Have you ever gotten an email titled something like “You have an outstanding invoice”, “YOU ARE THE LUCKY WINNER!!!!” or “Payment Needed For Package”? This is a type of social engineering, and it takes many forms. The above examples are just a few of the many ways attackers will try to exploit you, your computer and your organization.
At key times of the year, especially Christmas and other major holidays, attackers flood as many inboxes as they can with malicious emails, trying to infect their targets and defraud them of money. They typically prey on less technical users; however, some attackers craft an attack specific to their target so that it is more believable and can fool even highly trained users.
While phishing (described later) is easily the most common form of social engineering, it is not the only one. Attackers employ many methods to aid their goal, whatever that may be. This post covers not only the attacks themselves, but how to spot them, how to prevent them, and the underlying tactics they rely on. With that said, let’s dive in.
What is Social Engineering?
Social engineering at its core is about exploiting humans. Just as malware preys upon vulnerable parts of a computer, social engineering preys upon human vulnerabilities. CSO Online has a short video on social engineering which explains briefly what it is. The corresponding article is a great resource for finding more information as well.
Attackers also mimic scenarios that increase the chances of a social engineering attack succeeding, and these scenarios rely on a few key tactics. At its core, social engineering works on several levers that attackers use to fool their targets: intimidation, consensus, authority, scarcity, urgency and familiarity.
If used correctly, they can transform an ordinary attack into an attack which can fool or almost fool even a trained eye.
Recognizing these methods and when they are used is a critical step in defending yourself, your organization and family against hackers who attempt to social engineer you.
Intimidation
This tactic is simply scaring the target into handing over the data the attacker wants. Intimidation often takes the form of direct threats, such as “I need $500 in iTunes gift cards, otherwise I will release all this data on you” or “Your account is about to be locked and deleted, I need your password to prevent this”. Attacks along these lines are common and threaten the user into doing what the attacker needs.
Consensus
People like to fit in, so attackers exploit this by making the victim think that everyone else is complying too. A typical attack here is tricking the user into downloading a malicious application: on the download page, the attacker writes fake positive reviews themselves using multiple accounts. When the victim sees the product, they are more inclined to download it because other people seemingly have, and liked it.
Authority
An attack using authority is one where the attacker uses a position of power over the victim to get results. Impersonating a company executive in order to obtain users’ passwords or gain access to a restricted area is an example of this method. It ties in with intimidation, as the target is afraid to refuse for fear of the consequences.
Mass-mailed social engineering attacks often invoke authority, hoping it will scare some users into performing the requested action. More targeted phishing emails may use it as well.
Scarcity
Scarcity is used all the time in marketing, not just in social engineering attacks. When a marketing campaign says “Only 10 products left at this sale price”, people are more likely to buy. This can be leveraged in attacks as well: an attacker could craft a phishing email telling the victim they were selected for a special test group for a program, and only 5 spots are left. The user is compelled to download it without thinking too much and potentially infects themselves.
Urgency
“Get this product now before our special deal expires, only 1 hour remains!!!!” Urgency is used in attacks by making the user act quickly so they do not stop to think about whether the scenario makes sense. Another example would be “I need you to send $5000 to this account within 10 minutes, otherwise this important business transaction cannot go through. Please act quickly”. Social engineering attacks involving urgency always want the victim to act immediately so they have no time to think it over or check with others.
Familiarity
Familiarity is when an attacker relates the situation to something the victim knows and is comfortable with. The attacker may impersonate a relative or close friend, or may do research so that they appear to be familiar with you.
Combination of Tactics
Typically, these methods are not used separately but combined. Consensus, scarcity and urgency combine well, for example a limited-time offer with good reviews and only 1 spot left. Familiarity is often paired with urgency, most commonly as someone claiming that a relative of the victim is hurt and needs money for care immediately. Countless examples exist. Take this one:
10:45 AM (1 hour ago)
I noticed that a user named securitybull72 (claiming to be an employee) in a security forum posted some negative comments about the company in general (executive compensation mainly) and you in specific (overpaid and incompetent). He gave detailed instances on his disagreements, and doing so, may have unwittingly divulged confidential company information regarding pending transactions.
The post generated quite a few replies, most of them agreeing with negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through appropriate channels before making this post. The link to the post is located here (it is the second one in the thread):
Could you please talk to him?
This attack is very sophisticated and required a lot of research. The attacker impersonated a person from HR, generating authority, and used plenty of detail that fosters familiarity and trust. The article says:
“Nine out of ten would fall for something like this. The only thing that saved me was the fact that when I hovered over the link I saw that the domain was one I had created myself for simulated phishing attacks. But it was a close call! One more second and I would have been pwned”
Below is another example from berkeley.edu and their “Phish Tank”, which hosts phishing emails they receive.
——– Forwarded Message ——–
Subject: UPDATE EMAIL: Don’t lose access to your account!!
Date: 19 Feb 2021 05:37:51 -0800
From: berkeley.edu Support

Our security system has detected some irregular activity connected to your account. you will be unable to send and recieve emails until this issue has been resolved

CLICK HERE TO VALIDATE NOW

To prevent further irregular activity we will restrict access to your account within 72 hours if you did not validate your account.
Note: Mail Administrator will always keep you posted of security updates.
Mail Admin
berkeley.edu ©2021 Secured Service.
In this example, we can see urgency and intimidation are used. The account will be restricted within 72 hours, creating urgency, and the restriction of the account is intimidation.
We can see in these examples how attackers can mix all of these tactics to create very professional and crafty phishing emails and perform complex social engineering attacks.
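The two red flags the examples above turn on (the tactic wording in the text and the hover check that revealed a link pointing somewhere other than the claimed sender) can be scored automatically. The following is an added example, not code from the original post or from berkeley.edu; the sample message is constructed to resemble the Phish Tank email, and its sender address and link target are invented.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the Berkeley "Phish Tank" message above;
# the sender address and link target are invented for illustration.
SAMPLE_EMAIL = {
    "from_display": "berkeley.edu Support",
    "from_addr": "mailadmin@mailer-host.invalid",
    "subject": "UPDATE EMAIL: Don't lose access to your account!!",
    "body_html": (
        "<p>Our security system has detected some irregular activity. You will be "
        "unable to send and receive emails until this issue has been resolved.</p>"
        '<p><a href="http://validate-login.invalid/x">CLICK HERE TO VALIDATE NOW</a></p>'
        "<p>We will restrict access to your account within 72 hours if you did not "
        "validate your account.</p>"
    ),
}
# Wording that signals the tactics described above.
TACTIC_PATTERNS = {
    "urgency": [r"\bwithin \d+ (hours?|minutes?|days?)\b", r"\bact (now|quickly)\b"],
    "intimidation": [r"\b(restrict|lock|delete|lose access)\b", r"\bunable to\b"],
    "authority": [r"\b(mail admin(istrator)?|security (team|system)|it department)\b"],
}
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)

class LinkCollector(HTMLParser):
    """Records each <a href> with its visible text, the way a hover check does."""
    def __init__(self):
        super().__init__(); self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a": self._href = dict(attrs).get("href", "")
    def handle_data(self, data):
        if self._href is not None: self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a": self._href = None

def analyze(email):
    """Return the tactics found plus sender and link red flags for one message."""
    text = email["subject"] + " " + re.sub(r"<[^>]+>", " ", email["body_html"])
    tactics = sorted(t for t, pats in TACTIC_PATTERNS.items()
                     if any(re.search(p, text, re.I) for p in pats))
    sender_domain = email["from_addr"].rsplit("@", 1)[-1].lower()
    # Display name claims a brand domain (e.g. berkeley.edu) the real sender is not from.
    claimed = {d.lower() for d in DOMAIN_RE.findall(email["from_display"])}
    spoofed_sender = bool(claimed) and sender_domain not in claimed
    parser = LinkCollector(); parser.feed(email["body_html"])
    # A link host matching neither the sender nor the claimed brand is the "hover" red flag.
    suspicious_links = [href for href, _ in parser.links
                        if urlparse(href).hostname not in claimed | {sender_domain}]
    return {"tactics": tactics, "spoofed_sender": spoofed_sender, "suspicious_links": suspicious_links}
```

Run on the sample it reports authority, intimidation and urgency, a display name claiming berkeley.edu from a non-berkeley sender, and a call-to-action link whose host matches neither.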
Types of Attacks
Now that we have discussed what fuels social engineering attacks and allows them to continuously succeed, we can examine the actual attacks themselves.
Phishing
This is the most common example of social engineering, and it is the example I gave at the start. Phishing is very common in today’s interconnected age, and the email appears benign. Under the surface, however, the downloadable attachment or the website you are asked to visit carries malware waiting for your click or visit. It may also be after your personal data, such as passwords.
Once clicked, this malware or site performs its devious task (which could be one of many things, including stealing your information, infecting you with a virus, or turning your computer into a bot; the list goes on).
Phishing also has many variants, such as smishing (SMS phishing) and vishing (voice phishing). These share many similarities with phishing and employ the same techniques; often the only difference is the channel. Smishing uses text messages, and vishing uses the telephone.
Tailgating / Impersonating
Tailgating and impersonating are a very clever and often successful means of obtaining a goal. Tailgating is following a person (who actually is authorized) through an entrance into a restricted area. Impersonating is the act of pretending to be someone you are not, then using this fake persona to gain access.
These attackers have various goals in mind, from entering an office to steal sensitive files to simply sneaking into a concert for free. Social engineering works its wonders around us every day; it does not have to involve computers. Even though these are not digital attacks, the key traits remain, such as entering a place with a group to create consensus.
Dumpster Diving
Yes, even digging through the trash can be considered social engineering. People often throw away sensitive information without destroying it first, such as passwords on sticky notes or a USB stick or hard drive. Dumpster diving is relatively simple and can yield highly sensitive information if it is not disposed of properly.
Shoulder Surfing
Shoulder surfing is often nothing more than a friend who will not stop looking at your screen, but attackers use the same technique to steal information.
They can watch as you enter your social media username and password, then enter them later themselves to take over your account. Another good example is your PIN at an ATM, although these (thankfully) have safeguards such as the opaque shield that makes it harder for bystanders to see what you are entering.
To safeguard yourself against this attack, you can use a privacy screen designed to make the display hard to read from an angle. You can also avoid entering sensitive information in crowded places, and if you must, check around you first.
Social engineering has been around for a long time and continues to be an issue today. As technology advances, it only grows.
These attacks rely on intimidation, consensus, authority, scarcity, urgency and familiarity.
Using these underlying methods, attackers can carry out many social engineering attacks such as phishing, dumpster diving, shoulder surfing and tailgating.
To prevent these attacks, make sure sensitive data is disposed of properly, train end users on what suspicious activity looks like and how to report it, make sure no one watches you enter sensitive data, and enforce strict, unavoidable access policies for restricted areas.
As always, if you want to learn more, numerous sites go deeper into this topic and the various subtopics. Knowledge of the subject is the best way to start preventing it.