The Sunday Times Sri Lanka

Top 5 Social Engineering attacks

Social engineering is called the science and art of human hacking. This has become popular in recent years given the exponential growth of social networks, email and other forms of electronic communication. The term is widely used to refer to an array of techniques used by criminals to obtain sensitive information or to convince targets to perform actions that could compromise their systems. Last year, an accounts payable executive at a multinational organisation received an email referencing an invoice hosted on a file sharing server.

A few minutes later, the same accounts payable executive received a phone call from a vice president within the company who spoke with authority, instructing her to examine and process the invoice. However, the invoice was a fake and the vice president who called her was an attacker. The supposed invoice was actually a remote access Trojan (RAT) that was configured to contact a command-and-control (C&C) server located in a country in Eastern Europe. Using the RAT, the attacker immediately took control of the administrative accounts payable executive’s infected computer. They logged keystrokes, viewed the desktop, and browsed and exfiltrated files. These tactics, using an email followed up by a phone call, are highly unusual and are a sign of aggressive social engineering.

Organisations have deployed several security products to address various security risks, but it’s the end user who is the weakest link. Whether the target is a set of login credentials such as a username and password, a credit card number or a bank account, most of the time the weakest link in the chain is not technological but human, and when psychological manipulation takes place it is extremely important to know what types of tricks are being used and how to prevent them. Hence, cyber criminals will not spend much time trying complex technological hacks when they know it is much easier to use social engineering for their purposes. However, the attackers exercise additional aggressive social engineering tactics to defeat each of the defensive practices. Several local businesses have been victims of such attacks where funds have been transferred to an attacker’s account for legitimate invoices.

Phishing
Today, one of the most common methods used to obtain confidential information is known as phishing. Phishing can be characterised as a type of computer abuse or fraud that leverages social engineering principles with the aim of obtaining private information from the victim via ads and email media. The cybercriminal usually relies on email, instant messaging or SMS to deliver the phishing message, which will persuade the victim to either reveal information directly or perform an action which will unknowingly allow the attacker to carry out their ill-intentioned plan. Phishing happens several thousands of times a day across the world and is the most common form of social engineering attack for businesses. Phishing emails use fear and urgency to their advantage.

Baiting
Baiting is in many ways similar to phishing attacks. However, what distinguishes them from other types of social engineering is the promise of an item or good that hackers use to entice victims. Baiters may offer users free music or movie downloads, if they surrender their login credentials to a certain site. 419 scams are also a form of baiting. In a clickbait attack, the attackers go after the sites most visited by their target group and entice the users to click on recent eye-catching headlines to look at their stuff. The cyber criminals collect information about their targets; browsing habits tell a lot about a person. Once they discover a particular website is popular with their targets, they infect the site itself with malware.

In addition, the information you post publicly online (Facebook, Twitter, Foursquare, etc.) might give criminals a clue on how to connect the dots on where you are and your real identity. A targeted attack called spear-phishing is not common but, if you provide valuable information without a second thought, you could be making the lives of cyber-criminals much easier. Another example is: “Did you see this video/picture of you? Check out this link!” This is a fake Facebook email notification, which leads to malware. Malware installed from a scam can log typing and keystrokes to save passwords, track purchases, email and browsing history, control the computer remotely, and access all documents and files on it. Even an Amazon wish list could be the gateway to an epic social engineering hack.

Pretexting
Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity. These attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target and is commonly used to gain both sensitive and non-sensitive information.

In a recently reported case overseas, the scammers posed as representatives from modeling agencies and invented fake background stories and interview questions in order to have women, including teenage girls, send them nude pictures of themselves. Further, many interesting malware samples can be found that rely on social engineering to effectively deliver their attack to the victim. Amongst the most popular are the fake Flash Player updates, embedded executable files in Word documents, low-quality copies of legitimate browsers such as Internet Explorer and many more.

Low tech attacks
Shoulder surfing is simply looking over someone’s shoulder, writing down or memorising logins or passwords, or taking video of keystrokes, which is all very common amongst employees. In a common type of tailgating attack, a person impersonates a courier delivery man and waits outside a building. When an employee gains security’s approval and opens the door, the attacker asks the employee to hold the door, thereby gaining access through someone who is authorised to enter the company.

Human nature
Social engineers disguise scams as well-known or trusted sources. Criminals know it’s human nature to follow what others are doing, making you more inclined to trust their lies. Victims are more likely to give out information via mediums they are unfamiliar with. Customised and personalised emails catch people’s attention. Using names, locations and other personal information makes people think it’s more legitimate. Criminals know we take our security measures for granted and feed off that dependency. Hackers who engage in social engineering attacks prey on human psychology and curiosity in order to compromise their targets’ information. With this human-centric focus in mind, it is up to users and employees to counter these types of attacks.

Here are a few tips on how users can avoid social engineering schemes:

  •  Do not open any emails from untrusted sources. Be sure to contact a friend or family member in person or via phone if you ever receive an email message that seems unlike them in any way. Beware of links to overly graphic terrorist attack images, natural disasters and other tragedies
  •  Do not give offers from strangers the benefit of the doubt. If they seem too good to be true, they probably are
  •  Purchase anti-virus software. No anti-virus solution can defend against every threat that seeks to jeopardise users’ information, but they can help protect against some
  •  Read your company’s security and privacy policy to understand under what circumstances you can or should share information or let a stranger into the building
  •  Lock your laptop and smartphones whenever you are away from your device
  •  Remember that all the technological gadgets and defense mechanisms mean next to nothing if you don’t know how to use them and are not aware of what the bad guys are currently up to. Crime evolves, so should you

Case study
Attackers can retrieve various information from an organisation’s network, such as disaster recovery plans, bank and telecom provider details, points of contact at both providers, and its bank and telecom account data. Using these data, the attacker can impersonate a company representative and call the organisation’s telecom provider, claim that a physical disaster had occurred and request all of the organisation’s phone numbers to be redirected to attacker-controlled phones. Immediately following the phone number redirection, the attacker could send a request to the organisation’s bank, requesting multiple large-sum wire transfers to numerous offshore accounts. As this is an unusual transaction, the bank representative could call the organisation’s number on record to validate the transaction. This call will be redirected to the attacker, who will approve the transaction. The funds will be successfully transferred to multiple offshore accounts, and will then be laundered further through other accounts and monetary instruments.

(The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He is the founding member and Secretary of the (ISC)2 Chennai Chapter, Founder/President of Information Security Professional Associates (iSPA) and a board member of the (ISC)2 Colombo Chapter. He can be emailed at sujit@layers-7.com)
