What is Social Engineering?
All humans make mistakes. One of the most intriguing findings from IBM’s “2014 Cyber Security Intelligence Index” is that 95 percent of all security incidents involve human error. Many of these are successful security attacks from external attackers who prey on human weakness in order to lure insiders or outsiders within organizations to unwittingly provide them with access to sensitive information.
Today, legitimate websites are increasingly being hacked precisely because they are the sort of websites that users routinely trust. In addition, compromised websites are being used in attacks that target the interests of specific users or groups.
Even if you use anonymity mechanisms, secure (encrypted) channels to communicate and take a variety of other measures to protect your online privacy, what happens if you are caught by social engineering and someone simply gets your credentials, bypassing all of those security barriers to access your online world? So what is social engineering?
Remember the ancient Greeks’ “gift” horse to the city of Troy? While a social-engineering attack is by no means new, today this highly effective tool snares its victims through phishing, elicitation and impersonation.
Anyone — even pros — can become a victim of a social-engineering attack. “It’s nearly impossible to detect you’ve been socially engineered,” said Daniel Cohen, head of knowledge delivery and business development for RSA’s FraudAction group, who says malicious social engineering is one of the biggest problems for security. “As long as there’s a conscious interface between man and machine, social engineering will always exist.”
Money is the main reason malicious social engineering is so pervasive. In October 2013, RSA identified more than 62,000 phishing attacks, which raised the bar in terms of number of attacks carried out within a single month. The median takedown time for attacks is 12 hours — worth roughly $300 each hour. During October 2013 alone, phishing attacks netted $233 million.
And it’s easy money. On the underground market, you can buy a spam service to blast out 500,000 emails for a mere $75. “Of those 500,000 recipients, some people will inevitably send Bitcoins or whatever you’re asking for,” said Cohen. “It’s why we’re seeing mind-blowing losses on the order of hundreds of millions globally to phishing.”
While phishing has traditionally plagued the financial sector because it’s easy to commercialize and sell financial credentials, attackers are now branching out to target mobile and gaming platforms, as well as airlines’ frequent flier mile programs. Every company can be and will be a target.
One factor behind the expansion of phishing attacks is that, thanks to ‘underground’ sites on the dark Web, fraudsters from all over the globe have a way to connect and collaborate anonymously. They frequently solicit partners with social-engineering skills, as shown in the figure below, to help fill in the missing pieces of identities, which they can then turn around and either use or sell.
Phishing scams are probably the most common type of social engineering attack used today. Most phishing scams demonstrate the following characteristics:
- Seek to obtain personal information, such as names, addresses and social security numbers.
- Use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate.
- Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly.
Some phishing emails are more poorly crafted than others, to the extent that their messages often exhibit spelling and grammar errors, but these emails are no less focused on directing victims to a fake website or form where the attackers can steal login credentials and other personal information.
They are often paired with malware to create a complete package: the user's machine not only leaks the credentials but is also compromised.
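As an added illustration (not code from the original post), the following Python script checks an e-mail body for the three phishing characteristics listed above: link text that names a different site than the real link target, links that go through URL shorteners, and urgency wording. The shortener list, keyword list and sample message are constructed for the example; a real mail filter would use far larger curated lists.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed, illustrative lists (assumption): production filters use curated ones.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify now|within 24 hours)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def _base_domain(host):
    """Last two labels of a host name (simplification: ignores co.uk-style suffixes)."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(html):
    """Return human-readable findings for an e-mail body; an empty list means none found."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = (urlparse(href).hostname or "").lower()
        if real_host in SHORTENERS:
            findings.append(f"shortened link: {href}")
        shown = DOMAIN_IN_TEXT.search(text)       # does the link text itself name a site?
        if shown and _base_domain(shown.group(0)) != _base_domain(real_host):
            findings.append(f"link text shows {shown.group(0)} but goes to {real_host}")
    plain = re.sub(r"<[^>]+>", " ", html)         # crude tag strip for the urgency check
    if URGENCY.search(plain):
        findings.append("urgency language present")
    return findings

# Constructed sample message exhibiting all three characteristics.
SAMPLE = ('<p>Your account will be <b>suspended</b> unless you verify now.</p>'
          '<a href="http://bit.ly/x1">Confirm</a> or visit '
          '<a href="http://login.example-bank.com.evil.test/">www.example-bank.com</a>')
```

Calling `phishing_indicators(SAMPLE)` yields one finding per characteristic; a message whose link text and target share a base domain and that contains no urgency keywords yields an empty list.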
Pretexting is another form of social engineering in which attackers focus on creating a good pretext, or fabricated scenario, that they can use to try to steal their victims' personal information. These attacks commonly take the form of a scammer who pretends to need certain bits of information from the target in order to confirm the target's identity.
Pretexting attacks are commonly used to gain both sensitive and non-sensitive information. Back in October, for instance, a group of scammers posed as representatives from modeling agencies and escort services, inventing fake background stories and interview questions in order to have women, including teenage girls, send them nude pictures of themselves, which the scammers later sold on to pornographic businesses for large sums of money.
Baiting is in many ways similar to phishing. What distinguishes it from other types of social engineering, however, is the promise of an item or good that attackers use to entice victims. Baiters may offer users free music or movie downloads, provided they surrender their login credentials to a certain site.
Baiting attacks are not restricted to online schemes, either. Attackers can also focus on exploiting human curiosity via the use of physical media.
- QUID PRO QUO
Similarly, quid pro quo attacks promise a benefit in exchange for information. This benefit usually assumes the form of a service, whereas baiting frequently takes the form of a good.
One of the most common types of quid pro quo attack involves fraudsters who impersonate IT support staff and cold-call as many direct numbers belonging to a company as they can find. These attackers offer IT assistance to each and every one of their victims, which in fact serves to establish a path for their own malicious aims.
It is important to note, however, that attackers can use much less sophisticated quid pro quo offers than IT fixes.
Another social engineering attack type is known as tailgating or “piggybacking.” These types of attacks involve someone who lacks the proper authentication following an employee into a restricted area.
In fact, Colin Greenless, a security consultant at Siemens Enterprise Communications, used these same tactics to gain access to several different floors, as well as the data room at an FTSE-listed financial firm. He was even able to base himself in a third floor meeting room, out of which he worked for several days.
The bottom line is that you can fight against a social-engineering attack, but social engineering isn’t going away. As Michele Fincher, chief influencing agent at Social-Engineer, sums it up:
“Many of the decisions we make come from basic human nature and behavior, and we’re reacting as humans react. Good social engineers really understand how to work with that, and it’s something technology can’t keep you safe from.”
Hackers who engage in social engineering attacks prey on human psychology and curiosity in order to compromise their targets' information. With this human-centric focus in mind, it is up to users themselves to prepare against these malicious acts.
In the next post you can find several tips on how you can avoid social engineering schemes.
Check blog.mailfence.com for the most recent version of this blog post.
- Mailfence Team