60% of enterprises were victims of social engineering attacks in 2016. There is a common misconception that cyber security is all about hardware and software technology. Technology is of course a massive part of information security, but robust cyber security requires all three pillars to be secured, because an information security management system is built on people, processes and technology. People (the employees of an enterprise) are always the weakest link: we can protect our passwords, deploy endpoint protection software, run a strong firewall and define processes, but if people are not aware and skilled enough to deal with attacks we remain vulnerable. Social engineering is a major aspect of security, and a whole sector of hacking has developed around it.
Social engineering is the act of manipulating people into granting access or revealing sensitive data by preying on basic human psychological behaviour. The technique is especially dangerous because no software or hardware alone can prevent it. It is a non-technical way of obtaining sensitive information that can help attackers carry out many other types of attack.
This essay describes the various methods used to carry out these attacks and how vulnerable we are to social engineering. It then shows how these attacks can be prevented.
Social Engineering Attacks
Social engineering attacks apply social skills to trick people. They use non-technical or low-technology means such as lies, blackmail, bribes and threats to attack information systems [1].
The aim is to obtain information such as passwords, sensitive data and system locations that can be used in an attack against computer-based systems [2].
The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you. What I found personally to be true was that it's easier to manipulate people rather than technology. Most of the time organisations overlook that human element [3].
A social engineering attack starts with information gathering: like a reconnaissance attack, its purpose is to collect information from the user without raising suspicion. Once enough information has been gathered, the attacker builds a trust relationship with the user and then exploits it. The final phase is executing the attack to breach the system or steal the data. Because of our helpful nature, most of the time we tend to give out information willingly, and exactly this nature allows the attacker to prey on the user's sympathy to obtain the required information. At other times the user's greed or fear is the driving factor. The skills and techniques a social engineer draws on are discussed below.
Hoaxing – Making something false appear genuine so that people believe it. A hoax is a fake story that social engineers use to change a user's decision on a certain matter.
Dumpster Diving – Finding information in physical or electronic rubbish. The search is for sensitive and private data that can be used to carry out identity theft.
Shoulder Surfing – Spying, or looking over a user's shoulder, to steal or guess passwords and other credentials.
Phishing and Emails – Tempting spam emails designed to steal valuable information are the primary tool of social engineering attacks. The attacker uses fake URLs and fake attachments to capture the user's data and credentials: fake URLs lead to spoofed pages that harvest credit card and bank account details, and malicious software that sends data to the attacker is installed as soon as the user opens an infected attachment. Malware-laden APK files disguised as Google Play Books apps sent via phishing email are a perfect example of how attackers pair malware with phishing in an effort to steal the user's information.
Social media – When you Google yourself you will probably see your social media profiles, images and the information you have posted online. None of these personal details are secure, because they are publicly available and can be used to invade the victim's privacy and hijack accounts. A fake social media profile can be built from the details of a legitimate user, which is why we see multiple profiles of the same celebrity on Facebook and Twitter.
Pharming – Pages copied from a legitimate website onto a fraudulent one to trick the user and capture confidential information such as user name and password. The user is directed to the fake website by phishing or by a DNS hijacking attack.
Vishing – The combination of voice and phishing. Vishing is effective because it exploits the user's trust in phone calls; the attacker talks the user into giving information over the phone or directs them to the fake website.
Malicious software – Users are tricked into downloading and installing malicious software unknowingly. Such applications can be adware, Trojan horses, backdoors, key loggers and spyware: software that gathers information about users and their computers [7]. Some programs, such as Trojan horses, seem legitimate but perform illicit activity. Trojans are often delivered as email attachments; they run backdoor services in the background and leave the system more vulnerable to future attacks.
Impersonation of staff and identity theft – Pretending to be a legitimate user in a very convincing way, by creating a fake user ID or email address, or by hiding one's identity and posing as another person on the phone. Posing as a manager or senior officer (the technique the page calls "clouting") is one of the most common forms of impersonation, and it lets the social engineer extract a lot of information about the organisation.
Windows pop-ups – A well-hidden attack: without the user's knowledge the attacker deploys malicious software that generates a pop-up window prompting the user to enter their credentials. The information goes to the attacker, who then has full access to the system.
Quid Pro Quo – These attacks promise a benefit in exchange for information. Fraudsters impersonate IT support staff and offer IT assistance to every one of their victims. Far less sophisticated quid pro quo offers than IT issue resolution also work: office workers have been willing to give away their passwords for a cheap pen or even a bar of chocolate.
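The phishing and pharming techniques above both depend on a link that looks like the real site but leads somewhere else. The following script is an added example (not from the original essay) of the kind of link-inspection check a mail gateway or awareness tool might run over an HTML message: it flags display text that names a different domain from the href, look-alike domains such as "exarnplebank.com", a trusted domain used as a subdomain of an attacker's domain, and raw IP addresses as hosts. The trusted domain `examplebank.com` and the sample email are constructed for the demo; the registrable-domain and confusable-skeleton helpers are deliberately simplified (they ignore multi-label TLDs such as co.uk and only fold a handful of confusable characters).

```python
"""Flag suspicious links in an HTML email body (added example, constructed data)."""
import ipaddress
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate domain for this demo; not taken from the essay.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://examplebank.com.login-verify.net/auth">https://examplebank.com/login</a><br>
<a href="http://exarnplebank.com/reset">Reset your password</a><br>
<a href="http://192.0.2.10/secure">Secure portal</a><br>
<a href="https://examplebank.com/help">Help centre</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Last two labels of the host (simplification: ignores TLDs like co.uk)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Digits that visually mimic letters; 'rn' -> 'm' handles exarnple vs example.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(domain):
    """Crude confusable normalisation: fold Unicode to ASCII, then map look-alikes."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return folded.lower().translate(CONFUSABLES).replace("rn", "m")


def assess_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return a list of finding names for one link (empty list means nothing odd)."""
    findings = []
    href_host = host_of(href)
    if not href_host:
        return findings
    href_dom = registrable_domain(href_host)
    if is_ip(href_host):
        findings.append("ip_literal_host")
    else:
        # Trusted name buried inside an attacker-controlled host, e.g. examplebank.com.evil.net
        if any(href_dom != t and f".{t}." in f".{href_host}" for t in trusted):
            findings.append("trusted_domain_as_subdomain")
        # Domain that normalises to a trusted one but is not it
        if href_dom not in trusted and any(skeleton(href_dom) == skeleton(t) for t in trusted):
            findings.append("lookalike_domain")
    # Visible text that is itself a URL or domain pointing at a different domain
    if text and " " not in text and "." in text:
        text_dom = registrable_domain(host_of(text))
        if text_dom and text_dom != href_dom:
            findings.append("display_text_mismatch")
    return findings


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map each href in the message to its findings."""
    return {href: assess_link(href, text, trusted) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(f"{href}: {findings or 'ok'}")
```

In the sample message the first link is flagged twice (trusted domain used as a subdomain, and display text naming a different domain), the second as a look-alike, the third for using a raw IP address, and the genuine help-centre link is left alone. A production filter would replace `registrable_domain` with a public-suffix list lookup and `skeleton` with a full Unicode confusables table, but the structure of the check is the same.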
Defence of the Social Engineer
Social engineering attacks are not technology-based attacks on software or hardware; they take advantage of human psychology to gather the information needed to attack systems. The best way to respond to them is user awareness combined with good operational procedures that tell users how to react in a critical situation. Hackers prey on human psychology and curiosity in order to compromise their target's information, so it is up to users and employees to counter these attacks.
The following social engineering defences mitigate these attacks.
The first line of defence against social engineering is employee awareness and acceptance of safeguard measures [13]. All users and employees need to be educated on what social engineering is and what the mitigation techniques are, and they should understand the damage such attacks have done or can do. Awareness training should be organised frequently and reinforced through employee teaching sessions, security-awareness briefings, email reminders and periodic newsletters.