Even the most secure systems — including blockchains — are prone to breaches. Professional hackers and cyber criminals carry out many of these breaches but you don’t need high-tech skills and equipment to penetrate a computer network. A little dose of social engineering would do.
We learn this lesson from ancient history to the latest news. The Trojan Horse, for example, is just a crude form of malware designed by the Greeks to destroy the city of Troy.
The U.S. National Security Agency (NSA) lost many of its guarded secrets because former contractors illegally copied and shared classified data. A Dutch bank’s complex defenses did not prevent a disguised con artist from stealing $28-million worth of diamonds.
The common denominator that connects these classic attacks: the human factor. Humans represent the weakest link in otherwise near-impenetrable security systems. Because humans are subject to emotions and sometimes show irrational behavior, it’s easy to orchestrate social engineering attacks.
Social engineering attacks exploit chinks or “bugs” in human behavior for malicious goals. These goals include stealing money, identities, and classified information. Social engineering can also be used to damage or destroy critical networks.
Impregnable fortresses, hyper-secure banks, and clandestine espionage agencies are vulnerable. What makes your company any different? How safe is your business against social engineering attacks?
- Two in ten employees compromised their workstations in an experiment. This experiment involved ten types of penetration tests and 3,300 messages.
- In the real world, a malicious campaign — Operation Sharpshooter — launched a massive attack against nearly a hundred organizations in 24 countries.
Here’s how we’re breaking down this topic:
- What are social engineering attacks?
- How do they work?
- The types of social engineering attacks
- Real-world examples
- What you can do to prevent them [8 steps]
What Are Social Engineering Attacks?
Social engineering uses non-technical methods such as behavioral manipulation for malicious goals. Such attacks are often carried out over communication channels such as SMS, email, chat, and social media. Hostile entities use social engineering to extract confidential information from unwitting personnel or to coerce someone into performing a series of damaging actions.
Unlike “computer hacking” where an attacker exploits weaknesses in software design, social engineering involves the exploitation of human vulnerabilities. Social engineers target irrational behavior, cognitive biases, distractedness, and emotions.
Examples of tactics social engineers use
Phishing is a common social engineering attack. “Phishers” use fraudulent email to steal sensitive data such as your credit card information. Sometimes, social media information is enough to orchestrate a social engineering attack.
What motivates these attackers?
Attackers are motivated by greed, revenge, mischief or fun, an outsized hacker ego, or advocacy. The goal of a social engineering attack can be any of these:
- Identity theft
- Financial benefits such as fund transfers
- Economic sabotage such as stealing classified documents
- Large-scale denial of service (DoS)
How Do Social Engineering Attacks Work?
Social engineering attacks usually happen via a flexible four-step process. These steps may vary depending on the intel on hand, attack method, target’s vulnerability, and other factors.
The key steps of social engineering are —
1) Gather information
The first step is to set up the scenario and prepare all the resources the attacker needs for a successful attack. Information gathering can be time-consuming, but it is the most crucial element. Practitioners use a wide variety of tools to gather relevant information, including website crawlers for third-party services and search engines for social profiles.
2) Build relationship
Here, the attacker attempts to establish rapport with a human target. The target may come to trust the attacker enough to perform a desired action or even carry out the final goal, such as transferring funds to a bank account or entering credit card details. Relationship-building may occur in person or via email, SMS, phone, or social media messages.
3) Exploit weakness
Once the attacker has built enough trust, it becomes easier to infiltrate the system. Exploitation may take the form of a voluntary disclosure or of the target opening a secured portal for the attacker. The target may also open an email attachment that installs malware, or introduce the attacker to others who then become targets for sabotage.
4) Execute attack
This final step carries out the sequence of direct actions that infiltrate the target. It may also include an exit strategy to blind or distract the targets. After the attack, the attacker may remove any clues that trace back to them.
Different Types And Techniques Of Social Engineering Attacks
There are four main types of social engineering attacks — phishing, smishing, vishing, and impersonation. However, the mechanics have evolved over time and there are now several specialized techniques to execute an attack.
Impersonation
This is the oldest form of social engineering attack. Ancient spies wore local disguises to access strategic positions or acquire information. The $28-million diamond theft at ABN Amro is an example of impersonation. Social engineers may pose as delivery or postal service personnel to enter an office. Once inside, they can gather information, plant malware, or steal confidential data.
Phishing
Usually delivered via email. Phishers deceive targets into visiting a fake website or installing malware. Targets then enter sensitive information such as account passwords and credit card numbers into the fake site. Phishing has become the most frequently used technique in social engineering.
Social engineers register a domain that resembles a legitimate one and build fake websites and email addresses on it. For example, “goggle.com” may be used instead of “google.com”.
Security journalist David Bisson said most phishing attacks have the following characteristics:
- The email appears to come from a trustworthy source such as your bank, cable TV provider, or tech support.
- It aims to obtain personal data such as addresses and social security numbers.
- The main goal is to steal identity or money.
- It uses link shorteners such as bit.ly to conceal fake websites.
- It contains suspicious URLs (wrong spelling, strange punctuation marks, inaccurate domain extensions, etc.) that lead to fake websites.
- It carries warnings, emergencies, or cash prizes to manipulate the target’s emotions.
- It may use attachments with malware.
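As an added example (not from the original article), a small Python checker that scans one message body for the indicators listed above: lookalike domains such as goggle.com, link shorteners, urgency or prize wording, and risky attachment names. The trusted-domain list, shortener list, and sample message are constructed for this demonstration; a real deployment would load its own lists.

```python
import re
from urllib.parse import urlparse

# Constructed reference data (assumption: replace with your organisation's lists).
TRUSTED_DOMAINS = {"google.com", "paypal.com", "yourbank.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "prize", "winner", "verify now")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"\.(exe|scr|js|vbs|docm|xlsm|zip)\b", re.IGNORECASE)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a trusted brand flags a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list offline)."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(message: str) -> list[str]:
    """Return the phishing characteristics found in a single email body."""
    found = []
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname or ""
        dom = registrable_domain(host)
        if dom in SHORTENERS:
            found.append(f"link shortener: {dom}")
        elif dom not in TRUSTED_DOMAINS:
            for brand in TRUSTED_DOMAINS:
                if 0 < edit_distance(dom, brand) <= 2:
                    found.append(f"lookalike domain: {dom} ~ {brand}")
        if host.replace(".", "").isdigit():
            found.append(f"raw IP address in link: {host}")
    if any(w in message.lower() for w in URGENCY_WORDS):
        found.append("emotional pressure (urgency/prize wording)")
    if ATTACHMENT_RE.search(message):
        found.append("executable/macro attachment named")
    return found

# Constructed sample message combining several of the indicators above.
SAMPLE = (
    "From: security@goggle.com\n"
    "URGENT: your account will be suspended. Verify now at https://goggle.com/verify\n"
    "or use https://bit.ly/3xyz. Open the attached invoice.docm for details."
)
```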
Spear phishing describes a phishing attack aimed at a specific target. Whaling is a phishing attack that targets a person with a high corporate position.
Vishing
This refers to phishing attacks that use the telephone (voice + phishing). Vishers use voice changers and other tools to impersonate a trusted individual. They steal social security numbers, employee ID numbers, passwords, and other sensitive information.
Smishing
This is a combination of SMS and phishing. Fake SMS messages are used to trick recipients into visiting a fraudulent website, downloading malware, or calling a fake phone number. Social engineers use fake prizes, sensational news, and other bait to steal sensitive information.
Spear Phishing
This is a phishing attack that targets a specific individual. Spear phishers gather open-source information about a target such as name, job, location, and hobbies. This delivers a higher success rate compared to ordinary phishing attacks.
Whaling
This is a phishing attack that targets “big phish” such as executives and leaders. Social engineers research the corporate leader before the actual attack. Whaling attacks cause huge damage because high-level leaders have access to trade secrets.
Baiting
This technique uses flashy tricks. Baiters use web pop-ups and USB flash drives that are “left behind by accident.” Pop-ups usually display clickbait linked to fraudulent websites. Suspicious devices sometimes contain malware that can hijack your systems.
Pretexting
This refers to a technique that sets up an ideal scenario for an attack. Social engineers use pretexting to steal money and identities. They act like trustworthy professionals, but their plan is to steal sensitive information such as social security and bank account numbers.
Scareware
This technique exploits people’s emotions. It uses shock, emergency, or threat messaging. A message can claim that a powerful virus has infected your desktop computer or your smartphone. The target then makes the mistake of running the offered “scanner,” which is itself malware.
Scammers combine scareware messages with phishing programs. They also use ransomware that seizes control of your computer or data. Targets end up paying money just to regain control of their devices.
Watering Hole
The name comes from the behavior of animals that gather around a water source. The attack targets a particular user group by compromising the websites they commonly visit. Malware can spread like wildfire across the group and infect the entire network. Attacks of this type can shut down entire government agencies and corporate departments.
Diversion Theft
This technique resembles impersonation. It is a trick that targets transport, shipment, or delivery companies. Social engineers may re-route or alter the goods being delivered. Alteration may include installing malware or spyware in electronic products. Physical rerouting usually ends in traditional theft. In cyberspace, social engineers use an accomplice to convince a target to share sensitive data.
Quid pro quo
This is also a form of impersonation. As the term implies, the core idea is to exchange something for something. Quid pro quo attackers usually target businesses with many employees. They begin by “helping” one employee. After gaining trust, attackers then convince the beholden employee to take an action. Such actions often compromise system security.
Honey Trap
This technique plays on human emotions by focusing on sex and romance. Attackers pose as very attractive persons on social media and dating sites. They can also be found on adult-oriented websites. Attackers use charm, sex appeal, or blackmail to get personal data and financial information.
Tailgating
Also called “piggybacking.” Attackers access restricted areas or confidential data by “tailgating” an authorized person. For example, attackers disguised as tech support can convince an executive to open the company’s confidential data for them.
Rogue Access Point
This technique uses WiFi. Attackers exploit the demand for internet connectivity by finding or setting up rogue access points. These access points can be used to steal personal data, install malware on connected devices, and even launch a DoS attack.
Real-world Examples Of Social Engineering Attacks
Infosec Institute published a list of infamous social engineering attacks. Here are some of the most interesting:
Hack of AP’s Twitter account by the Syrian Electronic Army
In 2013, the Syrian Electronic Army attacked employees of the Associated Press. Attackers used spear phishing emails and a fake website. On the fake website, employees entered login data for the news agency’s Twitter account. The Syrian Electronic Army gained access to the account.
It tweeted that the White House had been bombed and that then-president Obama was injured. The tweet was live for three minutes, but it shook the markets and the Dow lost around $136 billion.
Sony Pictures Hack
North Korea’s cyber army hacked Sony Pictures because of a film about the country’s leader. In the film (The Interview), the leader is the target of an assassination attempt. The phishing attack used information from LinkedIn and Apple ID to steal passwords. Attackers used the stolen passwords to steal 100 terabytes of data from Sony.
Theft of Democratic National Convention (DNC) Emails by Russia/Wikileaks
Russian hackers breached the DNC email network. They stole 150,000 confidential emails from the Clinton campaign. The attackers used a spear phishing email that appeared to come from Google. The email contained a link to a fake site where victims shared their login info. The incident is still the subject of ongoing investigations.
How To Prevent Social Engineering Attacks
There’s no foolproof security solution for a system that includes a human element. If social engineers can break into AP News, Sony Pictures, and the Democratic Party, how safe is your company?
Not very. But you can still drive awareness and prepare for such attacks. Human error can be mitigated. Here are some steps you should consider.
- Improve awareness and knowledge about the threat (social engineering) and its different forms.
- Encourage personnel to screen messages they receive on computers and mobile devices.
- Clarify your protocols on social engineering attacks. Integrate such protocols into the overall policy on information security and data protection.
- Educate staff about cyber security. Train them how to counter each type of social engineering attack.
- Train staff on how to improve their emotional intelligence. Build their resistance to social engineering attacks.
- Encourage staff to ask colleagues and tech support when they are unsure about an issue.
- Protect computers and other devices using updated anti-virus and other security software.
- Have an accessible, centralized, and updated knowledge base on social engineering.
The threat of social engineering intensifies as the world becomes more digital. Regardless of size or industry, no business or organization is exempt from the threat.
Even the most tech-savvy professionals can still get blindsided and make a grave error. In this environment, companies need to adopt the best security solutions and build a culture of vigilance.