What is social engineering?
Social engineering is a malicious practice that aims to manipulate an individual or a company into carrying out actions without being aware of the consequences.
Being persuasive and instilling trust in the exchange is essential to lowering the victim's vigilance.
Hackers use this practice regularly. To make the attacks credible, they can be conducted through several channels, such as SMS, email, or even phone calls.
Types of social engineering attacks
There are various types of social engineering attacks, some of which have existed since the dawn of time. Scammers did not wait for technological advancements before putting their schemes into action.
In this section, we will discuss the techniques commonly used in the context of cyberattacks.
- Direct contact
Some attacks may involve direct contact with the victim. In a face-to-face exchange, the victim tends to be more trusting and therefore more vulnerable.
This attack can be combined with other channels of communication (email, SMS, phone) to give credibility to the individual's identity.
A malicious individual can infiltrate your premises under the pretext of a job interview or by impersonating a new recruit.
- Postal mail
Social engineering can also be accomplished through the use of postal mail. In order to compromise you, the hacker sends a false letter impersonating a person or company. The spoofed company's address and logo may appear on the letter you receive.
Imagine receiving a letter from your bank accompanied by the logo and all the information relating to the agency. You will certainly place more trust in this letter.
- Phishing
Phishing is a fraudulent practice that aims to obtain personal information such as identity documents, bank details, and passwords. The hacker impersonates a company whose services you use (e.g. Google, Binance, LinkedIn).
Phishing is typically carried out via email, with the recipient being asked to open an attachment or click on a link.
- Smishing
Smishing or SMS-phishing is a type of phishing in which the hacker conducts the attack via SMS rather than email. Smishing is also associated with the use of instant messaging apps.
- Vishing
Vishing or voice phishing is also a type of phishing; it aims to collect sensitive information or have the victim perform compromising actions through a phone call or voice message.
Principles of social engineering
Social engineering exploits human psychology to encourage you to perform the actions necessary for the attack, such as opening an email or a link.
The hacker uses interpersonal skills to bypass the victim's rational judgement. The following attack scenarios illustrate the different psychological levers used.
- Altruism or the desire to help: Imagine a person, arms loaded with an impressive cardboard box, waiting outside your company's door. He asks you to open the door for him because he cannot do it while carrying a package that looks heavy and cumbersome. This technique allows the person to gain access to normally secure places by taking advantage of your desire to help.
- Curiosity: You receive an email with the title "Annual increases". These bonuses, of which you were unaware, arouse your curiosity, which unconsciously encourages you to click on the booby-trapped links in the email.
- Sense of responsibility: Imagine receiving an email notifying you of an important update for critical software you are using. The email emphasizes the importance of deploying this update for the good and integrity of your company, stating unequivocally that everyone is responsible for the security of their workstation. Because you feel responsible, you will be more inclined to open the attachment and install this update.
- Urgency: You receive an SMS indicating that your password is about to expire. It says that unless you change it, you will lose your access. Like many people, if you lose access to your emails, you could lose a considerable amount of time from your already busy workday. Faced with an emergency, some people act without thinking and forget to apply security procedures.
- Hierarchical pressure: Imagine that you receive a call from your angry superior, who tells you that he has problems and therefore asks you, as an exception, to make a transfer to an external account. Your caller insists on the urgency of the situation, stating that if he is unable to board his flight, a sale with a significant client may be jeopardized. Faced with the pressure exerted by your superior and the exceptional situation, you are likely to go beyond the protocols.
- Pride: Imagine receiving an email from the human resources department that wants to showcase you following your results for the month. The email indicates that they need some information on your sales process and asks whether you can answer a few questions to explain to your colleagues the techniques that make you so efficient. Answering those questions risks having information about your sales process stolen from you.
- Trust in the interlocutor: Clothing, body language and the environment are factors that arouse trust or mistrust. A person in a suit, blending in with a group of bankers returning from their coffee break, can pass through the bank's security gate by blending in with the crowd.
- Fear: You receive an email asking you to change your password following recent cyberattacks. Such attacks are very common in many sectors, and you have probably read several articles describing the serious consequences they can have. The fear of being attacked will potentially make you change your password in a hurry without checking the veracity of the email.
The attack is more likely to succeed when the victim is isolated, such as working from home. Indeed, it is more difficult for an isolated person to request verification or confirmation from a colleague without using a potentially already compromised communication channel.
During a targeted attack, the hacker learns about the target and their schedule, and can choose a time when the target will be isolated and therefore more vulnerable.
Examples of social engineering attacks
Social engineering attacks are many and varied. There are multiple possible scenarios.
- Delivery of infected CDs
In Japan, hackers used a delivery service to send infected CDs to individuals. They first stole a database from a Japanese bank and harvested customer addresses from it. The CDs they then delivered contained a Trojan horse designed to steal the recipients' bank details.
- The exceptional attack on an American journalist
In 2012, an American journalist, Mat Honan, was hacked on several different channels. First, the hacker called Amazon customer service to add a credit card to his Amazon account. Because this operation did not pose a significant risk, Amazon added the card without much suspicion.
From there, the hacker called the company back, explaining that he had lost access to his account. Amazon asked him a few questions as proof of identity, including the last 4 digits of a credit card associated with the account. The hacker simply gave the last digits of the card he had just added.
Once the hacker gained full access to the Amazon account, he was able to retrieve additional information such as the numbers of other bank cards present, secondary emails, and so on.
He then reset the iCloud account credentials using information collected through Amazon. The hacker used the email, the last 4 digits of the credit card and the billing address of the account.
The hacker gained access to the journalist's Google and Twitter accounts via the iCloud account, allowing him to post racist and homophobic remarks. He then erased data from Mat Honan's iPad, iPhone and MacBook.
Starting from a trivial action, the hacker compromised accounts of increasing criticality, with disastrous consequences.
- Associated Press and the Dow Jones stock market crash
In 2013, a group of hackers attacked the Associated Press using social engineering. The attack caused the US stock market to fall by $136 billion.
The attack was a phishing email; an employee clicked on a link contained in a fraudulent email.
The hackers gained access to the Associated Press Twitter account. They then published a fake article about an explosion at the White House, causing the Dow Jones to fall 150 points.
A Syrian group called "Syrian Electronic Army" later claimed responsibility for the attack without providing any evidence.
Tips to protect yourself from social engineering attacks
It should not be forgotten that humans are the first line of defense against any social engineering attack. Several practices should be put in place to protect your employees and your company:
- Have strict security protocols for the various actions that present a potential danger, such as the installation of software, a contact claiming an emergency, security operations and the sharing of confidential information.
- Check the source of the various contacts. Are the sender's domain name and the origin of the email consistent with the message received?
- Train and educate employees through social engineering simulations such as phishing or smishing tests. They must learn how to identify a malicious contact and escalate it to the company's security department. Running tests under conditions identical to a real attack builds reflexes and the habit of applying security protocols even under a strong emotional response.
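The check suggested above (is the sender's domain consistent with the message?) and the phishing pattern described earlier (an email that asks you to click a link) can both be made concrete with a small triage script. The following is an added example, not code from the original article: it parses one constructed raw email and reports the inconsistencies a reviewer looks for, namely a From: domain that differs from Return-Path: or Reply-To:, a sender domain that imitates a trusted one through confusable characters ("rn" for "m"), and links whose visible text names a different host than the real href. The trusted domain `mybank.example`, the confusables table and every address in the sample are assumptions made up for the example; only the Python standard library is used.

```python
"""Triage checks for a suspected phishing email (standard library only).

Added illustration for the article's advice to check the source of a
contact; not code from the original page. Every address, domain and
message below is constructed for the example.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation legitimately receives mail from (constructed).
KNOWN_DOMAINS = {"mybank.example"}

# Character sequences that are swapped in because they read alike.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Constructed sample message: lookalike sender, mismatched envelope and
# reply addresses, and a link whose visible text is not where it goes.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-campaign.example>
From: "MyBank Security" <security@rnybank.example>
Reply-To: recover@accounts-helpdesk.example
To: employee@example.org
Subject: Your password is about to expire
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. To keep your access, sign in now:</p>
<a href="http://login.accounts-helpdesk.example/x">https://www.mybank.example/login</a>
</body></html>
"""


def domain_of(value):
    """Lower-cased host of an e-mail address or URL; '' if it is neither."""
    value = value.strip().strip("<>")
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return host.lower() if re.fullmatch(r"[\w-]+(\.[\w-]+)+", host) else ""


def normalise(domain):
    """Collapse confusable sequences so 'rnybank' compares equal to 'mybank'."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None."""
    for k in known:
        if domain == k or domain.endswith("." + k):
            return None  # genuinely under the trusted domain
    norm = normalise(domain)
    for k in known:
        brand = k.split(".")[0]
        if norm == k or norm.endswith("." + k) or brand in norm:
            return k
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw):
    """Return a list of human-readable inconsistencies found in `raw`."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(parseaddr(str(msg["From"]))[1])
    # Envelope sender and reply address should belong to the same domain.
    for hdr in ("Return-Path", "Reply-To"):
        if msg[hdr]:
            dom = domain_of(parseaddr(str(msg[hdr]))[1])
            if dom != from_dom:
                findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    brand = lookalike_of(from_dom)
    if brand:
        findings.append(f"From domain {from_dom} looks like trusted {brand}")
    # Links: the host a reader sees must be the host the browser will open.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown, target = domain_of(text), domain_of(href)
            if shown and target and shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
            if lookalike_of(target):
                findings.append(f"link target {target} looks like trusted {lookalike_of(target)}")
    return findings


if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL):
        print("!", line)
```

Run against the sample, `analyse` reports four findings: the Return-Path and Reply-To domains differ from the From domain, the From domain `rnybank.example` imitates `mybank.example`, and the link shows `www.mybank.example` while pointing at `login.accounts-helpdesk.example`. None of these alone proves fraud (mailing-list providers legitimately use a different Return-Path, for instance), which is why the script returns the findings for a human to weigh rather than a verdict, and why the article's advice to escalate to the security department still applies.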