What is Social Engineering, what are its techniques and how to protect yourself?

Social engineering is the term used for a wide range of malicious activities that are carried out through human interaction. It uses psychological manipulation to trick users into making security mistakes or revealing sensitive information.

Social engineering attacks take place in one or more steps. The attacker first investigates the intended victim to gather the information needed for the attack to proceed, such as possible entry points and weak security practices. The attacker then tries to gain the victim's trust and lead them into actions that make them vulnerable, such as disclosing sensitive information or granting access to critical resources.

What makes social engineering especially dangerous is that it relies on human error rather than on vulnerabilities in software and operating systems. Mistakes made by legitimate users are far less predictable, which makes them harder to detect and prevent than a malware-based intrusion.


Social engineering attack techniques

Social engineering attacks come in many different forms and can be carried out wherever human interaction is involved. The following are the five most common forms of digital social engineering attack.

Baiting

As the name implies, baiting attacks use a false promise to arouse the victim's curiosity. They lure users into a trap that steals their personal information or infects their systems with malware.

The most dangerous form of baiting uses physical media to distribute malware. For example, attackers leave the bait (flash drives loaded with malware) in conspicuous places where potential victims are certain to see it (e.g. bathrooms, lifts, the car park of the targeted company). The bait carries something that draws the victim's attention, such as a label reading "company payroll list".

Victims pick up the bait out of curiosity and plug it into a work or home computer, which results in malware being installed on the system automatically.

Of course, baiting scams are not confined to the physical world. There are also online forms of baiting, consisting of tempting advertisements that lead to malicious sites or encourage users to download an application that is infected with malware.

Scareware

Scareware means bombarding victims with false alarms and fictitious threats. Users are deceived into thinking that their system is infected with malware, which prompts them to install software that has no real benefit. Scareware is also referred to as deception software, rogue scanner software or fraudware.

A common example of scareware is the legitimate-looking pop-up banners that appear in the browser while surfing, displaying text such as "Your computer may be infected with malicious spyware." They either offer to install the "necessary" tool for you (often itself infected with malware) or direct you to a malicious site where your computer will be infected.

Scareware is also distributed through spam email.

Pretexting

Here an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator who pretends to need sensitive information from the victim in order to carry out a critical task.

The attacker usually starts by establishing trust with the victim, impersonating colleagues, police officers, bank or tax officials, or other persons with apparent authority. The pretexter asks questions that are ostensibly required to confirm the victim's identity, and through them collects important personal data.

All kinds of data and records are gathered through this scam, such as social security numbers, home addresses and phone numbers, phone records, holiday dates, bank records and more.

Phishing

One of the most popular types of social engineering attack, phishing scams are email campaigns designed to catch the victims' attention. They then lead to the disclosure of sensitive information when the victim clicks a link to a malicious site or opens an attachment that contains malware.

A typical example is an email sent to users of an online service notifying them of a policy violation that requires immediate action on their part, such as a password change. It includes a link to a fraudulent site, almost identical to the legitimate one, prompting the unsuspecting user to enter their current credentials and a new password. When the form is submitted, the information is sent to the attacker.

Because the same or nearly identical messages are sent to all users in a phishing campaign, detecting and blocking them is much easier for mail servers that have access to threat-sharing platforms.

Spear phishing

This is a more targeted version of phishing, in which the attacker selects specific individuals or businesses. They then tailor their messages to the characteristics, job roles and contacts of their victims so that the attack is less conspicuous. Spear phishing requires much more effort from the perpetrator and may take weeks or months to pull off. It is much harder to detect and has a better success rate when carried out skilfully.

A spear phishing scenario might involve an attacker who, impersonating an organisation's IT consultant, sends an email to one or more employees. It is worded and signed exactly as the consultant would do, deceiving the recipients into believing it is an authentic message. The message asks the recipients to change their password and provides a link that redirects them to a malicious page, where the attacker captures their credentials.
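The phishing and spear phishing examples above share the same shape: a sender or link domain that imitates a trusted one, and an urgent request to change a password. The following detector, an added example that is not code from the SecNews article, flags those three indicators in a raw email using only the Python standard library; the trusted domain list, the urgency phrases and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAINS = {"example-bank.com"}  # domains the organisation really uses (assumed)
URGENCY = ("immediate action", "policy violation", "account will be suspended")

def levenshtein(a, b):
    """Edit distance between two strings; a small value between hosts signals a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host, legit=LEGIT_DOMAINS):
    """True when host is not a trusted domain or subdomain but imitates one (near-typo or brand buried in a longer host)."""
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in legit):
        return False
    return any(levenshtein(host, d) <= 2 or d in host for d in legit)

def phishing_indicators(raw_email, legit=LEGIT_DOMAINS):
    """Return the indicators found in one RFC 822 message; an empty list means none."""
    msg = message_from_string(raw_email)
    found = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if sender_host and is_lookalike(sender_host, legit):
        found.append(f"sender domain imitates a trusted one: {sender_host}")
    body = msg.get_payload()
    for href in re.findall(r'href=["\']([^"\']+)', body, re.I):
        host = urlparse(href).hostname or ""
        if is_lookalike(host, legit):
            found.append(f"link points to a lookalike domain: {host}")
    lowered = body.lower()
    if "password" in lowered and any(w in lowered for w in URGENCY):
        found.append("urgent password-change request")
    return found

# Constructed sample message in the shape the article describes (not a real e-mail).
SAMPLE = """From: Example Bank Security <alerts@examp1e-bank.com>
To: user@example.org
Subject: Policy violation - immediate action required
Content-Type: text/html

<p>A policy violation requires immediate action. Change your password <a href="https://example-bank.com.secure-login.net/reset">here</a>.</p>
"""
```

Running `phishing_indicators(SAMPLE)` reports all three indicators, while a genuine statement notice from `news@example-bank.com` linking to `online.example-bank.com` reports none.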


Prevention of Social Engineering

Social engineers manipulate human feelings, such as curiosity or fear, to achieve their goal. Therefore, be cautious whenever you receive an email, message or notification that seems even slightly odd.

In addition, the following tips can help you improve your vigilance against social engineering attacks.

  • Do not open emails and attachments from suspicious sources

If you do not know the sender, you do not have to reply to the email. Even if you know them but are suspicious of their message, check and confirm the content through other channels, such as by phone or directly from the service provider's website. Remember that email addresses are compromised all the time: even an email that appears to come from a trusted source may come from a hacker.

  • Use multi-factor authentication

Using multi-factor authentication helps protect your account in the event of a system compromise.

  • Be careful with the tempting offers

If an offer sounds too tempting, think twice before clicking.

Make sure automatic updates are turned on. Check periodically that updates have been applied, and scan your system for possible infections.


The author permits copying of this text only if the source (SecNews.gr) is cited with a live link to the article.