Overview of Social Engineering

Arshad Suraj
May 15 · 6 min read
Photo by vipul uthaiah on Unsplash

Social Engineering is the art of influencing individuals in order to gain Confidential information such as passwords, bank details etc by exploiting human vulnerabilities. Instead of using technological vulnerabilities, these attacks take advantage of human weaknesses such as feelings, trust, and habits to gain people’s confidential information. Even though this is less advanced than other cyber-attack strategies, social engineering can cause severe harm to the victim.

How Does social Engineering work?

Social engineering scams are focused on how people think and behave. Once an attacker knows what triggers a user’s actions, then they can easily manipulate them. The majority of social engineering scams rely on direct communication between the attacker and the victim. Rather than using brute force methods to break the data, the attacker would try and convince the user to compromise themselves.

The following are the steps in a typical social engineering attack cycle:

Investigation: The attacker will choose a victim, conduct background research on them, and determine an attack method.

Hook: The attacker will get closer to the victim by establishing a relationship and gaining trust.

Play: Once the relationship is developed, the attacker will manipulate the victim and obtain the necessary information.

Exit: When the attacker receives the necessary information or the user performs the desired action, the attacker will end their communication with the victim and move on to a new target.

Why Social Engineering? Rather than doing advanced technical hacking to crack your password, it’s easy for an attacker to get your password if he knows you are using your girlfriend’s name as your password. 😜

Popular Social Engineering Attacks

Phishing Attacks

Phishing attackers will pretend as a trustworthy organization or individual in order to force you to reveal personal information. This method involves sending spoof emails, phone calls, or SMS randomly to a large number of people requesting them to provide their confidential information. To trick people into giving up passwords and other personal details, their communication will appear to come from a legitimate organization. Whether it’s a direct communication or via a fake website form, anything you share goes directly into a scammer’s pocket.

Spear Phishing

This is a more focused variant of the phishing scam, in which the attacker targets particular people or companies. They then do a background study and customize their messages based on the characteristics, job titles, and contacts of their victims in order to build trust and make their attack less transparent.

Scareware

Scareware is a technique that manipulates victims by sending false alerts and threatening them with fictitious attacks. Users are fooled into believing their device is infected with viruses and asked to download and install software that has no real benefit (other than for the attacker). When the user clicks the link or installs the software, the attacker gains access to the user’s data.

Baiting

Baiting attacks use baits to lure the victim by triggering their curiosity. Baits are physical or non-physical items such as pendrives, CDs with company logos etc which is used to steal a victim’s confidential information. Attacker leaves bait in a common area such as parking, bathroom etc. Once victim picks up the bait out of curiosity and injects it into a work or home computer, the device will be infected with malware automatically.

Pretexting

By impersonating coworkers, police, bank officials, or other people with right-to-know authority, the attacker will typically gain the confidence of their target. The attacker will pretend they need confidential information from the victim in order to complete a critical task. An attacker will obtain confidential information by telling a series of highly detailed lies.

Social engineering prevention

Every organization has human aspect. Humans are curious by nature, sometimes make rash decisions by guided by their emotions. As a result, knowing how to avoid social engineering attacks is important. Below are few steps to prevent social engineering attacks.

  1. Do not open emails or attachments from unknown senders — You do not need to reply if you do not recognize the sender. Even if you know them and are suspicious of their message, you can double-check and validate the information from other sources, such as the telephone.
  2. Using multifactor authentication — User credentials are one of the most useful pieces of information for attackers. Multifactor authentication helps secure your account by preventing giving access to the attacker if he knows 1 factor of your credential.
  3. Use strong passwords (and a password manager) — Each of your passwords should be unique and difficult to guess. Make an effort to use a variety of character forms, such as uppercase, numbers, and symbols. make sure your password contains more than 8 characters (As the length increase, so does the strong). You can use a password manager to securely store and remember all of your custom passwords.
  4. Avoid sharing your 1st school teacher, pets, birthplace, or other personal information. You may be unintentionally disclosing the answers to your security questions or portions of your password. You’ll find it more difficult for an attacker to access your account if you make your security questions memorable but incorrect.
  5. Be very cautious of building online-only friendships. — Although the internet can be a useful tool for connecting with people all over the world, it is also a popular platform for social engineering attacks.
  6. Never leave your computers unlocked in a public place. — Always make sure your computer and mobile devices are locked, particularly if you’re at work. Always keep your devices in your hands when using them in public places such as airports and coffee shops.

How can developers secure their client’s password?

Regardless of how much the user protects their password, due to the vulnerabilities of the system built by an inexperienced developer, the user’s password can end up in the hands of an attacker. Hackers would find it much easier to steal data if passwords are stored in plain text with no modifications. Password protection should be handled properly by developers. Developers have number of options for protecting their clients’ passwords. Some of them are,

  1. Encryption
  2. Hashing

let’s take a brief look on each.

Encryption

Encryption is a method of converting data into an unreadable format. The converted unreadable form is called as cypher text. This cypher text is not the same as the original message, it is an entirely different message. The encryption algorithm uses encryption keys to generate cypher text from plain text. Since senders use an encryption algorithm and send their data as cypher text, hackers would be unable to read the data.

Encrypthion mechanism — picture by-guru99

When we encrypt something, we can decrypt it and read the original message later. Decryption is a process of converting cypher text to plain text which readable by a human or a computer.

Decryption mechanism — picture by-guru99

Hashing

Hashing is the one-way calculation that is used in cryptography. They take any length string of data and always return an output of the predetermined length. This output is called “Hash value”. The length of the hash value is same, regardless of whether your input is 1000 letters or 2 letters.

Since these functions don’t use keys, the result for a given input is always the same. Therefore if 2 hash values are identical then the real text is also identical. Therefore while storing password as a hash value if two people has the same hash value, they are having same password. To avoid this drawback Salting is introduced.

Salting is the method of applying a random piece of data to an existing password before hashing it. The Salt refers to the random data that is applied. When the algorithm generates salt, it generates a unique salt for each password. So the password will be hashed with the salted value at the end. As a result, at the end of the day, each password has unique hash value.

Nerd For Tech

From Confusion to Clarification

Nerd For Tech

NFT is an Educational Media House. Our mission is to bring the invaluable knowledge and experiences of experts from all over the world to the novice. To know more about us, visit https://www.nerdfortech.org/. Don’t forget to check out Ask-NFT, a mentorship ecosystem we’ve started

Arshad Suraj

Written by

Associate Software Engineer at Virtusa

Nerd For Tech

NFT is an Educational Media House. Our mission is to bring the invaluable knowledge and experiences of experts from all over the world to the novice. To know more about us, visit https://www.nerdfortech.org/. Don’t forget to check out Ask-NFT, a mentorship ecosystem we’ve started

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store