers only wanted your money. The thing is, on social media attackers can use bots to generate engagement and make a post look legitimate with many likes, comments, and shares. The more widespread and talked-about a digital medium is, the more likely a threat actor will try to abuse the platform.

The Abuse and Misconduct in Social media

Websites and other social media platforms have been open to various types of scams that attackers use:


C2 Infrastructures

Command-and-control servers, referred to as C&C or C2, are used by attackers to maintain communication with compromised systems such as computers and smartphones in a targeted network. This type of phishing attack is prevalent on Twitter, where shortened URLs are abused to hide malicious links, as attackers host their C2 infrastructure on the platform and gain access to users’ profile accounts and information.

Impersonation

Phishing is a popular form of social engineering, and it relies on impersonation. The better the impersonation, the greater the chance that the victim will believe the attacker. For example, an impersonator may act like someone who holds power in the company or who has strict authority. This can intimidate victims so that they simply follow what the attacker says. In the world of social media in particular, a threat actor may pose as a rich businessman and offer something of value. An example is what you see on the Facebook, Instagram, or Twitter posts of a celebrity: among the comments there is one offering free bitcoins with an attached link, but in reality it is a trap that installs malware on your device.

Credential Theft and Propagation

Attackers abuse social platforms by creating sites and links designed to trick vulnerable users. These fake landing pages ask for your login credentials, and once a victim logs in, the threat actor gains access to the account and can use it to trick more users into logging in as well. After stealing the personal information, hackers can propagate the scam to other users within the network and even ask the victim’s contacts for wire transfers.

Data Dumps

Dumps of breached databases are routinely spread on the internet. The dark web and other marketplaces even sell confidential data retrieved from breaches, and dump sites and forums spread the word about such incidents.

Data Gathering

When creating social media accounts, you may be asked security questions such as the name of your first pet. Posting images of your pet and calling out its name on social media may reveal the answer to that security question, which can then be used to reset your passwords. What you post on social media can be a path for people to dig deeper into your personal life. Threat actors can find even the smallest piece of data and use it to build an attack. Although data gathering may seem trivial, refrain from giving out information that can be used against you.

The following are data collection tools used for data gathering:

  1. Surveys: e.g. Google Forms, Facebook Polls
  2. Interviews: e.g. Zoom and Skype Meetings
  3. Check Lists: e.g. Canva, Checkli, and Trello
  4. Case Studies: e.g. Encyclopedia, Grammarly, and QueText
  5. Usage Data: e.g. Suma


Train your employees to think before they click

Most social engineering attacks victimize those who act first and think later. Some baiting messages convey a sense of urgency and press the person to click on links or attachments. With an anti-phishing solution like OhPhish, you can deploy a campaign in minutes, get a detailed automated report, assess who is susceptible to such an attack, train them on an LMS to become more aware, and deploy a second wave to test their readiness after training.

Here are some of OhPhish’s most prominent solutions for averting phishing attacks:

OhPhish Learning Management System

The OhPhish Learning Management System is designed and developed for all the sectors and different industries. It is integrated with several training videos and modules that are easy to comprehend and analyze.

Email, SMSishing, and Vishing Phishing Simulation

These phishing simulations mimic real phishing situations, helping you track how your employees react to a phishing attack.

CheckAPhish & CheckAPhish+

CheckAPhish and CheckAPhish+ monitor the emails an employee receives, filter the messages, and delete spam emails.

Identify vulnerabilities and ensure safety protocols

EC-Council’s Certified Ethical Hacker (Master) program has an entire module dedicated to social engineering attacks, which helps you assess the security status of an organization by identifying vulnerabilities in the network and system infrastructure to determine whether unauthorized access is possible. The CEH is the most comprehensive ethical hacking course for helping information security professionals understand the basics of ethical hacking. EC-Council will bring out the best of your understanding and skillset regarding cyber-attacks and how you can recover from them.


The Certified Ethical Hacker (CEH) is a recognized ethical hacking program and is recommended for all information security professionals who want to be equipped with proper ethical hacking skills. You can also practice social engineering via iLabs. The CEH brings out the best in you and keeps you updated with the latest hacking tools and practices that information security professionals use to protect and secure the organization from future cybercrime.