The threat of social engineering scams has grown more than ever now that so many business employees work remotely, and social engineering comes in many forms. The most commonly discussed form is phishing, but it gets much more intricate than that. We know about the hackers who use their technical skills to access and infiltrate a hapless victim’s computer and steal sensitive data.
There are other types of cybercriminals, however, who use non-technical techniques to undermine their victims’ cyber defenses. They’re called social engineers, and they exploit the greatest liability in any and every industry: human beings. They use social media, phone calls and emails to trick people into willingly handing over valuable or desired information.
You may have heard stories of people getting calls offering credit card deals or one-time promotions. The callers try to take their targets’ information by claiming to represent this or that company and asking for credit card details. This is social engineering.
In this article, we’ll focus on the most common types of social engineering attacks used to trick victims into divulging information.
Scareware
Scareware involves flooding victims with false emails and threatening notifications. Users are made to believe their computers are infected with malware or viruses, which pushes them to download “protection” software that actually infects the computer with malware. Other names for scareware include deception software and fraudware.
Some of you may have encountered scareware at some point. It comes in the form of banner ads or pop-ups that warn you that your computer is infected. It offers to install the software for you and directs you to a malware-infected site where your computer becomes vulnerable.
It can even spread through spam email, so be wary of the messages you open.
In the past, worm attacks have exploited the philosophy behind scareware, aiming to draw user attention to a malicious link or file. Worms were used most in the late 1990s and early 2000s, but it’s still important to understand why they were so successful.
In 2000, the “ILOVEYOU” worm was spread in email attachments and managed to infect tens of millions of Windows computers throughout the US. It started in the Philippines and spread to the West via corporate email systems, causing an estimated 5.5-8.7 billion in damages.
Victims received an email inviting them to open a love letter. When they opened the file, the worm copied itself to every contact in the victim’s address book. Notice that social engineering is about manipulating human emotion to gain advantage over someone and access to their information.
Malware links, as mentioned above, carry provocative words or graphics that compel you to open them, bypassing any anti-virus filters your mail service may have.
Baiting
Baiting is exactly what it sounds like: baiting the victim by appealing to greed or personal interests. This is particularly insidious because it often discourages the victim from reporting the attack. An unsuspecting user reads an email offering fake deals and shortcuts such as free internet or other illegal benefits.
When these emails are opened, the trojan attached to the email or file infects the computer, encrypts its data or spreads further through the entire system.
The victim will most likely be too embarrassed to disclose why they opened the email in the first place, so the incident goes unreported.
A perfect example of this technique was a trojan sent to employees’ corporate email addresses disguised as a recruitment website. The criminals knew the employees would be reluctant to tell their employers they had been infected while looking for another job.
This type of attack isn’t limited to email, either. Cyber criminals have also used USB drives loaded with malware. The drives are left lying around, and all it takes is one person curious enough to plug one into their machine to ruin everything.
Pretexting
Pretexting is a social engineering technique that uses cleverly constructed lies and deceptions to obtain information. Pretexting is usually done over the phone rather than online. The attacker poses as an important figure, perhaps the CEO of an IT company, or a vendor, and uses that persona as a pretext to extract the desired information from the victim or victims.
This also requires the social engineer to build a rapport with the victim through the impersonation. The impostor asks the target a series of questions as an authority figure, lulling the victim into a false sense of security.
The key to pretexting is manufacturing a scenario that the social engineer uses to engage the victim. A famous case dates to the 1970s, when Jerry N. Schneider used old invoices and manuals obtained by scavenging trash to start a profitable business. He got the invoices by going through the Pacific Telephone and Telegraph dumpsters. He then used that information to acquire new telephone equipment while posing as a high-ranking member of the company, and sold it back to PTT through his own company.
Phishing
Phishing is the most common type of social engineering scheme. The attacker creates a fake version of the website of a well-known or highly regarded company and sends the link to targets through email or social media. The reason it’s so low on this list is that it has been discussed at length in other blogs.
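As an added example (not code from this article or its authors), here is a small Python link inspector of the kind a mail filter or awareness tool might run over every hyperlink in an inbound message. It flags the classic tells of a phishing link: anchor text that names one domain while the href points at another, a bare IP address as host, punycode labels (possible homograph), a protected brand name buried as a subdomain of an unrelated domain, digit-for-letter look-alike domains, and plain http. The protected domain list, the helper names and the sample links are all constructed for illustration.

```python
"""Heuristic link inspection for suspected phishing (added example, not from the article).

Assumed setup: a mail-filtering pipeline hands us each hyperlink as its visible
anchor text plus the real href. Everything below is constructed for illustration.
"""
import ipaddress
import re
from typing import List
from urllib.parse import urlparse

# Hypothetical brands this organisation wants to protect (constructed list).
PROTECTED_DOMAINS = {"examplebank.com", "example-mail.com"}

# Characters commonly substituted for look-alike letters in domain names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Finds something that looks like a hostname inside free-form anchor text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Adequate for the example; a production filter should consult the Public
    Suffix List so that names under e.g. 'co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(anchor_text: str, href: str) -> List[str]:
    """Return the reasons a link looks suspicious; an empty list means none were found."""
    reasons: List[str] = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()
    if not host:
        return ["href has no host"]

    target = registrable_domain(host)
    labels = host.split(".")

    # 1. The visible text names one domain but the href goes somewhere else.
    m = HOST_IN_TEXT.search(anchor_text.lower())
    if m and registrable_domain(m.group(1)) != target:
        reasons.append(f"anchor text shows {m.group(1)} but href goes to {host}")

    # 2. A raw IP address instead of a hostname.
    if _is_ip_literal(host):
        reasons.append("href uses a bare IP address as host")

    # 3. Internationalised (punycode) label: classic homograph trick.
    if any(label.startswith("xn--") for label in labels):
        reasons.append("host contains punycode (xn--) label")

    # 4. A protected brand name used as a subdomain of an unrelated domain.
    for brand in PROTECTED_DOMAINS:
        brand_name = brand.split(".")[0]
        if target != brand and brand_name in labels:
            reasons.append(f"brand '{brand_name}' appears in host but domain is {target}")

    # 5. Digit-for-letter look-alike of a protected domain (examp1ebank -> examplebank).
    normalised = target.translate(HOMOGLYPHS)
    if target not in PROTECTED_DOMAINS and normalised in PROTECTED_DOMAINS:
        reasons.append(f"{target} is a look-alike of {normalised}")

    # 6. A page asking for credentials should at least be served over TLS.
    if parsed.scheme == "http":
        reasons.append("link is plain http")

    return reasons


if __name__ == "__main__":
    # Constructed sample links: one clean, the rest showing different tells.
    samples = [
        ("Log in at examplebank.com", "https://examplebank.com/login"),
        ("https://www.examplebank.com/login", "http://198.51.100.7/login"),
        ("Click here", "https://examplebank.login-verify.example/reset"),
        ("examplebank.com", "https://examp1ebank.com/"),
    ]
    for text, url in samples:
        print(url, "->", analyze_link(text, url) or "no findings")
```

These checks produce triage signals, not verdicts: a legitimate newsletter may well link through a tracking host, so a filter would normally score the findings and quarantine only above a threshold. The registrable-domain helper is deliberately naive; swap in a Public Suffix List implementation before relying on it.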
Vishing
As we’ve discussed, social engineers don’t always use the internet to gather information. Vishing is the use of an Interactive Voice Response (IVR) system to trick the target. The attackers attach the IVR to a toll-free number and trick people into calling that number and entering their information.
Tailgating
Tailgating is when a person follows an authorized person to gain access to a restricted area where some form of identification is required to get through.
This doesn’t work at large companies with advanced security features that require, for example, biometric scanning to get into the building.
What tends to happen is that the social engineer impersonates a delivery driver, and when an employee is entering the building, the person posing as a driver quickly asks the employee to hold the door so they can make it through. This occurs more often in smaller businesses with comparatively lax security.
Quid Pro Quo
Quid pro quo attacks offer a benefit in exchange for information. The most common type involves impostors pretending to be IT service providers who make direct calls to as many members of a company as possible. These criminals offer their IT expertise to all their targets and ask the victim to disable their antivirus program in order to fix whatever issue is present at the time.
Preventing Social Engineering Attacks
Now that we’ve discussed the types of social engineering techniques, you might be wondering how to defend against them. If you’ve made it this far, then congratulations: you’ve taken the first step, which is knowing about them.
With the emergence of smartphone technology, which puts powerful computers in the hands of so many people, information is very easy to come by. Unlike in the days of Mr. Schneider, you don’t have to dig through company dumpsters to access valuable data.
You, your company, employers or employees need to be more conscientious about what is posted online, whether on a website, a social media page or via email.
To keep your devices and accounts safe, it’s important to use strong passwords and two-factor authentication. Invest in IT and take the necessary measures: anti-virus software, firewalls and the like.
This is by no means a comprehensive overview of all types of social engineering; some are more detailed in nature and varied in scope. Tactics change with technology, and cyber attacks are becoming more and more laser-focused on specific targets. Instead of going for a large pool of potential targets, social engineers and cyber criminals will go after one or two individuals. They gather such specific information that distinguishing a phishing scam from a legitimate email is getting harder and harder.
Getting help from an IT service provider you can trust might mitigate the risks of falling for any one of these tricks.
For more information on phishing and other social engineering tactics, visit our website or call us for more information.