Social engineering is the term used for a wide range of malicious activities accomplished through human interaction. It uses psychological manipulation to trick users into making security mistakes or revealing sensitive information.
Social engineering attacks happen in one or more steps. The attacker first investigates the intended victim to gather the information needed for the attack to proceed, such as possible entry points and weak security procedures. Then the attacker tries to gain the victim's trust and prompt actions that break security, such as disclosing sensitive information or granting access to critical resources.
What makes social engineering especially dangerous is that it relies on human error rather than on vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, which makes them harder to detect and prevent than a malware-based intrusion.
Social engineering attack techniques
Social engineering attacks come in many different forms and can be carried out wherever human interaction is involved. The following are the five most common forms of digital social engineering attack.
Baiting
As its name implies, baiting attacks use a false promise to pique the victim's curiosity. They lure users into a trap that steals their personal information or infects their systems with malware.
The most dangerous form of baiting uses physical media to distribute malware. For example, attackers leave the bait (flash drives loaded with malware) in prominent areas where potential victims are certain to see it (e.g. bathrooms, lifts, the parking lot of the targeted company). The bait carries something that draws the victims' attention, such as a label reading "company payroll".
Victims pick up the bait out of curiosity and plug it into a work or home computer, which results in malware being installed on the system automatically.
Of course, baiting scams are not confined to the physical world. Online forms of baiting consist of tempting advertisements that lead to malicious sites or encourage users to download an application infected with malware.
Scareware
Scareware bombards victims with false alarms and fictitious threats. Users are misled into thinking their system is infected with malware, which prompts them to install software that has no real benefit. Scareware is also referred to as deception software, rogue scanner software or fraudware.
A common example of scareware is the legitimate-looking pop-up banner that appears in the browser while surfing, showing text such as "Your computer may be infected with malicious spyware." It either offers to install the "necessary" tool for you (often itself malware) or directs you to a malicious site where your computer will be infected.
Scareware is also distributed through spam email.
Pretexting
Here an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from the victim in order to perform a critical task.
The attacker usually begins by establishing trust with the victim, impersonating colleagues, police officers, bank or tax officials, or other people with apparent authority. The pretexter asks questions that are ostensibly required to confirm the victim's identity, and through them collects important personal data.
All sorts of data and records are gathered using this scam, such as social security numbers, personal addresses and phone numbers, phone records, holiday dates, bank records and more.
Phishing
One of the most popular types of social engineering attack, phishing scams are email campaigns designed to draw the victim's attention. They then lead victims to disclose sensitive information by clicking links to malicious sites or by opening attachments that contain malware.
A typical example is an email sent to users of an online service notifying them of a policy violation that requires immediate action on their part, such as a password change. It includes a link to an illegitimate site, almost identical to the legitimate one, prompting the unsuspecting user to enter their current credentials and a new password. When the form is submitted, the information goes to the attacker.
Since the same or nearly identical messages are sent to all users in a phishing campaign, detecting and blocking them is much easier for mail servers that have access to threat sharing platforms.
Spear phishing
This is a more targeted version of the phishing scam, in which the attacker selects specific individuals or businesses. They then tailor their messages to the characteristics, job roles and contacts of their victims to make the attack less conspicuous. Spear phishing requires much more effort on the perpetrator's part and may take weeks or months to carry out. Such attacks are much harder to detect and have better success rates when done skilfully.
A spear phishing scenario might involve an attacker who, impersonating an organization's IT consultant, sends an email to one or more employees. It is worded and signed exactly as the consultant would, deceiving recipients into believing it is an authentic message. The message asks recipients to change their password and provides a link that redirects them to a malicious page where the attacker captures their credentials.
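The phishing and spear phishing scenarios above share one anatomy: an urgent request, a link whose visible text shows the legitimate site while its target is a look-alike domain, and a body that is nearly identical across recipients. The following Python script is an added example, not code from the original article: it applies the kind of heuristics a mail gateway might use on the defending side, flagging such links and computing a campaign fingerprint of the sort exchanged over threat sharing platforms. The trusted domain `example-bank.com`, the look-alike `examp1e-bank.com`, the phrase list and all sample messages are constructed for the example.

```python
"""Added example (not from the original article): gateway-side heuristics
for credential-reset lures plus a campaign fingerprint. All domains,
phrases and messages below are constructed for illustration."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains the organisation legitimately uses (assumption).
TRUSTED_DOMAINS = {"example-bank.com"}
# Phrases typical of the pressure a lure applies (constructed list).
URGENCY_PHRASES = ("immediate action", "account will be suspended",
                   "verify your password", "policy violation")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a, b):
    """Edit distance; used to spot one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Crude 'last two labels' stand-in for the registrable domain
    (a real gateway would consult the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def link_findings(href, text):
    """Return the reasons a single link looks like a credential lure."""
    findings = []
    host = urlparse(href).hostname or ""
    target = registered_domain(host)
    if target in TRUSTED_DOMAINS:
        return findings
    # Visible text names a domain that differs from where the link goes.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registered_domain(m.group(1)) != target:
        findings.append("link_text_mismatch")
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:            # e.g. example-bank.com.verify-login.net
            findings.append(f"trusted_name_embedded:{host}")
        elif levenshtein(trusted, target) <= 2:
            findings.append(f"lookalike_domain:{target}")
    return findings


def campaign_fingerprint(html):
    """SHA-256 of the body with recipient-specific fragments masked, so the
    near-identical copies a campaign sends to every user collide."""
    text = re.sub(r"<[^>]+>", " ", html)
    text = re.sub(r"[\w.+-]+@[\w-]+\.[\w.]+", "<email>", text)
    text = re.sub(r"https?://\S+", "<url>", text)
    text = re.sub(r"\d+", "<num>", text)
    return hashlib.sha256(re.sub(r"\s+", " ", text).strip().lower().encode()).hexdigest()


def analyse(html, shared_hashes=frozenset()):
    """Combine link checks, urgency wording and shared fingerprints into a verdict."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = [f for href, text in parser.links for f in link_findings(href, text)]
    plain = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).lower()
    if any(p in plain for p in URGENCY_PHRASES):
        findings.append("urgency_language")
    fp = campaign_fingerprint(html)
    if fp in shared_hashes:
        findings.append("known_campaign")
    verdict = ("block" if "known_campaign" in findings or len(findings) >= 2
               else "review" if findings else "deliver")
    return {"verdict": verdict, "findings": findings, "fingerprint": fp}


# Constructed sample messages: two copies of one lure, and a benign notice.
LURE_1 = """<p>Dear customer,</p><p>We detected a policy violation on your account
(ref 48213). Immediate action is required: <a href="http://examp1e-bank.com/reset">
https://example-bank.com/reset</a> within 24 hours or your account will be suspended.</p>
<p>Sent to j.doe@corp-example.test</p>"""
LURE_2 = LURE_1.replace("48213", "77190").replace("j.doe", "m.roe")
LEGIT = """<p>Hello,</p><p>Your March statement is available. Log in at
<a href="https://mail.example-bank.com/statements">our website</a> at your convenience.</p>"""

if __name__ == "__main__":
    first = analyse(LURE_1)
    print(first["verdict"], first["findings"])
    # Once the fingerprint is shared, the next copy is recognised outright.
    print(analyse(LURE_2, {first["fingerprint"]})["verdict"])
    print(analyse(LEGIT)["verdict"])
```

Masking URLs in the fingerprint is deliberate: it keeps the hash stable when the same lure is resent with a rotated link domain, at the cost of not distinguishing campaigns that differ only in their landing page.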
Prevention of Social Engineering
Social engineers manipulate human feelings, such as curiosity or fear, to achieve their goals. Therefore, be cautious whenever you receive an email, message or notice that seems even a little strange.
In addition, the following tips can help you improve your vigilance against social engineering attacks.
- Do not open emails and attachments from suspicious sources
If you do not know the sender, you do not need to reply to the email. Even if you know them but are suspicious of their message, check and confirm it through other channels, such as by phone or directly from the service provider's website. Remember that email accounts are compromised all the time; even an email that allegedly comes from a trusted source may come from a hacker.
- Use multi-factor authentication
Using multi-factor authentication helps protect your account in the event of a system compromise.
- Be careful with the tempting offers
If an offer sounds too tempting, think twice before clicking.
- Keep antivirus / anti-malware software up to date
Make sure automatic updates are turned on. Check periodically that updates have been applied and scan your system for possible infections.