Social Engineering

Tanishq Sachin Shah
4 min read · Oct 13, 2022


“Amateurs Hack Systems, Professionals Hack People” (Bruce Schneier)

You’ve probably all heard about the recent Uber data breach and how even unicorn companies with a high level of security can be compromised. In that case, the attacker targeted a corporate employee and gained access to his machine before moving on to the main server; this is social engineering. On Twitter, the attacker admitted that they got access to the company’s internal VPN by tricking an employee into handing over the credentials: the attacker claimed to be a corporate IT specialist who needed the password. The threat actor then obtained further credentials that allowed access to Uber’s AWS and G Suite accounts.

Social engineering is one of the most widely used cybercrime strategies today. According to Firewall Times, “98% of cyber attacks involve some type of social engineering.” Why does social engineering work against even the most secure organizations? The answer is straightforward: social engineering exploits our natural kindness and trustworthiness to the benefit of the people-savvy hacker, the social engineer.

“Social Engineering is a major problem because there is no patch for human stupidity.”

How Do Social Engineering Attacks Happen?

A social engineer must first learn about their target before they can begin. During an attack, the social engineer may pose as someone else, such as a friendly IT person or a fellow employee.

After researching the target, the engineer initiates an encounter. This could be an online attack, such as a phishing email, or a physical one in which the social engineer interacts with the target in person or over the phone. At this point the social engineer exploits human emotions to gain the victim’s trust, frequently through pretexting: a fabricated story that includes just enough real information to make the entire conversation seem credible.

The attack is carried out without the victim noticing that anything is wrong, and it is often complete as soon as the victim has performed the desired action or handed over the requested information. In rare situations the social engineer may even convince the victim that the supposed problem has been resolved.

Social engineering does not stop once the attack has been carried out. The attacker will remove any evidence of suspicious activity to avoid being discovered later; this might be as simple as removing an infected USB stick from an office computer before leaving. Once the attack has been run from beginning to end, the social engineer has everything they were looking for (usually data or money).

Types Of Social Engineering Attacks

Pretexting -

Pretexting is a type of social engineering technique that manipulates victims into giving out information. For example, someone may call an employee and claim to be someone in authority, such as the CEO or a member of the IT team.

Phishing, Vishing and Smishing -

Everyone has some idea of what phishing is: it is the practice of impersonating a trustworthy party in communications such as emails or text messages in order to steal sensitive information such as credit card numbers and passwords. Pretexting and phishing are separate categories, but they can be combined. You can read this blog to learn how phishing attacks are executed. Voice phishing (vishing) is a form of social engineering that uses phone calls to trick victims into disclosing sensitive information or granting the attacker remote access to the victim’s computing device. SMS phishing (smishing) is similar to vishing and phishing; it uses the same tactics but is carried out via SMS or text messaging.

Baiting -

Diversion Theft -

In this form of attack, social engineers trick a delivery or courier company into going to the wrong pickup or drop-off location, intercepting the transaction.

Some other social engineering techniques are -

“Using Protection Is Better Than Regretting Later”

How To Protect?

Social engineering is a serious threat to you, your employees, and your company. Even when a business has top-tier cybersecurity solutions in place, social engineers can still cause operational disruption, data breaches, and financial losses. Protect your company by providing security awareness training, enforcing security processes, and conducting penetration testing.

Some precautions to take:

  • Delete any request for financial information or passwords.
  • Reject requests for help or offers of help.
  • Set your spam filters to high.
  • Secure your computing devices.
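As an added example that is not part of the original post, the heuristic below turns the first two precautions into a small e-mail triage check a mail reviewer or SOC analyst could run: it flags messages that ask for passwords or financial data, apply time pressure, or arrive from a look-alike domain while claiming internal authority in the display name. The trusted domain `example.com`, the phrase lists, the score weights and the two sample messages are all constructed assumptions for the illustration.

```python
import re
from dataclasses import dataclass, field

# Trusted sender domain for a hypothetical organisation (assumption, not from the article).
TRUSTED_DOMAINS = {"example.com"}

# Phrase groups mapping to the article's advice: requests for passwords or
# financial data are the red flags, urgency is the pressure lever, and a claimed
# internal role (IT, CEO) is the classic pretext.
CREDENTIAL_REQUESTS = [r"\bpassword\b", r"\bverify your (account|identity)\b",
                       r"\blogin (details|credentials)\b"]
FINANCIAL_REQUESTS = [r"\bwire transfer\b", r"\bgift cards?\b",
                      r"\bbank (account|details)\b", r"\binvoice\b"]
URGENCY_CUES = [r"\burgent(ly)?\b", r"\bimmediately\b", r"\bright away\b",
                r"\bwithin (the next )?\d+ (minutes|hours)\b"]
AUTHORITY_CLAIMS = [r"\bit (support|team|department)\b", r"\bceo\b", r"\bhelpdesk\b"]


@dataclass
class Email:
    display_name: str
    sender: str          # bare address, e.g. "alice@example.com"
    subject: str
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def suspicious(self) -> bool:
        # Threshold is a constructed assumption; tune it against real mail flow.
        return self.score >= 4


def _matches(patterns, text):
    """Return the patterns that occur in text, case-insensitively."""
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(email: Email, trusted=TRUSTED_DOMAINS) -> Verdict:
    """Score one message for social-engineering indicators and explain the score."""
    v = Verdict()
    text = f"{email.subject}\n{email.body}"
    domain = email.sender.rsplit("@", 1)[-1].lower()
    external = domain not in trusted

    if _matches(CREDENTIAL_REQUESTS, text):
        v.score += 3
        v.reasons.append("asks for credentials")
    if _matches(FINANCIAL_REQUESTS, text):
        v.score += 3
        v.reasons.append("asks for financial action or data")
    if _matches(URGENCY_CUES, text):
        v.score += 1
        v.reasons.append("urgency pressure")
    # An internal-authority claim in the display name from outside the organisation
    if external and _matches(AUTHORITY_CLAIMS, email.display_name):
        v.score += 2
        v.reasons.append("claims internal authority from external domain")
    # Look-alike domain: within two edits of a trusted domain but not equal to it
    if external and any(_edit_distance(domain, t) <= 2 for t in trusted):
        v.score += 3
        v.reasons.append(f"look-alike domain {domain}")
    return v


# Constructed sample messages (not real mail).
PRETEXT_SAMPLE = Email(
    display_name="IT Support",
    sender="helpdesk@examp1e.com",
    subject="Urgent: VPN password reset",
    body="Hi, this is the IT team. Your account will be locked within 2 hours "
         "unless you reply with your current password so we can migrate it.",
)
BENIGN_SAMPLE = Email(
    display_name="Alice Example",
    sender="alice@example.com",
    subject="Lunch menu",
    body="The cafeteria menu for next week is attached.",
)

if __name__ == "__main__":
    for sample in (PRETEXT_SAMPLE, BENIGN_SAMPLE):
        verdict = triage(sample)
        print(sample.subject, verdict.score, verdict.suspicious(), verdict.reasons)
```

The point of the `reasons` list is that a flagged message lands in front of a human with an explanation, which is what the awareness training in the section above is meant to reinforce; the scorer is a coarse routing aid, not a replacement for a mail gateway or for verifying any password or payment request over a known-good channel.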

Written by Tanishq Sachin Shah

Triage Analyst @HackerOne | Blogger | Penetration Tester | Red Team | Skating Coach