Social Engineering attacks involve
manipulating the human psychology using various resources like phone
calls and social media to trick the employees of certain organizations
or individual users into revealing confidential or sensitive
information. This attack type tends to go unnoticed by the general
populace as there is not enough awareness about the methods of
infiltration implemented by hackers or a legitimate solution to the
problem such as investing in new technology. In this article, we will
explore the life cycle of social engineering attacks and briefly
describe the attack techniques and state safety measures against these
attacks.
It is a popular hacking technique as it is relatively easy to exploit human kindness, urgency, curiosity among other emotions.Also, it relies on the errors of legitimate human users, making it difficult to identify and prevent such an attack. People can be influenced easily to gain unauthorized access to a system or to disperse malware by following certain steps:
- Prepare the ground for attack: Attackers performs research on the intended target by tracking behaviours and patterns of the individual they’re after. If it is a company, they will first find out the internal operations and employee structure, accordingly, choose a target human and find out about them by going through their social media.
- Gather information: This is the engaging phase. Once there is sufficient background information on a user, attacker conceals their identity and poses as a trusted individual in order to get the required data.
- Plan attack: Based on the reconnaissance phase, hacker will design an attack including computer programs and tools to be used which will be most effective and will leave a minimum trail.
- Exit phase: Once a vulnerability is successfully exploited, social engineers need to cover their tracks to avoid any suspicions. They delete any trace of malicious code and try to bring things to a natural end.
Phishing:
As one of the most popular types of social engineering, phishing uses
emails and text messages disguised as a licit organisation. Attackers
try to trick users into opening malicious links or opening files that
contain malware by creating a sense of urgency or fear in a naive
computer user.
Scareware: Also referred to as deception software, target users are tricked into thinking that their device is affected with malware. They are bombarded with bogus threats and alerts about the safety of their device and prompt them to install certain software which has no real benefit or is malware itself.
Quid pro quo: Here, an attacker promises certain benefits in exchange of user information or assistance. They may pose as IT service people and pretend to provide quality service to their systems while actually doing the opposite. This social engineering method is very similar to baiting, the only difference being that baiting promises goods while quid pro quo provides services.
Tailgating: Often called as piggybacking, tailgating relies on the courtesy of a person who has access to the company entrance. Hacker gains entry to a restricted area by waiting outside the building and following an authorised employee when they get the chance.
Scareware: Also referred to as deception software, target users are tricked into thinking that their device is affected with malware. They are bombarded with bogus threats and alerts about the safety of their device and prompt them to install certain software which has no real benefit or is malware itself.
Quid pro quo: Here, an attacker promises certain benefits in exchange of user information or assistance. They may pose as IT service people and pretend to provide quality service to their systems while actually doing the opposite. This social engineering method is very similar to baiting, the only difference being that baiting promises goods while quid pro quo provides services.
Tailgating: Often called as piggybacking, tailgating relies on the courtesy of a person who has access to the company entrance. Hacker gains entry to a restricted area by waiting outside the building and following an authorised employee when they get the chance.
Preventing Social Engineering Attacks:
- Don't open emails and attachments from questionable sources
- Don't believe tempting offers
- Use secure email and web gateways
- Use multifactor authentication
- Use updated antivirus software
Organisations
must do their part in safeguarding themselves and thwarting social
engineering attacks by identifying which employees are prone to this
attack and providing security awareness training.
