1. Author: VINAY BHARGAV
Social Engineering – “A Game of Con”
90% of the people we ask will give not just the spelling of their names but also their email
addresses, without confirming our identity.
67% of the people we ask for birth dates will also give out their place of birth and marital status.
Today, social engineering is recognized as one of the greatest security threats facing
organizations. Social engineering attacks can be non-technical and don’t necessarily involve
the compromise or exploitation of software or systems. When successful, many social
engineering attacks enable attackers to gain legitimate, authorized access to confidential
information.
SOCIAL ENGINEERING ATTACK CYCLE [diagram: Attacker → Target]
Common Social Engineering Attacks:
Baiting – The old-school way still works:
“It’s Simple Yet Powerful”. Attackers leave a malware-infected USB stick, flash drive or CD
in a place where it is easily seen and picked up by anybody. Whoever finds it inserts it into
their system and unknowingly installs the malware. Once installed, the malware allows the
attackers to gain access to the whole system.
Scenario - Back in 2006, Steve Stasiukonis, VP and founder of Secure Network Technologies, Inc.,
wanted to assess the security of a financial client. Steve and his team infected dozens of USBs with
a Trojan virus and dispersed them around the organization’s parking lot. Curious, many of the
client’s employees picked up the USBs and plugged them into their computers, which activated a
keylogger and gave Steve access to a number of employees’ login credentials.
Phishing – You’ve Got (bad) e-Mail:
“That click changed my life”. A phishing attack tries to trick the recipient into taking the
attacker’s desired action, such as providing login credentials or other sensitive information.
Phishing attempts most often take the form of an email that seemingly comes from a
company the recipient knows or does business with. For instance, the recipient gets an email
from his bank requesting an immediate password change by clicking on a link, or an email
from a known name asking for bank account credentials.
[Attack cycle diagram stages: Information Gathering → Developing Relationship → Exploiting Relationship → Execute the Attack]
Scenario: PayPal scammers might send out an attack email that instructs recipients to click on a link
in order to rectify a discrepancy with their account. In reality, the link leads to a fake PayPal login
page that collects the user’s login credentials and delivers them to the attackers.
Pretexting – Should I trust You?
“I am not ME”. Pretexting is the use of a false motive (a pretext). It involves a scam where the liar
establishes trust with the targeted individual and asks a series of questions designed to gather key
personal identifiers such as account number, date of birth, etc.
Scenario: A Pretexter may call, claim he’s from a survey firm, and ask you a few questions.
When the Pretexter has the information he wants, he uses it to call your financial institution. He
pretends to be you or someone with authorized access to your account. He might claim that he’s
forgotten his checkbook and needs information about his account.
Preventing Social Engineering Attacks:
No matter how strong your network security is, end-users will often be the weakest link
in the security chain. Attackers target employees, using social engineering tactics to carry out
intrusions and phishing scams.
NEVER provide confidential information or, for that matter, even non-confidential data
and credentials via email, chat messenger, phone or in person to unknown or suspicious
sources.
BEFORE clicking on links, both in emails and on websites, keep an eye out for
misspellings, @ signs and suspicious sub-domains.
BLOCK USB devices in order to reduce the risk of Baiting. Baiting is the digital equivalent
of a real-world Trojan Horse, where the attacker tempts users with free or found physical
media (USB drives) and relies on the curiosity or greed of the victim – if they plug it in,
they are hacked!
Follow the ATE – AWARENESS, TRAINING and EDUCATION security concept for all
employees, no matter what level and what position they hold in the organization. While
C-level employees are great targets, their admins can be even more powerful vectors for
attack!
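The “BEFORE clicking on links” item above lists three things to look for in a URL: @ signs, suspicious sub-domains and misspellings of a known domain. The following is an added example, not code from the original slides or from the author, showing how those three checks can be automated as a link-inspection heuristic (for instance in a mail gateway or a user-reported-phishing triage script). It goes slightly beyond the slide by also flagging punycode (`xn--`) labels, the machine form of a lookalike spelling. The brand list `KNOWN_BRANDS`, the function names and the sample URLs are all constructed for this example; a real deployment would load the trusted-domain list from the organisation’s own records and use a public-suffix list instead of the two-label simplification.

```python
"""Heuristic link inspector (added example, not from the original slides).

Checks a URL for the red flags the "BEFORE clicking on links" item names:
'@' signs, suspicious sub-domains, and misspellings of a known domain.
The brand list and the sample URLs are constructed for this example.
"""
from urllib.parse import urlparse

# Constructed allow-list (assumption): brand keyword -> the registrable
# domain that brand really uses. A real deployment would load this from
# the organisation's own list of trusted partners.
KNOWN_BRANDS = {
    "paypal": "paypal.com",
    "examplebank": "examplebank.com",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-part public
    suffixes such as co.uk; use a public-suffix list in production."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def inspect_url(url: str) -> list[tuple[str, str]]:
    """Return (flag, detail) pairs; an empty list means no red flag was found."""
    flags = []
    parsed = urlparse(url)
    # 1. '@' in the authority: everything before it is user-info, and the
    #    browser connects to the host AFTER it, not the brand shown first.
    if "@" in parsed.netloc:
        shown = parsed.netloc.split("@")[0]
        flags.append(("credentials-in-url",
                      f"browser will connect to {parsed.hostname!r}, not {shown!r}"))
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        flags.append(("no-host", "URL has no host component"))
        return flags
    labels = host.split(".")
    reg = registrable_domain(host)
    # 2. Punycode label: an internationalised name that may be a homograph
    #    (extension of the slide's 'misspellings' check).
    if any(label.startswith("xn--") for label in labels):
        flags.append(("punycode-label", f"host {host} contains an xn-- label"))
    for brand, real in KNOWN_BRANDS.items():
        if reg == real:
            continue  # genuinely the brand's own registrable domain
        # 3. Brand name placed in a sub-domain of some other registrable domain.
        if any(brand in label for label in labels[:-2]):
            flags.append(("brand-as-subdomain",
                          f"'{brand}' appears as a sub-domain of {reg}"))
        # 4. Registrable domain that is a near-miss of, or embeds, the brand.
        sld, real_sld = reg.split(".")[0], real.split(".")[0]
        if sld != real_sld and (brand in sld or levenshtein(sld, real_sld) <= 2):
            flags.append(("lookalike-domain", f"{reg} resembles {real}"))
    return flags


def flag_codes(url: str) -> list[str]:
    """Just the flag names, convenient for rules and tests."""
    return [code for code, _ in inspect_url(url)]


# Constructed sample links: one genuine, four with a red flag each.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "https://paypal.com@evil.example/login",
    "http://paypal.com.account-verify.example/update",
    "https://paypa1.com/signin",
    "https://xn--pypal-4ve.com/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", inspect_url(sample) or "no red flags")
```

The checks are heuristics, not proof of malice: a legitimate partner can use a brand name in a sub-domain, and a two-character edit distance will occasionally match an unrelated domain. Treat a flag as a reason to hover, verify through a known-good channel, or report the message, which is exactly what the awareness item asks users to do.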