Social Engineering

What Is Social Engineering

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. It is the art of manipulating people so they share confidential information. The types of information these criminals are seeking can differ, but when individuals are targeted the criminals are usually trying to trick you into sharing your passwords or bank information or access your computer to secretly install malicious software which gives them access to your passwords and bank information as well as giving them control over your computer. Criminals use social engineering tactics because it is easier to exploit your natural habit to trust than it is to discover ways to hack your software.

Security is all about knowing who and what to trust. It is important to know when and when not to take a person at their word and when the person you are communicating with is whom they say they are. The same is true of online interactions and website usage: when do you trust that the website you are using is legitimate or is safe to provide your information?

Any security professional will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn’t matter how many layers of security you have; if you trust the wrong who wants to know about your private information and you let him have those without first checking to see if he is legitimate you are completely exposed to whatever risk he represents.

How Social Engineering Works

Social engineers use a wide variety of tactics to perform attacks. Most social engineering attacks start with the attacker to perform research and reconnaissance on the target. If the target is an enterprise, for instance, the hacker may gather intelligence on the employee structure, internal operations, common terms and norms within the industry and potential business partners, and other information. One common method of social engineers is to focus on the behaviors and patterns of employees with low level but initial access, such as a security guard or receptionist; hackers can scan the person's social media profiles for information and study their behavior online and in person. From there, the hacker can design an attack based on the information collected and exploit the weakness uncovered during the reconnaissance phase.

In case of a successful attack, hackers have access to sensitive data; such as credit card or banking information -- have made money off the targets or have gained access to protected systems or networks. Almost every type of attack contains some kind of social engineering. The classic email "phishing" and virus scams, for example, are laden with social overtones. Phishing emails attempt to convince users they are in fact from legitimate sources, in the hopes of procuring even a small bit of personal or company data.

In some cases, attackers use more simplistic methods of social engineering to gain network or computer access. For example, a hacker might frequent the public food court of a large office building and "shoulder surf" users working on their tablets or laptops. Doing so can result in a large number of passwords and user names, all without sending an email or writing a line of virus code. Some attacks, meanwhile, rely on actual communication between attackers and victims; here, the attacker pressures the user into granting network access under the guise of a serious problem that needs immediate attention. Anger, guilt, and sadness are all used in equal measure to convince users their help are needed and they cannot refuse. Finally, it's important to beware of social engineering as a means of confusion. Many employees and consumers don't realize that with only a few pieces of information — name, date of birth or address. Hackers can gain access to multiple networks by masquerading as legitimate users to IT support personnel. From there, it's a simple matter to reset passwords and gain almost unlimited access.

Protection against social engineering starts with education. Users must be trained to never click on suspicious links and always guard their log-in credentials, even at the office or at home. If social tactics are successful, however, the likely result is a malware infection. To combat rootkits, Trojans and other bots, it's critical to employ a high-quality Internet security solution that can both eliminate infections and help track their source.

Social Engineering Attack Techniques

Most social engineering attacks are diverse in forms and can be performed anywhere where human interaction is involved. Some of the most common forms of digital social engineering attacks are given below:

Baiting: As its name implies, baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or inflicts their systems with malware. The most reviled form of baiting uses physical media to disperse malware. For example, attackers leave the bait—typically malware-infected flash drive, in conspicuous areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to it, such as a label presenting it as the company’s payroll list. Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic malware installation on the system.

Scareware: Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived to think their system is infected with malware, prompting them to install software that has no real benefit (other than for the perpetrator) or is malware itself. Scareware is also referred to as deception software, rogue scanner software. A common example is the legitimate-looking pop-up banners appearing in your browser while surfing the web, displaying such text such as, “Your computer may be infected with harmful spyware programs.” It either offers to install the tool which is often the malware itself for you or will direct you to a malicious site where your computer becomes infected. Scareware is also distributed via spam email that doles out fake warnings or makes offers for users to buy worthless/harmful services.

Pretexting: Here an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from a victim to perform a critical task. The attacker usually starts by creating trust with their victim by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority. The pretexter asks questions that are required to confirm the victim’s identity, through which they gather important personal data. All sorts of pertinent information and records are gathered using this scam, such as social security numbers, personal addresses, and phone numbers, phone records, staff vacation dates, bank records and even security information related to a physical plant.

Phishing: As one of the most popular social engineering attack types, phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. It then prods them into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware. An example is an email sent to users of an online service that alerts them of a policy violation requiring immediate action on their part, such as a required password change. It includes a link to an illegitimate website—nearly identical in appearance to its legitimate version—prompting the unsuspecting user to enter their current credentials and new password. Upon form submittal, the information is sent to the attacker.

Spear phishing: This is a more targeted version of the phishing scam whereby an attacker chooses specific individuals or enterprises. They then tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous. Spear phishing requires much more effort on behalf of the perpetrator and may take weeks and months to pull off. They’re much harder to detect and have better success rates if done skillfully. A spear-phishing scenario might involve an attacker who, in impersonating an organization’s IT consultant, sends an email to one or more employees. It’s worded and signed exactly as the consultant normally does, thereby deceiving recipients into thinking it’s an authentic message. The message prompts recipients to change their password and provides them with a link that redirects them to a malicious page where the attacker now captures their credentials. Water-holing: A watering hole attack is when the attacker attempts to compromise a specific group of people by infecting websites they are known to visit and trust to gain network access.

Diversion theft: In this type of attack, the social engineers trick a delivery or courier company into going to the wrong pickup or drop-off location, thus intercepting the transaction.

Quid pro quo: A quid pro quo attack is one in which the social engineer pretends to provide something in exchange for the target's information or assistance. For instance, a hacker calls a selection of random numbers within an organization and pretends to be calling back from tech support. Eventually, the hacker will find someone with a legitimate tech issue whom they will then pretend to help. Through this, the hacker can have the target type in the commands to launch malware or can collect password information.

Honey trap: An attack in which the social engineer pretends to be an attractive person to interact with a person online, fake an online relationship and gather sensitive information through that relationship.

Tailgating: Tailgating sometimes called piggybacking, is when a hacker walks into a secured building by following someone with an authorized access card. This attack presumes the person with legitimate access to the building is courteous enough to hold the door open for the person behind them, assuming they are allowed to be there.

How to be safe from social engineering assaults

Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.
Spammers want you to act first and think later. If the message portrays a sense of urgency or uses high-pressure sales tactics to be cautious, never let their haste influence your careful review.
Don’t let a link be in control of where you land. Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in the email will show the actual URL at the bottom, but a good fake can still steer you wrong.
Beware of any download. If you don’t know the sender personally AND expect a file from them, downloading anything is a mistake.
Foreign offers are fake. If you receive an email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money it is guaranteed to be a scam.
Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.
Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
Set your spam filters to high. Every email program has spam filters. To find yours, look at your settings options, and set these too high–just remember to check your spam folder periodically to see if a legitimate email has been accidentally trapped there. You can also search for a step-by-step guide to setting your spam filters by searching on the name of your email provider plus the phrase ’spam filters’.
Secure your computing devices. Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or a third party to alert you to risks.

SECUPENT'S Social Engineering Services

Security is all about knowing who and what to trust. It is important to know when and when not to take a person at their word and when the person you are communicating with is whom they say they are. The same is true of online interactions and website usage: when do you trust that the website you are using is legitimate or is safe to provide your information? For safety against social engineering, we offer the following services:

Social Engineering Penetration Test
Designed to mimic attacks that malicious social engineers will use to breach your company. We use a number of techniques to include all methods of phone, Internet-based, and onsite engagements. Our Social Engineering Penetration Test services include:

• Thorough Internet, live, and onsite perimeter testing.
• Detailed reporting and mitigation recommendations.
• Confidential debriefing including methods, sources, and step-by-step attack outlines that allow your company to know what you are doing correctly and where improvement is needed.
• Customized training and education delivered onsite or based on customer request.

Social Engineering Risk Assessment

For companies not yet ready to commit to a full Social EngineeringPentest, a Social Engineering Risk Assessment is an online assessment and expert analysis of your potential risk designed to help you plan, educate, and prepare for a social engineering attack. This can be especially useful to organizations looking for a way to either introduce their staff to the dangers of social engineering or augment existing security awareness training. This is accomplished through the following:
• In-depth information gathering on your company, employees, and online information leakage
• Detailed reporting that includes specific and realistic attack vectors that could be employed by malicious social engineers
• Confidential debrief
• Customized training and education delivered via teleconference or webcast, based on client request

Phishing as a Service
While there are many technical security solutions designed to stop phishing attacks, there is no practical way to prevent an employee from clicking links, filling out forms, or unintentionally offering information that could put your organization at risk. Social-Engineer helps organizations develop a continuous assessment and training process to successfully combat susceptibility to phishing attacks. Social-Engineer provides organizations with:

• A constant repeatable process for addressing security challenges through assessment, awareness and education.
• Employees who understand the threats posed by phishing attacks are less likely to click malicious links, and more likely to report suspicious activity.
• Organizations that implement programs dramatically reduce malware infection rates, laptop re-imaging, drive-by downloads, and adware while protecting an organization’s most critical assets and trade secrets.