Social Engineering: Stunning Attack Techniques and Amazing Prevention
What is social engineering? Stages of an attack
Social engineering is an attempt by attackers to trick humans into giving up access, credentials, bank details, or other sensitive information.
Social engineering occurs in four stages:
- Preparation — attackers collect information about victims through social media, telephone calls, email, text messages, the dark web, or other sources.
- Infiltration — attackers typically approach victims by masquerading as trusted contacts or authorities, and use the information gathered about the victim to gain their trust, or even to reach higher-value targets such as system administrators, IT helpdesk members, or executives.
- Exploitation — attackers “persuade” victims to give them sensitive information such as account credentials, payment account details, and other information that they can use to conduct a cyber attack. This persuasion can often be subtle, involving a link, an attachment, a website, even a social media quiz.
- Disengagement — the attacker stops communicating with the victim, carries out malicious activity, and disappears.
Top 8 social engineering techniques
According to the InfoSec Institute, the following five techniques are among the most commonly used social engineering attacks.
1. Phishing
In a phishing attack, an attacker uses a message sent by email, social media, instant messaging clients, or SMS to obtain sensitive information from a victim or trick them into clicking a link to a malicious website.
Phishing messages get a victim’s attention and call to action by arousing curiosity, asking for help, or invoking other emotional triggers. They often use logos, images, or text styles to spoof an organization’s identity, making it seem that the message originates from a work colleague, the victim’s bank, or another official channel. Most phishing messages use a sense of urgency, causing the victim to believe there will be negative consequences if they don’t surrender sensitive information quickly.
Types of phishing attacks:
- Email phishing — this is the traditional method of phishing, which encourages the email recipient to respond or follow up via other means. The email might include malicious links or attachments.
- Voice phishing (vishing) — a phone call, which may be from an automated messaging system or from a living person. The attacker uses the phone to obtain sensitive information from the victim or convince them to perform certain actions.
- SMS phishing (smishing) — text messages or mobile app messages that might directly request sensitive information from the victim, or contain malicious links.
- Angler phishing — an attempt by an attacker to impersonate the social media account or customer service team of a trusted company. This allows the attacker to intercept customers’ communication with the brand, move the conversation into private messages, and use it for phishing.
- Search engine phishing — an attempt by attackers to place fake websites at the top of search results. This might be done through paid advertising, legitimate search optimization techniques, or “black hat” techniques.
- In-session phishing — an attempt by an attacker to interfere with normal web browsing during a client session. For example, the attacker may inject a fake login popup or redirect the user to a malicious site.
- Spear phishing or “whaling” — targeted phishing to a particular individual or department based on previous reconnaissance, using any of the above techniques.
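The characteristics described above (a spoofed sender identity, urgency language, and links whose visible text does not match their real destination) can be checked mechanically at the mail gateway. The following is an added example, not code from the original article: a small triage function that scores a message on those three indicators. The sample messages, sender addresses, domains and URLs are constructed for the demo, and the "expected domain" for a brand is assumed to come from an allow-list the organization maintains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages; senders, domains and URLs are invented for the demo.
SAMPLE_PHISH = """\
From: "Acme Bank Security" <alerts@acme-bank-verify.example>
To: victim@example.com
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html

<p>Your account has been locked. Verify immediately or it will be suspended.</p>
<p><a href="http://acme-bank-verify.example/login">https://www.acmebank.example/login</a></p>
"""
SAMPLE_LEGIT = """\
From: "Acme Bank" <notices@acmebank.example>
To: victim@example.com
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement for last month is available in online banking.</p>
"""
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "locked", "verify")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def score_message(raw: str, expected_domain: str) -> dict:
    """Return the phishing indicators found in one message. expected_domain is the
    domain the display name claims to speak for (assumed known from a brand allow-list)."""
    msg = message_from_string(raw)
    _display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    indicators = []
    # 1. The display name borrows a brand, but the sending address's domain is not that brand's.
    if sender_domain != expected_domain and not sender_domain.endswith("." + expected_domain):
        indicators.append("sender-domain-mismatch")
    # 2. Urgency language, the emotional lever the article describes.
    if sum(w in text for w in URGENCY_WORDS) >= 2:
        indicators.append("urgency-language")
    # 3. The visible link text names one host while the href points somewhere else.
    for href, anchor in ANCHOR_RE.findall(body):
        shown, real = urlparse(anchor.strip()).hostname, urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            indicators.append("link-href-mismatch")
            break
    return {"sender_domain": sender_domain, "indicators": indicators, "score": len(indicators)}
```

A real gateway would add authentication results (SPF/DKIM/DMARC) and threat-intelligence lookups on top of these content heuristics; the point here is that each social cue in the text has a checkable counterpart in the message structure.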
2. Scareware
Scareware is a malware tactic used to trick victims into downloading or purchasing software and updates that are infected with malware. Most commonly, scareware attacks trick users into thinking they need to buy or install software disguised as a cybersecurity solution.
The purpose of scareware is to threaten computer users to purchase fake software or further infect their device. Scareware shows users pop-up security alerts that appear to be warnings from real antivirus companies, usually claiming that files are infected or the device is in danger. Other variants include warnings of memory limits, clean-up services for unused applications, and other hardware- or software-based updates.
If the tactic works, the victim downloads the fake software or visits a site that may steal credentials or other personal information, including password hashes. In some cases, this might be bloatware with no real value, while in others it could be harmful malware. Scareware can lead to compromise of the user’s device, infection of other connected devices, and theft of personal data, potentially leading to identity theft.
3. Watering hole
A watering hole attack involves launching or downloading malicious code from a legitimate website, which is commonly visited by the targets of the attack. For example, attackers might compromise a financial industry news site, knowing that individuals who work in finance and thus represent an attractive target, are likely to visit this site. The compromised site typically installs a backdoor trojan that allows the attacker to compromise and remotely control the victim’s device.
Watering hole attacks are usually performed by skilled attackers who have discovered a zero-day exploit and/or are looking for a particular “type” of victim, such as bank customers (as per the warnings issued to banks back in 2017) or employees of a certain company who use a particular HR resource or tool. They might wait for months before performing the actual attack to preserve the value of the exploit they discovered. In some cases, watering hole attacks are launched directly against vulnerable software used by the target audience, rather than a website they visit.
4. Spear phishing or whaling attack
Whaling, also known as spear phishing, is a type of phishing attack that targets specific individuals with privileged access to systems or access to highly valuable sensitive information. For example, a whaling attack may be conducted against senior executives, wealthy individuals, or network administrators.
A whaling attack is more sophisticated than a regular phishing attack. Attackers conduct meticulous research to craft a message that will cause specific targets to respond and perform the desired action. Whaling emails often pretend to be a critical business email sent by a colleague, employee, or manager of the target, requiring urgent intervention from the victim.
5. Cache poisoning or DNS spoofing
Cache poisoning is a network attack in which an attacker injects incorrect information into a web cache to serve malicious HTTP responses to users. A similar attack is DNS spoofing, in which attackers manipulate the Domain Name System (DNS) to divert traffic from legitimate servers to malicious or dangerous servers.
Cache poisoning and DNS spoofing are highly deceptive attacks that not only divert traffic away from legitimate websites, but leave users vulnerable to risks like malware infection and data theft.
6. Pretexting
In a pretexting attack, attackers create a fake identity and use it to manipulate their victims into providing private information. For example, attackers may pretend to be an external IT service provider, and request users’ account details and passwords to assist them with a problem. Or they might pretend to be the victim’s financial institution, asking them for confirmation of their bank account number or bank website credentials.
7. Baiting and “quid pro quo” attacks
In a baiting attack, attackers provide something that victims believe to be useful. This may be a supposed software update which in fact is a malicious file, an infected USB token with a label indicating it contains valuable information, and other methods.
A quid pro quo attack is similar to baiting, but instead of offering something of value, the attackers promise to perform an action that will benefit the victim, in exchange for an action from the victim. For example, an attacker may call random extensions at a company, pretending to be calling back on a technical support inquiry. When they identify an individual who actually has a support issue, they pretend to help them, but instruct them to perform actions that will compromise their machine.
8. Physical breaches and tailgating
Tailgating is a physical-breach social engineering technique in which unauthorized individuals follow authorized individuals to gain access to secure facilities.
Tailgating is a simple social engineering-based approach that bypasses seemingly secure security mechanisms. For example, employees might hold the door for an attacker who closely follows them, allowing them to bypass authentication mechanisms.
Potential tailgaters include disgruntled ex-employees, thieves, and saboteurs, who seek to steal from or do harm to a company. Once they gain access to secured areas, they can cause business disruption, cause damage, steal data, and use the information they gathered to carry out additional attacks.
Social engineering prevention
The following measures can help preempt and prevent social engineering attacks against your organization.
Security awareness training
Security awareness education should be an ongoing activity at any company. Staff members may simply not be aware of the dangers of social engineering, or if they are, they may forget the details over time. Conducting, and continuously refreshing, security awareness among employees is the first line of defense against social engineering.
Employees at all levels of a company should be trained not to give out any information, by email or phone, to “sales” callers who are decoys probing which hardware, software, applications, and resources are in common use.
Antivirus and endpoint security tools
The basic measure is installing antivirus (AV) and other endpoint security tools on user devices. Modern endpoint protection tools can identify and block obvious phishing messages, or any message that links to malicious websites or IPs listed in threat intelligence databases. They can also intercept and block malicious processes as they are executed on a user’s device. While there are sophisticated attacks designed to bypass or disable endpoint and AV agents, those attacks tend to leave other tell-tale signs of a successful attack.
Penetration testing
There are countless creative ways of penetrating an organization’s defenses with social engineering. By using an ethical hacker to conduct penetration testing, you allow an individual with a hacker’s skillset to identify and try to exploit weaknesses in your organization. When a penetration test succeeds in compromising sensitive systems, it can help you discover employees or systems you need to focus on protecting, or methods of social engineering you may be especially susceptible to.
SIEM and UEBA
Social engineering attacks will inevitably happen, so you should ensure your organization has the means to rapidly collect data about security incidents, identify what is going on, and notify security staff so they can take action.
For example, the SOC Platform is a next-generation security information and event management (SIEM) system powered by user and entity behavior analytics (UEBA). It collects security events and logs from across your organization, uses UEBA to identify normal behavior, and alerts you when suspicious activity occurs. Whether it is a user clicking through to an unusual web destination, or a malicious process executing on a user’s device, UEBA can help you identify social engineering attacks as they happen, and rapidly react with automated incident response playbooks to prevent damage.
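The “user clicking through to an unusual web destination” case above comes down to a per-user baseline of normal destinations plus a peer-group check. The following is an added example, not the platform’s own logic: it learns each user’s destinations from a window of constructed web-proxy log lines, then flags first visits to hosts outside that baseline, rating a host nobody in the organization has visited before as higher severity than one that peers already use. The log format, user names and hosts are all invented for the demo.

```python
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy log lines "<timestamp> <user> <destination host> <bytes>"; not real traffic.
BASELINE_LOGS = """\
2024-03-01T09:02:11 alice intranet.corp.example 4120
2024-03-01T09:05:40 alice mail.corp.example 9811
2024-03-01T10:12:03 alice docs.corp.example 22340
2024-03-02T09:01:57 alice intranet.corp.example 4001
2024-03-02T11:30:22 alice mail.corp.example 10233
2024-03-01T09:10:01 bob intranet.corp.example 3999
2024-03-01T14:22:45 bob cdn.vendor.example 54000
"""
NEW_LOGS = """\
2024-03-03T09:03:12 alice mail.corp.example 9750
2024-03-03T09:04:02 alice acme-bank-verify.example 1830
2024-03-03T09:04:09 alice acme-bank-verify.example 640
2024-03-03T13:00:00 bob cdn.vendor.example 52000
2024-03-03T13:05:00 bob docs.corp.example 1200
"""

def parse(lines: str):
    """Yield (timestamp, user, host, bytes) for each log line."""
    for line in lines.splitlines():
        ts, user, host, nbytes = line.split()
        yield datetime.fromisoformat(ts), user, host, int(nbytes)

def build_baseline(lines: str) -> dict:
    """Learn each user's normal destinations over a learning window."""
    seen = defaultdict(set)
    for _, user, host, _ in parse(lines):
        seen[user].add(host)
    return dict(seen)

def detect_new_destinations(baseline: dict, lines: str) -> list:
    """Flag each user's first visit to a host outside their baseline.
    A host nobody in the org has visited before is 'high'; one that peers
    already use (e.g. an internal tool new to this user) is 'low'."""
    org_known = set().union(*baseline.values()) if baseline else set()
    alerts, reported = [], set()
    for ts, user, host, _ in parse(lines):
        if host in baseline.get(user, set()) or (user, host) in reported:
            continue
        reported.add((user, host))
        severity = "low" if host in org_known else "high"
        alerts.append((user, host, ts.isoformat(), severity))
    return alerts
```

In a real deployment the baseline would be rebuilt on a rolling window and enriched with the endpoint and mail-gateway signals described earlier, so that a new destination reached right after a flagged message raises the combined score rather than a standalone alert.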