What is Social Engineering?


Social Engineering:

Social Engineering is a technique used by criminals and cyber-crooks to trick users into revealing confidential information. The data obtained is then used to gain access to systems and carry out actions to the detriment of the person or organization whose data has been revealed.


How Social Engineering works?


Social engineers use a wide variety of tactics to perform social engineering attacks.

The first step in most social engineering attacks is for the attacker to perform research and reconnaissance on the target. If the target is an enterprise, for instance, the hacker may gather intelligence on the employee structure, internal operations, common lingo used within the industry and possible business partners, among other information. One common tactic of social engineers is to focus on the behaviors and patterns of employees with low level but initial access, such as a security guard or receptionist; hackers can scan the person's social media profiles for information and study their behavior online and in person.

From there, the hacker can design an attack based on the information collected and exploit the weakness uncovered during the reconnaissance phase.

If the attack is successful, the attacker has gained access to sensitive data -- such as credit card or banking information -- has made money off the targets, or has gained access to protected systems or networks.



Types of Social Engineering attacks


Popular types of Social Engineering attacks are:

1. Phishing

Phishing is the most common type of social engineering attack that occurs today. But what is it exactly? At a high level, most phishing scams endeavor to accomplish three things:
  • Obtain personal information such as names, addresses and Social Security Numbers.
  • Use shortened or misleading links that redirect users to suspicious websites that host phishing landing pages.
  • Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into responding quickly.

No two phishing emails are the same. There are actually at least six different sub-categories of phishing attacks. Additionally, we all know some are poorly crafted to the extent that their messages suffer from spelling and grammar errors. Even so, these emails usually have the same goal of using fake websites or forms to steal user login credentials and other personal data.

A recent phishing campaign used a compromised email account to send out attack emails. These messages asked recipients to review a proposed document by clicking on an embedded URL. Wrapped with Symantec’s Click-time URL Protection, this malicious URL redirected recipients to a compromised SharePoint account that delivered a second malicious URL embedded in a OneNote document. That URL, in turn, redirected users to a phishing page impersonating a Microsoft Office 365 login portal.
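The three phishing traits listed above (requests for personal data, shortened or misleading links, and urgency) can be turned into a simple mail-triage heuristic. This is an added example, not code from the original post; the keyword, shortener and personal-data lists are my own assumptions, and the sample email is constructed, not taken from a real campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicator lists: illustrative, not an authoritative feed.
URGENCY_WORDS = {"urgent", "immediately", "suspended", "within 24 hours", "verify now", "final notice"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
PII_REQUESTS = {"social security number", "password", "date of birth", "credit card"}


class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None


def score_email(html_body: str) -> dict:
    """Return the phishing indicators found; a triage aid for analysts, not a verdict."""
    parser = _LinkParser()
    parser.feed(html_body)
    text = re.sub(r"<[^>]+>", " ", html_body).lower()   # plain text without tags
    flags = []
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency")
    if any(w in text for w in PII_REQUESTS):
        flags.append("requests_personal_data")
    for href, visible in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            flags.append(f"shortened_link:{host}")
        # Misleading link: visible text looks like a URL whose host differs from the real target.
        m = re.search(r"https?://([^/\s]+)", visible.lower())
        if m and m.group(1) != host:
            flags.append(f"mismatched_link:{m.group(1)}->{host}")
    return {"flags": flags, "suspicious": len(flags) >= 2}


# Constructed sample combining all three traits (not a real message).
SAMPLE = ("<p>URGENT: your Office 365 account will be suspended within 24 hours. "
          "Verify now at <a href='http://bit.ly/xyz'>https://login.microsoftonline.com</a> "
          "and confirm your password.</p>")
```

Running `score_email(SAMPLE)` flags urgency, a personal-data request, a shortener host and a display/target host mismatch; a benign internal mail with a matching link yields no flags.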

2. Pretexting


Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they use to try and steal their victims’ personal information. In these types of attacks, the scammer usually says they need certain bits of information from their target to confirm their identity. In actuality, they steal that data and use it to commit identity theft or stage secondary attacks.


More advanced attacks sometimes try to trick their targets into doing something that abuses an organization’s digital and/or physical weaknesses. For example, an attacker might impersonate an external IT services auditor so that they can talk a target company’s physical security team into letting them into the building.

Whereas phishing attacks mainly use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target.

Pretexting can and does take on various forms. Even so, many threat actors who embrace this attack type decide to masquerade as HR personnel or employees in the finance department. These disguises allow them to target C-level executives, as Verizon found in its 2019 Data Breach Investigations Report (DBIR).

3. Baiting


Baiting is in many ways similar to phishing attacks. However, what distinguishes them from other types of social engineering is the promise of an item or good that malicious actors use to entice victims. Baiters may leverage the offer of free music or movie downloads, for example, to trick users into handing their login credentials.




Baiting attacks are not restricted to online schemes, either. Attackers can also focus on exploiting human curiosity via the use of physical media.

Back in July 2018, for instance, KrebsOnSecurity reported on an attack campaign targeting state and local government agencies in the United States. The operation sent out Chinese postmarked envelopes that included a confusing letter along with a compact disc (CD). The point was to pique recipients’ curiosity so that they would load the CD and thereby inadvertently infect their computers with malware.

4. Quid Pro Quo

Similar to baiting, quid pro quo attacks promise a benefit in exchange for information. This benefit usually assumes the form of a service, whereas baiting usually takes the form of a good.




One of the most common types of quid pro quo attacks that’s come out in recent years is when fraudsters impersonate the U.S. Social Security Administration (SSA). These fake SSA personnel contact random individuals, inform them that there’s been a computer problem on their end and ask that those individuals confirm their Social Security Number, all for the purpose of committing identity theft. In other cases detected by the Federal Trade Commission (FTC), malicious actors set up fake SSA websites that say they can help users apply for new Social Security cards but instead simply steal their personal information.

It is important to note, however, that attackers can use quid pro quo offers that are far less sophisticated than SSA-themed ruses. As earlier attacks have shown, office workers are more than willing to give away their passwords for a cheap pen or even a bar of chocolate.


5. Tailgating

Our final social engineering attack type of the day is known as tailgating or “piggybacking.” In these types of attacks, someone without the proper authentication follows an authenticated employee into a restricted area. The attacker might impersonate a delivery driver and wait outside a building to get things started. When an employee gains security’s approval and opens the door, the attacker asks the employee to hold the door, thereby gaining access to the building.


Tailgating does not work in all corporate settings such as large companies whose entrances require the use of a keycard. However, in mid-size enterprises, attackers can strike up conversations with employees and use this show of familiarity to get past the front desk.

In fact, Colin Greenless, a security consultant at Siemens Enterprise Communications, used these tactics to gain access to multiple floors and the data room at an FTSE-listed financial firm. He was even able to set up shop in a third floor meeting room and work there for several days.



Are you worried about how to get protected?

Here I have given you some tips:

  • Do not open any emails from untrusted sources. Contact a friend or family member in person or by phone if you receive a suspicious email message from them.
  • Do not give offers from strangers the benefit of the doubt. If they seem too good to be true, they probably are.
  • Lock your laptop whenever you are away from your workstation.
  • Purchase anti-virus software. No AV solution can defend against every threat that seeks to jeopardize users’ information, but they can help protect against some.
  • Read your company’s privacy policy to understand under what circumstances you can or should let a stranger into the building.

Hooray!! Today you have learned about social engineering attacks.

STAY HOME!! AND STAY SAFE!!

For an article about information gathering click here 


AUTHOR :-𝕄ℝ.𝔻𝔼𝕍𝕀𝕃  

GIVE YOUR COMMENTS BELOW....!!

