Cyber Security – Understanding Social Engineering Attacks
What Are Social Engineering Attacks?
In some of my recent posts I mentioned a few types of social engineering attacks. In this post we’ll dig deeper into what social engineering attacks are and identify some of the most common methods.
Social engineering is a means of attack that leans on human interaction and involves manipulating people. The goal is to get people to break normal security protocols in order to get access to technology systems or data. An example would be someone who calls an employee of a company pretending to be from the IT Department. They may question the user and get them to reveal sensitive information (such as credentials, IP addresses, WiFi passwords, etc.). In short, the architects of social engineering attacks are con artists.
Most social engineering attacks start with reconnaissance. The attacker does research and learns as much as they can about their target. Information that may be helpful to the attacker could include something like a company organizational chart of employees. This may reveal who the decision makers are and who may have access to various systems. For example, HR is usually a prime target for social engineering attacks because it’s assumed personnel in that department have access to employee records, healthcare records, payroll records, etc.
Having completed the reconnaissance phase, the attacker can then begin to engineer a method to gain entry into the targeted system or access to the desired data. If successful, the attacker will have access to sensitive data such as banking, payroll, or credit card information. From there, they make money from that data by either selling it for profit, or using it to directly exploit accounts.
Types of Social Engineering Attacks
Some of the most common social engineering attacks are defined below:
- Phishing: We’ve all heard this term. Phishing is the practice of sending a malicious Email that is designed to look like a legitimate Email. The intent is to trick the recipient into sharing personal or financial information or to click on a link that installs malware. A sub-set of Phishing is termed Spear-Phishing. The concept is the same, but the target is usually a very specific individual or organization.
- Whaling: This is a type of fraud that usually targets C-level executives or high-profile public figures. It is also a type of phishing attack where the attacker will send an Email to the target that appears to come from a trusted source. A link may be provided in the Email that takes the target to a website created specifically for the attack. The Emails for whaling attacks are usually very specific and can contain personalized information pertaining to the target.
- Vishing: Vishing, or voice phishing, is the practice of using a telephone call to gather personal or financial information. With VoIP (Voice over IP) phone systems, it is very easy these days to do caller ID spoofing. A caller may say he’s from a legitimate company and the caller ID on your phone may support that. That may be enough to create a level of trust that the caller is who he says he is.
- Water-holing: Water hole attacks is when a hacker targets a specific group of people by hacking into and infecting websites they are known to visit. The hacker injects code into the site that collects information or redirects them to a bogus site that can infect computers or collect information. In 2015, a Chinese attack group infected Forbes.com via this method. The target were visitors working in the financial services and defense industries.
- Baiting: Baiting is the use of a physical device that is infected with some type of malware. For example, an attacker may leave a USB flash drive laying on a table at a local coffee shop. The next unsuspecting patron to sit at that table may discover the drive and put it into their computer. Once the malware is installed it could create a connection back to the attacker and begin transmitting private data or user credentials to financial sites.
- Pretexting: The attacker will present themselves as someone else to gain access to private or sensitive data. The attacker often creates an elaborate back-story and may even have gone so far as to create fake credentials. For example, an attacker may claim to be an insurance investigator and ask for personal or financial data to support an ongoing investigation.
- Quid Pro Quo: “Scratch my back and I’ll scratch yours” attacks. With this type of attack the hacker offers something in exchange for information. One of the most common is someone impersonating an IT professional. The target is offered some type of upgrade or performance improvement to their computer. Eager to get better software or a faster computer, the user grants access (via a screen sharing session). Upon having access, the hacker can install malware.
- Tailgating: Tailgating is the practice of gaining physical access to a facility or restricted area by shadowing someone who has authorized access. The attacker simply walks in behind a person who has gained authorized access to the area. I attended a cyber security forum a few months ago and one of the speakers was a CEH (Certified Ethical Hacker) contracted to perform an assessment of a company’s security practices. As he explained, he attempted to hack into the company’s network for weeks and could not gain access – everything was locked down tight. However, he showed up at the company’s facility one day and “piggy-backed” his way through the front door simply by following an employee who unlocked the door by using the key-access pad. Once inside he was able to plant a device that connected to the network and “called home”. He now had access to anything he wanted on the network.
Social Engineering attacks are very effective because they rely on the weakest point of security – human beings. As effective as they are, there are some things you can do to protect yourself.
First and foremost, be suspicious of anyone who contacts you (via Email or telephone) and appears to know a lot about you. They may be very friendly and attempt to gain your trust, but if you’ve never dealt this this person before, ask yourself how they might come to know so much about you and why they are contacting you.
If the contact is via telephone, don’t blindly provide information. If you’re radar goes up and you suspect a scam, hang up. Another good tactic is to offer to call the person back. Ask them for a direct phone number. If they can’t provide one, discontinue the call. If they do provide one, do some of your own research. Can you find a website for the company? Do a Google search on the phone number – does it come back linked to the company name you were given?
As a matter of practice, never give up personal or sensitive information over the phone. Your user credentials, your social security number, your wifi name and password, your bank account number should never be provided to someone on a phone call. If the person you’re speaking with is persistent in trying to get this information from you, explain that you are concerned about security and do not wish to provide this information over the phone. If they don’t accept that explanation, they should not be trusted.
Take stock of your social media presence. How much do you reveal about yourself to the social media world? Do you provide information about your position with a company and does that make you a target for a social engineering attack? Do you share your habits – such as “I stop by my favorite coffee shop every morning at 7:30 AM and have a scone”? Refer back to the “Baiting” attack – would you pick up a USB drive if you found it on the table and pop it into your computer? Even the most mundane information you share about yourself online could be used as an angle in a social engineering attack.
Social Engineering attacks range from unsophisticated attacks (simply lying to get information) to very elaborate attacks (specifically designed websites to attack targets). The one thing they have in common is that they exploit the weakest link – people. For this reason, these types of attacks will continue to increase. Being aware and cautious is the best defense.