Author: Manny OG
Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.
What I mean, is those annoying unsolicited emails, those annoying pop-ups, click baits and stupid ads, they’re tools of social engineering.
Here’s 5 things about them you should be aware of:
Phishing scams might be the most common types of social engineering attacks used today. Most phishing scams demonstrate the following characteristics:
- Seek to obtain personal information, such as names, addresses and social security numbers.
- Use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate.
- Incorporates threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly.
Some phishing emails are more poorly crafted than others to the extent that their messages oftentimes exhibit spelling and grammar errors but these emails are no less focused on directing victims to a fake website or form where they can steal user login credentials and other personal information.
A recent scam sent phishing emails to users after they installed cracked APK files from Google Play Books that were pre-loaded with malware. This specific phishing campaign demonstrates how attackers commonly pair malware with phishing attacks in an effort to steal users’ information.
Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity.
Unlike phishing emails, which use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target.
Pretexting attacks are commonly used to gain both sensitive and non-sensitive information. Back in October, for instance, a group of scammers posed as representatives from modeling agencies and escort services, invented fake background stories and interview questions in order to have women, including teenage girls, send them nude pictures of themselves.
Baiting is in many ways similar to phishing attacks. However, what distinguishes them from other types of social engineering is the promise of an item or good that hackers use to entice victims. Baiters may offer users free music or movie downloads, if they surrender their login credentials to a certain site.
Baiting attacks are not restricted to online schemes, either. Attackers can also focus on exploiting human curiosity via the use of physical media.
4. QUID PRO QUO
Similarly, quid pro quo attacks promise a benefit in exchange for information. This benefit usually assumes the form of a service, whereas baiting frequently takes the form of a good.
One of the most common types of quid pro quo attacks involve fraudsters who impersonate IT service people and who spam call as many direct numbers that belong to a company as they can find. These attackers offer IT assistance to each and every one of their victims. The fraudsters will promise a quick fix in exchange for the employee disabling their AV program and for installing malware on their computers that assumes the guise of software updates.
Another social engineering attack type is known as tailgating or “piggybacking.” These types of attacks involve someone who lacks the proper authentication following an employee into a restricted area.
In a common type of tailgating attack, a person impersonates a delivery driver and waits outside a building. When an employee gains security’s approval and opens their door, the attacker asks that the employee hold the door, thereby gaining access off of someone who is authorized to enter the company.
Tailgating does not work in all corporate settings, such as in larger companies where all persons entering a building are required to swipe a card. However, in mid-size enterprises, attackers can strike up conversations with employees and use this show of familiarity to successfully get past the front desk.
Hackers who engage in social engineering attacks prey off of human psychology and curiosity in order to compromise their targets’ information. With this human-centric focus in mind, it is up to users and employees to counter these types of attacks.
Here are a few tips on how users can avoid social engineering schemes:
- Do not open any emails from untrusted sources. Be sure to contact a friend or family member in person or via phone if you ever receive an email message that seems unlike them in any way.
- Whenever any such annoying pop-up shows on your screen, if just turn of your internet, it helps give you time sort it out.
- Do not give offers from strangers the benefit of the doubt. If they seem too good to be true, they probably are.
- Lock your laptop whenever you are away from your workstation.
- Purchase anti-virus software. No AV solution can defend against every threat that seeks to jeopardize users’ information, but they can help protect against some.