Social engineering

Introduction

When it come to cyber security, most people think of technical attacks such as SQL injection, cross-site scripting, man-in-the-middle attacks, or malware. However, the most common and effective attacks are often not technical at all. Social engineering is the art of manipulating people so they give up confidential information. Every cyber crime starts with a social engineering attack.

Here is the definition from Wikipedia:

In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.[1] It has also been defined as "any act that influences a person to take an action that may or may not be in their best interests."

The types of information these criminals are seeking may vary, but when individuals are targeted, the criminals are usually trying to trick you into giving them your passwords, personal information, or access your computer to secretly install malicious software–that will give them access to your passwords and bank information as well as giving them control over your computer.

How does social engineering work?

Social engineering attacks happen in one or more steps. Most social engineering attacks rely on actual communication between attackers and victims. It is often the case that victims are targeted by multiple attackers over an extended period of time, and attacks are carefully crafted to avoid detection. A successful attack involves the following steps:

1. Research: The attacker gathers information about the target, such as potential points of entry and weak security protocols, needed to carry out the attack. In todays world, it is very easy to find information about a person online. For example, you can find a person's email address, phone number, and even their home address on their social media profile. You can also find out where they work, what they do, and who they work with. This information can be used to craft a very convincing phishing email or phone call on the next step.

2. Hook: The attacker uses that information to create a believable scenario to lure the victim into doing what the attacker wants. For example, the attacker may call the victim and pose as a customer service agent from their bank, asking them to verify their account information. Or, they might call an employee at a company and pose as an IT support person, asking them to reset their password.

3. Play on emotions: The attacker plays on emotions to get the victim to act immediately, without thinking. For example, the attacker might threaten the victim with fines, penalties, or prosecution if they don't comply with the request right away. Or, they might appeal to the victim's greed, promising them a large sum of money or reward in exchange for their help.

4. Execute: The attacker executes the attack, which can take any number of forms. For example, they might:

   • Trick the victim into installing malware on their computer.
   • Trick the victim into revealing sensitive information in an email or over the phone.
   • Trick the victim into sending money to the attacker.
   • Trick the victim into clicking on a malicious link in an email or text message.

This above steps may happen in a very short period of time, or they may happen over the course of weeks or months. The attacker may target one person, or they may target a group of people. The connection may be established through a phone call, email, text message, or social media chats. But it ultimately concludes with an action you take, like sharing your information or exposing yourself to malware.

Types of social engineering attacks

There are many types of social engineering attacks, and each has its own purpose and goal. Here are some of the most common types of social engineering attacks:

Spam Phishing

Spam phishing is the most common type of social engineering attack. It is a type of phishing attack where the attacker sends out millions of emails to random people, hoping that some of them will fall for the scam. The emails are usually sent from a fake email address, and they often contain a link to a malicious website or a malicious attachment. The goal of the attack is to trick the victim into clicking on the link or opening the attachment, which will install malware on their computer.

Example

Imagine you receive an unsolicited email in your inbox with an enticing subject line that claims you've won a substantial cash prize. The email's title states that you've won $1,000,000 and need to claim your prize immediately.

Upon opening the email, you find a message congratulating you on your supposed lottery win. It may include extravagant promises, such as a life-changing amount of money. The email typically contains a link or contact information for you to claim your winnings.

This email exhibits classic signs of a spam phishing attack:

1. Unsolicited: You never participated in any lottery or contest, so you shouldn't have won any prize.

2. Too Good to Be True: The promise of a large sum of money for no apparent reason is a common tactic used to lure victims.

3. Urgent Action: The email may claim that you must act quickly to claim your prize, creating a sense of urgency.

4. Requests for Personal Information or Money: To "claim" your prize, you may be asked to provide personal information, pay fees, or transfer money to cover alleged processing costs.

Spear Phishing

Spear phishing is a type of phishing attack where the attacker targets a specific person or group of people. The attacker will do research on the target, and then send them a personalized email that looks like it came from a trusted source. The email will usually contain a link to a malicious website or a malicious attachment. The goal of the attack is to trick the victim into clicking on the link or opening the attachment, which will install malware on their computer. Unlike spam phishing, spear phishing attacks are highly targeted and personalized, and they are much more likely to succeed.

Example

In this spear phishing scenario, you receive an email that appears to be from a colleague or someone you know. The email contains a subject line that suggests it's an important security notice. What makes spear phishing different from regular phishing is that the attacker targets a specific individual and often possesses some knowledge about the target.

Upon opening the email, you find a message that claims to be from your IT advisor, Charles. It addresses you by your full name and mentions an alleged security breach on your work account. The email requests that you click on a link or download an attachment to secure your account. You click on the link, and it takes you to a website that looks exactly like your company's login page. You enter your username and password, and the attacker now has access to your account.

This email exhibits classic signs of a spear phishing attack:

1. Personalization: The email addresses you by your full name, giving it an appearance of legitimacy.

2. Urgency: The message conveys a sense of urgency, implying that you need to take immediate action to address a security issue.

3. Requests for Action: The email asks you to click on a link or download an attachment. These links or attachments often contain malware or phishing sites.

Baiting

Baiting is a type of social engineering attack where the attacker offers something enticing to the victim in exchange for their personal information. For example, the attacker might offer a free gift card or a free movie download in exchange for the victim's email address. The goal of the attack is to trick the victim into giving up their personal information, which the attacker can then use to steal their identity or commit fraud. It takes advantage of the curiosity or greed of the victim.

Example

In this baiting scenario, the attackers leave a USB drive in a public place, such as a coffee shop or a parking lot. The USB drive is labeled "Confidential" or "Private", and it contains a malicious program that will install malware on the victim's computer when they plug it in. The goal of the attack is to trick the victim into plugging the USB drive into their computer, which will install malware on their computer.

You plug the USB drive into your computer, hoping to find valuable information. It appears to contain a file named "Confidential_Project_Data.csv." As you try to open the file, it triggers a hidden script that infects your computer with malware.

In this baiting attack:

1. The bait is the USB drive, which is labeled "Confidential" or "Private" making it enticing for anyone who comes across it, especially in a professional or workplace setting.
2. Curiosity Factor: Human curiosity is leveraged as a vulnerability, prompting individuals to take actions they might otherwise avoid.

Water holing

Water holing is a type of social engineering attack where the attacker targets a specific group of people by infecting a website that they are likely to visit. For example, the attacker might infect a popular news website or a popular social media site. The goal of the attack is to trick the victim into visiting the infected website, which will install malware on their computer.

Example

A group of attackers aims to compromise the security of a specific industry association that represents a community of cybersecurity professionals. The attackers intend to steal sensitive data and infiltrate the systems of cybersecurity experts.

The attackers identify a well-known and respected website used by this community. In this case, they choose the official website of the cybersecurity industry association.The attackers identify and exploit a vulnerability on the industry association's website. They may use tech methods like SQL injection or cross-site scripting (XSS) to gain unauthorized access to the site's content management system. Once they gain access to the website, the attackers inject malicious code into the site's pages. This code is designed to deliver malware to visitors of the compromised pages.

Then the attackers wait for cybersecurity professionals to visit the website. They know that many cybersecurity experts regularly check the site for updates, news, and resources.

As cybersecurity professionals visit the industry association's website to read articles, attend webinars, or download resources, they unknowingly expose their devices to the injected malware. The malware may steal sensitive information, such as login credentials or personal data. It can also provide the attackers with a foothold to launch further attacks, including spear phishing or exploiting known vulnerabilities on the victims' systems.

In this water holing attack:

1. The watering hole is the industry association's website, which is a popular destination for cybersecurity professionals.
2. Targeted Audience: The attackers target a specific group of people, in this case, cybersecurity professionals.
3. Exploiting Trust: The attackers exploit the trust that cybersecurity professionals have in the industry association's website.
4. Exploiting Vulnerabilities: The attackers exploit vulnerabilities in the website's content management system to inject malicious code into the site's pages.

How to protect yourself from social engineering attacks

Protecting yourself from social engineering attacks requires a combination of awareness, skepticism, and best practices. Here are some essential steps to safeguard yourself against social engineering attacks:

1. Educate Yourself: Learn about common social engineering tactics, including phishing, pretexting, baiting, and tailgating. Stay informed about the latest social engineering techniques and trends.

2. Verify the Identity: Always verify the identity of individuals or organizations that request your personal or sensitive information. Don't rely solely on phone numbers, emails, or websites provided by the person contacting you. Use official contact information obtained independently from reliable sources.

3. Question Requests: Be skeptical of unsolicited requests for personal, financial, or confidential information. Legitimate organizations typically don't request such information via email or phone. If someone asks for sensitive information, ask why it's needed and how it will be used.

4. Beware of Urgency and Pressure: Social engineers often create a sense of urgency to rush you into making decisions without thinking. Take your time to consider requests or offers. Verify the legitimacy of the situation.

5. Secure Physical Access: Protect your physical workspace from unauthorized access. Lock your computer and devices when not in use. Be cautious when allowing unfamiliar individuals into secure areas.

6. Employee Training: If you're part of an organization, provide social engineering awareness training for employees. Teach employees to recognize and report suspicious activities.

7. Use Reliable Sources: Get information from trustworthy and verified sources. Avoid relying on unofficial websites or unverified news.

8. Data Encryption: Encrypt sensitive data, both at rest and during transmission, to protect it from unauthorized access.

Practice Secure Online Behavior

For developers and business owners. If you are developing a web application, you should follow the best practices to protect your users from social engineering attacks. There are may ways to enable extra security for your application:

1. Use strong passwords. Most people use weak passwords that are easy to guess based on their personal information.To implement a secure and trustworthy user identity management system, you should enable strong password policies. This will prevent users from using their weak passwords without proper security measures in place.
2. Enable multi-factor authentication. Multi-factor authentication (MFA) adds an extra layer of security to users' account by requiring them to enter a code from their phone or another device in addition to the passwords. This makes it much harder for attackers to gain access to your clients' account. Even if your clients' passwords are compromised, the attackers won't be able to access their accounts without the second factor.
3. Encrypt users data. Encrypting users' data is a good way to protect it from unauthorized access. If an attacker gains access to your database, they won't be able to read the data without the encryption key. This will prevent them from stealing your clients' personal information.
4. Frequently rotate the access keys. Access keys are used to access your application's resources. If an attacker gains access to your access keys, they will be able to access your application's resources without your permission. To prevent this, you should frequently rotate the access keys.
5. Use modern authentication systems. Modern authentication protocols like OAuth 2.0 and OpenID Connect are much more secure than older protocols like SAML and WS-Federation. They use modern cryptographic algorithms and are much harder to attack.
6. Pre-register the sign-in redirect urls and devices If you are using OAuth 2.0 or OpenID Connect for authentication, you should pre-register the sign-in redirect urls and devices. This will prevent attackers from using your clients' accounts to sign in to your application from their own devices.