Social Engineering: The Art of Exploiting Humans

Pasindu Bandara Aththanayaka
5 min read · Jul 14, 2022

What is Social Engineering

Social engineering is an attack type that relies heavily on human action rather than on a technical flaw. The attacker sets up a false context (a fake identity, a fake request, a fake emergency) and uses it to get around regular security measures and gain unauthorized access to devices, systems, networks, or physical locations.

Attackers use social engineering techniques to hide their true identities and intentions while presenting themselves as trusted individuals. The objective is to trick legitimate users into exposing sensitive information or granting access within an organization. Social engineering often takes advantage of people’s kindness and fears. For example, an attacker can pose as a member of a charity organization and trick victims into clicking a malicious link.

The weakest link in any chain of security is not the technology itself, but the person operating it.

A.J. Darkholme

Social engineering is popular among attackers because it is usually easier than other intrusion methods: exploiting a human mistake takes less effort than exploiting or bypassing a network or a system directly. It is also a common first step in larger intrusions, because it lets attackers collect information about the target effectively before touching any system.

Social Engineering methods

Baiting — The attacker leaves malicious hardware, such as a flash drive, somewhere it will be noticed. A curious victim picks up the device and plugs it into their computer to see what is on it, and the device installs malware on the victim’s computer.

Phishing — Attackers send malicious emails disguised as legitimate ones. The objective is to trick the recipient into sharing financial details such as credit card numbers, or other personal information. Such emails can also carry links or attachments that install malware on the victim’s device.

Spear phishing — This is also a type of phishing attack. The difference is that spear phishing targets a specific individual or organization with a message tailored to them, while normal phishing sends the same malicious email in bulk.

Vishing — Also known as voice phishing. The social engineering attack is carried out over the phone, which gives the attacker real-time interaction with the victim and more room to apply pressure.

Whaling — Whaling is another type of phishing attack. It targets high-level employees such as chief executive officers or chief information officers. Whaling is sometimes also called CEO fraud, although that term is more often used for attacks in which the attacker impersonates an executive to pressure staff into paying or disclosing something.

Scareware — The attacker tricks the victim into believing that their device is infected with malware or that they have installed malicious content from the internet, and then offers a solution. The victim downloads that “solution”, which is itself malware disguised as a fix for the fake problem the attacker created.

Diversion theft — The attacker tricks a delivery or courier company into going to the wrong pickup or drop-off location, so that the goods or documents end up with the attacker instead of the intended recipient.

Honey trap — The attacker pretends to be an attractive person and interacts with people online, building fake relationships. While the relationship develops, the attacker gathers as much sensitive information about the victim as possible.

Tailgating — Tailgating gets attackers into access-controlled physical locations. The attacker closely follows a person who has legitimate access and slips in immediately behind them as they enter. In most cases the legitimate user is courteous enough to hold the door open, assuming that the attacker also belongs there.

Dumpster diving — The attacker searches the targeted organization’s trash for sensitive information. Many employees still write passwords on notepads or sticky notes, and discarded printouts can reveal names, roles and internal details that feed later attacks.
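The phishing, spear phishing and whaling entries above all rely on the same small set of tells: a sender who only looks like the organization, a Reply-To that diverts the conversation, a link whose visible text disagrees with its destination, and language that pushes the reader to act before thinking. The Python script below is an added example, not part of the original article, that checks a raw email for those tells. The defended domain `example.com`, the `.invalid` attacker hosts, and the two sample messages `PHISH` and `BENIGN` are all constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# The defended organisation's domain; an assumption made for this example.
ORG_DOMAIN = "example.com"
# Pressure phrases typical of social-engineering lures (fear, urgency, authority).
URGENCY_RE = re.compile(r"\b(urgent|immediately|within 24 hours|account (?:will be )?suspended"
                        r"|verify your account)\b", re.IGNORECASE)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude eTLD+1: the last two labels of a host name (fine for .com-style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def body_text(msg):
    """Decode and join the text/plain and text/html parts of a message."""
    chunks = []
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def phishing_indicators(raw_email):
    """Return human-readable indicators of a phishing lure found in one raw message."""
    msg = message_from_string(raw_email)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_reg = registered_domain(from_addr.rpartition("@")[2])
    # 1. Display name invokes the organisation while the address lives elsewhere.
    if ORG_DOMAIN.split(".")[0] in from_name.lower() and from_reg != ORG_DOMAIN:
        findings.append(f"display name '{from_name}' but sender domain {from_reg}")
    # 2. Look-alike sender domain (examp1e.com, exarnple.com, ...).
    if from_reg != ORG_DOMAIN and edit_distance(from_reg, ORG_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_reg}")
    # 3. Reply-To quietly routes answers to a different domain than the visible sender.
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_addr and registered_domain(reply_addr.rpartition("@")[2]) != from_reg:
        findings.append(f"Reply-To domain differs from sender domain {from_reg}")
    text = body_text(msg)
    # 4. Link whose visible text names one host while the href goes somewhere else.
    collector = LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", visible.lower())
        if shown and href_host and registered_domain(shown.group(0)) != registered_domain(href_host):
            findings.append(f"link text shows {shown.group(0)} but points to {href_host}")
    # 5. Pressure language that pushes the reader to act before thinking.
    hits = sorted({m.group(0).lower() for m in URGENCY_RE.finditer(text)})
    if hits:
        findings.append("urgency phrases: " + ", ".join(hits))
    return findings

# Constructed sample messages for demonstration; not real mail.
PHISH = """From: "Example IT Support" <it-support@examp1e.com>
Reply-To: billing@attacker.invalid
Subject: Action required
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you verify your account immediately.</p>
<a href="http://login-example-com.attacker.invalid/verify">https://portal.example.com/login</a>
"""
BENIGN = """From: "Alice Smith" <alice@example.com>
Subject: Benefits enrollment
Content-Type: text/html

<p>Hi Bob, enrollment is open at <a href="https://portal.example.com/benefits">portal.example.com</a>.</p>
"""
```

`phishing_indicators(PHISH)` returns five indicators (spoofed display name, look-alike domain, diverted Reply-To, mismatched link, urgency phrases); `phishing_indicators(BENIGN)` returns none. These are triage heuristics, not proof: a legitimate reminder can trip the urgency check, and a look-alike registered under a different TLD or a compromised genuine mailbox passes the sender checks, so treat a non-empty result as a reason to verify the request out of band rather than as a verdict.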

The First Recorded Social Engineering Attack

Fun fact! 😄 What is the world’s first recorded social engineering attack? It is the Trojan horse from Homer’s epic, the Odyssey: the attackers got inside the city walls by disguising themselves as a gift the defenders willingly brought in. Computer security later borrowed the name (it has been in use since the 1970s) for the Trojan, malware that disguises itself as a legitimate program so that the user installs it voluntarily.

Prevention Methods

There are a number of prevention methods that mitigate social engineering attacks.

Yet the most important thing is to act wisely and think twice before doing anything inside your organization. And remember that,

Sometimes the only person you can trust is yourself 🔒

Thanks For Reading, Cheers! ✌️
