The Art of Social Engineering!!

What comes first to mind after hearing the words "Social Engineering"? "I am too smart to be fooled!!" But in reality, is that so? Having completed a master's in information security and then worked in the same profession for some time now, I used to think the same. That was until a few days ago, when I got a strange call and found myself going with the flow. Only after a few minutes did I realize something was fishy, and I stopped myself without revealing any personal or important information. But what made me, or anyone, go with the flow and, knowingly or unknowingly, fall into the attacker's trap?
 
We are smart, but so are our attackers; they always think a step ahead and routinely target human psychology. Social engineers exploit human emotions and behaviours such as fear, greed, acquiescence and helpfulness. They exploit the human tendency to get involved, and the way people react to different situations.
 
Social engineering can be considered an art in which victims are manipulated into revealing their confidential information. It is gaining popularity because fooling someone is easier than hacking software. While most organizations and businesses spend heavily on the latest products that promise to fix their security issues, humans give attackers the easiest way in. The human element is the weakest part of a system and the most prone to mistakes. Attackers try to lure or pressure the victim, keep empathizing with them, create urgency, show unusual care, or scare them. Each of these is an alarming sign that calls for full validation and authentication of the other party before any important information is revealed.
 
Currently, the world is witnessing ransomware attacks. Mostly this attack is spread through computer malware using spam, phishing emails and malicious download links, specially designed to lock up the files on a computer until the victim pays the ransom demanded in bitcoins. Meanwhile, the WannaCry ransomware is spreading by exploiting a vulnerability in implementations of Server Message Block (SMB) on Windows systems.
 

Popular Social Engineering Attacking Techniques

Pretexting: Attackers fabricate a scenario through which they try to steal the victim's personal information. They pretend they need certain information from their target in order to complete some proceedings. Moreover, they try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organization or company. It can involve researching a target before the attack and later using the gathered data to impersonate or manipulate. One example is an attacker who imitates an external IT services auditor and manipulates the company's security. These attacks rely on building a false sense of trust with the victim to gain sensitive and non-sensitive information, which requires the attacker to build a believable story that leaves little room for doubt.
 
Baiting: Attackers dangle something people generally want so that they will take the bait. Victims who take the bait get infected with malicious software that can generate any number of new exploits against themselves and their contacts. These schemes are also found on social networking sites or on malicious websites. The plot lures by showing up as an amazingly great deal on shopping or auction sites, and the seller is even given good ratings, all crafted and planned ahead of time. A similar attack took place in March, where the attacker started by spamming the email inboxes of active GitHub users with fake job offers. The messages tricked the victims into running an attached malicious .doc file containing embedded macro code which, if allowed to run, executes a PowerShell command to download and install the Dimnie trojan, malware that can be remotely controlled, thereby enabling attackers to hijack infected PCs and install additional malware.
 
Phishing: The attacker sends an e-mail, instant message, comment, or any type of text message that appears to come from a legitimate user, bank, institution, school or popular company. It can be combined with a fake phone call (a vishing attack) and with typosquatting (using mail domain names that are similar to popular domain names but differ by a character or two, or Gmail/Hotmail/Yahoo addresses with a manipulated display name). The message may ask for help, may notify you that you are a 'winner', may seek to obtain personal information, or may explain that there is a problem. Time should be taken to read the e-mail, and the sender address should be checked before replying. These emails may carry malicious attachments, links or redirects, which should not be opened. A few days back, in early May, the world witnessed the Google Docs phishing scheme, hitting employees at multiple organizations and media outlets that use Google for email, as well as thousands of individual Gmail users. The malicious OAuth phishing email, when clicked, redirects to a page which says, "Google Docs would like to read, send and delete emails, as well access to your contacts," asking your permission to allow access. If access is granted, the attackers instantly get permission to manage the victim's Gmail account, with access to all the victim's emails and contacts, without needing the Gmail password. Google replied in a tweet, "We are investigating a phishing email that appears as Google Docs. We encourage you to not click through & report as phishing within Gmail." Google also said that this phishing campaign affected fewer than 0.1% of Gmail users, which is around one million people who handed over their email access to attackers.
 
Phishing scams are the most common type of social engineering attack used today. Recently there has been an increase in ransomware being delivered along with phishing emails. These are usually sent as attachments with a double file extension such as '.PDF.zip' or '.PDF.rar'. Once run, the ransomware encrypts the full hard disk and the documents on it, and demands bitcoin in exchange for unlocking it.
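The two phishing tell-tales just described, a sender domain one or two characters away from a trusted one and a '.PDF.zip' style double extension, can be checked mechanically before anyone replies. The following is an added example written for this article, not the author's or any vendor's code; the trusted-domain list and the sample messages are constructed for illustration.

```python
# Assumed allow-list of domains the organisation really corresponds with.
TRUSTED_DOMAINS = ["example-bank.com", "gmail.com", "github.com"]
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character changes needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(sender: str, max_distance: int = 2):
    """Trusted domain the sender's domain imitates (gmai1.com -> gmail.com), else None.
    An exact match is legitimate; a near miss is the typosquatting pattern."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= max_distance:
            return trusted
    return None

def double_extension(filename: str) -> bool:
    """True for names like invoice.PDF.zip: a document extension in front of an archive."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in ARCHIVE_EXTS

def triage(message: dict) -> list:
    """Reasons a message deserves a second look before anyone replies or opens it."""
    reasons = []
    imitated = lookalike_domain(message["from"])
    if imitated:
        reasons.append(f"sender domain imitates {imitated}")
    for name in message.get("attachments", []):
        if double_extension(name):
            reasons.append(f"double-extension attachment {name}")
    return reasons

# Constructed sample messages, not real mail.
SAMPLE_MESSAGES = [
    {"from": "alerts@examp1e-bank.com", "attachments": ["statement.PDF.zip"]},
    {"from": "colleague@gmail.com", "attachments": ["agenda.pdf"]},
]
if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], triage(msg) or ["no flags"])
```

The edit-distance threshold is a heuristic: two legitimate domains that happen to be close (for example competing services with similar names) will also be flagged, so treat the output as a prompt for the sender-address check the article recommends, not as a verdict.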
 
Quid pro quo: The attacker promises a benefit in exchange for information. This benefit usually takes the form of a service, whereas baiting frequently takes the form of a good. The promise is a quick fix in exchange for the employee installing malware, disabling their AV program and so on, on their computer, under the guise of software updates. Rival attackers can even ask for confidential information in exchange for a better job opportunity.
 
Dumpster Diving: This is equivalent to looking for treasure in someone else's trash. It is used to retrieve information that could be used to carry out an attack in future. It includes searching for access codes and passwords written on sticky notes or saved in auto-fill. Other information like a phone list, calendar or organization chart can be used by attackers to carry out a social engineering attack and gain access. A disposal policy should be established so that all waste paper from photocopies or printouts is shredded in a cross-cut shredder before being recycled, all storage media is securely erased after use, and all employees are educated about the danger of untracked trash.
 

Conclusion

As an old saying puts it: "There are only two people in the world I trust: you and me, and I'm not so sure about you." This is the better attitude to take, as misplaced trust can be harmful. The next article will consider more social engineering attack techniques, and how to protect oneself and one's organization from these attacks.
 
Authored By - Shefali Singh
TCS Cyber Security