SOCIAL ENGINEERING
Sakshi Kanani
Falcon Cyber Tech Company, Shivang Patel
ABSTRACT:
Social engineering poses a serious threat to cyberspace security. To protect against social engineering attacks, a fundamental first step is to know what constitutes social engineering. Presently, some of the most practised and effective penetration attacks are social rather than technical; they are so effective, in fact, that these exploits play a crucial role in the great majority of cyber assaults. Social engineering is the art of exploiting human flaws to achieve a malicious objective.
INTRODUCTION:
Social engineering remains a popular method of compromising the security of computing systems. According to Thornburgh (2004), social engineering has gained profound acceptance in the information technology community as an effective social and psychological tool for exploiting the IT security mechanisms of a target organization. Social engineering is the art of manipulating people so that they give up confidential information. The types of information these criminals seek can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or into giving them access to your computer so they can secretly install malicious software that will hand them your passwords and bank information as well as control over your computer.
Scams based on social engineering are built around how people think and act. This makes the attack especially useful for manipulating a user's behaviour.
Lifecycle:
How does a social engineering attack work?
The attack cycle gives these criminals a reliable process for deceiving you. Steps for the social engineering attack cycle are usually as follows:
Examples of this type of attack include:
How to Spot Social Engineering Attacks:
Defending against social engineering requires you to practice self-awareness. Always slow down and think before doing anything or responding.
Ways to Protect Yourself:
Social engineering attacks can be performed anywhere there is even the slightest chance of human interaction. Here are a few forms of social engineering attack that everyone should know about.
Baiting is one of the most prominent examples of social engineering. In baiting, the attacker piques the curiosity or greed of the victim with a false promise. The bait lures users into a trap that compromises their systems, installs malware, or steals their personal information. Baiting's most reviled form spreads malware through physical media. Baiting takes place in both the physical and the virtual world, and in both cases the victim loses.
Example: The attacker leaves a bait, such as a malware-infected flash drive, in a place where potential victims are sure to see it. The bait looks authentic, and once the victim plugs it in and opens a file on it, malware is installed on the system.
In a scareware attack, victims are constantly bombarded with fictitious threats and false alarms. Potential victims are deceived into thinking that their system is infected with malware. This results in the installation of software with no real benefit, fraudware, or rogue scanner software.
Example: The most common form of scareware is a legitimate-looking pop-up banner that appears in the browser while surfing the web. It may display a message like "Your computer may be infected with severe malware." It then offers to install a tool to remove this malware.
In this type of attack, the attacker obtains information about a potential victim through a series of well-crafted lies. The perpetrator initiates a scam while pretending to need sensitive information in order to perform a vital task. The scam begins with the attacker establishing a sense of trust with the victim, which can be done by impersonating police, co-workers, tax or bank officials, or other people with authority. The attacker then asks a series of questions on the pretext of confirming the victim's identity. This lets them collect the personal data they need to pull off the attack.
Example: The attacker may call the potential victim posing as a bank official and ask questions designed to find out the victim's identity and other details. They obtain the account details, which are then used to rob the victim of their money.
Phishing is one of the most prominent types of social engineering attack. In such a scam, the attacker sends a text or email campaign designed to create curiosity, a sense of urgency, or fear in victims. This leads victims to click malicious website links, reveal sensitive information, open malware-laden attachments, and more.
Example: The attackers send an email or text message to potential victims alerting them to a supposed policy violation and telling them they must change their password. The message contains an illegitimate link; clicking it takes the victim to a page that prompts for new password details, which are sent straight to the attacker.
It is a focused or targeted form of phishing in which the attacker targets specific enterprises or individuals. The messages are personalised using the job positions, characteristics, and contacts of the victims, making the attack harder to spot. This type of phishing requires more effort from the attacker and may take months to pull off, but its success rate is high and it is tough to detect.
Example: The attacker may impersonate an information technology consultant and send employees an email signed and worded exactly like a message from the authentic person. The message leads the victim to change their password or click a link that takes them to a malicious website.
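The phishing cues described in the last two sections (urgency or fear language, a password-change lure, a sender posing as a trusted party, and a link that does not go where its visible text says) can be checked mechanically on incoming mail. The following Python script is an added example and is not part of the original paper; it scores a raw e-mail message on those cues and returns the indicators it found. The two sample messages, the phrase lists and every domain in them (examplebank.test, mail-notify.example, corp.example) are constructed for illustration, and the heuristics are deliberately simple.

```python
"""Heuristic phishing-cue scorer for raw e-mail messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrase lists are constructed for this example; a real filter would be far larger.
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours",
                   "policy violation", "account will be suspended")
LURE_PHRASES = ("change your password", "reset your password",
                "verify your account", "confirm your identity")
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(value: str) -> str:
    """Lower-case host of a URL, mailbox or bare domain ('' if none found)."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    m = DOMAIN_RE.search(value)
    return m.group(0).lower() if m else ""


class _HtmlCollector(HTMLParser):
    """Collects visible text and (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def _body(msg):
    """Return (visible text, [(href, anchor text)]), preferring an HTML part."""
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/html", "text/plain")]
    parts.sort(key=lambda p: p.get_content_type() != "text/html")  # HTML first
    if not parts:
        return "", []
    part = parts[0]
    raw = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    if part.get_content_type() == "text/html":
        c = _HtmlCollector()
        c.feed(raw)
        return "".join(c.text), c.links
    return raw, [(u, u) for u in URL_RE.findall(raw)]  # bare URLs: text == href


def score_message(raw: str) -> dict:
    """Score one RFC 822 message; each matched cue adds one point."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    body_text, links = _body(msg)
    text = (msg.get("Subject", "") + "\n" + body_text).lower()
    hits = []
    urgency = [p for p in URGENCY_PHRASES if p in text]
    if urgency:
        hits.append(("urgency_language", urgency))
    lure = [p for p in LURE_PHRASES if p in text]
    if lure:
        hits.append(("credential_lure", lure))
    shown = domain_of(display)  # display name claims to be another mailbox/domain
    if shown and shown != sender_domain:
        hits.append(("display_name_spoof", f"{shown} vs {sender_domain}"))
    for href, anchor in links:
        hd, ad = domain_of(href), domain_of(anchor)
        if ad and hd and ad != hd:  # link text names one site, href goes to another
            hits.append(("link_text_mismatch", f"{ad} -> {hd}"))
        if hd and sender_domain and hd != sender_domain and not hd.endswith("." + sender_domain):
            hits.append(("link_outside_sender_domain", hd))
    return {"score": len(hits), "indicators": hits,
            "verdict": "suspicious" if len(hits) >= 2 else "ok"}


# Constructed sample messages (all domains are fictitious).
PHISHING_SAMPLE = """\
From: "security@examplebank.test" <alerts@mail-notify.example>
To: victim@corp.example
Subject: Policy violation detected on your account
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected a policy violation. You must change your password
immediately or your account will be suspended.</p>
<p><a href="http://examplebank.test.login-verify.example/reset">https://examplebank.test/reset</a></p>
</body></html>
"""
BENIGN_SAMPLE = """\
From: Team Calendar <calendar@corp.example>
To: victim@corp.example
Subject: Agenda for Thursday
Content-Type: text/plain; charset="utf-8"

Hi all, Thursday's agenda is on the wiki: https://wiki.corp.example/agenda
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_message(sample))
```

Run the file directly to see both samples scored. The link checks are the ones worth keeping even in a much larger system: a visible URL whose domain differs from the real href, and a display name that carries a different domain than the envelope sender, are exactly the tricks the phishing and spear-phishing examples above rely on, and neither depends on wording that an attacker can easily vary.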