A Guide to Social Engineering Attack with Real Cases
Social engineering attacks are getting common these days. Social engineering usually takes advantage of human behavior. Hackers and cybercriminals exploit common human feelings such as fear, urgency, and curiosity to fool users into giving up access to their computer, network, or other critical data.
Cybercriminals hide their true identity and intentions and present themselves as a trusted source. They use tricks to manipulate users into falling into the trap. It is easier to exploit a user's weakness than to look for weaknesses in software and networks. We will look at social engineering attacks in detail and at how to prevent them.
How Does a Social Engineering Attack Work?
If a hacker wants to break into a secured network, the first choice is often a social engineering attack. He first researches the network and the users who have access to it, gathering information about internal operations and the employee hierarchy. Then he may mark users with limited access, such as a receptionist, a personal secretary, or a security guard. These users have low security clearance, and they also have little knowledge about such attacks.
Then the hacker tries to collect information about the marked user from what they share publicly, such as social media accounts. He can easily find an email address, mobile number, and other publicly shared data, and he uses this information to personalize the attack. Once he gains access through that user, he uses the same tactics on higher-level users.
Some low-level social engineering attacks run on malicious websites. They are designed to target a large user base that can relate to the message. For example, the site tells users that their browser or software is out of date and that they must click Update to continue. Once the user clicks it, the computer gets infected with malware.
Types of Social Engineering Attacks and How to Avoid Them
1. Phishing
Phishing is the most common and popular social engineering attack. It is usually carried out through email, text messages, or voice calls (vishing). The hacker sends a personalized message to the user to create a sense of urgency, fear, or curiosity. For example, a hacker pretending to be a representative of a bank, email provider, or social media site may send a message saying that your account has been compromised and that you need to reset your password by clicking the link. The link looks like the official website address, or it may be in a shortened format.
The link leads you to a fake website that looks just like the official one. When you enter your current login details, they go straight to the hacker. Such phishing messages are sent to users in bulk, so they are easy for your email service provider to identify. Providers recognize such emails via threat-sharing platforms and move them to the spam folder. As a result, this form of social engineering attack is getting less effective over time.
How to Avoid?
If you receive such a message, don't panic, and do not click on the link in the email. Instead, visit the official website by entering the address manually. Check the address and look for the security padlock before entering your critical login details on any webpage.
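The advice above (check the address, distrust shortened links, notice when the visible link differs from the real one) can be turned into an automatic triage step. The script below is an added example, not code from the original article: it pulls every link out of a message body and reports the phishing tricks it recognizes. The official-domain allowlist, the shortener list and the sample email are constructed for the demonstration.

```python
"""Triage the links in a suspicious email for the tricks phishing relies on."""
from __future__ import annotations

import difflib
import re
from urllib.parse import urlparse

# Constructed allowlist: the organisation's genuine login hosts (assumption for this example).
OFFICIAL_DOMAINS = {"examplebank.com", "mail.examplebank.com"}
# Well-known URL shorteners hide the real destination from the reader.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host: str) -> str:
    """Crude 'registered domain' (last two labels); fine for the .com-style names used here."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_link(href: str, display_text: str) -> list[str]:
    """Return the reasons a link looks like phishing; an empty list means nothing was found."""
    reasons: list[str] = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    brands = {registered_domain(d) for d in OFFICIAL_DOMAINS}

    if parsed.scheme != "https":
        reasons.append("not https")
    if reg in SHORTENERS:
        reasons.append("URL shortener hides destination")

    # The visible text shows one address while the href points somewhere else.
    shown = re.search(r"https?://([^/\s]+)", display_text)
    if shown and registered_domain(shown.group(1)) != reg:
        reasons.append("displayed URL differs from real target")

    if host not in OFFICIAL_DOMAINS and reg not in brands:
        for brand in brands:
            # Brand name embedded as a subdomain of an unrelated site, e.g. examplebank.com.evil.net
            if brand in host:
                reasons.append(f"official domain '{brand}' used as a decoy in '{host}'")
                break
            # Typosquat: spelled almost like the real domain
            ratio = difflib.SequenceMatcher(None, reg, brand).ratio()
            if ratio >= 0.8:
                reasons.append(f"lookalike of '{brand}' ({ratio:.2f} similar)")
                break
    return reasons


def triage_email(html: str) -> dict[str, list[str]]:
    """Map every href in the message body to its list of warning reasons."""
    return {href: analyse_link(href, text) for href, text in ANCHOR_RE.findall(html)}


# Constructed sample message imitating the "reset your password" lure described above.
SAMPLE_EMAIL = """
<p>Your account has been compromised. Reset your password now:</p>
<a href="http://examplebank.com.account-verify.net/reset">https://examplebank.com/reset</a>
<a href="https://bit.ly/3xyz">Reset password</a>
<a href="https://exampelbank.com/login">examplebank login</a>
<a href="https://mail.examplebank.com/reset">https://mail.examplebank.com/reset</a>
"""

if __name__ == "__main__":
    for href, reasons in triage_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or ["no warning"])
```

Only the last link, which really points at an allowlisted host, comes back clean; the decoy subdomain, the shortener and the typosquat each get a reason a user or a mail gateway can act on. In a real deployment the allowlist would come from the organisation's own inventory and the registered-domain logic would use a public-suffix list rather than the last two labels.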
2. Spear Phishing
Spear phishing is similar to phishing, but it is more personalized and targets a particular user or enterprise. The hacker researches the target and collects information to personalize the attack. The hacker can include details like the organization name and the target's designation, and can impersonate a co-worker. Such details are often available on the company website. A hacker can pretend to be a co-worker from another department and ask for confidential information or access to the secured network.
Another example is a hacker sending emails to one or all employees, pretending to be from the IT department, asking them to reset their password. The format and text of the message look exactly right, so users don't suspect anything. This type of attack arouses less suspicion and has a higher chance of success.
How to Avoid?
If you receive such an email from someone in your organization, it is better to confirm before providing confidential information. Phone numbers of other members are available on the company website. If you see a password reset request, compare it with previous messages and compare the link. Even if it looks legitimate, don't click on the link; instead, visit the company website by entering the address manually and reset the password from there.
3. Baiting
Baiting is similar to a phishing attack; the difference is that in this type of attack hackers create a false sense of greed or curiosity. Out of greed, the user takes the bait and gets infected with severe threats. For example, the attacker could offer a movie or song download if the user enters their login details. A corporate employee can be lured with access to a payroll file or an upcoming promotion file.
These attacks do not only happen online; they can also be carried out physically, for example by leaving a USB drive or CD on the organization's campus where a user can find it. It may be labeled as a payroll backup drive to create curiosity. When someone picks it up and inserts it into a computer, it can execute the malware.
How to Avoid?
Greed and curiosity are the prime reasons this kind of attack works. Never fall into such a trap, especially when you have access to sensitive information. Wherever you need to enter your login details, stop for a moment and think about the necessity and the consequences.
4. Pretexting
Pretexting is when someone builds a fake story to get confidential information. The attacker befriends the user or creates a sense of urgency by pretending to be a high official who needs information to confirm the user's identity. He could ask for social security numbers, bank account numbers, date of birth, or secret information about your organization.
The attacker's motive is to build trust with the user through false stories. The attacker could pretend to be a bank official, a police officer, or a tax official and ask the user to provide information to complete a critical task.
How to Avoid?
It is not easy to get away from such an attack, but if you hold sensitive information, you should think several times before providing it. You can also ask the other party to follow the proper channel to obtain this information, or you can directly ask for their identification.
At the enterprise level, appropriate monitoring is required to avoid such attacks. If there is sensitive information, the IT manager should monitor who accesses it. If an unusual user tries to obtain confidential information, the necessary action can be taken.
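The monitoring described above needs two rules to be useful: a user whose role does not cover a sensitive share should raise an alert, and a permitted user who suddenly sweeps through many sensitive files should raise one too. The script below is an added example, not from the article or any product: it applies both rules to file-access log lines. The log format, the sensitive-share map, the role directory and the sample lines are all constructed for this demonstration.

```python
"""Flag unusual access to sensitive files in a file-server access log."""
from __future__ import annotations

from collections import defaultdict

# Constructed: which share prefixes are sensitive and which roles may read them.
SENSITIVE_PREFIXES = {"/finance/": {"finance", "cfo"}, "/hr/payroll/": {"hr"}}
# Constructed role directory (in practice this comes from the identity provider).
ROLES = {"alice": "finance", "bob": "reception", "carol": "hr"}
# More distinct sensitive files than this per user per day is treated as a sweep.
BULK_THRESHOLD = 3


def permitted_roles(path: str) -> set[str] | None:
    """Roles allowed to touch this path, or None when the path is not sensitive."""
    for prefix, roles in SENSITIVE_PREFIXES.items():
        if path.startswith(prefix):
            return roles
    return None


def parse_line(line: str) -> tuple[str, str, str, str]:
    """Constructed format: '<date> <user> <action> <path>'."""
    date, user, action, path = line.split(maxsplit=3)
    return date, user, action, path


def detect(lines: list[str]) -> list[str]:
    """Return one alert string per suspicious event, in log order."""
    alerts: list[str] = []
    touched: dict[tuple[str, str], set[str]] = defaultdict(set)  # (date, user) -> paths
    for line in lines:
        date, user, action, path = parse_line(line)
        allowed = permitted_roles(path)
        if allowed is None:
            continue  # not a sensitive share, nothing to do
        role = ROLES.get(user, "unknown")
        if role not in allowed:
            alerts.append(f"{date} {user} ({role}) {action} {path}: role not permitted")
        touched[(date, user)].add(path)
        # Alert once, at the moment the threshold is first exceeded.
        if len(touched[(date, user)]) == BULK_THRESHOLD + 1:
            alerts.append(f"{date} {user} touched more than {BULK_THRESHOLD} sensitive files")
    return alerts


# Constructed sample log: a receptionist and an HR user stray into finance,
# and a finance user copies far more than usual in one day.
SAMPLE_LOG = """\
2024-03-01 alice READ /finance/q1.xlsx
2024-03-01 bob READ /public/menu.pdf
2024-03-01 bob READ /finance/wire-instructions.docx
2024-03-01 carol READ /hr/payroll/march.csv
2024-03-01 carol READ /finance/q1.xlsx
2024-03-02 alice READ /finance/q1.xlsx
2024-03-02 alice READ /finance/q2.xlsx
2024-03-02 alice READ /finance/q3.xlsx
2024-03-02 alice COPY /finance/q4.xlsx
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The role check catches the pretexting outcome directly (someone talked into fetching a document they have no business with), while the per-day count catches a legitimate account being used to harvest files, whether by a tricked insider or a stolen credential. Both rules are cheap enough to run over an existing audit log without any new agent.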
5. Quid Pro Quo
Another social engineering attack is quid pro quo. In this type of attack, the user is offered something in return for releasing information or disabling the security of their computer. The fraudster baits the user with a service, money, free stuff, subscriptions to paid services, and so on.
For example, a fraudster can call or message users pretending to be a representative of a survey organization that is surveying how secure your password is; if the user participates in the survey, they will get $100. Another type of quid pro quo attack is impersonating a tech support executive. The fraudster offers free assistance to solve the user's issues if they turn off the antivirus and install a tool, which is actually malware.
How to Avoid?
This attack is similar to baiting: users don't bother about security and provide sensitive information out of greed for some reward. You should not take help from an unknown IT representative who asks you to disable the firewall or antivirus and asks for your login details. Also, never enter confidential information on any other page to get some free stuff.
6. Honey Trap
Social engineers create a fake profile of an attractive person to befriend the targeted user. They talk in a friendly way, create a false sense of relationship with the user, and then trick them into revealing sensitive information such as passwords, financial details, or enterprise security details.
How to Avoid?
To avoid such a scam, never share information that no one other than you should know. When someone asks for such information, it is time to end that relationship.
7. Scareware
Scareware is usually a malware tool that scares users about viruses and malware and tricks them into downloading a supposed fix. It typically appears when a user has an adware infection or browses a rogue website. A pop-up says that your computer has been infected with a virus and that you should download the removal tool to fix it. When the user downloads this tool, he gets the real infection.
Another kind of scareware message says that your PC has errors and tells you to download the fix.
How to Avoid?
Don't fall into the trap of such messages. If you suspect an infection, scan only with trusted antimalware.
8. Watering Hole Attack
How to Avoid?
This kind of attack is difficult to detect and stop. To avoid it, companies should completely block other websites on the office network, and users should not open any other sites.
9. Tailgating
Tailgating fools users who have access to a physical location into letting the attacker enter the premises. Enterprises usually secure their network from outside attack, but if a hacker gets into the organization's building, it becomes easy for him to breach the network and steal confidential information.
Such an attack usually happens when an employee or another person with access to a physical location opens the door with their access card, and someone else enters the premises with them. The attacker may impersonate a delivery man and ask another employee to hold the door for him.
How to Avoid?
A person with access to a physical location should make sure that no one enters with them. Companies should install entry systems that admit only one person at a time. They should also install and monitor CCTV cameras. However, in real life these are not enough. Companies should enforce a strict rule that employees must not give anyone access with their access card.
Cases of Social Engineering Attacks
Social engineering attacks aren't new; they go back a long way, as far as human ingenuity itself. One famous example is from ancient Greek history. After several attempts over 10 years, the Greek soldiers could not penetrate the defenses of the city of Troy. Then they adopted a deceptive strategy to enter the city. They declared that they had lost the battle and left the battlefield, leaving behind a big wooden horse. When the people of Troy took the horse into the city to celebrate their victory, they found soldiers hidden inside, who opened the gate from within and let in the other Greek soldiers. The city of Troy was destroyed by this social engineering attack.
Now let's look at some real cases of social engineering attacks.
Steve Stasiukonis Baiting Attack to Assess Security
Steve Stasiukonis was hired to assess the security of a credit union. He wrote about this baiting exercise in a blog post that is no longer on the website. He planted USB flash drives infected with a Trojan in the parking lot and smoking area of the organization. Out of 20 planted drives, 15 were plugged in. The Trojan on the USB drives collected data like usernames, passwords, and other details and sent it via email. Steve said that a small giveaway of flash drives revealed enough data to put the organization in jeopardy.
€21m Worth of Diamonds Stolen Using Pretexting
In 2007, a thief stole €21m worth of diamonds from ABN Amro Bank. The bank vault had a high-tech security system worth €1m, yet he still got away. He didn't use a gun or violence; instead, he used the most potent weapon, his charm. The thief posed as a successful businessman, was friendly with the staff, gave them chocolates, and gained their confidence. Then he obtained the original keys to make duplicates and learned the location of the diamonds from the team. Philip Claes, spokesman for the Diamond High Council in Antwerp, said: "You can have all the safety and security you want, but if someone uses their charm to mislead people it won't help."
RSA SecurID Breach using Spear Phishing Attack
In 2011, hackers sent two different emails to two small groups of RSA employees, as Uri Rivner described in his blog post, which is no longer on the site. The phishing email had the subject line “2011 Recruitment Plan”. The hackers personalized the email in a way that created curiosity among users, who pulled it out of the spam folder. The email contained an Excel sheet named “2011 Recruitment Plan.xls” carrying zero-day malware that opened a backdoor through a Flash vulnerability. Although the affected users weren't high-value targets, it showed that hackers could penetrate the security of a company that provides security solutions.
Associated Press Twitter Hijack using Phishing
In 2013, the Associated Press (AP) Twitter account was hacked using a phishing email. The Syrian Electronic Army claimed responsibility for this hack. They sent a phishing email in the name of an AP staffer to various employees. The email had the subject “News” and the message body read “Hello, Please read the following article, it’s very important:” followed by a link that looked like a Washington Post article. The link took the user to a malicious site that made them enter their login details.
The hackers posted a tweet saying there had been two explosions in the White House and that Barack Obama was injured. Within moments of this tweet, the stock market dropped, wiping $136 billion off its value before rebounding.
US Department of Labor using Watering Hole Attack
Ubiquiti Network Scam using Pretexting
Another recent case of pretexting is the Ubiquiti Networks scam. In this case, hackers impersonated an employee and sent emails targeting the company's finance department. Ubiquiti reported this activity in its quarterly financial report submitted to the US Securities and Exchange Commission (SEC). The emails contained wire transfer instructions from another department, of the kind the finance department usually receives. They didn't bother to verify the information and initiated the transfers. This fraud resulted in $46.7 million being transferred into the hackers' accounts. The company was later able to recover a few million, but the rest was gone.
Quid Pro Quo Attacks
There are several malicious websites on the internet using the quid pro quo method to compromise computers. Some examples are “Enter your Gmail login details to watch the movie,” “Click on the Allow button to access the content of the website,” or “Your website has blocked video playing, click on Allow to enable it.” These websites don't target a particular user but are open to anyone who visits. When a user enters their login details on such a site, the data gets stolen. Similarly, when a user clicks the Allow button, the website starts sending notifications leading to malicious web pages, which can further infect the user with a Trojan or other malware.
There are many cases of social engineering attacks. Hackers use human behavior to penetrate the security of networks and computers. The only thing that can help us is to always stay alert and observe how websites behave.