What Are Social Engineering Attacks?

A social engineering attack leverages the weakest link in an organization, which is the human user. If an attacker can get a user to reveal information, it is much easier for the attacker to cause harm than it is by using some other method of reconnaissance. Social engineering can be accomplished through email or misdirection of web pages and prompting a user to click something that leads to the attacker gaining information. Social engineering can also be done in person by an insider or an outside entity or over the phone.

A primary example is attackers leveraging normal user behavior. Suppose that you are a security professional who is in charge of the network firewalls and other security infrastructure equipment in your company. An attacker could post a job offer for a very lucrative position and make it very attractive to you, the victim. Suppose the job description lists benefits and compensation far beyond what you are making at your company. You decide to apply for the position. The criminal (attacker) then schedules an interview with you. Because you are likely to “show off” your skills and work, the attacker may be able to get you to explain how you have configured the firewalls and other network infrastructure devices for your company. You might disclose information about the firewalls used in your network, how you have configured them, how they were designed, and so on. This would give the attacker a lot of knowledge about the organization without requiring the attacker to perform any type of scanning or reconnaissance on the network.

Email Phishing

With phishing, an attacker presents to a user a link or an attachment that looks like a valid, trusted resource. When the user clicks it, he or she is prompted to disclose confidential information such as his or her username and password. Example 4-1 shows an example of a phishing email.

Example 4-1  Phishing Email Example

Subject: PAYMENT CONFIRMATION

Message Body:

Dear sir,

We have discovered that there are occasional delays from our accounts department in making complete payments to our suppliers. This has caused undue reduction in our stocks and in our production department of which suppliers do not deliver materials on time.

The purpose of this letter is to confirm whether or not payment has been made for the attached supplies received. Kindly confirm receipt and advise.

Attachment: SD_085_085_pdf.xz / SD_085_085_pdf.exe

MD5 Checksum of the attachment: 0x8CB6D923E48B51A1CB3B080A0D43589D

Spear Phishing

Spear phishing is a phishing attempt that is constructed in a very specific way and directly targeted to specific groups of individuals or companies. The attacker studies a victim and the victim’s organization in order to be able to make emails look legitimate and perhaps make them appear to come from trusted users within the company. Example 4-2 shows an example of a spear phishing email.

In the email shown in Example 4-2, the threat actor has become aware that Chris and Omar are collaborating on a book. The threat actor impersonates Chris and sends an email asking Omar to review a document (a chapter of the book). The attachment actually contains malware that is installed on Omar’s system.

Example 4-2  Spear Phishing Email Example

From: Chris Cleveland

To: Omar Santos

Subject: Please review chapter 3 for me and provide feedback by 2pm

Message Body:

Dear Omar,

Please review the attached document.

Regards,

Chris

Attachment: chapter.zip

MD5 Checksum of the attachment: 0x61D60EA55AC14444291AA1F911F3B1BE
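The attachments in Examples 4-1 and 4-2 show two things a mail gateway can check mechanically: a decoy name such as SD_085_085_pdf.exe (a "pdf" hint in front of an executable extension) and a checksum that matches one already on a block list. The triage function below is an added example, not code from the book; the block list holds only the two MD5 values quoted in the examples, and the attachment contents are constructed here.

```python
import hashlib
import re

# Checksums quoted in Examples 4-1 and 4-2, normalised to lowercase hex
# (the "0x" prefix from the text is dropped). Treated here as a block list
# of attachments the security team has already seen.
KNOWN_BAD_MD5 = {
    "8cb6d923e48b51a1cb3b080a0d43589d",  # SD_085_085_pdf.exe (Example 4-1)
    "61d60ea55ac14444291aa1f911f3b1be",  # chapter.zip (Example 4-2)
}

# Extensions that run code or unpack to something that does.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta",
                    "zip", "xz", "7z", "rar", "iso"}
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}

# A "document" hint such as "_pdf" or ".pdf" sitting in front of the real
# extension, as in "SD_085_085_pdf.exe" or "invoice.pdf.exe".
DECOY_HINT = re.compile(r"[._-](pdf|docx?|xlsx?|txt)(?=[._-]|$)", re.IGNORECASE)


def triage_attachment(filename: str, content: bytes, blocklist=KNOWN_BAD_MD5) -> dict:
    """Return why an inbound attachment deserves a closer look (empty = clean)."""
    reasons = []
    name = filename.strip().lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension .{ext}")
    # Drop the real extension and look for a decoy document hint in the rest.
    stem = name[: -len(ext) - 1] if ext else name
    if ext not in DOC_EXTENSIONS and DECOY_HINT.search(stem):
        reasons.append("document-looking name with a different real extension")
    digest = hashlib.md5(content).hexdigest()
    if digest in blocklist:
        reasons.append(f"md5 {digest} is on the block list")
    return {"filename": filename, "md5": digest,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample contents; the real attachments are not reproduced here.
    for fname in ("SD_085_085_pdf.exe", "chapter.zip", "report.pdf"):
        print(triage_attachment(fname, b"constructed sample bytes"))
```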

Whaling

Whaling, which is similar to phishing and spear phishing, is an attack targeted at high-profile business executives and key individuals in a company. Like threat actors conducting spear phishing attacks, threat actors conducting whaling attacks also create emails and web pages to serve malware or collect sensitive information; however, the whaling attackers’ emails and pages have a more official or serious look and feel. Whaling emails are designed to look like critical business emails or emails from someone who has legitimate authority, either within or outside the company. In whaling attacks, web pages are designed to specifically address high-profile victims. In a regular phishing attack, the email might be a faked warning from a bank or service provider. In a whaling attack, the email or web page would be created with a more serious executive-level form. The content is created to target an upper manager such as the CEO or an individual who might have credentials for valuable accounts within the organization.

The main goal in whaling attacks is to steal sensitive information or compromise the victim’s system and then target other key high-profile victims.

Vishing

Vishing (which is short for voice phishing) is a social engineering attack carried out in a phone conversation. The attacker persuades the user to reveal private personal and financial information or information about another person or a company.

The goal of vishing is typically to steal credit card numbers, Social Security numbers, and other information that can be used in identity theft schemes. Attackers may impersonate others and spoof caller ID to hide their identity when performing vishing attacks.

Short Message Service (SMS) Phishing

Because phishing has been an effective tactic for threat actors, they have found ways other than email to fool their victims into following malicious links or activating malware. Phishing campaigns often use text messages to send malware or malicious links to mobile devices.

One example of Short Message Service (SMS) phishing is the bitcoin-related SMS scams that have surfaced in recent years. Numerous victims have received messages instructing them to click on links to confirm their accounts and claim bitcoin. When a user clicks such a link, he or she may be fooled into entering sensitive information on that attacker’s site.

You can help mitigate SMS phishing attacks by not clicking on links from any unknown message senders. Sometimes attackers spoof the identity of legitimate entities (such as your bank, your Internet provider, social media platforms, Amazon, or eBay). You should not click on any links sent via text messages if you did not expect such a message to be sent to you. For example, if you receive a random message about a problem with an Amazon order, do not click on that link. Instead, go directly to Amazon’s website, log in, and verify on the Amazon website whether there is a problem. Similarly, if you receive a message saying that there is a problem with a credit card transaction or a bill, call the bank directly instead of clicking on a link. If you receive a message telling you that you have won something, it’s probably an SMS phishing attempt, and you should not click the link.

Universal Serial Bus (USB) Drop Key

Many pen testers and attackers have used Universal Serial Bus (USB) drop key attacks to successfully compromise victim systems. This type of attack involves just leaving USB sticks (sometimes referred to as USB keys or USB pen drives) unattended or placing them in strategic locations. Oftentimes, users think that the devices are lost and insert them into their systems to figure out whom to return the devices to; before they know it, they are downloading and installing malware. Plugging in that USB stick you found lying around on the street outside your office could lead to a security breach.

Research by Elie Bursztein, of Google’s anti-abuse research team, shows that the majority of users will plug USB drives into their system without hesitation. As part of his research, he dropped close to 300 USB sticks on the University of Illinois Urbana-Champaign campus and measured who plugged in the drives. The results showed that 98% of the USB drives were picked up, and for 45% of the drives, someone not only plugged in the drive but clicked on files.

Another social engineering technique involves dropping a key ring containing a USB stick that may also include pictures of kids or pets and an actual key or two. These types of personal touches may prompt a victim to try to identify the owner in order to return the key chain. This type of social engineering attack is very effective and also can be catastrophic.

Watering Hole Attacks

A watering hole attack is a targeted attack that occurs when an attacker profiles websites that the intended victim accesses. The attacker then scans those websites for possible vulnerabilities. If the attacker locates a website that can be compromised, the website is then injected with a JavaScript or other similar code injection that is designed to redirect the user when the user returns to that site. (This redirection is also known as a pivot attack.) The user is then redirected to a site with some sort of exploit code. The purpose is to infect computers in the organization’s network, thereby allowing the attacker to gain a foothold in the network for espionage or other reasons.

Watering hole attacks are often designed to profile users of specific organizations. Organizations should therefore develop policies to prevent these attacks. Such a policy might, for example, require updating anti-malware applications regularly and using secure virtual browsers that have little connectivity to the rest of the system and the rest of the network. To avoid having a website compromised as part of such an attack, an administrator should use proper programming methods and scan the organization’s website for malware regularly. User education is paramount to help prevent these types of attacks.
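The regular website scan recommended above can be made concrete as a script-integrity check: parse each page, compare every external script source against the hosts the site is expected to load from, and flag inline scripts that force a redirect. This is an added example, not code from the book; the trusted host names and the sample page (including its injected redirect) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts this site legitimately loads scripts from (assumption for the example).
TRUSTED_SCRIPT_HOSTS = {"www.example-corp.test", "cdn.example-corp.test"}

# Inline-script constructs typical of a forced redirect; "(?!=)" avoids
# matching an equality comparison such as "location == x".
REDIRECT_PATTERN = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=(?!=)"
    r"|location\.replace\(|document\.write\(", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collects <script src=...> references and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data  # script bodies arrive as raw data
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def find_injected_scripts(html: str, trusted_hosts=TRUSTED_SCRIPT_HOSTS) -> list:
    """Return (kind, detail) findings for scripts a baseline page should not carry."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or ""
        # Relative URLs ("/static/app.js") are same-origin and pass; anything
        # pointing at a host outside the allow list is reported.
        if host and host not in trusted_hosts:
            findings.append(("untrusted-script-src", src))
    for body in parser.inline:
        if REDIRECT_PATTERN.search(body):
            findings.append(("inline-redirect", body.strip()[:80]))
    return findings
```

Run it against a crawl of your own site and alert on any finding; the page baseline, not the attacker's infrastructure, is what you are comparing against.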
