Have you heard of attack types such as Baiting, Honey Trap, Scareware, Water Holing and Quid pro Quo? In this article we look at them and a number of others, including the various kinds of phishing, give high-profile examples of such attacks and describe effective ways to protect against them. Criminals carry out all of these attacks with a single goal: obtaining users' personal data. To begin with, let us look at what unites all these types of attack. Understanding the mechanisms of social engineering will make you much less vulnerable to this kind of manipulation. Social engineering is a multifaceted and complex way of obtaining confidential information from users by means of persuasion and technological tools. Anyone in today's world is vulnerable to social engineering and must therefore remain constantly aware of who they are interacting with, both online and face to face. Statistics show that a large number of people are careless about how their confidential information is used.
Social engineering is a method of manipulating people in order to obtain confidential information from them. The information criminals are after varies, but most often it is bank details and account passwords. Criminals may also try to gain access to the victim's computer in order to install malware that helps extract any information they want. Here criminals draw on a diverse arsenal of social engineering techniques, because it is much easier to get what they want (personal data) from a person by gaining their trust. This is far more convenient than hacking an account directly: exploiting human weaknesses is much easier than finding a vulnerability in a service or piece of software. Attacks using social engineering tools often take place in two stages. First, the scammers research the potential victim to gather the necessary background information; it is at this stage that the attacker tries to win the victim's trust. Then, having established a "good" relationship, the criminal uses various tricks to extract confidential information (for example, passwords and IP addresses) from the victim. We will now discuss the different kinds of such tricks.
There are different types of cyber attack, such as injecting malicious code into a website or using malware (viruses, trojans, and so on). Attacks of this kind leave the compromised system impossible to manage or debug. A social engineering attack, by contrast, does not target the computer system directly but its users, the "weakest link", and by bypassing the infrastructure built to protect against malware it achieves the same results as other kinds of cyber attack.
Because such techniques are much harder to detect or prevent, this line of attack is far more effective than others. The main tactic of social engineering is to use psychological methods (for example, communicating on behalf of a service company or bank) to persuade the user to reveal personal information (passwords, credit card numbers, and so on). More than ten types of such attack are known, and if combined methods are taken into account, some of which we will also consider, their number runs to several dozen.
Phishing. These attacks actively exploit the human factor to harvest credentials or spread malware. Phishing can be defined as the fraudulent use of electronic communications to deceive and take advantage of users. Most often, phishing attacks are used to obtain confidential information such as logins and passwords, credit card data and network credentials.
A phishing attack can also be planned so that, after visiting a fake site, the victim runs into other problems: for example, spyware is installed on the computer, or the system is frozen by a ransomware attack. In some cases, fraudsters are content to obtain the victim's credit card details or other personal data for financial gain.
But phishing emails are also sent to obtain employees' account details or other data for a further, more advanced attack on a specific company. There are several types of phishing attack: targeted phishing, voice phishing, SMS phishing, whaling (the description below makes the name clear) and clone phishing.
Targeted phishing. Such attacks resemble ordinary phishing, but they are aimed at a specific person or organization. Attackers therefore first collect detailed information about their targets so that the emails they send look as believable as possible. People often have no idea that a phishing email has come from an untrustworthy source. Targeted phishing can be called a more advanced version of the ordinary kind, since it requires far more thorough preparation, and for this reason it is extremely difficult to defend against with conventional technical means.
Moreover, the person targeted by the phishing is in most cases not the criminals' real target: their ultimate target is usually the corporate network infrastructure, from which, once they control it, the fraudsters will extract a financial benefit.
Voice phishing. In this case, criminals use the telephone to collect the victim's personal and financial information. For example, an attacker may introduce himself as an employee of a bank or insurance company and, under the pretext of advertising new services, gradually find out the personal data of the person he is talking to. "Vishers" can also catch their victims by surprise, offering them a loan on very favorable terms. Since such services are usually associated with the disclosure of personal financial information, if the fraudster can convince the victim that the offer is legitimate, the person may not suspect a scheme at all and hand the criminal confidential information.
Some criminals target the sick or the elderly. In such attacks they unscrupulously exploit the victim's unstable physical and/or mental state to convince the person that personal data must be handed over in order to receive help. Here the criminals use the promise of financial assistance as bait, available only once personal information has been provided. Another very common type of phishing attack: criminals report that something has allegedly happened to the victim's loved ones and demand a quick transfer of money to solve the problem.
An example that partly applies to whaling as well: in March 2019, the CEO of a British energy company received a phone call from a person whose voice sounded exactly like that of his president. The caller was so convincing that the CEO transferred $243,000 to a "Hungarian supplier", to a bank account that actually belonged to the fraudster.
SMS phishing. This type of phishing attack involves mobile devices. The victim receives a message allegedly from a bank's number. The message usually contains some frightening information (see the Scareware section below) and then offers a solution to the problem. A classic example: an unauthorized withdrawal has allegedly been made from the victim's account, so the person is invited to follow a link to the bank's page (fake, of course) or call the phone number given (also controlled by fraudsters).
People also receive messages asking them to help the victims of some natural disaster, but to help they must leave their personal data. Especially cunning attackers can "milk" their victims this way for months, regularly withdrawing small amounts so as not to alarm them.
Whaling. This is a phishing attack aimed directly at a top manager of a large company. It is called "whaling" because the victim is highly valuable and the stolen information will be worth far more than anything ordinary company employees could offer fraudsters. And since the victims here are high-ranking officials, criminals act accordingly: for example, they send messages of a legal nature or offer to discuss serious financial matters.
The largest attack of this type, not only among phishing attacks but among social engineering attacks in general, was carried out by Lithuanian citizen Evaldas Rimasauskas against two of the world's largest web corporations, Google and Facebook. Rimasauskas and his team created a fake company and posed as a computer manufacturer that worked with Google and Facebook; Rimasauskas also opened bank accounts in the company's name. As a result, the web giants suffered a combined loss of more than 120 million dollars.
Here is another high-profile case: Chinese aircraft parts maker FACC lost nearly $60 million in a scam in which fraudsters posed as high-ranking officials and tricked employees into transferring funds to them. After the incident, FACC spent several million more trying to win compensation from its CEO and CFO in court. The company alleged that the managers had failed to implement adequate internal security controls, but FACC's claim was dismissed.
Clone phishing. The principle of this attack is that the attacker sends a fake email disguised as a normal one, from an address that closely resembles one used by a known and trusted source (for example, Mail.crop instead of Mail.corp). In other words, phishing emails look as if they come from your bank or service provider and ask for your personal information.
Fraudsters thus copy the form of a corporate email, creating an almost identical sample; the only difference is that the letter is sent not from the real address but from a similar one. The body of the email looks the same as in emails the user has already received from this organization, but the links in it have been replaced with malicious ones. Resourceful criminals can even explain to the victim why they are receiving "the same message" again.
Such emails have a single goal: the "social hackers" try to get the recipient to divulge personal or financial information by clicking a link in the email, which redirects the user to a similar-looking but criminal-controlled site designed to steal personal information.
A recent example of clone phishing: in January 2022, a large-scale attack was carried out with the goal of stealing credentials for the Office 365 service. The attackers successfully imitated messages from the US Department of Labor (DoL). This scam is a prime example of how effective phishing attempts are becoming. Addresses on the genuine dol.gov domain were replaced with addresses on domains the fraudsters had bought beforehand, dol-gov.com and dol-gov.us, and the phishing emails nevertheless passed through the target organizations' security gateways.
The emails carried official DoL branding and were professionally written, inviting recipients to bid on a government project. Bidding instructions came in a three-page PDF with an embedded "Apply" button. Clicking it redirected victims to a phishing site that looked identical to the real DoL site. The fake auction site asked users to enter their Office 365 credentials and even displayed an error message after the first attempt, which guaranteed that the victim entered their credentials twice and reduced the chance of a mistyped entry. This would not have happened if the target organizations had implemented more effective email security measures.
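The look-alike domains in the DoL case (dol-gov.com standing in for dol.gov) and the Mail.crop example above are exactly the kind of thing a mail gateway can check mechanically. The following is an added example, not code from the article or from any product it mentions: a small Python check that compares the sender domain of a From: header against an assumed allow-list of trusted domains and flags punctuation swaps and near-miss spellings. All domains and header lines are constructed for the demo.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

# Domains the recipient legitimately corresponds with (assumed allow-list for the demo).
TRUSTED_DOMAINS = ("dol.gov", "mail.corp")

# Edit distance at or below which a domain counts as a near-miss copy of a trusted one.
NEAR_MISS_THRESHOLD = 2


@dataclass
class Verdict:
    sender_domain: str
    impersonates: Optional[str]  # trusted domain being imitated, if any
    reason: str  # trusted | subdomain | punctuation-swap | near-miss | unknown


def _strip_punctuation(domain: str) -> str:
    """Drop '-', '.' and '_' so dol-gov.com and dol.gov compare on their letters alone."""
    return re.sub(r"[-._]", "", domain)


def _levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute); fine for short domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(header_from: str, trusted=TRUSTED_DOMAINS) -> Verdict:
    """Classify the domain of a From: header value against the trusted list."""
    _display_name, address = parseaddr(header_from)
    domain = address.rsplit("@", 1)[-1].lower()
    for t in sorted(trusted):
        if domain == t:
            return Verdict(domain, None, "trusted")
        if domain.endswith("." + t):
            return Verdict(domain, None, "subdomain")
    for t in sorted(trusted):
        # dol-gov.com -> 'dolgovcom' starts with 'dolgov': same letters, punctuation swapped.
        if _strip_punctuation(domain).startswith(_strip_punctuation(t)):
            return Verdict(domain, t, "punctuation-swap")
        # mail.crop vs mail.corp: two characters apart, within the near-miss threshold.
        if _levenshtein(domain, t) <= NEAR_MISS_THRESHOLD:
            return Verdict(domain, t, "near-miss")
    return Verdict(domain, None, "unknown")


def flag_headers(from_lines) -> list:
    """Return only the verdicts that point at an imitated trusted domain."""
    return [v for v in map(check_sender, from_lines) if v.impersonates]


# Constructed From: header values mirroring the cases described in the article.
SAMPLE_FROM_LINES = [
    "DoL Procurement <bids@dol.gov>",      # genuine
    "DoL Procurement <bids@dol-gov.com>",  # hyphen for dot plus a new TLD
    "DoL Procurement <bids@dol-gov.us>",
    "IT Helpdesk <support@mail.crop>",     # transposed letters
    "Newsletter <news@example.org>",       # unrelated domain, not an imitation
]
```

Running `flag_headers(SAMPLE_FROM_LINES)` flags the two dol-gov addresses and mail.crop while leaving the genuine and unrelated senders alone; a real gateway would combine this with SPF/DKIM results rather than rely on string similarity alone.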
Scareware. The essence of this attack is that the victim is frightened (most often by pop-up windows on sites the fraudsters have hacked) into thinking that their computer is infected with malware or has accidentally downloaded illegal content. After a while, once the scammer judges that the victim is ready, he offers a solution to this fake problem. In reality, the program offered to the victim under the guise of an antivirus is malware whose purpose is to steal the user's personal information.
Thus, the creators of scareware rely on suggestion, instilling fear in the user and prompting him to install fake antivirus software.
Baiting. A very original method of social engineering that counts on one of the most common human weaknesses: curiosity. The essence of baiting is that the attacker deliberately leaves malware-infected media (for example, USB drives) in places where they are sure to be found (for example, the smoking area of an office building). The victim takes this simple bait and inserts the flash drive into a computer, whereupon malicious programs are installed on the system automatically.
As for Water Holing, the name fully reflects the essence of the attack, except that the "water" here is poisoned. By exploiting network vulnerabilities, an attacker tries to compromise a specific group of people by infecting sites they visit and trust. Popular sites frequented by the target group often become the objects of "watering hole" attacks. Cybercriminals who practice water holing (also called a watering hole attack) call their victims "target prey", and most often employees of government institutions or large organizations serve as such prey.
The essence of a Pretexting attack is that one party simply lies to the other in order to gain access to privileged data. Such scams are often initiated by an unscrupulous employee pretending to need confidential information from the victim in order to carry out an important task. No hacking is involved: it is a purely psychological effect that looks entirely natural.
A Quid pro quo attack is usually carried out by fraudsters who have no advanced hacking tools in their arsenal but do preliminary research on their targets. In this type of attack, the attacker pretends to provide the victim with an important service. For example, the attacker finds someone with high network access privileges and phones them, posing as the company's technical support staff. If the negotiations succeed and the victim agrees to "help" in solving the allegedly identified problems, the cybercriminal takes control of the victim, making him perform certain actions. As a result, these actions lead to malware being launched on the system or to the theft of login data.
Do you remember the fable of the crow and the fox? Honey Pot attacks work on the same principle. The fraudster gets to know the victim and pretends to take an interest in them (for example, romantic or sexual attraction). Gradually a virtual "relationship" forms, which the victim begins to take seriously, while the attractive criminal wastes no time in collecting confidential information, which can then be used, for example, to hack into social network accounts or email inboxes. A fraudster can also talk a gullible victim into granting remote access to their computer.
Another original technique from the social engineer's arsenal, somewhat similar to the previous ones, is Tailgating, or Piggybacking. Here the criminal enters protected premises by following someone who has an access card. Of course, the attacker has already made "friends" with the employee with privileged access and follows him into the protected area.
A Rogue attack is a variant of Scareware. Malware is installed on the victim's computer under the pretext of security, and the attacker convinces the victim that this software is completely legitimate and safe. The installed program then generates pop-ups and alerts advising the user to download new "security software". The pop-ups often show the user several options (with different scenarios), but there is no real difference: clicking "yes" on any of them downloads a dangerous program to the computer, which is now at the attacker's disposal.
In Theft with Subversion, "social engineers" trick a delivery service or courier into delivering fakes to unsuspecting buyers, while the expensive goods, of course, go straight into the fraudsters' hands. It works as follows: criminals plant accomplices in the delivery company, who gain easy access to the list of goods to be delivered, which can then be quickly swapped. This method of theft arose even before the advent of the Internet (its birthplace is London's East End), but with the development of network technologies it has become easier for criminals to manipulate information.
The most important step in protecting individual employees and the organization as a whole from social engineering attacks is to inform all users (at every level and in every department) systematically and continuously about the types of these attacks and the psychological techniques attackers use to obtain the data they want.
Penetration testing. Cybersecurity experts recommend that IT departments regularly test for possible attacks that use social engineering techniques; this helps administrators learn which users are most at risk from particular types of attack. A penetration test is an artificially simulated cyber attack on a computer system or on specific users to check for vulnerability. Such periodic tests are useful because they make it possible to determine how prepared users are and to assess the potential scale of a data leak. Phishing tests can be simulated with special programs: during the test, employees are sent phishing emails and it becomes clear who falls for social engineering tactics. Those employees can then be retrained.
Two-factor authentication (2FA). 2FA combines two methods of identity verification, for example a password and a code sent to a phone. It is one of the most effective ways of countering attacks based on social engineering.
Using anti-malware protection. Such protection should be comprehensive and include anti-virus software for web browsing, email anti-virus and anti-spyware (anti-malware). Some vendors offer bundled protection, but you can also use several good applications from different developers. One of the most important tasks of such protection is to avert danger when the user clicks links in emails and messengers: if a user clicks a link (in a browser, email or messenger) and the web page is suspicious from the point of view of network threats, the protection should block it and prevent the malicious content from loading.
Regular operating system updates. The operating systems on all the organization's computers must be updated promptly, because developers regularly release fixes that eliminate identified vulnerabilities.
Correct selection and periodic change of passwords. As an effective preventive measure, organizations should implement strict password management policies. Employees should be required to change their passwords periodically and, just as importantly, to compose them correctly. The best option here is randomly generated complex passwords that are almost impossible to guess. Of course, employees must also be trained in the correct storage of such passwords.
Using a firewall. A good web application firewall (WAF) blocks malicious requests, which may include social engineering attacks. Before visitors reach your site, they are filtered by the WAF, which determines whether the connection is safe and blocks it if it looks like a fraudulent attack.
Creating a positive atmosphere. Your employees should feel comfortable reporting their suspicions without shame if they believe they have fallen victim to a social engineering attack, but they will not do so if they fear punishment or public condemnation. This matters because if such attacks are reported as soon as they occur, the threat can be remedied quickly, before too much damage is done to the company.
These tips are intended primarily for company management and IT specialists, but what about users, including those with a high level of access, who also often lose their vigilance? We will give them some advice too, which with a certain probability will help prevent vulnerabilities from arising.
Do not click on links from suspicious emails.
Avoid downloading suspicious email attachments.
To determine if an email is fake, carefully check the sender’s name and email address for errors.
Be suspicious of any unexpected messages, especially from senders you don't know.
And finally, an eloquent statistic: the 2019 US cybercrime report says that phishing attacks caused about $58 million in damage to individuals and businesses, and about 115,000 people or organizations fell victim to these attacks. To properly assess these numbers and the scale of the threat, bear in mind that this report covers only the United States.