Common Social Engineering Tactics used by Attackers

We run on our emotions because we are humans…

But the attackers who are good at Social Engineering, can exploit us by manipulate our emotional responses to further their own agenda. Being a cybersecurity professional you would endorse the fact that the weakest link of entire cybersecurity chain is the HUMAN…

Let us have a look at some common social engineering tactics used by attackers:

1. PRETEXTING
Pretexting is used in almost every other type of social engineering attack. It is the ART OF LYING to obtain privileged data, typically by researching a person to impersonate them. This may include knowing personal details such as their social security number, date of birth, or their wife’s name. The idea behind pretexting is to establish legitimacy early in an attack.

2. PHISHING
Phishing is one of the MOST common social engineering techniques today and it relies on sending out high numbers of emails. This type of attack is based on tricking people into personally giving away their money or data. For example in 2017 , there was a surge of Netflix users receiving emails saying that their accounts had been suspended due to a billing error. In the body of the email there was a link that directed users to a site looking eerily similar to that of Netflix’s login page. The result was that a large number of Netflix users unknowingly handed over their login credentials and credit card information to the attackers.

3. SPEAR PHISHING
Spear phishing is a selective form of phishing, typically using pretexting to individualize an email before sending it out to a HAND-PICKED person or group of people. It is quite well targeted phishing attack. Spear phishing requires much more effort on behalf of the perpetrator and may take weeks and months to pull off. They’re much harder to detect and have better success rates if done skillfully.

These e-mails are being spoofed to appear as if they are coming from a known contact. For example, in some attacks, employees have received emails seemingly coming from none other than the CEO of the corporation the employee works for.

A common mode of impersonation attacks is Business Email Compromise (BEC) or "CEO fraud" that continues to manipulate companies by using false identities. This can severely damage a company’s reputation.

4. VISHING
Vishing is one of the most famous (or infamous) social engineering tactic. It is the practice of using phone calls and voice messages to obtain access or data. Impersonation is much easier on a phone than in real life and malicious actors are aware of this. Most banks advise their customers to be beware of such calls or voice messages on frequent basis.

5. WATERING HOLE
Watering Hole (or waterhole attack) is the act of placing malicious code into public websites that targets tend to visit. The attacker will scout potential sites the target will visit and look for vulnerabilities in those sites. Once the vulnerabilities are found and compromised, the site can be used to upload a backdoor to the target’s device.

6. BAITING
Baiting is typically seen as a type of phishing attack, but differs in that the bait is commonly an offer for an item or good the target desires. The item or good being promised can be anything - free music, movies, or other media. To claim their prize, the target only needs to enter their login credentials. Whenever attackers have done right profiling they know a lot more about their targets and set an appropriate bait to lure them.

The most reviled form of baiting uses physical media to disperse malware. For example, attackers leave the bait—typically malware-infected flash drives—in conspicuous areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to it, such as a label presenting it as the company’s payroll list.

Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic malware installation on the system.

Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of baiting consist of enticing ads that lead to malicious sites or that encourage users to download a malware-infected application.

7. Quid Pro Quo
Quid Pro Quo attacks are the promise of something, a good or benefit, in exchange for information. The information is commonly the target’s password(s), but additional information may include personally identifiable information (PII), physical location layouts, or network architecture. These attacks elicit some greed or need from their target to succeed.

8. TAILGATING / PIGGYBACKING
Tailgating occurs when access is controlled by an electronic device and an attacker simply walks behind an individual with legitimate access. The media OR films commonly portrays this kind of attempts to gain entrance through the front door, where an employee scans their badge, gates open as access is granted, and two people pass through before the gates close. However, in the real world, this can be as simple as carrying a large box, or tray of catered food, to a back door where employees are known to linger. Human decency opens the door for the attacker, regardless of that door requiring privileged access.

-

 What Can You Do To Handle Social Engineering Tactics?

• Be cautious when opening attachments. If you do not personally know the sender or have not requested the information, there is rarely a case when an attachment needs to be sent without valid pretext. If in doubt, it’s worth the extra time to research it before you open it. Contact an information security specialist in your company. VirusTotal.com is another great place to start.

• Use multifactor authentication – One of the most valuable pieces of information attackers seek are user credentials. Using multifactor authentication helps ensure your account’s protection in the event of system compromise.

• Find the URL from links on your own. Hovering over a link will show you the direct path for the URL. If you have any suspicions to the legitimacy of the URL, use a search engine to manually find the site yourself.

• Delete and block unsolicited requests for passwords or financial information. No one should ask you for this information in an email. Don’t give it to them, ever.

• When it comes to security, if it sounds too good to be true, it probably is. If an offer sounds too enticing, think twice before accepting it as fact. Googling the topic can help you quickly determine whether you’re dealing with a legitimate offer or a trap. All foreign offers are fake... If you receive an email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money it is guaranteed to be a scam.

• Beware of any download.

• Routinely train end users on security. Companies should employ, at minimum, a bi-annual training geared towards each user group (end-users, IT staff, managers, etc.) so that everyone is aware of the latest attacks.

• Secure your devices. Lock your workstation when you walk away from it, every time. Install email filters, anti-virus software, and firewalls. Make sure to apply recommended patches and keep your applications up-to-date.

• Every email program has spam filters. Set your spam filters to high. DO NOT open emails in the spam folder or emails whose recipients you do not know.

• Attackers love to play off a sense of urgency. Don’t give in to it. Take a breath and slow down. It’s only after you give out your password that you’ll regret doing so. The IT guy doesn’t need to know your password and it is a rare occasion when your actions on a computer are a life and death situation. Slow down. RELAX!

-

My advice to you is that you implement a SIEM and UEBA….

Because Social engineering attacks will inevitably happen, so you should ensure your organization has the means to rapidly collect data about security incidents, identify what is going on, and notify security staff so they can take action.

Please let me know of what do you think about this in the comment section. You can also share with all if the information shared here helps you in some manner.

 Kindly write your comment on the posts or topics, because when you do that you help me greatly in designing new quality article/post on cybersecurity.