20 Oct The Why and How of Social Engineering
In today’s world of increasing cyber-dependency, both businesses as well as personal transactions are reliant on digital modes of information exchange. Whether it concerns communication between business partners or company departments, most of us rely on emails and other online modes of information exchange. There’s no denying that these communication channels are super convenient and easy, they could pose a serious threat to the safety and integrity of cyber systems, if not managed securely. The rapid proliferation of digital crime has made terms such as social engineering and it’s sub-parts such as phishing a part of the common vocabulary. Yet, how much do we truly know about these modes of attack?
Cyber criminals are cunning: to say the least, and their trade is dependent upon exploiting systemic weaknesses. While most of us perceive hackers to be tech geniuses who code at the speed of thought, the reality is entirely different. It’s true that cyber criminals are masters at spotting weaknesses, but most often, they don’t target only technical loopholes. Instead, they go for the weakest link in the chain: People.
Phishing and Social Engineering: Exploiting the Human Element
Going by latest statistics are anything to go by, more than 70% of all cyber-attacks are attributable to phishing and social engineering. Interestingly, both these modes of attack don’t primarily depend on technical expertise, and centre around exploiting the human element of the cybersecurity chain.
When considering cybersecurity, the common trend of businesses is to focus on advanced encryption methods. Along with that, experts seek to improve network communications, authentication protocols, and multi-factor access controls. Yet, systems fall prey to cyber attacks, and the truth behind this is simple. No matter how strong your security measures are, they cannot be stronger than the weakest link: us.
Humans are the most vulnerable chink in the cyber security armour. We make mistakes; when we are impatient, tired, angry and frustrated. We are inquisitive. We want instant results, and easy rewards; Hackers target and exploit these human traits in social engineering and phishing attacks.
In the following sections, we are going to discuss these two attack modes in detail.
Social engineering is an extremely effective yet simple attack method. It’s essentially a ploy staged to trick users into revealing sensitive information, such as login credentials. Social engineering attacks involve serious observation of the target, understanding of their behaviours, and manipulation of the same.
A common example of social engineering is as follows. Suppose your email password is the name of your dog, together with your birthday. Now, both these pieces of information can be easily gleaned from a careful analysis of your social media accounts. An attacker, after getting hold of the information, can simply launch a brute force attack and compromise your account.
The above is a simple example of how a social engineering attack may proceed. There are several other techniques to launch a social engineering attack. They are as below –
- Baiting; involves enticing the victim with physical or digital bait. This may take the form of an attractive or salacious online ad or game. In the physical world, thumb-drives with malware may be left in conspicuous locations for the victims to use.
- Scareware, a form of social engineering in which users are prompted with emergency messages about their system being infected. The malicious party then offers a solution in the form of a download, which in most cases is the actual malware.
- Tailgating also known as piggybacking involves an attacker pursuing entry to a restricted area without the proper authorization. The attacker can merely walk in behind a person who is authorized to access the area. In a typical attack scenario, a person impersonates as a company employee and wait until a genuine employee opens their door. An attacker then asks that employee to hold the door, bypassing the security measures in place such as electronic access control or biometric access control.
- Pretexting is a technique in which an attacker presents himself/herself as someone else to obtain private and sensitive information. Usually, attackers create a fake identity and use it to manipulate the information. This attack usually relies on attacker’s ability to gain victims trust. For e.g. An attacker can impersonate an external IT service worker to ask internal staff for information that could allow accessing internal systems of the organization.
Then… there’s phishing. It is perhaps the most rampant and widely used form of social engineering attack. In the following section, we are going to take a detailed look at phishing. We’ll also read about the company whose name is used in phishing the most.
Phishing has its origins in the early 1990s when a group of hackers called the Warez Community attacked AOL systems using a random credit number generation algorithm. Of course, since then, this attack mode has evolved and become a lot more sophisticated.
Attackers target users using email or text messages in phishing. These messages are made to seem as though sent by authority sources. The messages aim at creating a sense of urgency for the receiver, prompting them to take an action such as clicking on a link.
Doing so takes the user to a fraudulent website, which attempts to steal their confidential credentials. Phishing attacks can be highly sophisticated, and use domain names, websites, and email templates very similar to the genuine entity they are impersonating.
Spear phishing is an even more targeted form of phishing. Spear phishing involves attackers who are extremely focused on the target and have performed a detailed study of the victim before launching phishing campaigns.
Apple: The Most Phished Brand
In the first quarter of 2020, the one brand that was used most widely to launch phishing attacks was Apple. While the iPad manufacturer featured in the 7th place on the list of most phished brands in the last quarter of 2019, it rose to the top spot in 2020.
Why this obsession with using Apple? One of the simplest reasons is the wide use of Apple devices and the large target base of Apple users. Another factor is the massive recognisability of the Apple brand. Apple is a worldwide phenomenon, and when anyone gets an email from Apple asking to reset their iCloud account, people rarely think twice before clicking on the link.
Again, it’s this trust factor that attackers exploit.
The Final Word: Constant Vigilance
The question remains: how can businesses and individuals protect themselves against social engineering attacks? The answer is simple: constant and uncompromising vigilance. For example, in email conversations one of the simple checks people can perform is to always verify the source before clicking on a link.
Also, when visiting a URL, make sure it’s the genuine one from the brand or service you intend to deal with. Often, hackers can use a domain with closely resembling spellings, so stay wary of misspelled URLs.
Keeping strong passwords and following simple steps such as not writing them down for easy remembering can go a long way towards helping to prevent social engineering attacks. By adopting such precautions, coupled with effective spam mail practices, businesses and individuals can protect themselves from falling prey to these pernicious scams. And create a safer, more reliable online experience in the process.