What is Social Engineering in Cyber Security
2022 / 10 / 07
Social Engineering Definition
The term "social engineering" describes a wide variety of malicious conduct carried out through interactions with other people. Users are lured into sharing critical information or committing security misjudgments through psychological manipulation.
Social engineering attacks may involve one or more phases. To prepare for an attack, a perpetrator first researches the target to learn background details such as probable channels of entry and weak security measures. The attacker then makes an effort to win the victim's trust and to prompt subsequent actions that break security, such as disclosing confidential information or granting access to critical resources.
What makes social engineering particularly hazardous is that it depends on human error rather than on flaws in software and operating systems. Mistakes made by legitimate users are far less predictable, which makes them harder to spot and prevent than malware-based intrusions.
How Does Social Engineering Work?
During a social engineering attack, the cybercriminal will often contact the intended victim while posing as someone from a reputable company. Sometimes they will even pretend to be someone the victim knows.
If the manipulation succeeds (the victim believes the attacker is who they claim to be), the attacker will persuade the victim to take further action. This may be revealing critical data such as bank account information, passwords, and dates of birth. Alternatively, they may lure the victim to a website hosting malware, which can seriously compromise the victim's computer. In the worst case, the malicious website steals confidential data from the device or takes complete control of it.
Most Common Social Engineering Attack Techniques
Attacks using social engineering occur wherever human interaction is needed. The five most typical types of digital social engineering attacks are listed below.
- Baiting:
The most dreaded type of baiting spreads malware through physical media. Attackers frequently use infected flash drives as bait, placing them in plain sight where potential victims are sure to see them (e.g., in bathrooms, elevators, or the parking lot of a targeted company). The bait has a legitimate appearance, such as a label that presents it as the company's “revenue analysis”. Out of curiosity, victims pick up the bait and plug it into their home or office computer, which causes the system to automatically download malware.
Baiting con tactics don't always have to happen in the real world. Online baiting takes the form of attractive advertisements that direct visitors to harmful websites or drive them to download malware-infected programs.
- Scareware:
Scareware bombards victims with false alarms and fictitious threats. Users are tricked into believing their device is infected with malware, which leads them to install software that claims to "clean" or "remove" it, whereas in reality the software either serves only the perpetrator or is itself the malware. Scareware is also known as fraudware, deception software, and rogue scanner software.
A frequent form of scareware is the legitimate-looking popup ad that appears in your browser while you use the internet and carries text such as "Your computer may be infected with harmful spyware applications". It either offers to install the malicious tool for you or sends you to a malicious website where your machine is infected.
Additionally, spam emails that provide false alerts or urge recipients to purchase useless services are a common way for scareware to spread.
- Pretexting:
An attacker gathers data by telling a series of carefully constructed lies. The deception typically begins with the perpetrator claiming to need some critical information and requesting it from the victim.
The perpetrator generally starts by gaining the victim's trust by posing as a colleague, a law enforcement officer, a bank employee, or any other person with the authority to know something. Through questions that are supposedly necessary to verify the victim's identity, the pretexter collects crucial personal information.
This scam is used to obtain all kinds of important data and records, including identification card numbers, personal addresses and phone numbers, phone records, and bank details.
- Phishing:
Phishing scams take the form of email or SMS campaigns that create a sense of urgency, fear, or curiosity in the targeted individuals and then prompt them to reveal private information, click on links to malicious websites, or open attachments in which malware is embedded.
For instance, a phishing attempt might be an email sent to subscribers of an online service informing them of a policy violation that needs immediate action, such as a mandatory password change. It contains a link to a fraudulent website that looks almost exactly like the original and asks the unwary user to enter their existing login information and a new password. The attacker receives the information as soon as the victim submits the form.
- Spear Phishing:
In this more focused variation of phishing, the attacker chooses specific people or companies to target. The attackers also tailor their messages to match the style of communication that their victims are familiar with at a given organisation. This technique of social engineering is particularly demanding and time-consuming for the attacker. If the attackers play it right, it is almost impossible to catch.
In a spear phishing scenario, an attacker might send an email to one or more employees while posing as a member of the organisation. It is written and signed just as that employee would write and sign it, leading recipients to believe it is legitimate correspondence.
Recipients of the mail are urged to update their passwords, and a link in the email sends them to a phishing page where the attacker can then steal their credentials.
Less Common Social Engineering Attack Techniques
There are other, less common techniques that attackers use; we go through them below.
- Vishing:
Vishing, also referred to as voice phishing, is the practice of using social engineering over the phone to obtain financial or personal information from a target.
- Whaling:
A particular kind of phishing scam that targets high-profile employees in the C-suite (such as the chief executive officer, chief financial officer, or chief technology officer) in an effort to deceive them into providing confidential information.
- Watering hole:
To gain network access, the attacker tries to compromise a specific group of users by infecting websites that they are known to visit and trust.
- Diversion theft:
Social engineers trick delivery or courier services into going to the wrong pickup or drop-off location in order to interrupt the transaction.
- Honey trap:
The social engineer poses as an attractive person to communicate with a person online, establish a misleading online relationship, and use that relationship to collect personal data.
- Dumpster diving:
This social engineering technique involves searching through trash at a business establishment for data that might be used to enter the network of the firm, like passwords or access codes scribbled on sticky notes or pieces of paper.
The Earliest Social Engineering Attacks in History
Social engineering was undoubtedly practised long before the internet and computers. The intriguing question, though, is: what were the earliest incidents of social engineering in the era of computers and the internet?
The Melissa virus, which infected hundreds of computers in the late 1990s, is regarded as one of the first historical instances of social engineering and a significant development. Melissa was spread in a phishing attack through a malicious Microsoft Word file.
The email's misleading subject line read, "Important message from (name of a known person)." The damage caused by Melissa is estimated at approximately USD 80 million.
Another well-known instance of social engineering is the ILOVEYOU worm. It arrived as an email that appeared to contain a love letter; the attachment was in fact malware.
Posing as a helpless person in love, the social engineer urged the victim to have a look at the letter in the email. The estimated losses inflicted by ILOVEYOU in the 2000s were approximately USD 15 billion.
Social Engineering Prevention
Social engineers exploit human emotions such as enthusiasm and anxiety to carry out their plans and lure victims into their traps. Therefore, be vigilant if you receive an alarming email, are drawn to an offer on a website, or come across unattended digital media. By staying vigilant you can protect yourself against the majority of social engineering attempts that occur online. The following advice may also help you become more cautious about social engineering scams:
- Never open emails or attachments from unknown senders.
- Employ multi-factor authentication.
- Watch out for alluring offers.
- Regularly update your antivirus and antimalware programs.