Introduction to Social Engineering and Strategy to Handle Social Engineering Attacks


You may or may not have heard of social engineering, but not knowing about it is no excuse for becoming the victim of a social engineering attack. That is the main reason for this post: to give you a working knowledge of social engineering and a strategy for handling social engineering attacks. The objectives are to describe the types of social engineering, to explain identity theft and its potential effects, and to cover the techniques social engineers use, such as phishing attacks and malicious email attachments. With this awareness you can reduce personnel vulnerabilities, protect yourself against identity theft, and avoid the deception that social engineers use to compromise the security of an organization.


What is Social Engineering?

This is the new face of security compromise, and it is one of the greatest threats to confidentiality today. Social engineers manipulate people into exposing private information, and sometimes into making unauthorized changes to that information. They take advantage of human behavior to pull off a scam. It is a form of deception in which they present themselves as people you can trust. If they want to enter a building, they do not hesitate; they simply ask you, confidently, to help them get inside. It is easy to be misled because nothing has to get past the firewall, yet all of your security is broken if you are tricked into clicking a malicious link that you think came from a Facebook or LinkedIn connection.


Social Engineering's Playbook

Criminals will often take weeks or months to get to know a place before they ever walk in the door or make a phone call. Their preparation might include obtaining an organization's phone list or organization chart and researching its employees on social networking sites like Facebook and LinkedIn.


On the Phone

A social engineer might call and pretend to be a colleague or a trusted outside authority such as law enforcement or an auditor. The criminals try to make the person feel comfortable through familiarity. They might learn the corporate lingo so that the person on the other end of the line believes they are an insider.


In the Office

This is a common tactic used by social engineers who want to enter a building. How many times have you heard this kind of request on your organization's premises?

Can you hold the door for a second for me? I just forgot to bring my access card today.


Online

Today there are plenty of social networks, such as LinkedIn, Facebook, Instagram, and Twitter. If you want to research a company before going to an interview, that is easy, and you will find loads of valuable information on them. Social engineers use the same strategy to collect information before launching an attack. They can find the current employees of an organization on LinkedIn and collect everything about them. The following quote from a social engineer illustrates this clearly.

It's now a matter of minutes that I can put together a good social engineering exercise, versus days and weeks in the past. And if I send out a hundred spear phishing emails, based on gathered information, it's almost a guarantee that I'm going to get a good hit rate. (Social Engineer)

For online scams, social engineers take advantage of fear, curiosity, and greed, for example by sending phishing emails asking whether the target has seen a video of themselves, or by running a tech support scam claiming that the target's computer has been compromised. Attackers tailor phishing messages to the target's known interests, such as artists, actors, music, or politics, to convince users to click on malware-laden attachments or links. An attacker may also create a fake Facebook app designed to collect information; it can be built to attract users and harvest their contacts and other details based on interests they have already expressed, including exactly whom you are connected to and whether any of those connections would be another juicy target.


Types of Social Engineering Attacks

There are endless ways an identity thief could use social engineering to steal your personal information. The list below only scratches the surface, but it covers the majority of common tactics. The first line of defense is being aware of these tactics.


Pretexting

Pretexting is used in almost every other type of social engineering attack. It is the art of lying to obtain privileged data, typically by researching a person in order to impersonate them. This may include knowing personal details such as their identity card number, date of birth, or their spouse's name. It may also be as simple as impersonating an insurance salesman. Pretexting is an effective way to establish legitimacy early in an attack.


Phishing

The origin of the word phishing comes from "phone fishing". It is a technique for fraudulently obtaining private information. Typically, the phisher sends an email that appears to come from a legitimate business, such as a bank or a credit card company. Phishers request verification of information and warn of some dire consequence if it is not provided. The email usually contains a link to a fake web page that looks legitimate and has a form requesting everything from a home address to an ATM card PIN or a credit card number.

There is another form of phishing called "spear-phishing". Although it is similar to phishing, it fraudulently obtains personal information by sending fully customized emails to targeted users. To write these emails, the attacker has to perform additional research on the target in order to trick the end user into performing the requested actions. Spear-phishing has a higher success rate than ordinary phishing.


Vishing

Vishing, also known as voice fishing, is the process of fraudulently collecting personally identifiable information from the general public over telephone systems for the purpose of financial reward. Typically, the end user receives a telephone call or voice message claiming to be from a financial institution or a customer and asking the recipient to call a number and enter their account information or PIN for official or security purposes. But that number rings straight through to the attacker via a voice-over-IP service.


Tailgating

In tailgating, the attacker wants to enter premises whose access is normally restricted by an electronic access control system, usually an RFID card. He or she simply asks an employee or customer who has legitimate access to hold the door for a second, or walks into the building right behind an employee who has opened the door only for himself or herself. The legitimate employee may mistakenly fail to ask the attacker to present an access token, or the attacker may pretend to have forgotten to bring it. Sometimes attackers even present a fake access token when asked in that kind of situation.


Baiting

In baiting, the attacker uses physical media to arouse the victim's curiosity. Typically, attackers leave malware-infected USB flash drives or other portable devices in locations where people will find them and connect them to work networks. This attack can also come in the form of giving you small pieces of information to trigger a response. When an attacker asks an employee to transfer a call to that employee's supervisor, the attacker is baiting the employee, who should have asked for more authentication before transferring the call.


Quid Pro Quo

This is a variant of baiting. Instead of baiting a target with a device, a quid pro quo attack promises a service or a benefit in exchange for a specific action. The most common quid pro quo attack is an attacker impersonating IT staff of a large organization. The attacker calls an employee of the target organization and offers some kind of system upgrade or software installation, and may ask the victim to help by temporarily disabling antivirus software so that the malicious software can be installed.


Detecting Phony Emails

Detecting phony emails is simpler than you may think: common sense is your best defense. If something seems suspicious or does not feel right, it may be an attack. Most of the time, a social engineering email will show one or more of the following common clues.

  • Creating a sense of urgency
  • Asking for your password
  • Asking for information they should not have access to
  • Something too good to be true like winning the lottery.
  • Pressuring you to bypass or ignore security procedures.
  • An odd email containing wording that does not sound like your colleague.

We can do the below things to overcome the risk of those emails.

  • Do not click on links in messages.
  • Verify with known parties.
  • Check the email address. Does it match the text of the email?
  • Use known links and contacts outside those provided in the email.
  • Do not download files from unsolicited sources.
  • Watch for poor grammar, misspellings, urgent messages, and pleas for money.
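Several of the clues above can be checked mechanically before a human ever reads the message: whether the sender's display name matches the real sender domain, whether the message pushes urgency or asks for a password, and whether the visible URL of a link matches where the link actually goes. The following script is an added example for this post, not code from the original; the sample message, the hostnames and the keyword lists in it are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the original post): display name and link
# text both claim example-bank.com, while the real sender address and the real
# href point somewhere else entirely.
SAMPLE_EMAIL = """\
From: "alerts@example-bank.com" <alerts@examp1e-bank-login.co>
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<p>Your account will be suspended. Confirm your password at
<a href="http://198.51.100.23/verify">https://www.example-bank.com/secure</a>
immediately.</p>
"""

URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended)\b", re.I)
SECRETS = re.compile(r"\b(password|pin|account number)\b", re.I)
# Simplified anchor extraction, (href, visible text); enough for this heuristic.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url):
    """Host part of an http(s) URL, lower-cased; empty if the text is not a URL."""
    m = re.match(r"https?://([^/\s]+)", url.strip())
    return m.group(1).lower() if m else ""

def domain(address):
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()

def phishing_clues(raw):
    """Return the checklist clues that a raw RFC 822 message string triggers."""
    msg = message_from_string(raw)
    body, clues = msg.get_payload(), []
    name, addr = parseaddr(msg.get("From", ""))
    # Clue: display name posing as an address at a domain other than the sender's.
    claimed = re.search(r"[\w.-]+@([\w.-]+)", name)
    if claimed and claimed.group(1).lower() != domain(addr):
        clues.append("display name claims %s but mail comes from %s"
                     % (claimed.group(1).lower(), domain(addr)))
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        clues.append("sense of urgency")
    if SECRETS.search(body):
        clues.append("asks for password or account details")
    for href, text in ANCHOR.findall(body):
        # Clue: the URL the reader sees is not the URL the link actually opens.
        if host(text) and host(text) != host(href):
            clues.append("link text shows %s but goes to %s" % (host(text), host(href)))
    return clues
```

Running `phishing_clues(SAMPLE_EMAIL)` returns all four clues for the sample, while an ordinary internal message with no urgency words, no request for secrets and no mismatched links returns an empty list.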


Handling Social Engineering Attacks

New threats appear on a regular basis, and there are many additional types of social engineering attacks. It is practically impossible to avoid being the target of such attacks, so the following advice is meant to ensure that, even if someone does target you, you do not become a victim.

  • Be cautious when opening attachments: If in doubt, research the attachment first or contact the security team.
  • Find the URL from links on your own: If you doubt the legitimacy of a URL, search for the site manually with a known search engine instead.
  • Ignore unsolicited requests: Nobody should need your passwords or financial information in an email or phone call.
  • Secure your devices: Lock your workstation, install the right software, and keep applications up to date.
  • Multifactor authentication: During phone calls, ask the person on the other end multiple questions to verify their identity.
  • Follow company policy: Every company should have a standard set of policies and procedures that you must follow.
  • Ensure antivirus software is updated: Up-to-date software can give you adequate security warnings and prevent further damage.

If you have even a small doubt, call your organization's security team before the problem gets worse; it is the easiest action you can take and it needs only a few minutes.

Sources
https://www.coursehero.com/file/p7a4ck1/We-have-all-of-the-different-social-network-platforms-we-can-check-now-to/
