Techniques used by Social Engineers and Countermeasures

The previous article, "The Art of Social Engineering!!", discussed what a social engineering attack is and how attackers exploit the human element to trap victims into believing that the attacker is genuine. It also listed the most popular social engineering techniques. Continuing that topic, below are some more approaches that attackers use.

Popular Social Engineering Attacking Techniques

Vishing: Also known as voice phishing, this is a fraud in which individuals are tricked into revealing critical financial or personal information to an unauthorised party over a phone call. It works like phishing but is carried out over voice channels: VoIP (voice over IP), voicemail, landline or mobile telephone. Attackers may also play pre-recorded background noise (a busy call centre, for example) to make the crafted scenario sound authentic. The victim may first receive a message stating that suspicious activity has taken place on their credit card, bank account or other financial service, and is then told to call a specific telephone number to back up their data, recover their account or verify their identity "so that the fraud does not happen again". The number belongs to the attacker, who harvests whatever the victim discloses.
Tailgating: Also known as piggybacking, this involves following an employee into a restricted area without holding the proper credentials. Tailgating does not work in every corporate setting, for example in larger companies where swiping an identity card is mandatory at every door, but there is still scope for it. In mid-size enterprises in particular, attackers can strike up conversations with employees and use this show of familiarity to get past the front desk. A typical example is an attacker who impersonates a delivery driver and waits outside the building for an employee to open the door.
Scareware: This tricks the victim into believing that their computer is infected with malware or has accidentally downloaded illegal content. The attacker then offers a solution that will fix the bogus problem; in reality the victim is simply tricked into downloading and installing the attacker's malware.
Spear phishing: This is targeted phishing, crafted for a specific individual or organisation, in which attackers trick employees into handing over remote access credentials or opening a malicious attachment that carries an exploit or payload. It relies on e-mail spoofing: the message appears to come from a trusted colleague, supplier or service, and it takes only one employee clicking a malicious attachment or link to give the attackers the access they want. Such attempts are not the work of random hackers; they are pre-planned campaigns seeking trade secrets, financial gain or military information. The 2014 breach of Yahoo, in which about 500 million user accounts were compromised, reportedly began with a spear-phishing e-mail.
Watering hole: The attacker compromises a website that the targets are known to visit regularly and plants malware on it. Typically the attacker exploits a vulnerability in the site and injects HTML or JavaScript that redirects the visitor to a second site hosting the malware; once a visitor is infected, the malware is used to steal information. In February 2017 the Chinese APT10 group was reported to have planted a malicious script on the "Events" page of the website of the US National Foreign Trade Council (NFTC). The attack is considered an attempt to conduct surveillance on the lobbyists and industry players involved in US trade-policy activities.
In short: instead of penetrating the network, the attacker breaches the people who run it.

How to protect yourself and your organisation from social engineering attack?

  • Slow down. The attacker wants the target to act first and think later. If a message conveys urgency, fear or an attractive offer, do not let that pressure you into skipping a careful review.
  • Research the facts. Be suspicious of any unsolicited message or e-mail. Look up the company's real telephone number through a search engine or phone directory rather than using the number given in the message. Curiosity leads to careless clicking: do not open links or download attachments unless you know what the e-mail is about and who actually sent it.
  • Delete any request for financial information or passwords. A message asking for personal information is a scam; report it as phishing.
  • Reject unsolicited requests for help and offers of help. Legitimate companies and organisations do not contact you out of the blue to offer assistance.
  • Beware of any download. If you do not know the sender personally and are not expecting a file from them, downloading anything is a mistake.
  • Foreign offers are fake. An e-mail from a foreign lottery you never entered, money from an unknown relative, or a request to transfer funds in exchange for a share of the money is guaranteed to be a scam.
  • Secure your computing devices: install antivirus software, e-mail filters and firewalls, and keep all software patched and up to date. Use the anti-phishing protection offered by your web browser or by a third-party tool.
  • Set spam filters to high. Do not open e-mails in the spam folder or from senders you do not know.
  • Lock your system when it is not in use, and strictly prohibit password sharing.
  • Educate employees on what attackers can make them do. Trained employees are far less likely to fall prey to attackers who would use them as a way into the organisation.
  • When you receive a phone call and are in any doubt, ask the caller to send everything they are asking for by e-mail from an authorised company address, and verify it through a known channel before acting.
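Several of the checks in the list above (a sender whose display name claims a trusted domain, a Reply-To that goes elsewhere, link text that points to a different host, urgency wording, and executable attachments) can be automated. The following Python script is an added example written for this article; it is not code from the original text or from TCS. It parses one raw e-mail with the standard library and reports each indicator it finds. The sample message is constructed, and the domains corp.example, corp-example-support.invalid and webmail-example.invalid are made up. It is a teaching heuristic, not a substitute for a mail gateway's SPF/DKIM/DMARC and reputation checks.

```python
"""Phishing-indicator scorer: automates the manual checks listed above (hypothetical helper)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Wording that creates the "act first, think later" pressure the article warns about.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify")
# Attachment types commonly used to deliver an initial payload.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".docm", ".xlsm")
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)
# Good enough for a teaching heuristic; production code should use a real HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def domain_of(address):
    """Lower-cased domain of an RFC 5322 address ('' if there is none)."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()


def host_of(url):
    """Lower-cased hostname of a URL; a bare 'host/path' is read as http://host/path."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_org(a, b):
    """True when one domain equals, or is a subdomain of, the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def analyse(raw_message):
    """Return human-readable phishing indicators found in one raw e-mail."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_hdr = str(msg.get("From", ""))
    display_name = parseaddr(from_hdr)[0]
    from_domain = domain_of(from_hdr)

    # 1. The display name drops a trusted domain the mail was not actually sent from.
    for claimed in DOMAIN_RE.findall(display_name):
        if not same_org(claimed.lower(), from_domain):
            findings.append(f"display name mentions {claimed} but sender domain is {from_domain}")

    # 2. Replies would go to a different domain than the apparent sender.
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    if reply_domain and not same_org(reply_domain, from_domain):
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. The visible link text names one host while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        shown = host_of(TAG_RE.sub("", text).strip())
        if DOMAIN_RE.search(text) and shown and shown != host_of(href):
            findings.append(f"link text shows {shown} but points to {host_of(href)}")

    # 4. Urgency or fear in the subject or body.
    content = (str(msg.get("Subject", "")) + " " + TAG_RE.sub(" ", html)).lower()
    urgent = [w for w in URGENCY_WORDS if w in content]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))

    # 5. Executable or macro-enabled attachment.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    return findings


def is_suspicious(raw_message, threshold=2):
    """Flag the mail when at least `threshold` independent indicators fire."""
    return len(analyse(raw_message)) >= threshold


# Constructed sample, not a real message: lookalike sender domain, foreign Reply-To,
# mismatched link, urgent wording and an .exe attachment (its bytes are a placeholder).
SAMPLE_PHISH = """\
From: "IT Helpdesk (helpdesk@corp.example)" <alerts@corp-example-support.invalid>
Reply-To: it.recovery@webmail-example.invalid
Subject: URGENT: VPN access suspended within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Re-verify immediately at
<a href="http://corp-example-support.invalid/vpn">https://vpn.corp.example/login</a>
or your account will be suspended.</p></body></html>
--b1
Content-Type: application/octet-stream; name="VPN_Update.exe"
Content-Disposition: attachment; filename="VPN_Update.exe"

placeholder-bytes-not-a-real-executable
--b1--
"""
```

Running `analyse(SAMPLE_PHISH)` returns all five indicators, so `is_suspicious(SAMPLE_PHISH)` is True, while a plain internal note with a matching sender and no links or attachments yields an empty list. The threshold of two independent indicators is deliberate: a single urgency word or a single Reply-To mismatch is common in legitimate mail, and the point of the list above is that several small oddities together are what should make a reader slow down.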

To sum up

Social engineering must be dealt with cautiously by every organisation and every individual, as attackers have found that it is often easier to get into an organisation through its people than by breaking its software.
Authored By - Shefali Singh
TCS Cyber Security Practice