Social Engineering

 

SOCIAL ENGINEERING

Sakshi Kanani

Falcon Cyber Tech Company, Shivang Patel

 

ABSTRACT:

Social engineering has posed a serious threat to cyberspace security. To protect against social engineering attacks, a fundamental work is to know what constitutes social engineering.  Presently, one of the most practiced and effective penetration attacks are social rather than technical, so efficient in fact, that these exploits play a crucial role to support the greatest majority of cyber assaults. Social Engineering is the art of exploiting the human flaws to achieve a malicious objective.

 

INTRODUCTION:

Social Engineering remains a popular method of compromising the security of computing systems. According to Thornburgh (2004) social engineering has gained profound acceptance in the information technology community as an effective social and psychological tool for exploiting the IT security mechanism of a target organization. Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software–that will give them access to your passwords and bank information as well as giving them control over your computer.

Scams based on social engineering are built around how people think and act. This attack especially useful for manipulating a user’s behaviour.

 

 

 

 

 

 

Lifecycle
:

 

How Social engineering attack works?

The attack cycle gives these criminals a reliable process for deceiving you. Steps for the social engineering attack cycle are usually as follows:

1. Prepare by gathering background information on you or a larger group you are a part of.
2. Infiltrate by establishing a relationship or initiating an interaction, started by building trust.
3. Exploit the victim once trust and a weakness are established to advance the attack.
4. Disengage once the user has taken the desired action.

 

Examples of this type of attack include:

• The LoveLetter worm that overloaded many companies’ email servers in 2000. Victims received an email that invited them to open the attached love letter. When they opened the attached file, the worm copied itself to all of the contacts in the victim’s address book. This worm is still regarded as one of the most devastating, in terms of the financial damage that it inflicted.

 

 

How to Spot Social Engineering Attacks:

Defending against social engineering requires you to practice self-awareness. Always slow down and think before doing anything or responding.

• Did this message come from a legitimate sender? Inspect email addresses and social media profiles carefully when getting a suspect message. There may be characters that mimic others, such as “[email protected]” instead of “[email protected].” Fake social media profiles that duplicate your friend’s picture and other details are also common.
• Did my friend actually send this message to me? It’s always good to ask the sender if they were the true sender of the message in question. Whether it was a coworker or another person in your life, ask them in-person or via a phone call if possible. They may be hacked and not know, or someone may be impersonating their accounts.
• Does the website I’m on have odd details? Irregularities in the URL, poor image quality, old or incorrect company logos, and webpage typos can all be red flags of a fraudulent website. If you enter a spoofed website, be sure to leave immediately.
• Can this person prove their identity? If you cannot get this person to verify their identity with the organization, they claim to be a part of, do not allow them the access they are asking for. This applies both in-person and online, as physical breaches require that you overlook the attacker’s identity.

 

Ways to Protect Yourself:

• Delete any request for financial information or passwords.If you get asked to reply to a message with personal information, it’s a scam.
• Reject requests for help or offers of help.Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
• Set your spam filters to high. Every email program has spam filters. To find yours, look at your settings options, and set these to high–just remember to check your spam folder periodically to see if legitimate email has been accidentally trapped there. You can also search for a step-by-step guide to setting your spam filters by searching on the name of your email provider plus the phrase ’spam filters’.
• Secure your computing devices. Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so.  Use an anti-phishing tool offered by your web browser or third party to alert you to risks.

 

 

SOCIAL ENGINEERING ATTACKS:

 

Social engineering attacks can be performed from anywhere where there is even the slightest chance of human interaction. Here are a few different forms of social engineering attacks that everyone must know about.

 

A) Baiting

It is one of the most prominent examples of social media engineering. In baiting, the attacker piques the curiosity or greed of the victim by using a false promise. Their attacks help lure users into a trap that hack their systems, install malware, or steal their personal information. Baiting’s most reviled form disperses malware using physical media. Baiting takes place both in the physical and virtual worlds, resulting in a loss for the victim.

Example: The attackers carry out this attack by leaving a bait, which can be in the form of malware-infected flash drives in ambiguous areas. The potential victims see these areas as it looks very authentic. Once clicked, it results in the installation of malware on the system.

B) Scareware

In this type of social engineering attack, victims are constantly bombarded with fictitious threats and false alarms. Potential victims are deceived, and they start thinking that their system is malware-infected. This results in the installation of no real-benefit software, fraudware, or rogue scanner software.

Example: The most common way of scareware attack is legitimate-looking pop-up banners coming up in the browser while surfing the net. It may display messages like “Your computer may be affected with severe malware.” It then offers to install tools to remove this malware.

C) Pretexting

In this type of attack, the attacker gets information on a potential victim through several well-crafted lives. The perpetrator initiates a scam pretending to need sensitive information necessary to perform a vital task. The scam begins with attackers establishing a sense of trust with the victims. It can be done by impersonating police, co-workers, tax or bank officials, or people with authority. They ask a series of questions on the pretext of confirming the identity of the victim. It helps them to collect personal data, which helps them to pull off an attack.

Example: In this example of social engineering cyber attacks, the attacker may call the potential victim as a bank official and ask him questions in a way to find out the identity and other details of the victim. They find out the account details, which are then used to rob them of their money.

D) Phishing

It is one of the most prominent types of social engineering attacks. In such a scam, the attacker sends a text or email message campaign that aims at creating curiosity, a sense of urgency, and fear in victims. This results in the victims clicking on malicious website links, revealing sensitive information, opening malware attached attachments, and more.

Example: In such a scam, the attackers send an email or a text message to the potential victims alerting them of a specific policy violation. They need to change their password. They may send an illegitimate link clicking on which the victim is prompted to enter new password details that reaches the attacker.

E) Spear Phishing

It is a focused or targeted form of phishing. In this scam, the attacker targets specific enterprises or individuals. They personalize the messages based on job positions, characteristics, and contacts that belong to the victims making the attack less ambiguous. This type of phishing requires more effort on the attacker as it may take months together to pull it off. Its success rate is high and  is tough to detect.

Example: In this case of social engineering threat, the attacker may impersonate an Information Technology Consultant and send an email to employees signed and worded exactly like the authentic person. This message results in the victim changing his password or click on a link that leads them to a malicious website.

 

 

 

SOCIAL ENGINEERING tools:

 

1)      Maltego: Maltego is an OSINT (open-source intelligence) investigation tool that shows how different pieces of information are interlinked. With Maltego, you can find relationships between people and various information assets, including email addresses, social profiles, screen names and other pieces of information that link a person to a service or organization.

 

2)      Wifiphisher is a unique social engineering tool that automates phishing attacks on Wi-Fi networks to get the WPA/WPA2 passwords of a target user base. The tool can choose any nearby Wi-Fi access point, jam it (de-authenticate all users) and create a clone access point that doesn’t require a password to join.

 

3)      SET: Social Engineering Toolkit (or SET) is an open-source, Python-driven toolkit aimed at penetration testing around social engineering. SET has various custom attack vectors that enable you to set up a believable attack in no time.

 

4)   Metasploit MSF: Metasploit Framework is a penetration testing tool that can help you identify, exploit and validate vulnerabilities. It delivers the content, tools and infrastructure to conduct extensive security auditing along with penetration testing.