The Art of Social Engineering
“Frailty, thy name is human”
Ask any security professional and they will tell you that a large share of cyber attacks and breaches begin with social engineering. Almost every criminal who wants to infect a device with malware, and then use that malware to steal sensitive information from the victim and the device, starts by manipulating a person rather than a machine. Social engineering is the art of psychological manipulation: technically, the term means gaining access to an organization, an individual or a system by exploiting weaknesses in human behavior rather than flaws in software. It is deception aimed at manipulating a person into performing an action, whether through lures or through threats. Social engineers use a wide variety of methods to extract sensitive information from an organization or an individual, including access credentials such as passwords, proprietary information and other confidential data. In this article we present the most common methods used by social engineers.
1. Pretexting
Also known by other names such as Bohoing and Blagging, pretexting is the act of deliberately inventing a scenario (the pretext) and using it to achieve a desired goal. The task is to engage the target in such a way that the chance of the victim divulging information rises significantly; the target would not disclose the same information under normal circumstances. The attacker therefore manufactures a crisis which appears to require the target to disclose the information, and usually backs the story up with a few genuine details (a name, a department, an internal reference) gathered beforehand so that it holds up under casual questioning.
This technique has been used to fool businesses into disclosing customer information, and by private investigators to obtain information such as telephone records and banking records. Each piece of information gained can then be used to establish greater legitimacy with more senior officials and obtain still more sensitive information. The practical defence is the call-back: verify any unexpected request through a number or channel you already have on file, never through one supplied by the requester.
2. Phishing
Phishing is a technique for obtaining sensitive information by fraudulent means. The phisher starts by sending an e-mail designed to look legitimate; usually it appears to come from a business such as a credit card company, a telephone company or a bank. The contents of the e-mail are written to encourage the target to open an attachment. That attachment is in fact a malicious file. Once the user opens it, malicious code is executed and a Trojan is installed on the device. The Trojan establishes contact with a remote server controlled by the attacker and starts sending data to it; in some cases the Trojan gives the attacker complete control of the device. Alternatively, the user is urged to click a link which leads to a fraudulent web page resembling the bank or another legitimate business and is asked to log in with his or her credentials. Once the user enters them, they are captured by the attacker. Two simple checks defeat most of these messages: the domain behind a link (visible by hovering over it) should match the text of the link and the institution it claims to be, and an unexpected attachment, particularly one with an executable extension or a double extension such as "statement.pdf.exe", should never be opened. Attackers have since refined the technique into spear phishing, in which the e-mail is tailored to a specific individual and appears to come from a person the target knows.
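As an added illustration (this is example code written for this article, not a tool from the original page), the checker below applies the link-mismatch and attachment checks described above to a raw e-mail message. The two messages, the domains in them and the TRUSTED_DOMAINS allow-list are all constructed for the example and are assumptions; a real deployment would take the allow-list from the institution's actual domains and use the public suffix list instead of the last-two-labels heuristic.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for this example; every name, address and domain below is made up.
PHISHING_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.com>
Subject: Urgent: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account has been locked.
<a href="http://examp1e-bank-login.com/verify">https://www.example-bank.com/login</a>
or open the attached statement.</p></body></html>
--BOUNDARY
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBmaWxl
--BOUNDARY--
"""

BENIGN_EMAIL = """\
From: "Example Bank" <alerts@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Log in through the app or by typing the address you normally use.
"""

TRUSTED_DOMAINS = {"example-bank.com"}  # assumed allow-list of the institution's real domains
DANGEROUS_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".cmd", ".ps1")
PRESSURE_WORDS = ("urgent", "verify", "locked", "suspended", "within 24 hours")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last-two-labels heuristic; production code should use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def domain_of(text):
    """Registrable domain of a URL or URL-looking string, or None if it has no host."""
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return registrable_domain(host) if host else None


def analyze_message(raw):
    """Return a list of findings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    if registrable_domain(sender.domain) not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender.domain!r} is not a known domain for this institution")
    if any(w in (msg["Subject"] or "").lower() for w in PRESSURE_WORDS):
        findings.append("subject uses pressure language")

    for part in msg.walk():
        filename = part.get_filename()
        if filename:  # attachment: the "malicious file" case from the text
            if filename.lower().endswith(DANGEROUS_EXT):
                findings.append(f"attachment {filename!r} has an executable extension")
            if filename.count(".") > 1:
                findings.append(f"attachment {filename!r} uses a double extension")
        elif part.get_content_type() == "text/html":  # link to a look-alike login page
            parser = LinkExtractor()
            parser.feed(part.get_content())
            for href, text in parser.links:
                href_domain = domain_of(href)
                text_domain = domain_of(text) if re.search(r"\w\.\w", text) else None
                if text_domain and href_domain and text_domain != href_domain:
                    findings.append(f"link text shows {text_domain!r} but points to {href_domain!r}")
                if href_domain and href_domain not in TRUSTED_DOMAINS:
                    findings.append(f"link target {href_domain!r} is not a known domain for this institution")
    return findings
```

Running `analyze_message(PHISHING_EMAIL)` yields six findings (untrusted sender domain, pressure language, the link whose text names example-bank.com but whose target is examp1e-bank-login.com, the untrusted link target, and two findings for the statement.pdf.exe attachment), while `analyze_message(BENIGN_EMAIL)` returns an empty list. The heuristics are deliberately simple; the point is that the checks a careful user performs by hand (where does the link really go, what is this attachment really) can be written down and run on every inbound message.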
3. IVR Phishing
Also known as phone phishing or vishing, this method uses a rogue IVR system that mimics a legitimate-sounding copy of an institution's own IVR system. The institution can be anything from a bank to a credit card company. The victim is prompted to call the institution on a toll-free number supplied by the attacker in order to "verify" information. A typical vishing system rejects log-ins continually, ensuring that the victim enters PINs or passwords several times and often discloses several different passwords in the process. More advanced systems transfer the victim to the attacker, who poses as a customer service agent or security expert and questions the victim further. The defence is the same as for pretexting: hang up and call back on the number printed on your card or statement, not the one in the message.
4. Baiting
This was one of the most talked-about topics of Black Hat 2016. In baiting, the attacker leaves a malware-infected USB flash drive in a location where it is sure to be found, such as a bathroom, an elevator or a parking lot. The aim is to exploit the target's curiosity, so the attacker may label the drive with an enticing heading such as "New Project Details". Having picked up the drive, the target will most likely plug it into his or her system to see what is on it. Once the drive is connected, malicious code is executed and installed on the system, giving the attacker access to it. Modern operating systems no longer run programs from removable media automatically, so in practice the payload relies either on the user opening a file on the drive or on the device presenting itself as a keyboard and typing commands. The research presented at Black Hat 2016 reported high success rates for this attack.
5. Tailgating
In tailgating, the attacker seeks entry into a restricted area by simply walking behind a person who has legitimate access. Once that person uses an RFID card to pass through a door controlled by electronic access, the attacker follows closely behind. Out of common courtesy, the person holds the door open until the attacker has passed through. The legitimate employee does not always ask the attacker for identification, and even when asked, the attacker has an excuse ready: the card was forgotten at home, or the attacker is a new recruit whose card has not been issued yet. An access control that logs one badge swipe per person entering is only as good as the staff's willingness to close the door on a stranger.
These are the five types of social engineering ploy that every cyber security professional, and every ordinary internet user, should be aware of.