Jo Blitz A. Escotal
CEO/CISO
Escotal.com
Social engineering is the art of manipulating or tricking people or employees of companies so that they give up confidential information. There is a common saying that “Amateurs hack systems” but “Professionals hack people!”.
Social engineering consists of 1st gathering intelligence known are reconnaissance. The 2nd phase consist of the actual attack of hacking the people to get valuable sensitive information.
Where do I get information about who, where, when, why what and how of social engineering in performing attacks against people and their companies?
Google
Company website
Maltego Paterva
Whois
Social Media Footprint (Facebook, Instagram, LinkedIn, YouTube, Twitter)
Google Images and Maps
Shodan
Tin Eye
Archive.org
Job Boards (Monster.com, Indeed, Career Builder, Zip Recruiter and Glassdoor)
People are the weak link in many organizations, and I blame most companies by not properly training their people on what to look for when it comes to social engineering attacks. Most individuals and organization are reactive instead of proactive when it comes to computer security. Most individuals and organization will wait till something bad really happens before they do something about security. In some cases, it might be too late!
Cyber criminals are trying to access your computer and accounts by targeting them by using various social engineering techniques which is known as people hacking. Most hackers can manipulate people by enticing them to click on a link so that they can install the malware to take over their computer, phone or networks. Cyber criminals can use vishing where they spoof their phone number pretending to be a trusted source so that they can gain valuable information from the victims they are targeting.
Social engineering tactics are easier to exploit because people in nature are very trustworthy.
For example, it is much easier to trick someone into giving you their password or guessing their password since most users have weak passwords, than it is for you to try to hack their password. Criminals can also install keyloggers remotely or locally by sending the victim a bogus application to install and execute so that they get information about the victims’ computer and phones. In the world known as the Internet the largest networks in the world, it is hard to trust someone or something.
Cybersecurity is all about knowing what and who to trust. In the case of building a website, you may need to look for reliable and reputed web designers in melbourne (or wherever you live) who can build an interactive website and incorporate all the necessary security protocols into your website so that it is safe from a cyberattack. The same is true of online activities. You must figure out if the website your visiting and the information their giving is legit.
Famous Social Engineering Attacks include the Bangladesh Bank Cyber Heist which hackers illegally transferred close to $1 Billion Dollars. The 2014 Sony Pictures Hack when a group of North Korean hackers took over Sony Pictures in hope that they would not release a movie by Seth Rogen called the Interview about assassination of their Supreme Leader of North Korea Kim Jong Un. The 2011 RSA SecurID Phishing Attack which hack the RSA SecurID 2 factor authentication tools. 2013 Department of Labor Watering Hole Attack when a US Department of Labor servers were compromise using a zero-day Internet Explorer exploit which was used to install a RAT Remote Access Trojan named Poison Ivy.
Here are examples of different types of Social Engineering Attacks
Link Attacks
A hacker will get your email and they will email the victim with a legitimate looking link to click. The victim does not know that the link has a hidden malware which will then execute and take over the victim’s machine.
Download Attacks
A hacker will trick you into downloading a photo, music, document, file and a movie that has a malware embedded. If the victim click on the downloaded file it has a malware executable which will then load which and infect the target victims’ machine which will give the hacker full access to the device that has the download files and they can now spread the attacks to other machines.
E-Mail Attacks
An email attack is if a hacker gets your email, they can run a malicious program that will access the victims email list which will then send email to the contact list and they can pretend to be you.
Phishing
Phishing is the fraudulent attempt to obtain sensitive information such as credit card information and username and passwords by pretending to be a legit entity such as your bank and credit card company.
Spear Phishing
A type of phishing which attacks a specific person or an organization by creating customized information that the victim will solely believe that is from a trustworthy source.
Whaling
A type of social engineering attack where you attack a high-level person such a CEO, CISO or an Administrator or Root User in order to gain valuable information.
Vishing
Voice phishing is a social engineering type of attack by using a telephone system to gain access to the victims’ personal and financial information.
Smishing
Short Message Service is a social engineering type of attack by using text messaging in tricking the victim by clicking on a malicious link or divulging sensitive information.
Pretexting
Another social engineering attack is pretexting in which a person lies to obtain sensitive information. A pretext is a false motive. A person can pretend to be whoever they want to be to deceive the victim into enticing them to give valuable information which they can use against the victim.
Examples of Pretexting
Phishing attempt pretending to be a credit card company, bank, popular company, social media, school, email or text messages to gain access to ones’ valuable information.
Pretending you need help in an urgent manner
You are stuck in a foreign country and you call someone with a sob story that you lost everything and was robbed and beaten so you ask the victim to help by sending you money.
Charity Scam
You ask the victim to donate to worthy causes such as the red cross, go fund me page, disaster relief, charity and political campaign institutions.
Winner Scam
You get an email or a phone call that you won something, the catch of course is you need to give valuable information such as your email to the hacker or you will have to fill out a form or click on link that has malware which will then take over your machine.
Trustworthy verification Scam
A bank or a social media page such as Facebook will ask you to verify information by filling out the form with your valuable information.
Work Scam
A hacker will ask you to update an important information by posing as a boss or a company worker. They can pretend their tech support and will ask you to install something such as a malware
Click and Bait Scam
Hackers will dangle something that people want and see if they are gullible enough to fall for this type of scam.
- Get Rich Quick
- Mail Order Bride
- Great Deals with a sense of urgency to act quickly
- Nigerian 419 Scam
Shoulder Surfing
The hacker will look over your shoulder, use binoculars or have a hidden camera to get valuable information such as banking, stocks or personal information such an ATM pin number when typing that information.
Expert Scam
The hacker will pretend to become a policeman, clergy, doctor or Subject Matter Expert in order to gain the trust of the victim.
Impersonation Scam
Pretending to be a trustworthy person with the goal of gaining access to physical building or a system. Examples impersonate that you’re in a wheelchair because of an accident and the people will start feeling sorry for you and they will start letting you in.
Waterhole Attack
A targeted type of social engineering attack that will capitalizes on the trust users have in the websites they regularly visit. A Lion will hang out in a watering hole because all their prey will have their guard down and they will need water to drink.
Baiting
You will bait the users for example by putting a flash drive on a parking lot with a corporate logo. The goal here is the hacker is hoping the intended victim will pick it up and bypass security in their company. The malware installed in it that is stealth from the victim.
- Flash Drive
- CD/DVD/Blu-ray
- Floppy Disk
- USB Hard Drive
- Thunderbolt Hard Drive
Con Man aka Confidence Tricksters
Con Men deliberately deceive and manipulate people, by exploiting the human weakness to be trustworthy in order to gain personal benefit.
Quid pro quo means something for something:
A hacker will pretend to be tech support and call the unsuspecting victim thinking they are there to help. They will trick the victim into installing a malware in their computer and have the victim give them their password or IP address so that can access the machine remotely.
Hoax
A false warning to try to trick people into acting on the hoax.
Piggy Backing aka Tail Gating
A hacker will follow a person from behind into entering the facility.
They will have plenty of grocery bags so the legitimate user will let them enter the facility.
They will pretend to be nice and open the door of the legitimate person who has a lot of groceries thus gaining the trust in coming in the facility.
A hacker will be in a wheel chair because most people will let them in by feeling sorry for them.
Dress like you’re from Orkin the security people don’t want to be bothered by such things.
A delivery person will often get in such a UPS driver.
A maintenance or ISP provider will usually get in.
Hang out at the smoker section of the company and wait till the real employees come out. Gain the trust of the employees by shooting the breeze and you be surprise how they will let you in.
Just walk with a lot of confidence, you will be surprise how people just assume you belong.
How to not become a victim in these types of social engineering attacks
Be Aware
Social engineers can also try to take advantage of the emotional part of people’s brains. They might try to take you on a guilt trip, make you nostalgic, or even try to impact negatively. You be amazed how people open in these types of situations.
Check your Surroundings
You are what you do in Social Media.
A hacker will go online and find clues and glance your Facebook, Instagram and Twitter Profiles. They might figure out a security questions by obtaining all the personal information by befriending you or following you in Social Media.
Do not give out too much personal information about your personal life and your company
I am amazed on what people give out in the Internet.
Be there personal information, where they live what schools their kids go to.
Showing up to people on Social Media that there on vacations which means there not home, which will give the hackers the ability to get in your place because you’re not home
Complaining about how there working late and divulging information about the company top secret projects.
Political agendas which can be used against them.
Showing picture of their young kids on the bathtub it seems so innocent but there is a lot of pedophiles hanging out online.
Keep devices and accounts secure
With the abundance of IoT Internet of Things most companies do not perform due diligence in securing these devices. There priority is they want things to work. However, most hackers will have the ability to hack Alexa, cars, television, wireless networks, refrigerators, webcams, pacemakers and common household devices known as IoT.
Make sure you have complex passwords and they cannot be easily obtained physically by locking such devices from prying eyes. This holds for all online accounts for your business as well. If you are aiming to do some social media marketing, say, and recently procured a Facebook agency account for the same (from reputable sources of course), double-checking security measures on it is also very important.
Furthermore, if you are a small business that runs its accounts and other business particulars digitally, then you have to make sure that they are protected against cyber-attacks even when they are outside of your network. For example, when outsourcing critical services such as accounting or taxes, make sure that you hire reputable and reliable bookkeeping services so that you avoid the risk of your financials being leaked by hackers or other similar means.
Many companies, often small ones, let their security and technological aspects loosen while they are going through a period of dormancy. This is an opportune period for hackers and other cyber attackers to strike as the company’s defenses are down. For example, if a business owner is unaware of answers to questions like “do you have to file accounts for a dormant company?” (knowing how to do it through the right online portals), they might end up being scammed, have their financials leaked, or something worse. Therefore, keeping your business secure at all times is essential.
Counter Measures against Social Engineering Attacks
Take your time
Think before you act spammers want you to act quickly by creating a sense of urgency or they use high pressure sales tactics. Take your time and gather all the facts before being influenced to do something they will regret later.
Research and perform due diligence
Research, research, research. Make sure you do your due diligence if the company your dealing with is legit. Research the website, call the company and ask for references before doing anything.
Do not click on anything
Do not click on a link or install an application without 1st making sure that the information is from a legit entity.
Download with caution
Only download from a secure site or from people you trust.
Organizations reduce their security risks by:
Training your employees about the latest security policies.
Follow Security Framework by performing a check list of what acceptable user policy that everyone will perform.
Establish Security Protocols
- ISO 27001/IEC
- NIST Risk Management
- ITIL
Pen Testing
- White Hat – Ethical Hacking
- Grey Hat
- Black Hat – Highly Illegal
Honeypot and Honeynet
Setup a trap to get evidence on hackers trying to access sensitive information on the networks.
Review the following:
- Physical Security (Do not let them in)
- Technical Security (Firewall, Antivirus, Proxy, IDS/IPS, Encryption etc.
- Procedural Security (Dumpster diving make sure you shred everything you throw in the garbage)
- Social Engineering (People are the weak link make sure their educated about the latest security incidents.)
How to protect yourself:
- Delete anything that ask for your password
- Delete anything that ask for your social security or give up sensitive financial information.
- Setup web filtering and spam email filter.
- Download all the hot fix, patches and service packs.
6 key principles of social engineering influence
- Reciprocity – you rub my back I will rub your back. If I do you a favor how will you return the favor?
- Commitment & Consistency – People tend to commit if things are done by mouth or in writing.
- Social proof – People will do things if they see other people doing the same things. If I look down to pretend, I lost my contact lenses people in general will help me and do the same thing. Another principle of this is peacocking we tend to hang out with people that are beautiful or have power or have money. In the world of dating a person that hangs out with a bunch of beautiful women all around them will have more social proof that someone who is alone with a drink in their hand.
- Authority – People tend to respect and obey authority figures such as a policeman who is consider an authority figure in our society.
- Liking – People then to hang out with people they like. Viral Marketing is an example of this phenomena and we tend to buy from people we like or trust.
- Scarcity – Demand are usually cause by perceived scarcity such diamonds. In Sales, customers are enticed by the word “limited time only” or “one of a kind”
Conclusion
Social engineering attacks are still the most dangerous because of the human element. It is clearly very important that companies train there people effectively against such attacks. It seems common sense but once again companies wait till something damaging happens before they react and fix it. Most people are nice in nature and do not have the skill set to analyze if there dealing with legit or dangerous entities. What good are your firewalls, proxy servers, 2 factor authentication methods, locked doors when your people will just let me in.