Written by Team Nucleus
Written on 2nd March, 2020
INTRODUCTION
Social engineering is one of the most widely utilised techniques by malicious actors within the cybersecurity industry today, with the recent annual Human Factor report by Proofpoint stating that social engineering is utilised in up to 99% of all cyber-attacks.
Social engineering is often a key element of the first stage of ethical hacking, or penetration testing, known as reconnaissance or information gathering. However, whilst it is a widely utilised and readily available technique, it is also easy for an unsuspecting victim to overlook, and that is precisely why people fall foul of it.
But to be able to identify or prevent social engineering attempts, first we need to understand what social engineering is.
SO WHAT IS SOCIAL ENGINEERING?
Social engineering is a term used to describe the manipulation of human psychology, a weakness that has the potential to be found and influenced in every individual within every organisation, from the contractors and service workers through to the front of house staff and directors. Third parties and contractors are just as likely to be exploited as someone who works directly for the company.
Successful social engineering attempts can result in the breaking of security procedures and best practices whilst enabling the extraction of valuable information from individuals, which can, in turn, be utilised to gain access to areas that would not be otherwise available.
Social engineering involves many different methods of gaining information from individuals.
WHAT ARE THE MOST COMMON SOCIAL ENGINEERING ATTACKS?
Baiting / Drop attack
This is generally carried out by leaving a USB stick, CD or some other form of storage device where someone is likely to find it, for example on a seat in a train or in the lobby of an organisation. It is only effective if the person who finds it is not very cyber aware and actually inserts the device into their computer, either at home or at work. The device will then automatically install malware and reach back to the malicious actor for further exploitation.
Phishing / Spear Phishing
Generally in the form of emails, text messages or phone calls, phishing is a fraudulent communication with a victim that intends to elicit a response of some kind, typically by getting them to click a link provided in the message or to give up personal details. Whilst phishing is fairly generic, spear phishing is much more targeted, focussing on specific individuals with a much more bespoke cover story that makes it appear more realistic.
Image 1: A phishing attempt through text message, with a malicious email made to appear legitimate.
Image 2: The link has been copied and pasted into virustotal.com, revealing the real destination.
Pretexting
The victim is generally compelled to provide information or access to sensitive data by the malicious actor pretending to be someone and explaining a reasonable need for the data. For example, the attacker could claim to be new to an organisation’s IT department and request usernames and passwords to allow the team to perform remote updates.
Tailgating
Utilised to gain access into ‘secure’ areas, or areas in which security cards of some description are required. The attacker will follow an unsuspecting victim into an area directly behind them before the door can shut.
Alternatively, they may be as transparent as asking a victim to open the door for them, claiming they ‘left their card at home.’ This can be very successful as people do not like to say no or challenge an individual due to the possibility of confrontation.
Shoulder Surfing
This is as simple as looking over someone’s shoulder while they are typing a password on their laptop, a number sequence on a secure door keypad or even their PIN at a cash machine.
With a wealth of techniques in the social engineers’ arsenal, it is no wonder as to why they are used so commonly.
Utilising the techniques
One of the most enticing elements of social engineering is its versatility; it can be used during the reconnaissance stage and potentially throughout almost any attack to ensure that the attack is achieving the desired outcome.
The specific technique can be altered depending on the scenario, the organisation, the individual or even the information the attacker is ultimately looking to obtain. For example, tailgating will be utilised where physical access is required, whereas baiting is more likely to be aimed at gaining remote access. Additionally, these techniques can be used alone or in conjunction with one another, tailored on the fly to suit a specific scenario.
HOW CAN WE PROTECT OURSELVES?
Social engineering is a technique that relies on the victim being unaware that they are being targeted. However, there are several factors that individuals can practice in order to make themselves less susceptible to social engineering, such as:
- Increased cyber awareness
- Identifying fake emails
- Avoiding clicking links or opening attachments
- Utilising up-to-date cybersecurity tools
Increased Cyber Awareness
This can be gained through individual interaction or ideally through the introduction of company training during employee induction and routinely throughout their employment. Training should discuss the different elements of social engineering and highlight the risk posed by introducing USBs into local networks, for example.
Identifying Fake Emails
It is always important to check where an email is coming from. The sender is often the first indication that an email is malicious, as it will usually come from an unfamiliar address or one that has been subtly altered. An example would be www.amaz0n.com, where the letter ‘o’ is replaced with the number ‘0’. Whilst a small change, users will often not notice it and continue to open the email.
Avoiding Clicking Links or Opening Attachments
This is commonly exploited within phishing attempts, as the link often redirects the user to a malicious page that will download malware, or may even prompt the user to enter their username and password, which are then recorded and provided to the attackers. Additionally, if a link is opened from within an organisation’s network, it could allow the attacker to gain access to many sensitive files.
Utilise Up-to-Date Cyber Security Tools
Many cybersecurity suites today will identify and block malicious attempts before they reach the end user, reducing the overall risk. However, these tools must be maintained and kept up to date, as vulnerabilities in out-of-date software can themselves be exploited.
SUMMARY
It is important to approach social engineering holistically and try to increase overall awareness for everyone, as personal computers are just as vulnerable as company infrastructure.
Whilst it is almost impossible to prevent these types of attacks from happening in the future, having a basic understanding of how they work and what to look out for will allow individuals to potentially mitigate attacks or even prevent them completely.
The next time someone you don’t recognise tries to follow you into a secure area, don’t be afraid to challenge them for their ID or security pass and encourage them to visit the relevant desk if they have ‘forgotten’ it. And maybe don’t pick up the shiny 64GB USB stick from the floor and take it home to format because you need one. It is always better to be safe than sorry.