There's no single security device that can guard against an attacker's use of social engineering techniques. Only through continuous training and educating employees on how to identify and respond to social engineering attempts can an attacker's chances of succeeding be reduced.
We will explore the many aspects of social engineering and the ways attackers use it to accomplish their purposes, as well as how to better identify and respond to it, and how to educate and protect ourselves and our organization against it.
In this chapter, we will discuss the following:
Before proceeding with this subject, let's review some of the basic concepts of social engineering.
So, what is the definition of social engineering?
Social engineering is the skill of persuading others to give up sensitive information to use it for malicious purposes. By using social engineering to take advantage of people, attackers can breach an organization's sensitive information even with security policies in place. Employees are often unaware of security lapses and may unknowingly give out or divulge crucial information about the organization.
Examples include answering a stranger's questions or responding to spam emails without realizing the risk.
A social engineer's most powerful tool is the vulnerability of people. People generally trust others and find enjoyment in helping and assisting people. An attacker is skillful and will take advantage of a person who is helpful.
Let's discuss some of the most common targets of social engineering in an organization:
To succeed, attackers take a special interest in developing social engineering skills and can be so proficient that victims might not even notice the fraud. Attackers are always looking for new ways to access information. They also ensure they know the organization's frontline contacts, such as security guards, receptionists, and helpdesk workers, to exploit people's vulnerabilities. People have conditioned themselves to not be overly suspicious, and they associate specific behaviors and appearances with known entities.
People are naturally cautious with strangers and identify certain behaviors and appearances. A man in a uniform carrying a stack of parcels for delivery could be mistaken for a delivery person. By exploiting these human tendencies, attackers can obtain confidential information, authorization, and access data from people via social engineering tactics.
Social engineering is a serious issue and can result in significant losses for a business.
The following are some of the effects of a social engineering attack on an organization:
Now that we have covered the basics of social engineering and how it impacts an organization, let's look at the types of approaches used to achieve this.
When we think about attack-vulnerable behaviors and what this means, we're talking about the natural, intrinsic feelings and responses of people. These can be exploited by an attacker using the following:
Attackers take advantage of this by building websites and posting fictitious customer testimonials regarding the benefits of certain items, such as anti-malware software (rogueware). As a result, when users search the internet for rogueware, they come across these websites and believe the fake testimonials. Furthermore, the malicious product may install malware alongside itself when people download it.
For example, if Apple announces a new product that quickly sells out, attackers can take advantage of the situation by sending phishing emails to the target customers, enticing them to buy the goods by clicking on a link supplied in the email. The users will be forwarded to a malicious website controlled by the attacker if they click on this link. As a result, the user may wind up disclosing account information or downloading harmful software, such as trojans.
Ransomware, for example, frequently employs the urgency principle, which forces the victim to take immediate action within a set timeframe. The victims notice a countdown meter running on their infected systems and realize that failing to make the required decision within the allotted time may result in the loss of critical data.
Similarly, attackers can send phishing emails claiming that a specific product is on sale and that the consumer should click the Buy Now link to purchase it. A duped user clicks the link to act right away. As a result, they are routed to a malicious website, where they are pressed to give personal information or download a malicious file.
People are more willing to allow someone to glance over their shoulder if they like or are familiar with them. If the person is disliked, the shoulder surfing attack is easily recognized and avoided. Similarly, if they like or are friendly with someone, they will typically allow them to tailgate them. In some circumstances, social engineers trick someone with charm and pleasant conversation to get a person to like them.
An attacker may, for example, pose as a competitor and offer a substantial reward to persuade the target staff to provide important information.
Next, let's discuss some of the factors that leave a business or organization open to being attacked.
Companies are vulnerable to social engineering attacks due to a variety of circumstances, including the following:
Next, we're going to discuss what makes social engineering work and be successful.
Social engineering, like other techniques, does not deal with network security; rather, it deals with psychological manipulation and exploitation of a human being to obtain desired information.
The following are some reasons social engineering is effective:
Next, we'll talk about the attack phases in which social engineering may occur.
To carry out a successful social engineering attack, attackers perform the following steps:
An attacker acquires enough information to infiltrate the target organization's network before attacking it. One strategy that aids in knowledge extraction is social engineering. The attacker begins by gathering basic information about the target company, such as the nature of the business, its location, and the number of employees. The attacker engages in activities such as dumpster diving, browsing a company's website, and discovering employee information.
The attacker selects a target for extracting sensitive information about the company after completing their research. Attackers frequently attempt to contact dissatisfied employees because they are often willing to share information about the target company and are easier to manipulate.
Once the target has been identified, the attacker establishes a working relationship with that individual to complete their objective.
The attacker takes advantage of the relationship to obtain sensitive information about the company's accounts, finances, technologies in use, and future strategic plans.
An attacker may use several methods to carry out an attack. Let's talk about some of them next.
Attackers use a variety of social engineering methods to collect sensitive information from individuals or organizations that could be used to perpetrate fraud or other criminal acts.
This section will cover people-based, computer-based, and mobile-based social engineering approaches, all with examples to help you understand them better.
People-based social engineering involves direct human contact. Posing as a legitimate person, the attacker interacts with a target organization employee to obtain sensitive information, such as corporate strategies and network details, that will aid them in launching their attack. For example, the attacker can simply access the server room by impersonating an IT support technician.
An attacker can use the following methods to execute human-based social engineering.
Impersonation is a frequent people-based social engineering method in which the attacker poses as a legitimate or authorized individual. Attackers may carry out personal impersonation attacks or use a phone or another communication medium to deceive victims into divulging information.
The attacker could pose as a courier or delivery person, a janitor, a salesman, a customer, a technician, or a guest. By scanning terminals for passwords, searching for critical documents on employees' desks, rummaging through dumpsters, and other methods, the attacker acquires sensitive information. The attacker may even try to shoulder surf for sensitive information by listening in on private chats.
Impersonation techniques used in social engineering include the following:
The human tendencies of trust, fear, and moral obligation are exploited by some impersonation methods used by attackers to gain sensitive information about the target company.
An attacker may impersonate an employee and then use unethical means to acquire access to sensitive information. To gain sensitive information, they may use a bogus identity.
Another example is when an employee's friend requests they retrieve information that a bedridden employee reportedly requires. A well-known social interaction concept is that a favor begets a favor, even if the original favor is given without the recipient's request. This is referred to as reciprocation. Reciprocity is a common occurrence in business settings. One approach for social engineers to make use of this social trait is through impersonation.
Consider this case: "Hi! I'm Paul, and I work in the finance department. I've forgotten my password. Is it possible to get it?"
Another behavioral trait favoring a social engineer is a person's tendency to not question authority. People regularly go out of their way to help people they believe are in positions of power. Impersonating a high-ranking figure, such as a vice president or director, might easily deceive an unprepared employee.
Attackers who take impersonation to the next level by impersonating a high-ranking employee add a layer of fear. In this case, where lower-level personnel may go out of their way to assist a higher authority, the reciprocation factor comes into play. For example, a help-desk staffer is less likely to refuse a request from a vice president who is pressed for time and requires critical information for a meeting.
If an employee refuses to reveal information, social engineers may use their position of power to intimidate them, including threatening to report their misconduct to their superiors. This strategy is now more important than ever.
Consider the following scenario: "Hello there! I'm Kevin, the secretary to the CFO. I'm working on a deadline and have forgotten my system password. Are you able to assist me?"
Another strategy involves an attacker impersonating a technical assistance agent, which is particularly effective when the target lacks technical knowledge. The attacker could pose as a hardware seller, a technician, or a computer vendor. During one demonstration at a hacking group, a speaker called Starbucks and asked whether their broadband connection was working properly. The confused staffer said that the problem was with the modem. Without providing any credentials, the hacker proceeded to have him read out the credit card number from the previous transaction. In a business setting, the attacker may require employees to provide their login information, including passwords, to fix a problem that does not exist.
Consider the following scenario: "Sir, this is Mathew from X Company's technical assistance department. We suffered a system crash here last night, and we're looking for missing data. Could you tell me your username and password?"
An attacker usually wears office attire, or the same type of clothing others are wearing. They walk into a company's building while posing as a contractor, client, service technician, or another authorized individual. Then they go around unobserved looking for passwords taped to terminals, extracting vital data from wastepaper bins and papers on desks, and gathering other data. Other social engineering techniques, such as shoulder surfing (observing users typing login credentials or other sensitive information) and eavesdropping (purposefully overhearing confidential conversations between employees), may be used by the attacker to gather sensitive information that could be used to launch an attack on the company.
Pretending to be a repairman
Generally, computer technicians, electricians, and telephone repairmen are trustworthy. Attackers could penetrate the organization by impersonating a technician or repair person. They'd go about their business as usual while searching for concealed passwords, crucial information on desks, information in garbage bins, and other relevant information; they may even place snooping equipment in secret spots. I've personally used this technique to walk out of an organization with full computer systems in hand.
Vishing (also known as voice or VoIP phishing) is a type of impersonation scam in which the attacker employs Voice over IP (VoIP) technology to mislead people into disclosing sensitive financial and personal information. The attacker profits from the information by impersonating a trusted party, often with the help of caller ID spoofing. Vishing frequently includes prerecorded messages and instructions that appear to be from a real financial institution. The attacker uses vishing to deceive the victim into submitting bank account or credit card information over the phone for identity verification.
The attacker may send the victim a phony SMS or email message instructing them to call the financial institution for credit card or bank account verification; in some situations, the victim gets a phone call from the attacker. When the victim dials the phone number given in the attacker's message, they hear a recorded instruction requiring personal and financial data, such as name, date of birth, Social Security Number (SSN), bank account number, credit card information, or credentials such as usernames and passwords. Once the victim submits the information, the recorded message confirms that the victim's account has been verified.
There's a reason why help desks are routinely targeted for social engineering attempts. Staff workers are trained to be helpful, and they frequently divulge critical information, such as passwords and network details, without first validating the caller's identity.
To be effective, the attacker must know the identities of employees as well as information about the person they are attempting to impersonate. Pretending to be a senior official, the attacker may call a company's help desk to extract important information.
For instance, a person might contact a company's customer service department and claim they can't remember their password, adding that their supervisor may fire them if they miss a deadline on a major advertising project.
The help desk employee pities the caller and promptly resets their password, unintentionally allowing the attacker access to the company network.
Pretending to be someone with third-party permission
Another common tactic employed by attackers is to pose as a person authorized by a senior-level leader in the organization to gather information on their behalf.
For example, if an attacker knows the identity of an employee at the target organization who is permitted to access the required information, they keep a close eye on them to gain access to the data they need in the absence of the employee in question. In this situation, the attacker can approach the help desk or other people and say the employee (authority figure) has asked for the information.
Even if there is doubt about the request's legitimacy, people tend to disregard it in favor of being helpful in the workplace. When someone mentions an important person and provides the necessary information, people tend to believe they are being truthful.
This method works well when the authority figure is on vacation or traveling and immediate verification is unavailable.
An example is as follows: "Hello, my name is John, and I chatted with Mr. XYZ last week before he left. He's on vacation and indicated you'd be able to provide me with the information while he's away. Could you please assist me?"
An attacker can employ vishing to impersonate a technical support staff member of the target organization's software vendor or contractor to obtain sensitive information, like the impersonation of a tech support agent described previously. The attacker may pose as a network technician and request the user ID and password for a computer to determine the issue. The user would submit the essential information, believing them to be a troubleshooter.
An example is as follows: (Attacker) "Hello, my name is Mike, and I'm with tech support. The system and networks have been running slower than usual at your office, according to certain employees. Is this correct?"
"Yes, it's been a little slow recently," says the employee.
(Attacker) "So, we've transferred you to a new server, and your service should now be significantly better. I can check your service if you provide me with your password. From now on, everything should be improved."
Posing as a trustworthy authority figure is the most effective way of social engineering.
To collect sensitive information from the target, an attacker may pose as a fire marshal, superintendent, auditor, director, or another key individual over the phone or in person.
Some examples are as follows:
Yes, they're very interested in the security measures we've implemented. One of the reasons they're contemplating our firm is because their website was hacked a while back."
Using phrases with a professional ring to them, such as HVAC (Heating, Ventilation, and Air Conditioning), may provide an intruder with just enough credibility to give them entry to the target secure resource.
Eavesdropping is when someone listens in on a discussion or reads other people's messages without their permission. It includes intercepting any type of communication, whether audio, video, or written, across channels such as phone lines, email, and instant messaging. Passwords, business plans, phone numbers, and addresses are among the sensitive data that can be obtained by an attacker.
Dumpster diving is rummaging through trash bins for sensitive personal or organizational information. Attackers look for user IDs, passwords, network diagrams, policy numbers, and other confidential information that can be extracted.
Attackers can find account numbers, calendars, bank statements, payroll information, source code, sales projections, access codes, phone lists, credit card numbers, and organizational charts. As a result, attackers could exploit this information to carry out a variety of malicious attacks. Ploys, such as impersonating a repair person, technician, cleaner, or other professional, are sometimes used by attackers to promote their dumpster diving efforts.
The following is information that can potentially be collected by going through garbage:
Reverse social engineering is a challenging task because its execution necessitates a great deal of planning and skill. A perpetrator engaging in reverse social engineering plays the role of a knowledgeable professional so that employees will seek information from them.
The social engineer will first create a problem by causing an incident, and then will portray themselves as the solution through general chat, enticing employees to make inquiries.
Here are some methods of reverse social engineering:
Piggybacking usually entails entering a building or a secure area with the permission of an authorized individual. An attacker might, for example, request that an authorized individual unlock a security door, claiming that they have misplaced their ID badge. The authorized person will allow the attacker to pass through the door as a matter of courtesy.
Tailgating is when someone enters a building or a secured location without permission. It is the act of discreetly following an authorized person through a protected entryway.
An attacker using a badge can try to gain access to a restricted area by closely following an authorized person through a keyed or locked access or entry door. They attempt to enter the restricted area while posing as an authorized individual.
This is another one of my personal favorites. One time I piggybacked into a building that may or may not have been a federal location, but that's a story for another time.
An attacker could use diversion theft to target delivery workers or transportation companies. The main goal of this strategy is to deceive a person in charge of making a delivery into sending the package to the incorrect location, causing the transaction to be disrupted. For instance, if the victim is a package delivery driver, they may be convinced to drive to a location different from the delivery site. The theft is made possible by subjecting the van driver to a series of social engineering techniques.
On the internet, social engineers can use diversion theft to persuade victims to transmit sensitive or confidential files to an unrelated individual who is not supposed to get them.
The honey trap is a tactic in which an attacker poses as an attractive person online and establishes a phony online relationship to collect confidential information. In this case, the victim is an insider who has access to sensitive information about the target company.
Baiting is a strategy in which attackers entice end users to provide sensitive information, such as login credentials and other personal information, in exchange for valuable information. The end user's curiosity and greed are exploited. Attackers use this strategy by leaving a physical device holding malicious files, such as a USB flash drive, in places where people can easily find it, such as parking lots, elevators, and bathrooms. End users are duped into trusting and opening this physical device since it is tagged with a reputable company's logo. When the victim connects to the device and opens it, a malicious file is downloaded. It infects the system and allows the attacker to seize control.
An attacker might, for example, leave some bait in an elevator in the form of a USB drive labeled "Employee Salary Information 2019" and bearing a real company's logo. The victim picks up the device out of curiosity and opens it on their computer, where the bait is downloaded. When the bait is downloaded, malicious software is installed on the victim's computer, granting the attacker access.
The Latin term quid pro quo means something for something. Attackers use this approach to phone random numbers within a corporation, claiming to be from technical support. This is a baiting tactic in which attackers offer their services in return for personal information or login credentials from end users.
An attacker might, for example, collect random phone numbers from a target organization's personnel. They then begin dialing each number while impersonating the IT department.
The attacker ultimately locates someone who is experiencing a genuine technical problem and offers their assistance in resolving it. The attacker can then instruct the victim to follow specific steps and enter certain commands to install and run malicious files containing malware designed to access sensitive data.
Elicitation is the practice of drawing out specific information from a person.
By engaging a victim in an ordinary conversation, you can get specific information from them. To take advantage of professional or social opportunities to communicate with people who have access to sensitive information, attackers must have good social skills. The goal of elicitation in social engineering is to extract useful information to acquire access to the target assets.
If an attacker's goal is to get the victim's login and password, but all they get out of the chat is stuff they enjoy, the attacker will have to focus more on the elicitation process to get the necessary information.
Let's talk about computer-based social engineering next and what it's about.
Attackers utilize harmful software, such as viruses, trojans, and spyware, as well as software applications, such as email and instant messaging, to undertake computer-based social engineering.
The following are some examples of computer-based social engineering attacks.
Popups persuade or force users to click a link that leads to a phony web page that requests personal information or downloads dangerous software, such as keyloggers, trojans, or spyware.
One way to get a user to click a button in a pop-up window is to warn them about a problem (for example, by showing a realistic OS or application error message) or to offer them more services. A window appears on the screen, urging the user to re-login or showing a warning of a host connection interruption and the necessity to re-authenticate the network connection. When a user follows these instructions, a malicious program is installed, which takes sensitive information from the target and sends it to the attacker's email address or a remote site. Trojans and viruses are used in this form of attack.
A hoax is a message that warns recipients of a computer virus threat that does not exist. To expand its reach, it uses social engineering. Hoaxes usually do not result in physical harm or data loss, but they do result in a loss of productivity and the usage of an organization's precious network resources.
A chain letter is an email offering free goods, such as money or software, in exchange for the user forwarding the email to a certain number of people. Emotionally compelling stories, get-rich-quick pyramid scams, spiritual beliefs, and superstitious threats of bad luck are all common techniques utilized in chain letters. Chain letters depend on social engineering to be passed along.
An attacker uses instant chat features to communicate with selected online users to obtain personal information, such as their date of birth or maiden name. They then use the information they've gathered to break into users' accounts.
Spam consists of irrelevant, undesired, and unsolicited emails that are sent with the intent of collecting information that can be used for financial gain, such as SSNs and network information. Spam messages are sent to the target to obtain sensitive information, such as bank account numbers. Email attachments containing hidden and dangerous programs, such as viruses and trojans, may also be sent by attackers. By giving the attachment a long filename, social engineers try to hide the file extension.
Scareware is a type of malware that entices people to visit malware-infested websites or download or purchase potentially harmful software. Scareware is frequently encountered in popups informing users that their computer has been compromised with malware. These popups appear to be from a reputable source, such as an antivirus business. Furthermore, these pop-up advertisements always convey a sense of urgency, instructing a victim to download the program as soon as possible to be free of the alleged infection.
Phishing is a method of obtaining a user's personal or account information by sending an email or providing a link that falsely claims to be from a reputable site. The attacker registers a phony domain name, creates a spoof website, and then sends the URL to users via email. When a user clicks on the email link, they are taken to a bogus home page where they are enticed to share personal information, such as their address and credit card number.
Users' lack of awareness, being visually fooled, and failing to pay attention to security signs are all factors that contribute to the success of phishing schemes.
The following are the types of phishing methods used.
Instead of sending out thousands of emails, some attackers utilize spear phishing to acquire sensitive data, such as financial information and trade secrets, by sending customized social engineering content to a single employee or a small group of employees in a business.
Spear phishing emails appear to come from a reputable source with a legitimate-looking website. The email also appears to be from someone in the recipient's workplace, usually someone in a senior position. The message is sent by an attacker aiming to gather sensitive information about the recipient and their company; login credentials, credit card numbers, bank account numbers, passwords, confidential documents, financial information, and trade secrets are all examples of such sensitive information. Because it appears to be from a trusted company source, spear phishing delivers a higher response rate than a standard phishing attempt.
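As an added example that is not part of this chapter, the following Python script triages a constructed email for the tricks described above: an attachment whose long, double-extension filename hides that it is an executable, a display name borrowed from an executive but sent from an outside domain, and links whose hosts only resemble a trusted domain. The trusted domains, executive names, and sample message are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example (not real data): domains the organisation treats
# as its own or trusted, executive names attackers borrow for display-name
# spoofing, and extensions that should never arrive as a plain attachment.
TRUSTED_DOMAINS = {"example-corp.com", "example-bank.com"}
EXECUTIVE_NAMES = {"jane doe"}
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Naive 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_attachment_name(name):
    """Flag names built to hide the real extension or carrying an executable one."""
    findings = []
    if len(name) > 60:
        findings.append("long filename can push the real extension out of view")
    stem, _, ext = name.lower().rpartition(".")
    if ext in RISKY_EXTENSIONS:
        findings.append("executable extension ." + ext)
        if "." in stem:
            findings.append("double extension disguises an executable as a document")
    return findings

def check_sender(from_header):
    """Flag a display name matching an executive while the address is external."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if display.strip().lower() in EXECUTIVE_NAMES and registered_domain(domain) not in TRUSTED_DOMAINS:
        return ["display name '%s' spoofs an executive but address is @%s" % (display, domain)]
    return []

def check_url(url):
    """Flag links whose host only resembles a trusted domain."""
    host = (urlparse(url).hostname or "").lower()
    reg = registered_domain(host)
    findings = []
    if reg not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if trusted in host:
                findings.append("trusted name '%s' embedded under '%s'" % (trusted, reg))
            elif edit_distance(reg, trusted) <= 2:
                findings.append("'%s' is a lookalike of '%s'" % (reg, trusted))
    return findings

def triage_email(raw):
    """Parse a raw RFC 5322 message and return {source: [findings]}."""
    msg = message_from_string(raw, policy=default)
    report = {}
    hits = check_sender(str(msg["From"] or ""))
    if hits:
        report["From"] = hits
    body = msg.get_body(preferencelist=("plain",))
    for url in URL_RE.findall(body.get_content() if body else ""):
        hits = check_url(url)
        if hits:
            report[url] = hits
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hits = check_attachment_name(name)
        if hits:
            report[name] = hits
    return report

# Constructed sample message combining all three tricks.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@mail-relay-example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your account will be locked. Verify now at
https://example-bank.com.secure-login.net/verify
or use https://examp1e-bank.com/login if the first link is slow.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Quarterly_Financial_Report_Final_Version_Approved_by_Finance_Department_2019.pdf.exe"

AAAA
--b1--
"""
```

Calling `triage_email(SAMPLE_EMAIL)` reports all three tricks; a mail gateway would feed each inbound message through the same function.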
A whaling attack is a type of phishing attack that targets high-profile executives, such as CEOs, CFOs, politicians, and celebrities, who have complete access to highly confidential and valuable information. It's a social engineering trick in which the attacker convinces the victim to reveal critical corporate and personal information (such as bank account details, employee details, customer information, and credit card numbers). Whaling differs from phishing in that whaling is meticulously prepared and focused on someone in executive leadership.
Pharming is a social engineering technique in which an attacker installs malicious software on a victim's computer or server, which automatically redirects the victim's traffic to an attacker-controlled website when the victim types in any URL or domain name. The attacker steals personal information, such as passwords, banking information, and other data related to web-based services.
There are two ways to carry out a pharming attack:
Malware such as trojan horses and worms can also be used in pharming attacks.
Spam over Instant Messaging (SPIM) takes advantage of instant messaging networks to disseminate spam. A spimmer is a spammer who sends spam via instant messenger. Spimmers typically acquire instant message IDs and send spam messages to them using bots (an application that performs automated activities via the network).
SPIM messages, like email spam, frequently include attachments or embedded hyperlinks that contain ads and viruses. When the user opens the attachment, they are routed to a malicious website that collects financial and personal information, such as login passwords, bank account information, and credit card information.
Attackers can employ phishing tools to create bogus login pages to steal usernames and passwords, send faked emails, and collect the victim's IP address and session cookies. The attacker can then use this information to impersonate a legitimate user and launch other attacks against the target organization:
Let's discuss another aspect of social engineering, mobile-based.
Mobile applications are used by attackers to conduct mobile-based social engineering.
Attackers deceive users by copying popular apps and creating harmful mobile apps with appealing features, which they then upload to the major app stores under the same name. Users download the dangerous program unwittingly, allowing the malware to infect their smartphone.
The following are some of the methods used by attackers to undertake mobile-based social engineering.
In mobile-based social engineering, the attacker uses malicious mobile apps to carry out a social engineering attack. The attacker first produces the malicious program—for example, a game app—and then publishes it on major app stores under well-known brands. Unaware of the malicious program, a user will install it on their phone, assuming it to be legitimate. The device is infected with malware once the software is installed, which sends the user's credentials (usernames, passwords), contact information, and other information to the attacker.
To accomplish mobile-based social engineering, attackers may send a false security application. In this attack, the attacker first sends malicious content to the victim's computer to infect it.
Next, they upload a malicious app to an app store. When the victim logs into their bank account, malware in the system displays a pop-up message instructing them to download an app to their phone to receive security messages. The victim believes they are getting a legitimate app when they download it from the attacker's app store. The attacker collects confidential information, such as the user's bank account login details (username and password), after which the bank sends the victim a second authentication by SMS. The attacker uses this information to gain access to the victim's bank account.
In SMS phishing (SMiShing), the SMS text messaging system is used to lure users into taking immediate action, such as downloading malware, visiting a malicious web page, or calling a fraudulent phone number. The messages are deliberately crafted to provoke that instant reaction.
Consider Tracy, a software developer at a reputable firm. She receives an SMS that appears to come from her bank's security department, urgently requesting that she call the phone number in the message right away. Concerned, she calls to check on her account, assuming the number belongs to the bank's customer service. A recorded message asks for her credit or debit card number and password. Since Tracy believes the message to be legitimate, she shares her personal information.
A message may also say the user has won money or been chosen at random as a lucky winner, and all they must do is pay a small fee and disclose their email address, phone number, or other personal information.
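The traits that make these messages work (urgency, a call-back number or link, a request for card or account details, a prize lure) are also what a defender can look for mechanically in a corporate SMS gateway or a user-reported-message triage queue. The following Python is an added example, not code from the book; the indicator patterns, their weights and the threshold are assumptions chosen for illustration, and the four message bodies are constructed samples.

```python
import re

# Constructed sample SMS bodies (not from the book), used to exercise the scorer.
SAMPLE_MESSAGES = [
    "URGENT: Your bank account has been suspended. Call 555-0142 immediately "
    "to verify your card number and PIN.",
    "Congratulations! You have been chosen as a lucky winner. Pay a small $2 fee "
    "at http://prize-claim.example to receive your reward.",
    "Hi, running 10 minutes late for lunch, order me the usual please.",
    "Your parcel is waiting. Confirm delivery at http://track.example/x",
]

# Each indicator is (name, compiled pattern, weight). The weights are an
# assumption for illustration, not a calibrated model.
INDICATORS = [
    ("urgency", re.compile(
        r"\b(urgent|immediately|right away|within 24 hours|suspended|locked)\b", re.I), 2),
    ("credential_request", re.compile(
        r"\b(card number|pin|password|ssn|social security|verify your)\b", re.I), 3),
    ("prize_lure", re.compile(
        r"\b(winner|won|prize|reward|congratulations)\b", re.I), 2),
    ("payment_request", re.compile(r"\b(fee|pay|payment)\b", re.I), 1),
    ("callback_number", re.compile(r"\b\d{3}-\d{4}\b|\b\d{3}-\d{3}-\d{4}\b"), 1),
    ("link", re.compile(r"https?://\S+", re.I), 1),
]

THRESHOLD = 4  # assumption: a score at or above this is flagged for review


def score_message(text):
    """Return (score, [matched indicator names]) for one SMS body."""
    score = 0
    matched = []
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            score += weight
            matched.append(name)
    return score, matched


def is_suspicious(text, threshold=THRESHOLD):
    """True when the weighted indicator score reaches the review threshold."""
    return score_message(text)[0] >= threshold


def triage(messages):
    """Classify a batch of messages; the records are suitable for a SIEM feed."""
    report = []
    for body in messages:
        score, matched = score_message(body)
        report.append({"text": body, "score": score,
                       "indicators": matched, "suspicious": score >= THRESHOLD})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES):
        print(row["score"], row["suspicious"], row["indicators"])
```

Scoring several weak signals together, rather than blocking on any one of them, keeps a genuine "running late" text from being flagged while a message that combines urgency with a request for card details is caught. In the constructed samples the bank-suspension text scores 6 and the prize lure scores 4, so both are flagged; the two benign texts score 0 and 1.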
Another important aspect of social engineering is threats that come from within an organization or business. Let's talk more about that next.
An insider is a trusted employee who has access to an organization's most valuable assets. An insider attack is the use of that privileged access to intentionally harm the organization's data or information systems. Insiders can easily circumvent security measures, tamper with valuable resources, and reach sensitive data. Insider attacks can cost the organization a great deal of money, and they are especially dangerous because they are simple to launch and hard to detect.
Insider attacks are generally performed by the following:
Credit card firms, healthcare companies, network service providers, and financial and exchange service providers are all targets for insider attacks.
The following are a few reasons for these attacks:
Insider threats can be divided into four categories:
Here are some reasons an insider attack is so effective:
Let's understand this with the help of an example.
The Dissatisfied Employee
This individual tends to be introverted, unable to manage stress, in conflict with management, frustrated with their job or office politics, seeking respect or a promotion, or may have been transferred, demoted, or issued an employment termination notice. Employees who are dissatisfied with their jobs may sell company secrets and intellectual property to competitors for monetary gain, causing the company to suffer.
Disgruntled employees can use steganography applications to hide company secrets inside an innocuous-looking file, such as a photograph, image, or sound file, and then send it to competitors from a work email account. Because the stolen information is hidden inside an ordinary-looking picture, no one suspects them.
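The crudest form of the technique described above simply appends the secret after the image's end-of-file marker, which image viewers ignore and which survives most mail systems untouched. An outbound-mail or DLP filter can catch that case by parsing the container and checking for data past its logical end. The following Python is an added example, not code from the book or any named product; the PNG and JPEG sample inputs are constructed inside the code, and the JPEG helper builds a skeleton that is structurally valid for the parser but not a viewable picture.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC over type and data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png():
    """Constructed 1x1 grayscale PNG, used only as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    raw = b"\x00\x00"                                    # filter byte + one pixel
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


def make_minimal_jpeg():
    """Constructed JPEG skeleton (SOI, APP0, SOS with a few entropy-coded bytes,
    EOI). Not a decodable picture; it only exercises the segment walker."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\x56\x78"   # FF 00 is a stuffed byte, not a marker
    return b"\xff\xd8" + app0 + sos + entropy + b"\xff\xd9"


def png_payload_end(data):
    """Offset just past the IEND chunk, or None if this is not a well-formed PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length              # 8-byte header + data + 4-byte CRC
        if end > len(data):
            return None                      # truncated chunk
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_payload_end(data):
    """Offset just past the End-Of-Image marker. Segments are walked so that an
    FF D9 inside appended data or an embedded thumbnail is not mistaken for the
    real EOI. Returns None for malformed input."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return None
        while pos < len(data) and data[pos] == 0xFF:   # skip fill bytes
            pos += 1
        if pos >= len(data):
            return None
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                              # EOI
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                                    # standalone markers, no length
        if pos + 2 > len(data):
            return None
        pos += struct.unpack(">H", data[pos:pos + 2])[0]   # length includes itself
        if marker == 0xDA:                              # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def trailing_bytes(data):
    """Bytes after the image's logical end (b'' if none). Raises ValueError for
    unrecognised or malformed files so a gateway can quarantine rather than pass them."""
    end = png_payload_end(data) if data.startswith(PNG_SIGNATURE) else jpeg_payload_end(data)
    if end is None:
        raise ValueError("not a well-formed PNG or JPEG")
    return data[end:]


def scan_attachment(name, data, max_trailing=0):
    """Result record for one attachment; flag is True when trailing data exceeds the allowance."""
    trailing = trailing_bytes(data)
    return {"name": name, "trailing_bytes": len(trailing), "flag": len(trailing) > max_trailing}
```

This check only catches data appended after the image; steganography that spreads the secret through pixel values (LSB embedding and similar) leaves a structurally clean file and needs statistical analysis or a policy that re-encodes outbound images. Treating files the parser cannot walk as suspicious, rather than passing them, is deliberate: a malformed "picture" is itself worth a look.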
Insider threat behavioral indicators are actions that are unusual for the individual and contrast with their normal behavior and work activity. Such atypical patterns need to be investigated further to determine whether malicious motives lie behind them. A lack of employee awareness of security procedures is the most common indicator of insider threat.
Insider threats can be identified through a variety of behaviors:
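Behavioral indicators of this kind are most useful when they are measured against a user's own baseline rather than a fixed rule for everyone, and file-access logs give a defender enough to start. The following Python is an added example, not code from the book; the log lines are constructed, and the off-hours window (22:00 to 06:00), the volume factor and the notion of a user's "usual area" are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed access-log lines (not from the book): ISO timestamp, user,
# action, resource path, megabytes transferred.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice download /projects/alpha/spec.docx 2
2024-03-04T10:40:00 alice download /projects/alpha/budget.xlsx 1
2024-03-05T09:05:00 alice download /projects/alpha/notes.txt 1
2024-03-05T14:20:00 alice download /projects/alpha/design.pdf 3
2024-03-06T09:30:00 alice download /projects/alpha/spec.docx 2
2024-03-06T11:00:00 alice download /projects/alpha/design.pdf 3
2024-03-07T23:45:00 alice download /hr/salaries.xlsx 40
2024-03-07T23:50:00 alice download /projects/beta/source.zip 310
2024-03-04T08:50:00 bob download /projects/beta/source.zip 300
2024-03-05T08:55:00 bob download /projects/beta/source.zip 300
2024-03-06T09:10:00 bob download /projects/beta/source.zip 300
2024-03-07T09:00:00 bob download /projects/beta/source.zip 300
"""

OFF_HOURS = (22, 6)     # assumption: 22:00 to 06:00 is outside normal working hours
VOLUME_FACTOR = 3.0     # assumption: a day above 3x the user's median volume is anomalous


def parse_log(text):
    """Turn the whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, mb = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "mb": int(mb)})
    return events


def is_off_hours(ts):
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def top_level(resource):
    """First path component, e.g. 'projects' or 'hr', used as the access area."""
    return resource.split("/")[1]


def daily_volumes(events):
    vol = defaultdict(lambda: defaultdict(int))
    for e in events:
        vol[e["user"]][e["ts"].date()] += e["mb"]
    return vol


def find_indicators(events):
    """Return (user, when, indicator, detail) tuples for behaviour that departs
    from the user's own working-hours baseline."""
    findings = []
    # Baseline: the areas each user touches during working hours.
    usual_areas = defaultdict(set)
    for e in events:
        if not is_off_hours(e["ts"]):
            usual_areas[e["user"]].add(top_level(e["resource"]))
    for e in events:
        if is_off_hours(e["ts"]):
            findings.append((e["user"], e["ts"].isoformat(), "off_hours_access", e["resource"]))
        if top_level(e["resource"]) not in usual_areas[e["user"]]:
            findings.append((e["user"], e["ts"].isoformat(), "unusual_area", e["resource"]))
    # Volume spike relative to the user's own median daily transfer.
    for user, days in daily_volumes(events).items():
        base = median(days.values())
        for day, mb in days.items():
            if mb > VOLUME_FACTOR * base:
                findings.append((user, day.isoformat(), "volume_spike",
                                 f"{mb}MB vs median {base}MB"))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Using each user's own median keeps bob, who moves 300 MB every morning as part of his job, out of the results, while alice's late-night visit to an HR share and a 350 MB day against a median of a few megabytes produce four findings. Each finding is a prompt to investigate, not a verdict; the text above is right that these patterns need follow-up before anyone concludes there is malicious intent.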
Let's elaborate a bit more on the last point that we have discussed.
Because social networking sites such as Facebook, Twitter, and LinkedIn are so popular, attackers use them to impersonate people. An attacker can attack in two ways:
Because people post personal and professional information on social networking sites, such as name, address, cell phone number, date of birth, project details, job title, company name, and location, attackers have a gold mine of information to work with. The more information people reveal on social networking sites, the more likely an attacker will be able to impersonate them and conduct attacks against them, their associates, or their company. Attackers may also attempt to extract corporate data by joining the target organization's employee groups.
Organizational facts, professional details, contacts, connections, and personal details are among the types of information that attackers obtain through social networking sites, which they then use to carry out other types of social engineering attacks.
Facebook is a popular social networking platform that brings people together. It's popular among friends who post comments and upload images, videos, and links. Attackers employ nicknames or aliases instead of real identities to spoof Facebook members. They create fictitious identities and try to add friends to access other people's profiles and obtain sensitive information.
Some methods taken by an attacker to persuade a victim to give sensitive information are as follows:
Attackers can also make a false account and scan the information on various targets' profile pages on other social networking sites, such as LinkedIn and Twitter, to engage in spear phishing, impersonation, and identity theft.
Private and corporate users should be aware of the following social and technical security threats before sharing data on a social networking site or expanding their channels, groups, or profiles:
So, now that we understand some of the threats that we face, let's next talk about how attackers use the information they gather to steal someone's identity.
Many consumers today are victims of identity theft, so much so that some state legislators in the United States have passed legislation prohibiting the use or disclosure of a person's Social Security number (SSN) during the recruitment process. Identity theft is constantly in the news. Companies should be educated about identity theft so that their own anti-fraud activities are not jeopardized.
Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.
The Identity Theft and Assumption Deterrence Act of 1998, enforced by the Federal Trade Commission, makes the theft of personal information with the intent to commit an unlawful act a federal crime in the United States with penalties of up to 25 years' imprisonment and a maximum fine of $250,000.
Identity thieves steal the following types of personally identifiable information:
The attacker steals people's identities to commit fraud, such as the following:
Let's look at the various forms of identity theft.
Identity theft is on the rise, and thieves continually devise new methods and tactics to obtain various types of target data.
Some of the methods by which attackers steal targets' identities to allow them to commit fraud and other criminal activities are as follows:
People often don't realize they have been the victim of identity theft until they start having unexpected and unauthorized problems. As a result, it is critical that people are aware of the warning signs that their identities have been compromised.
Some of the indications of identity theft are as follows:
So, what can we do to protect ourselves and minimize our vulnerability to social engineering? Let's discuss that next.
To gain access to the targeted company's information resources, social engineers exploit human behavior (such as politeness, enthusiasm for work, laziness, or naivety). Social engineering attacks are difficult to detect, since the victim may be unaware that they have been deceived. They are much like the other types of attacks used to gain access to a company's sensitive data. To protect itself from social engineering attacks, a corporation must assess the danger of various types of attacks, calculate potential damages, and raise awareness among its staff.
Social engineering techniques are used by attackers to persuade people to give up secret information about their businesses. They employ social engineering to commit fraud, identity theft, industrial espionage, and other nefarious activities. Organizations must build effective policies and processes to protect themselves from social engineering attacks; yet simply developing them is not enough.
To be effective, a company should do the following:
The major goals of social engineering defense methods are user awareness, effective internal network controls, and security policies, procedures, and processes.
Official security rules and procedures help users make the best security decisions. The following safeguards should be included.
Password rules with the following guidelines aid password security:
Password security policies frequently contain recommendations for effective password management, such as the following:
The following areas are covered by physical security policies:
To maximize effectiveness against social engineering attacks, we must be intentional and deliberate about having a strong plan in place:
Insiders are responsible for most data breaches, and such breaches are even more difficult to detect and prevent. Insiders are usually aware of the organization's security flaws, which they exploit. Insider threats can be used to steal confidential information, so it is critical to handle them cautiously. They are difficult to stop and can result in significant financial losses and business disruption.
The following are some ways of detecting insider threats.
For security professionals, insider data risk adds another degree of complication. It requires a security infrastructure that allows effective monitoring of user permissions, access controls, and user actions.
The organization's security framework must include safeguards, follow the recommendations of employees and IT professionals, establish a separation of roles, and assign privileges accordingly. These security policies eliminate or minimize the security risks to the organization's key assets.
Data Loss Prevention (DLP) is one of the deterrent controls that security professionals must have in place to prevent insider threats. Identity and Access Management (IAM) is another.
The following are some of the deterrent controls.
DLP tools:
IAM tools:
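A DLP control of the kind mentioned above inspects outbound content for the personally identifiable information that identity thieves target, such as the Social Security and card numbers discussed earlier in this chapter, and blocks or redacts before the message leaves. The following Python is an added example, not code from the book or any DLP product; the outbound message is constructed, and the SSN plausibility rules and the block threshold are assumptions for illustration.

```python
import re

# Constructed outbound message (not from the book). It mixes real PII formats
# with look-alike numbers so that the validation steps matter.
SAMPLE_OUTBOUND = """\
Hi, here are the onboarding details we discussed.
SSN 078-05-1120, corporate card 4111 1111 1111 1111, expires 12/27.
Tracking number 4111 1111 1111 1112 is a parcel, not a card.
Ticket 000-12-3456 is a helpdesk reference. Call 555-0199 with questions.
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum; filters out tracking numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Assumed structural rules: area not 000/666/900+, group and serial not zero."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_pii(text):
    """Return findings of the form {"type", "value", "start"} for SSNs and cards."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append({"type": "ssn", "value": m.group(0), "start": m.start()})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({"type": "card", "value": m.group(0), "start": m.start()})
    return findings


def redact(text):
    """Replace each finding with a marker, working from the end so offsets stay valid."""
    out = text
    for f in sorted(find_pii(text), key=lambda f: f["start"], reverse=True):
        marker = "[" + f["type"].upper() + " REDACTED]"
        out = out[:f["start"]] + marker + out[f["start"] + len(f["value"]):]
    return out


def dlp_decision(text, block_threshold=1):
    """'block' when the number of findings reaches the threshold (an assumption), else 'allow'."""
    findings = find_pii(text)
    return ("block" if len(findings) >= block_threshold else "allow"), findings


if __name__ == "__main__":
    verdict, hits = dlp_decision(SAMPLE_OUTBOUND)
    print(verdict, [h["type"] for h in hits])
    print(redact(SAMPLE_OUTBOUND))
```

The validation steps are what separate a usable control from one that users learn to ignore: the Luhn check drops the parcel number, and the SSN structure check drops the helpdesk ticket, so only the two genuine items are flagged and redacted. In practice the decision would also take context into account (recipient domain, encryption, business justification) rather than blocking on a bare count.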
Insider threats can be prevented or minimized by implementing the following safety measures:
The following are several safeguards that, if implemented, will lessen the likelihood of identity theft:
The following are some additional anti-identity theft safeguards:
Here are some additional ways and tools to protect yourself from attacks.
Netcraft: https://toolbar.netcraft.com
The Netcraft anti-phishing community is a massive neighborhood watch program that empowers the most vigilant and knowledgeable members to protect everyone in the community against phishing attacks. The Netcraft toolbar keeps users informed of security issues on the sites they visit regularly and filters harmful sites. It also displays useful information about well-known websites, which will help you make an informed decision about a site's integrity.
PhishTank: https://phishtank.com
PhishTank is an online collaborative repository of phishing data. Developers and researchers can use its open API to integrate anti-phishing data into their programs.
Social Engineering Toolkit (SET): https://www.trustedsec.com
SET is an open source, Python-based framework for social engineering penetration testing. It is a general-purpose toolkit that can be used to carry out advanced attacks against humans in order to breach a target and induce them to disclose sensitive information. SET attacks are classified by the attack vector used to deceive the target: email, web, and USB. The toolkit exploits human vulnerability, taking advantage of people's trusting, fearful, greedy, and helpful natures.
The goal of running phishing campaigns against a client's employees is to measure their susceptibility to phishing attacks and to help the client reduce the risk that arises when employees fall prey to them.
OhPhish: https://ciso.eccouncil.org/phishing-solutions/
OhPhish is a web-based tool for determining whether employees are vulnerable to social engineering attacks. It is a phishing simulation tool that gives businesses a platform to run phishing simulation campaigns against their staff. The platform records the responses and provides management with reporting.
OhPhish can be used to test an organization's resilience to phishing attacks using a variety of phishing techniques, such as enticing users to click, credential harvesting, sending attachments, training, vishing, and smishing.
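A simulation platform of this kind records, per recipient, whether the message was sent, opened, clicked, whether credentials were submitted, and whether the employee reported it; the numbers that steer a training programme are derived from those events. The following Python is an added example, not OhPhish's or the book's code; the event log is constructed, and the click-rate target used to pick departments for follow-up is an assumption.

```python
from collections import defaultdict

# Constructed campaign event log (not from the book or any platform):
# (employee id, department, event) in order of occurrence.
SAMPLE_EVENTS = [
    ("e001", "finance", "sent"), ("e001", "finance", "opened"),
    ("e001", "finance", "clicked"), ("e001", "finance", "submitted"),
    ("e002", "finance", "sent"), ("e002", "finance", "opened"),
    ("e002", "finance", "reported"),
    ("e003", "finance", "sent"),
    ("e004", "eng", "sent"), ("e004", "eng", "opened"),
    ("e004", "eng", "clicked"), ("e004", "eng", "reported"),
    ("e005", "eng", "sent"), ("e005", "eng", "reported"),
]


def per_recipient(events):
    """Group the event stream by employee, keeping event order."""
    state = {}
    for emp, dept, ev in events:
        rec = state.setdefault(emp, {"dept": dept, "events": []})
        rec["events"].append(ev)
    return state


def campaign_metrics(events):
    """Per-department funnel counts plus click and report rates.

    'reported_before_click' counts employees who reported the message without
    clicking, or reported before they clicked, which is the behaviour training
    aims to grow."""
    by_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0,
                                   "reported": 0, "reported_before_click": 0})
    for rec in per_recipient(events).values():
        d = by_dept[rec["dept"]]
        evs = rec["events"]
        d["sent"] += 1
        if "clicked" in evs:
            d["clicked"] += 1
        if "submitted" in evs:
            d["submitted"] += 1
        if "reported" in evs:
            d["reported"] += 1
            if "clicked" not in evs or evs.index("reported") < evs.index("clicked"):
                d["reported_before_click"] += 1
    result = {}
    for dept, d in by_dept.items():
        result[dept] = {**d,
                        "click_rate": round(d["clicked"] / d["sent"], 3),
                        "report_rate": round(d["reported"] / d["sent"], 3)}
    return result


def priority_departments(metrics, max_click_rate):
    """Departments whose click rate exceeds the target; candidates for targeted training."""
    return sorted(dept for dept, m in metrics.items() if m["click_rate"] > max_click_rate)


if __name__ == "__main__":
    metrics = campaign_metrics(SAMPLE_EVENTS)
    for dept, m in metrics.items():
        print(dept, m)
    print("follow up:", priority_departments(metrics, max_click_rate=0.4))
```

Click rate alone rewards the wrong thing; the report rate, and especially reports that arrive before any click, show whether the awareness message is landing. In the constructed data, engineering has the higher click rate but also reports every message, which is a different conversation from finance, where one employee submitted credentials and one never opened the mail at all.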
You have been given some great tools and insight into identifying and countering social engineering attacks. Having a plan and educating your employees is critical to raising awareness of all the different ways a social engineer can attack.
This chapter covered the fundamentals of social engineering as well as the many stages of a social engineering attack. It also covered a variety of people-based, computer-based, and mobile-based social engineering strategies. Insider threats, including the different kinds of insider threats, were explored here. We presented an outline of social networking site impersonation and also went over the many sorts of identity theft. The chapter concluded with a detailed explanation of numerous warning indicators to look for and actions to take to protect yourself from social engineering attacks, insider threats, and identity theft.
In the next chapter, we will be discussing the process of sniffing.
As we conclude, here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:
If you want to dive further down the rabbit hole with social engineering, I suggest you visit the Security Through Education website at https://www.social-engineer.org/, which is a great online resource for frameworks, podcasts, and other resources.