Social Engineering: Attacks, Techniques & Prevention
- Social engineering is the art of exploiting the human element to gain unauthorized access to resources.
- Social engineers use a number of techniques to fool the users into revealing sensitive information.
- Organizations must have security policies that have social engineering countermeasures.
What is Social Engineering?
Social engineering is the art of manipulating users of a computing system into revealing confidential information that can be used to gain unauthorized access to that system. The term also covers activities such as exploiting human kindness, greed, and curiosity to gain entry to restricted-access buildings or to get users to install backdoor software.
Knowing the tricks hackers use to get users to reveal login credentials and other vital information is fundamental to protecting a computer system.
How Does Social Engineering Work?
- Gather Information: In this first stage, the attacker learns as much as possible about the intended victim. The information is gathered from company websites, other publications, and sometimes by talking to users of the target system.
- Plan Attack: The attacker outlines how they intend to execute the attack.
- Acquire Tools: These include computer programs that an attacker will use when launching the attack.
- Attack: Exploit the weaknesses in the target system.
- Use acquired knowledge: Information gathered during the social engineering stages, such as pet names or the birthdates of the organization’s founders, is used in attacks such as password guessing.
Common Social Engineering Techniques:
Social engineering techniques can take many forms. The following is a list of commonly used techniques.
- Familiarity Exploit: Users are less suspicious of people they are familiar with. An attacker can become familiar to the users of the target system before the social engineering attack, for example by joining them at meals, on smoking breaks, at social events, etc. Suppose a user works in a building that requires an access code or card to enter; the attacker may follow users as they enter such places, and the users are most likely to hold the door open for a familiar face. The attacker can also ask for answers to questions such as where you met your spouse or the name of your high school math teacher, which users are likely to reveal because they trust the familiar face. This information could be used to hack email accounts and other accounts that ask similar security questions when a user forgets their password.
- Intimidating Circumstances: People tend to avoid those who intimidate others around them. Using this technique, the attacker may pretend to have a heated argument on the phone or with an accomplice in the scheme, and then ask users for information that would be used to compromise the security of the users’ system. The users are most likely to give the correct answers just to avoid a confrontation with the attacker. This technique can also be used to avoid being checked at a security checkpoint.
- Phishing: This technique uses trickery and deceit to obtain private data from users. The social engineer may try to impersonate a genuine website such as Yahoo and then ask the unsuspecting user to confirm their account name and password. This technique could also be used to get credit card information or any other valuable personal data.
- Tailgating: This technique involves following closely behind users as they enter restricted areas. As a human courtesy, the user is most likely to let the social engineer into the restricted area.
- Exploiting human curiosity: Using this technique, the social engineer may deliberately drop a virus-infected flash disk in an area where the users can easily pick it up. The user will most likely plug the flash disk into the computer. The flash disk may auto-run the virus, or the user may be tempted to open a file with a name such as Employees Revaluation Report 2013.docx which may actually be an infected file.
- Exploiting human greed: Using this technique, the social engineer may lure the user with promises of making a lot of money online in return for filling in a form and confirming their details, including credit card information.
Social Engineering Countermeasures
Most techniques employed by social engineers involve manipulating human biases. To counter such techniques, an organization can:
- To counter the familiarity exploit, users must be trained not to substitute familiarity for security measures. Even people they are familiar with must prove that they are authorized to access certain areas and information.
- To counter intimidating circumstances attacks, users must be trained to identify social engineering techniques that fish for sensitive information and politely say no.
- To counter phishing techniques, most sites, such as Yahoo, use secure connections to encrypt data and prove that they are who they claim to be. Checking the URL carefully may help you spot fake sites. Avoid responding to emails that ask you to provide personal information.
- To counter tailgating attacks, users must be trained not to let others use their security clearance to gain access to restricted areas. Each user must use their own access clearance.
- To counter human curiosity, it’s better to submit picked-up flash disks to system administrators, who should scan them for viruses or other infections, preferably on an isolated machine.
- To counter techniques that exploit human greed, employees must be trained on the dangers of falling for such scams.
Top 5 social engineering techniques
According to the InfoSec Institute, the following five techniques are among the most commonly used social engineering attacks.
1. Phishing
In a phishing attack, an attacker uses a message sent by email, social media, instant messaging clients or SMS to obtain sensitive information from a victim or trick them into clicking a link to a malicious website.
Phishing messages capture a victim’s attention and prompt action by arousing curiosity, asking for help, or pulling other emotional triggers. They often use logos, images or text styles to spoof an organization’s identity, making it seem that the message originates from a work colleague, the victim’s bank, or another official channel. Most phishing messages use a sense of urgency, causing the victim to believe there will be negative consequences if they don’t surrender sensitive information quickly.
2. Watering hole
A watering hole attack involves launching or downloading malicious code from a legitimate website that is commonly visited by the targets of the attack. For example, attackers might compromise a financial industry news site, knowing that individuals who work in finance, and thus represent an attractive target, are likely to visit it. The compromised site typically installs a backdoor trojan that allows the attacker to compromise and remotely control the victim’s device.
Watering hole attacks are usually performed by skilled attackers who have discovered a zero-day exploit. They might wait for months before performing the actual attack to preserve the value of the exploit they discovered. In some cases, watering hole attacks are launched directly against vulnerable software used by the target audience, rather than a website they visit.
3. Whaling attack
Whaling, also known as spear phishing, is a type of phishing attack that targets specific individuals with privileged access to systems or access to highly valuable sensitive information. For example, a whaling attack may be conducted against senior executives, wealthy individuals, or network administrators.
A whaling attack is more sophisticated than a regular phishing attack. Attackers conduct meticulous research to craft a message that will cause specific targets to respond and perform the desired action. Whaling emails often pretend to be a critical business email sent by a colleague, employee or manager of the target, requiring urgent intervention from the victim.
4. Pretexting
In a pretexting attack, attackers create a fake identity and use it to manipulate their victims into providing private information. For example, attackers may pretend to be an external IT service provider and request users’ account details and passwords to assist them with a problem. Or they might pretend to be the victim’s financial institution, asking them to confirm their bank account number or bank website credentials.
5. Baiting and quid pro quo attacks
In a baiting attack, attackers provide something that victims believe to be useful. This may be a supposed software update that is in fact a malicious file, an infected USB token with a label indicating it contains valuable information, or another lure of that kind.
A quid pro quo attack is similar to baiting, but instead of promising something that will provide value to the victim, the attackers promise to perform an action that will benefit them but requires an action from the victim in exchange. For example, an attacker may call random extensions at a company, pretending to be calling back on a technical support inquiry. When they identify an individual who actually has a support issue, they pretend to help them but instruct them to perform actions that will compromise their machine.
Social engineering prevention
The following measures can help preempt and prevent social engineering attacks against your organization.
Security awareness training
Security awareness education should be an ongoing activity at any company. Staff members may simply not be aware of the dangers of social engineering, or if they are, they may forget the details over time. Conducting, and continuously refreshing, security awareness among employees is the first line of defense against social engineering.
Antivirus and endpoint security tools
The basic measure is installing antivirus and other endpoint security measures on user devices. Modern endpoint protection tools can identify and block obvious phishing messages, or any message that links to malicious websites or IPs listed in threat intelligence databases. They can also intercept and block malicious processes as they are executed on a user’s device.
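The two pieces of advice the article gives about links, "check the URL to spot fake sites" in the countermeasures list and "block messages that link to malicious websites or IPs listed in threat intelligence databases" in this section, can be turned into one small message scanner. The Python below is an added example written for this page; it is not code from the original article or from any product it mentions. The trusted brand domains, the blocklist entries, the handful of public suffixes and the sample message are all constructed placeholders (a real scanner would use the full Public Suffix List and a live threat-intelligence feed).

```python
import ipaddress
import re
from urllib.parse import urlparse

# All values below are constructed placeholders for the example, not real indicators.
TRUSTED_DOMAINS = ("yahoo.com", "examplebank.com")   # brands users are expected to log in to
BLOCKLISTED_DOMAINS = {"malicious.example"}           # stand-in for a threat-intel domain feed
BLOCKLISTED_IPS = {"203.0.113.45"}                    # TEST-NET-3 address, stand-in for an IP feed

# Tiny stand-in for the Public Suffix List; a real scanner would load the full list.
KNOWN_SUFFIXES = ("co.uk", "com", "net", "org", "example")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Reduce a hostname to its registrable part: 'login.yahoo.com' -> 'yahoo.com'."""
    labels = host.lower().rstrip(".").split(".")
    # Try multi-label suffixes (co.uk) before single-label ones so they are not shadowed.
    for suffix in sorted(KNOWN_SUFFIXES, key=lambda s: -s.count(".")):
        suffix_labels = suffix.split(".")
        n = len(suffix_labels)
        if len(labels) > n and labels[-n:] == suffix_labels:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def classify_url(url):
    """Return the reasons a URL looks like a phishing link; an empty list means no finding."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host:
        return ["no host in URL"]

    # 1. Userinfo before '@': in https://yahoo.com@203.0.113.45/ the browser connects to
    #    203.0.113.45; the text before '@' is only a username and is shown to mislead.
    if parsed.username is not None:
        findings.append("text before '@' is not the host; real host is " + host)

    # 2. A raw IP address as the host is almost never a legitimate login page.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        findings.append("IP literal used as host")
        if host in BLOCKLISTED_IPS:
            findings.append("host IP is on the blocklist")
        return findings

    reg = registrable_domain(host)

    # 3. Threat-intelligence match on the registrable domain.
    if reg in BLOCKLISTED_DOMAINS:
        findings.append("domain on the blocklist: " + reg)

    # 4. Lookalike: the brand name appears somewhere in the hostname, but the part that
    #    actually determines ownership (the registrable domain) belongs to someone else.
    for brand in TRUSTED_DOMAINS:
        brand_name = brand.split(".")[0]
        if reg != brand and brand_name in host:
            findings.append(f"looks like {brand} but really resolves under {reg}")
    return findings


def scan_message(text):
    """Map every URL found in a message body to its findings."""
    results = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")  # drop sentence punctuation glued to the link
        results[url] = classify_url(url)
    return results


# Constructed sample phishing message for the example (not a real message).
SAMPLE_MESSAGE = """\
Dear customer, your Yahoo account will be suspended in 24 hours.
Confirm your password at https://secure.yahoo.com.verify.example/reset now.
Need help? Visit https://help.yahoo.com/
Download the security update: http://malicious.example/update.exe"""

if __name__ == "__main__":
    for url, findings in scan_message(SAMPLE_MESSAGE).items():
        print(url, "->", findings or ["no finding"])
```

The scanner reports why each link is suspicious rather than silently dropping the message, which is what a help desk or SOC analyst needs when a user forwards a suspect email. Reducing the hostname to its registrable domain first is the heart of the "look at the URL" advice: secure.yahoo.com.verify.example contains the brand name, but the owner of that host is whoever registered verify.example.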
Penetration testing
There are countless creative ways of penetrating an organization’s defenses with social engineering. By using an ethical hacker to conduct penetration testing, you allow an individual with a hacker’s skillset to identify and try to exploit weaknesses in your organization. When a penetration test succeeds in compromising sensitive systems, it can help you discover employees or systems you need to focus on protecting or methods of social engineering you may be especially susceptible to.
SIEM and UEBA
Social engineering attacks will inevitably happen, so you should ensure your organization has the means to rapidly collect data about security incidents, identify what is going on, and notify security staff so they can take action.
For example, the Exabeam Security Management Platform is a next-generation security event and information management (SIEM) system powered by user event and behavior analytics (UEBA). Exabeam collects security events and logs from across your organization and uses UEBA to identify normal behavior and alert you when suspicious activity occurs. Whether it is a user clicking through to an unusual web destination, or a malicious process executing on a user’s device, UEBA can help you identify social engineering attacks as they happen, and rapidly react with automated incident response playbooks to prevent damage.
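To make the UEBA idea concrete ("a user clicking through to an unusual web destination"), the following Python is an added example for this page, not part of the article and not Exabeam's code. It learns each user's usual web destinations from a baseline window of constructed proxy log lines, then flags later visits that are both new for that user and rare across the organization, so a new hire visiting a site everyone uses does not raise an alert. The log format, user names and domains are all made up for the example.

```python
from collections import defaultdict

# Constructed sample web-proxy log lines (not real data), one event per line:
# "<ISO timestamp> <user> <destination domain>"
BASELINE_LOG = """\
2024-03-01T09:02:11 alice mail.example.com
2024-03-01T09:05:40 alice intranet.example.com
2024-03-01T09:06:12 alice wiki.example.com
2024-03-01T09:10:02 bob intranet.example.com
2024-03-01T09:12:45 bob mail.example.com
2024-03-01T10:20:09 carol wiki.example.com
2024-03-01T10:21:30 carol mail.example.com
2024-03-02T08:55:17 dave paste.example.net
2024-03-02T09:01:00 dave intranet.example.com
"""

DETECTION_LOG = """\
2024-03-08T10:15:33 alice intranet.example.com
2024-03-08T10:17:05 alice secure.yahoo.com.verify.example
2024-03-08T11:30:00 bob wiki.example.com
2024-03-08T13:45:12 bob paste.example.net
2024-03-08T14:02:50 erin mail.example.com
2024-03-08T14:05:10 erin files.example.org
"""


def parse_events(log_text):
    """Yield (timestamp, user, domain) tuples, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield tuple(parts)


def build_baseline(log_text):
    """Learn which destinations each user normally visits, and which users visit each destination."""
    per_user = defaultdict(set)
    per_domain = defaultdict(set)
    for _, user, domain in parse_events(log_text):
        per_user[user].add(domain)
        per_domain[domain].add(user)
    return per_user, per_domain


def detect_unusual_destinations(per_user, per_domain, log_text, rare_threshold=2):
    """Flag visits to a destination outside the user's baseline that fewer than
    rare_threshold distinct users visited during the baseline window."""
    alerts = []
    for ts, user, domain in parse_events(log_text):
        if domain in per_user.get(user, set()):
            continue  # within this user's own normal behaviour
        visitors = len(per_domain.get(domain, ()))
        if visitors >= rare_threshold:
            continue  # new for this user, but a common destination across the organization
        reason = ("never seen in the organization" if visitors == 0
                  else f"seen by only {visitors} other user(s)")
        alerts.append({"timestamp": ts, "user": user, "domain": domain, "reason": reason})
    return alerts


if __name__ == "__main__":
    per_user, per_domain = build_baseline(BASELINE_LOG)
    for alert in detect_unusual_destinations(per_user, per_domain, DETECTION_LOG):
        print(f"{alert['timestamp']} {alert['user']} -> {alert['domain']}: {alert['reason']}")
```

The alert records carry the timestamp, user and destination, which is exactly what an automated response playbook needs in order to, for example, open a ticket or quarantine the device for that user. Tuning rare_threshold trades noise for sensitivity: a higher value suppresses alerts for destinations a few colleagues already use, a lower one only reports destinations nobody in the baseline has visited.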