Social engineering is a type of manipulation based on tricking the user through different malicious activities to secretly provide private information like passwords and bank account information or access your device to install malware (malicious software). These attacks usually happen online, in person, and through other interactions.
- What are the steps in a social engineering attack?
- How do you recognize social engineering attacks?
- Types of social engineering attacks
- Final thoughts
Scams based on social engineering are built around the way people think and behave. Therefore, social engineering attacks are handy for manipulating user’s behavior. Once the attacker understands the motivation of the user’s behavior, they can effectively deceive and manipulate the user. For example, it’s a lot easier to trick someone into giving their passwords than for you to try hacking their password (unless the password is really week).
What are the steps in a social engineering attack?
Social engineering attacks usually happen in one or more steps. A threat actor mostly follows the steps below:
- Preparing the ground for attack
- identifying the victim (or the victims)
- obtaining background information
- deciding what attack method(s) to use
2. Deceiving the victim
- engaging the target
- spinning a story
- taking control of the interaction
3. Gaining access to the information over a period of time
- extending foothold
- performing the attack
- destroying business or/and siphoning data
4. Closing the interaction without arousing suspicion
- removing all traces of malware
- covering tracks
- ending the attack naturally
This process can take place in a single email or over months after several social media chats. Or, as we said, it could even happen in face-to-face interaction. Eventually, it concludes with an action you take, like giving your personal information or exposing yourself to malware.
How do you recognize social engineering attacks?
1. Email from a “friend”
If criminals manage to crack or socially engineer a person’s email password, they can access that person’s contact list, and since most people use a password everywhere, they may also have access to that person’s social network contacts people.
Once the threat actor takes control of the email account, they will send emails to all of the person’s contacts or leave a message on all the social pages of their friends, or they may also leave a message on the friend’s page of the person’s friends.
To take advantage of your trust and curiosity, these messages will mostly contain the following:
- contain a link: that you just have to check-out because the link comes from a friend and you are curious about it. Eventually, you’ll click on the link and be infected with malware so the criminal can control your device and collect your contacts info for deceiving others
- contain an attachment to download: it can either be pictures, movies, music, a document and so on. However, these attachments have a malicious software embedded. Now, the hacker has access to your device. social network accounts and contacts, email account, and the attack spreads to everyone you know on and on.
2. Email from other trusted source
Phishing attacks are a part of social engineering strategy that mimics a trusted source and come up with a seemingly logical scenario for handing over login credentials or other sensitive personal data.
According to Verizon’s annual data breach investigation, social engineering attacks are responsible for 93% of successful data breaches.
Possible scenarios and messages you may receive:
- urgently asking for your help: your “friend” has been robbed, had an accident or is in the hospital and they need you to send money immediately. After all, they tell you how to send the money to the scammer.
- phishing attempts with a legitimate appearing background: basically, a phisher sends an email, instant message, comment or text message that appears to come from a legitimate bank, school, popular company or institution.
- ask for a donation for their charitable fundraiser: you’ll most likely receive instructions on how to send the money to the criminal. Relying on your kindness and generosity, these hackers ask for aid or support for whatever disaster, political campaign or charity.
- presenting a problem that asks you to “verify” your data by clicking on a specific link: the link location appear very legitimate with all the right logos and content (maybe even copied the exact format from the original site). Given that, you trust the email and the false website and provide whatever information the hacker is asking for. In addition, these types of phishing scams include a warning of what will happen if you fail to act soon (manipulating you into “act before you think”).
Types of social engineering attacks
1. Phishing attacks
- Phishing attackers pretend to be a legitimate, trusted company or individual trying to persuade you to share personal data and other valuables.
- It can happen in one or two ways, respectively, spam phishing (widespread attack aimed at many users) and spear-phishing (by extension whaling, which use personalized info to target specific users, such as celebrities, upper management, and high government officials).
2. Baiting attacks
- Baiting abuses your natural curiosity to persuade you into exposing yourself to an attacker. The manipulation used to exploit you is usually a potential for something exclusive or free. This type of abuse typically involves infecting your device with malware.
- Popular methods of baiting are: USB drives left in public spaces and email attachments including details on a free offer, or fraudulent free software.
3. Physical breach attacks
- This type of attack involves hackers appearing in-person, posing as someone legitimate to gain access to unauthorized areas or data.
- Such attacks are most common in enterprise environments, such as business, governments or other organizations. Therefore, attackers pretend to be a representative of a trusted company. As a fact, some of the attackers might even be recently fired employees that want to take revenge.
- They make their identity unknown but credible enough to avoid further questions. This requires a bit of research for the attacker and also involves high-risk.
4. Pretexting attacks
Pretexting uses deceptive identities as an “excuse” to build trusts, such as directly impersonating a supplier or facility employee. This method requires the attacker to interact with you more actively. Once they convince you that they are legitimate, they will continue to exploit you.
5. Access tailgating attacks
Tailgating (or piggybacking) is the act of trailing an authorized employee into a restricted access area.
Basically, the attackers try to convince you that they are also authorized to be in the area. As a fact, pretexting can play a role here too.
6. Quid pro quo attacks
- This literally means “a favor for a favor”, which in the context of phishing means an exchange of your personal information for some reward or compensations. Most commonly, giveaways or offers to take part in research studies might expose you to this type of attack.
- The exploit comes from getting you excited for something valuable that comes with a low investment. In the end, though, the attacker simply collects your data with no rewards for you.
7. DNS spoofing and cache poisoning attacks
- DNS spoofing manipulates your browser and web servers to redirect you to malicious websites when you enter a legitimate URL. Once infected, the redirect will continue unless the wrong routing data is erased from the systems involved.
- On the other hand, DNS cache poisoning attacks particularly infect your device with routing instructions for the legitimate URL or multiple URLs to connect to suspicious websites.
8. Scareware attacks
- Scareware is a type of malware used to terrify you into taking an action. This deceptive malware uses alarming warning that report fake malware infections or claim one of your accounts has been compromised.
- As an effect, scareware pushes you to buy fraudulent cybersecurity software, or reveal private info like your account credentials.
9. Watering hole attacks
- These attacks infect well-known webpages with malware to impact a lot of users at a time. It requires careful planning on the attacker’s part to find vulnerabilities in specific sites. They look for existing weaknesses that are not known and patched (these vulnerabilities are considered zero-day exploits)
- However, they may find a website has not updated their infrastructure to patch out known issues. Website owners usually choose delay software updates to keep software versions they know are steady. They will switch once the newer version has a proven track record of system stability.
- Therefore, hackers abuse this behavior to target recently patched weaknesses.
10. Unusual social engineering methods
- fax-based phishing: when a customer of a bank receives a fake e-mail claiming to be from the bank, asking the customer to confirm their access code, the confirmation method was not via the usual e-mail or Internet route. Instead, customers were asked to print out the form in the email, then fill in their details and fax the form to the phone number of the attacker.
- traditional mail malware distribution: in Japan, cyber attackers used a home-delivery service to share CDs that were infected with Trojan spyware. The disks were delivered to the clients of a Japanese bank. Given that, the clients’ addresses had previously been stolen from the bank’s database.
Preventing social engineering attacks begins with education. If all users are aware of these threats, our safety as a collective society will be improved. Therefore, make sure you raise awareness about these risks by sharing what you have learned with your employees, colleagues, friends, and family!