Most cyber criminals and hackers are masters of human manipulation and deception before they are experts in hacking and technology, because if someone gives you their own password, that is much easier than trying to crack it. This is the idea behind social engineering. So, let's see what social engineering is, what its common techniques are, and how we can protect ourselves from its attacks.
In general, protection and security come down to who you trust and what you trust. It is important to know when you trust someone and how you know that the person is really who they claim to be. The same is true for social networks and websites: when do you trust that a website is genuine and that you can really share your information with it?
Social engineering is a set of techniques for influencing and deceiving human beings into handing over their important and confidential information with their own hands. This means that, unlike other cyber-attacks that focus on vulnerabilities in systems, networks and devices, social engineering targets human weaknesses, which is why it is often called human hacking.
The cyber criminals who use social engineering are called social engineers; their aim is to obtain private, important and confidential information, whether to steal, manipulate, corrupt or even delete it.
Like most types of manipulation and deception, social engineering is based on trust, a false trust, followed by persuasion. In general, each social engineering attack has four stages:
1. Preparation: The social engineer collects information about the victims, for example where they can be reached, such as social networks, e-mail, SMS, etc.
2. Infiltration and personalization: The social engineer approaches the victims, presenting themselves as a trusted and legitimate person and, to prove it, using the information they have already collected about the target.
3. Exploitation: The social engineer uses their persuasion skills to ask the victim for information such as passwords, payment methods, contact information, and anything else that is useful to them.
4. Disengagement: The social engineer breaks off communication with the target once the data has been obtained and accessed.
Depending on the type of attack, each of these steps can take from hours to months.
Tactics of social engineering attacks
Social engineering can occur anywhere, whether online or offline. Unlike common cyber-attacks, which occur secretly and without notice, attacks by social engineers happen directly before your eyes.
1. A friend sends you a strange message: Social engineers can present themselves as trusted people in your life, such as your friends, your manager, your colleagues, and even your bank. They will send you a message in that person's name containing harmful links.
2. Working on the emotional side: The less our feelings are under our control, the weaker our defense against social engineering. Feelings such as fear, excitement, curiosity, anger, guilt and sadness are the targets of social engineers. So, think twice before your online interactions.
3. The request is urgent: Social engineers don't want you to think twice about their techniques, so most attacks carry a sense of urgency and haste, for example asking you to enter your information right away or to download a security program because your device supposedly contains viruses.
4. The offer feels too good to be true: Have you ever received a message that you didn't ask for, even great news that you've won a lottery or got a license for a service for free?
5. You receive help and services that you didn't ask for: Social engineers may contact you as a representative of a company that solves a problem you have; for example, you have a technical issue and they contact you as the support team, so you give them direct access to change your system.
6. The sender can't prove their identity: For example, when you suspect someone and ask them to prove their identity by video call, they refuse.
Like most cyber-attacks, social engineering has many forms and techniques that continuously evolve. These are some of its common types:
1. Scareware: As its name suggests, scareware is a type of malware created to scare you into doing something. It often comes in the form of emails and popups and asks you to act immediately, for example by "downloading a program to clean up harmful viruses and files", which is itself the virus.
2. Hacking emails and contact spamming: It is human nature to pay attention to messages from people we know, and social engineers know this very well, so they take over those people's email accounts and use phishing techniques from them.
3. Access tailgating: A type of social engineering in which the person physically follows you and accesses an organization's network or devices through you, for example by carrying a large box that shows their hands are full so that you let them in with your fingerprint.
4. Phishing: A common way to get information and data from an unaware target. Generally, the social engineer sends a message to the target posing as an organization or someone else and asks them to take an action, such as verifying their email or downloading a specific program. It's worth mentioning that phishing has different forms and types:
- Spam phishing: Often sent in bulk to many users.
- Spear phishing: Unlike spam, it targets only one person or organization, such as celebrities and important people.
- Vishing: This type of phishing is performed through voice messages. It may be an automated message, or a person may talk to you personally to build more trust.
- Smishing: This type of phishing is performed through SMS.
- Email phishing: One of the traditional and most common types of phishing, sent by email.
- Phishing link: A falsified link you receive that contains malware.
- In-session phishing: Occurs when you're in your account or platform and you're suddenly asked to log in again.
In the phishing example, the social engineer may present themselves as your bank and ask you to click on a link and enter your details there. Those who click on the link are taken to a fake website that looks like the original site, so when you enter your information, it goes directly into the social engineer's pocket.
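As an added example (not part of the original article), the following Python checks an e-mail body for the mismatch this paragraph describes: a link whose visible text names the bank while the href leads to a lookalike host. The domain examplebank.com and the sample message are constructed.

```python
"""Flag phishing-style links: the visible text of an <a> names the trusted
domain, but the href leads to another host. Added example for this article;
the sample e-mail body and the domain examplebank.com are constructed."""
import re
from urllib.parse import urlparse

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(value):
    """Lowercase hostname of a URL or bare domain ('' if there is none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it (not a lookalike
    such as examplebank.com.verify-login.net)."""
    return host == domain or host.endswith("." + domain)


def find_suspicious_links(html, trusted_domain):
    """Return hrefs whose visible text claims trusted_domain, or displays a
    URL for some other host, while the link really goes elsewhere."""
    flagged = []
    for href, text in ANCHOR.findall(html):
        target = host_of(href)
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop inner tags
        if belongs_to(target, trusted_domain):
            continue  # genuinely points at the trusted site
        shown = host_of(text) if re.search(r"\w\.\w", text) else ""
        if trusted_domain in text.lower() or (shown and shown != target):
            flagged.append(href)
    return flagged


# Constructed sample: one lookalike link dressed up as the bank's URL,
# one genuine link to the bank.
SAMPLE = """<p>Dear customer, please verify your account at
<a href="https://examplebank.com.verify-login.net/">https://examplebank.com/login</a>.
For assistance visit <a href="https://examplebank.com/help">our help page</a>.</p>"""

if __name__ == "__main__":
    print(find_suspicious_links(SAMPLE, "examplebank.com"))
    # → ['https://examplebank.com.verify-login.net/']
```

Only the first link is reported: its text shows the bank's address, but the registrable domain of the href is verify-login.net, which is exactly the sign a reader should check before entering credentials.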
5. DNS spoofing: Also known as cache poisoning, it occurs when the DNS cache that the browser relies on is manipulated, so that users are directed to a harmful website. In 2018, $17 million in bitcoin was stolen from users of the MyEtherWallet website this way.
6. Baiting: This type often occurs on social media, when someone asks you to download a video or piece of music that is secretly linked to a virus. Or the engineer may leave a USB drive loaded with viruses in a public place, and as soon as anyone plugs it into their device, the virus is transferred to it.
7. Physical breaches: The social engineer may present themselves as an IT expert and go to an organization to repair the staff's equipment, so that they gain full control over the devices and can install their own keylogger on them.
8. Pretexting: The social engineer creates a story that they know will capture the target's attention. Once the story hooks the person, the engineer tries to deceive them and obtain their confidential data.
9. Watering hole attack: Here, only one page of a well-known website is targeted, a page with many visitors, so that it reaches the highest number of victims.
10. Quid pro quo: This often happens on gaming platforms, when someone sells game activation codes or cheat codes and asks you to hand over your account to finish the job; eventually, you never see your account again.
How do you avoid social engineering attacks?
The best defense and protection against these attacks is to educate yourself about their types and signs so that you can easily recognize them, and to follow these instructions:
When using the Internet: The first line of defense against social engineering is yourself, so be aware of these points:
- Don't open a link you didn't ask for.
- Don't publish too much personal information.
- Be careful with friends you know only on the Internet.
- Recognize the signs of social engineering.
Secure your accounts and network: After awareness, you need to protect your network and accounts, where you keep sensitive and confidential information.
- Use two-factor authentication.
- Use strong and unique passwords and change them regularly.
- Use software to manage your passwords.
- Set your spam filters to a high level.
- Do not allow strangers to use your Wi-Fi.
- Use a VPN.
- Monitor your account activity continuously.
Secure your devices:
- Don't leave your device unattended.
- Use an antivirus and security program (we recommend Kaspersky).
- Keep your software and systems up to date.