
Leadership | February 26, 2019

What Your Business Needs to Know About Social Engineering Attacks

A comprehensive guide on the definition, types, and stages of social engineering attacks. Also inside are methods to safeguard your business.

Chris Reaburn, Author

Social engineering attacks exploit human behavior for malicious goals. These goals include stealing money, identities, and classified information. Social engineering can also be used to damage or destroy critical networks.
Impregnable fortresses, hyper-secure banks, and clandestine espionage agencies are vulnerable. What makes your company any different? How safe is your business against social engineering attacks?

  • Two in ten employees compromised their workstations in an experiment. This experiment involved ten types of penetration tests and 3,300 messages.
  • In the real world, a malicious campaign — Operation Sharpshooter — launched a massive attack against nearly a hundred organizations in 24 countries.


What Are Social Engineering Attacks?

Social engineering uses non-technical methods such as behavioral manipulation for malicious goals. Attacks are often carried out over communication channels such as SMS, email, chat, and social media. Hostile entities use social engineering to extract confidential information from unwitting personnel or to coerce someone into a series of damaging actions.
Unlike computer hacking, where an attacker exploits weaknesses in software design, social engineering involves the exploitation of human vulnerabilities. Social engineers target irrational behavior, cognitive biases, distractedness, and emotions.

Examples of tactics social engineers use

Phishing is a common social engineering attack. “Phishers” use fraudulent email to steal sensitive data such as your credit card information. Sometimes, social media information is enough to orchestrate a social engineering attack.

What motivates these attackers?

Attacks are motivated by greed, revenge, mischief or fun, a monumental hacker ego, or advocacy. The goal of a social engineering attack can be any of these —

  • Identity theft
  • Financial benefits such as fund transfers
  • Economic sabotage, such as stealing classified documents
  • Large-scale denial of service (DoS)


How Do Social Engineering Attacks Work?

Social engineering attacks usually happen via a flexible four-step process. These steps may vary depending on the intel on hand, attack method, target’s vulnerability, and other factors.
The key steps of social engineering are —

1) Gather information

The first step is to set up the scenario and prepare all the resources the attacker needs. Information gathering can be time-consuming, but it is the most crucial element. Attackers use a wide variety of tools to gather relevant information, including website crawlers for third-party services, search engines for social profiles, and so on.

2) Build relationship

Here, the attacker attempts to establish rapport with a human target. The target may come to trust the attacker enough to perform a desired action or even carry out the final goal, such as transferring funds to a bank account or signing up for something with a credit card. Relationship-building may occur in person or via email, SMS, phone, or social media messages.

3) Exploit weakness

Once the attacker builds enough trust, it becomes easier to infiltrate the system. Exploitation may be in the form of voluntary disclosure or the target launching a secure portal for the attacker. The target may also open an email attachment to install malware or introduce the attacker to others for sabotage.

4) Execute attack

This final step carries out the sequence of direct actions to infiltrate the target. It may also include an exit strategy to blind or distract targets, and afterwards the attacker may remove any clues tracing back to them.

Different Types And Techniques Of Social Engineering Attacks

There are four main types of social engineering attacks — phishing, smishing, vishing, and impersonation. However, the mechanics have evolved over time, and several specialized techniques exist to execute an attack.

Impersonation

This is the oldest form of social engineering attack. Ancient spies wore local disguises to access strategic positions or acquire information. The $28-million diamond theft at ABN Amro is an example of impersonation. Social engineers may pose as delivery or postal service personnel to enter an office. Once inside, they can gather information, plant malware, or steal confidential data.

Phishing

Phishing is usually delivered via email. Phishers deceive targets into visiting a fake website or installing malware. Targets then enter sensitive information such as account passwords and credit card numbers into the fake site. Phishing has become the most frequently used technique in social engineering.
Social engineers register a domain that resembles a legitimate site and build fake websites and email addresses on it. For example, “goggle.com” may be used instead of “google.com”.

Security journalist David Bisson said most phishing attacks have the following characteristics:

  • The email appears to come from a trustworthy source, such as your bank, cable TV provider, or tech support.
  • It aims to obtain personal data such as addresses and Social Security numbers.
  • The main goal is to steal identity or money.
  • It uses link shorteners such as bit.ly to conceal fake websites.
  • It contains suspicious URLs (misspellings, strange punctuation marks, inaccurate domain extensions, etc.) that lead to fake websites.
  • It carries warnings, emergencies, or cash prizes to manipulate the target’s emotions.
  • It may use attachments with malware.
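
The look-alike domain trick and the indicator list above translate directly into a screening check. The script below is an added example, not code from the original article or from Nextiva: it turns those indicators (sender or link domains that imitate a trusted one, link shorteners, odd characters in a host name, emotional pressure words, risky attachment types) into simple heuristics that a mail-screening script or a security-awareness exercise could run over an incoming message. The trusted-domain list, the shortener list, the word lists and the sample message are all constructed for this example.

```python
"""Triage heuristics for a suspected phishing message (added example, not the article's code)."""
import re
from typing import List, Optional
from urllib.parse import urlparse

# Domains the organisation genuinely uses (assumed for this example).
TRUSTED_DOMAINS = {"google.com", "examplebank.com", "nextiva.com"}

# Public link shorteners that hide the real destination of a link.
LINK_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Emotional pressure language: warnings, emergencies, cash prizes.
URGENCY_WORDS = {"urgent", "immediately", "suspended", "verify", "prize", "winner", "24 hours"}

# Attachment types that commonly carry malware.
RISKY_ATTACHMENT_EXT = {".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".zip", ".iso"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit separates goggle.com from google.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude last-two-labels reduction (mail.google.com -> google.com); enough for the demo."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # Same name under a different extension, or within two edits of the real name.
        if domain.split(".")[0] == trusted.split(".")[0] or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def triage_message(sender: str, body: str, attachments: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    findings = []
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain!r} looks like trusted {imitated!r}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        dom = registrable_domain(host)
        if dom in LINK_SHORTENERS:
            findings.append(f"link shortener hides destination: {url}")
        else:
            imitated = lookalike_of(dom)
            if imitated:
                findings.append(f"link domain {dom!r} looks like trusted {imitated!r}: {url}")
        if re.search(r"[^A-Za-z0-9.\-]", host):
            findings.append(f"unusual characters in host name: {host}")
    lowered = body.lower()
    hits = sorted(w for w in URGENCY_WORDS if w in lowered)
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    for name in attachments:
        if any(name.lower().endswith(ext) for ext in RISKY_ATTACHMENT_EXT):
            findings.append(f"risky attachment type: {name}")
    return findings


# Constructed sample message for the demo; not a real phishing email.
SAMPLE_SENDER = "security@goggle.com"
SAMPLE_BODY = (
    "URGENT: your account will be suspended in 24 hours.\n"
    "Verify now: https://bit.ly/abc123 or https://examplebank.co/verify"
)
SAMPLE_ATTACHMENTS = ["invoice.pdf", "update.exe"]

if __name__ == "__main__":
    for finding in triage_message(SAMPLE_SENDER, SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print("-", finding)
```

On the constructed sample, the script reports the imitated sender domain, the shortened link, the link under a wrong domain extension, the pressure words, and the executable attachment. Heuristics like these are a screening aid for people and mail gateways, not a verdict: a message with no findings can still be a well-crafted spear phishing attempt, which is why the awareness steps later in the article still matter.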

Spear phishing describes a phishing attack aimed at a specific target. Whaling is a phishing attack that targets a person with a high corporate position.

Vishing

This refers to phishing attacks that use the telephone (voice + phishing). Vishers use voice changers and other tools to impersonate a trusted individual. They steal social security numbers, employee ID numbers, passwords, and other sensitive information.

SMiShing

This is a combination of SMS and phishing. Fake SMS messages are used to trick recipients into visiting a fraudulent website, downloading malware, or calling a fake phone number. Social engineers use fake prizes, sensational news, and other bait to steal sensitive information.

Spear phishing

This is a phishing attack that targets a specific individual. Spear phishers gather open-source information about a target, such as a name, job, location, and hobbies. This delivers a higher success rate compared to ordinary phishing attacks.

Whaling

This phishing attack targets “big phish” such as executives and leaders. Social engineers research the corporate leader before the actual attack. Whaling attacks cause huge damage because high-level leaders have access to trade secrets.

Baiting

This technique uses flashy tricks. Baiters use web pop-ups and USB flash drives that are “left behind by accident.” Pop-ups usually display clickbait linked to fraudulent websites. Suspicious devices sometimes contain malware that can hijack your systems.

Pretexting

This technique sets up an ideal scenario for an attack. Social engineers use pretexting to steal money and identities: they act like trustworthy professionals while planning to steal sensitive information such as Social Security and bank account numbers.

Scareware

This technique exploits people’s emotions through shock, emergency, or threat messaging. A message may claim that a powerful virus has infected your desktop computer or smartphone and urge you to run a “scanner”; the scanner itself is the malware.
Scammers often combine scareware messages with phishing pages or with ransomware that takes control of your computer and data. Targets end up paying money just to regain control of their devices.

Water holing

The name comes from the behavior of animals that gather around a water source. The attack targets a particular user group by compromising the websites they commonly visit. Malware can spread like wildfire across the group and infect the entire network. Attacks of this type can shut down entire government agencies and corporate departments.

Diversion theft

This technique resembles impersonation. It is a trick that targets transport, shipment, or delivery companies. Social engineers may re-route or alter the goods being delivered. An alteration may include installing malware or spyware in electronic products. Physical rerouting usually ends in traditional theft. Social engineers use an accomplice in cyberspace to convince a target to share sensitive data.

Quid pro quo

This is also a form of impersonation. As the term implies, the core idea is to exchange something for something. Quid pro quo attackers usually target businesses with many employees. They begin by “helping” one employee. After gaining trust, attackers then convince the beholden employee to take action. Such actions often compromise system security.

Honey trap

This technique plays on human emotions by focusing on sex and romance. Attackers pose as very attractive persons on social media and dating sites. They can also be found on adult-oriented websites. Attackers use charm, sex appeal, or blackmail to get personal data and financial information.

Tailgating

Also called “piggybacking.” Attackers access restricted areas or confidential data by “tailgating” authorized personnel. For example, attackers disguised as tech support can convince an executive to access the company’s confidential data.

Rogue Access Point

This technique uses WiFi. Attackers exploit the demand for internet connectivity by seeking out or creating rogue access points. These access points can be used to steal personal data, install malware on connected devices, and even start a DoS attack.

Real-world Examples Of Social Engineering Attacks

Security company Aura published a list of social engineering attacks to be on the lookout for. Here are some of the most interesting:

Hack of AP’s Twitter account by the Syrian Electronic Army

In 2013, the Syrian Electronic Army attacked employees of the Associated Press. Attackers used spear-phishing emails and fake websites. Employees entered login data for the news agency’s Twitter account on the fake website. The Syrian Electronic Army gained access to the account.
It tweeted that the White House had been bombed and that then-president Obama was injured. The tweet was live for three minutes. But it shook the markets, and the Dow lost around $136 billion.

Sony Pictures Hack

North Korea’s cyber army hacked Sony Pictures because of a film about the country’s leader. In the film (The Interview), the leader is the target of an assassination attempt. The phishing attack used information from LinkedIn and Apple ID to steal passwords. Attackers used the stolen passwords to steal 100 terabytes of data from Sony.

Theft of Democratic National Convention (DNC) Emails by Russia/Wikileaks

Russian hackers breached the DNC email network. They stole 150,000 confidential emails from the Clinton campaign. The attackers used a spear phishing email that appeared to come from Google. The email contained a link to a fake site where victims shared their login info. The incident is still subject to ongoing investigations.

How To Prevent Social Engineering Attacks

There’s no foolproof security solution for a system that includes a human element. If social engineers can break into AP News, Sony Pictures, and the Democratic Party, how safe is your company?
Not very. But you can still drive awareness and prepare for such attacks, and human error can be mitigated. Here are some steps you should consider (courtesy of Social Engineer LLC and Fossbytes):

  1. Improve awareness and knowledge about the threat (social engineering) and its different forms.
  2. Encourage personnel to screen messages they receive on computers and mobile devices.
  3. Clarify your protocols on social engineering attacks. Integrate such protocols into the overall policy on information security and data protection.
  4. Educate staff about cyber security. Train them how to counter each type of social engineering attack.
  5. Train staff on how to improve their emotional intelligence. Build their resistance to social engineering attacks.
  6. Encourage staff to ask colleagues and tech support when they are unsure about an issue.
  7. Protect computers and other devices using updated anti-virus and other security software.
  8. Have an accessible, centralized, and updated knowledge base on social engineering.

Conclusion

The threat of social engineering intensifies as the world becomes more digital. Regardless of size or industry, no business or organization is exempt from the threat.
Even the most tech-savvy professionals can still get blindsided and make a grave error. Amid this environment, companies need to adopt the best security solutions and build a culture of vigilance.
Today, Chief Information Officers (CIOs) develop rigorous prevention and detection programs to limit risks to technical systems and human operations. At the heart of every company is data worth safeguarding, which ultimately protects the company as a whole.
