Social Engineering: Basic Principals, Attacks, Phases and Prevention

People, processes, and technology are the three essential components of a security program. In order to provide effective security protection to an organization’s assets, all three components must function together. Humans, according to several security experts, are the weakest link in the security chain. Human errors can sometimes have a devastating impact on an organization’s security even if you have the best technologies in place defending your assets. These errors might occur as a result of carelessness, a lack of security awareness education, or excessive permissions. According to research conducted by Stanford University, nearly 88 percent of all data breaches are the result of human error. When it comes to defending your company against various attack vectors, it is critical to keep the human factor in mind. This article goes over the basics of social engineering attacks and how to prevent them.

What is Social Engineering?

Social engineering is a type of manipulation technique used by adversaries to exploit human behavior and deceive them into exposing personal or sensitive information. These attacks compel humans to take actions that jeopardize the security of the assets/information under their control.

These attacks are designed to take advantage of people’s natural trust instincts and the way they think. These attacks are devised after a thorough examination of the user’s background information, activities, or needs, and then misleading them into disclosing useful information in order to get access to important resources.

For a variety of reasons, social engineering attacks are considered to be more effective than other types of attacks. With the introduction of modern technology that is designed to provide superior security performance, it is far more difficult to penetrate an organization’s defense mechanisms than it is to deceive individuals into divulging valuable information. If the victim has advanced privileges in the company, social engineering attacks can be quite difficult to detect.

In red team exercises, social engineering can be used to assess the strength of an organization’s security mechanisms as well as employees’ understanding of various attack strategies.

Attacker Motives behind these attacks:

Some of the typical motives of the hackers behind a social engineering attack are as follows:

  • Financial gain, for example, getting user credentials for a financial website and utilizing them to transfer funds into their own account

  • Gain access to the organization’s vital data/resources, such as collecting trade secrets.

  • Revenge, for example a disgruntled former employee seeking vengeance against an organization

Impact of Social Engineering Attacks:

Social engineering attacks can have severe implications for a company. The following are some of the most significant impacts:

Financial Losses

Social engineering attacks can result in significant financial losses for the company, including losses suffered as a result of data breaches, the expense of restoring lost/stolen data, legal/regulatory fines, and much more.

Reputational losses

Social engineering attacks can potentially harm a company’s reputation, resulting in a decrease in customer confidence in the security of the organization or the loss of potential investors.

Operational Downtime Losses

Social engineering attacks can potentially impair critical business functions within an organization. This can prevent an organization from conducting important business and force it to undertake drastic measures to restore these activities.

Phases of Social Engineering attack:

Some of the phases involved in a social engineering attack are as follows:

1. Research and Reconnaissance

This is the first stage of the social engineering attack. During this phase, an attacker chooses his target and studies various exploitation methods. This phase usually entails the adversary conducting research on the organization in order to gain a better understanding of its structure, operations, and infiltration methods. If the target is a person, the attacker can use a variety of methods to gather information about him, such as looking at his social media profiles to learn about his background and interests. The data gathered during this phase aids the attacker in devising an attack strategy.

2. Engagement

The attacker now interacts with the target in order to build a trust connection and deliver his payload after gathering the essential information about the target and devising an attack strategy.

3. Attack

If the reconnaissance and engagement phases go as planned, the attacker will achieve his goal and successfully launch his attack. This can take the form of an attacker gaining access to a company’s computer system, obtaining the victim’s bank account information, stealing sensitive data, and so on.

4. Closure and Covering the Tracks

One of the attacker’s goals is to carry out his attack as quietly as possible while avoiding detection mechanisms. After successfully carrying out the attack, the attacker proceeds to cover the trails of his malicious activities and concludes the attack.

Common Attack Types

Social engineering can be carried out using various communication media such as emails, text messages, and phone calls, or it can be carried out physically such as by leaving a USB containing malware in the parking lot of some company. Some of the most popular types of social engineering attacks are discussed in this section:

Phishing

Phishing is one of the most popular and most commonly used types of social engineering attacks. A phishing attack is carried out through the use of maliciously crafted email, SMS, phone calls, etc. in order to get the victim’s attention and inspire him to perform an action. The most common form of phishing attack is to embed a link in an email and get the victim to click the link in order to redirect him to the attacker’s website that contains the malware.

Let’s suppose an attacker sends out an email to the victim and makes it appear like came from the user’s bank. In the received email, he may be asked to click on a link to provide the bank with some important details. Now as soon as the user clicks the link, he is redirected to the attacker’s website which looks very similar to the bank’s original website. When the user tries to log in, his or her entered credentials are stolen by the attacker. The user may now be redirected to the original website and won’t even know that his credentials have been stolen.

In a phishing attack, the attacker’s goal is to make the email or message appear to be from a genuine source and to generate a sense of urgency in the victim so that he feels obligated to act. The success of a phishing attempt is determined by how skillfully the message is structured so that the recipient does not doubt the message’s authenticity.

The main forms of phishing attacks are as follows:

Spear Phishing: Spear phishing is a targeted attack that is designed for a specific individual or group of people.

Vishing: Vishing is a form of a phishing attack that is carried out over a phone call.

Whaling: A whaling attack is used to target the big fish in an organization e.g. CEO(Chief Executive Officer), COO (Chief Operating Officer), CFO (Chief Financial Officer), or the CSO (Chief Security Officer). The purpose of targeting the higher management is that they have access to some of the most sensitive data related to an organization.

Baiting

Baiting is a type of social engineering attack that draws the victim’s attention by tempting him with a desirable offer such as free movies, phones, or games, or by taking advantage of his curious nature. The purpose of this attack is to obtain important/sensitive information about the victim or to implant malware onto his system.

One of the most common forms of a baiting attack is dropping a USB containing malware in a place where it is noticeable such as the parking lot of a company or an elevator. The victim picks it up and plugs the USB into his system in order to view its contents. As soon as the victim plugs the USB into his system, the malware gets installed providing the attacker privileged access to the victim’s PC.

Quid Pro Quo

Quid Pro quo is a type of social engineering attack in which an attacker requests the exchange of some important/sensitive information from the victim under the pretext of providing some service.

For example, an attacker attempts to call multiple people in a company pretending to be an IT support representative and offers to help with some technical issue. If the victim agrees, he then asks for his credentials in order to resolve the issue.

Pretexting

Pretexting is the form of social engineering attack in which an attacker tries to elicit valuable information from the victim under the pretense of someone important. The goal of this attack is to force the victim to reveal confidential/sensitive information by making it appear that this information is needed for some urgent/important matter.

For example, an attacker calls the victim and pretends to be some official from the victim’s bank. He then creates a false story about online banking user accounts being updated. He then asks the user for his account details and assures him that these details are needed so that the user can continue to use online banking services without any problems.

Scareware

Scareware is a form of social engineering attack in which an attacker causes a sense of alarm or instills fear in the victim that a threat is affecting their system. The attacker thus forces the victim to visit the malicious website/link or download some software(malware) in order to remove the threat.

The most common form of these attacks is ads or notifications popping up in the user’s browser that alerts the user that his computer is infected with a virus. These alerts can fool the victim by forcing him to visit the website or download the software and provides the attacker access to the user’s system.

How to prevent Social Engineering Attacks

Social engineering attacks tend to exploit human weaknesses to gain sensitive information. In order to effectively defend against these attacks, you can use a combination of security controls that not only reduce human errors but also detect and prevent them. Some of the prevention techniques are given below:

Security Awareness training programs

In order to deal with social engineering attacks, a company must develop and conduct security awareness training programs on a regular basis. These programs are designed to educate people on attacker techniques, help them in taking proper action if they notice something suspicious, and teach them to perform their job duties in a secure manner. The following are some of the important elements that these programs should cover:

  1. Do not open any HTML links in the email or that have been sent to you through any other media. Instead, type them manually in your browser.
  2. Be skeptical of any emails/messages/calls that are asking you to perform some action urgently or pressing you to reveal some sensitive information. Instead, call the legitimate company to verify the authenticity of the message.
  3. Do not reveal your passwords, pins, OTP, social security number, credit/debit card details, and other sensitive information to any individual over the phone, email, or any other medium.
  4. Verify the legitimacy of different websites by reviewing the address bar. Look for misspellings or improper domain names.
  5. If you are entering any sensitive information on the website such as financial information or account credentials, make sure that the connection is set up over TLS (Transport Layer Security). You can verify this by checking for https:// in the address bar.
  6. Use passwords that are difficult to guess and are not based on the information that can be easily discovered from your digital footprint.

Enforce Multi-factor Authentication

In order to protect the user credentials from being compromised, enforce multifactor authentication across your enterprise. Multifactor authentication requires the user to provide more than one credential as proof of his identity for successful authentication.

Employ email security solutions

Email security solutions are used to protect organizations from phishing attacks and other threats that leverage emails. Employ email security solutions in your organization in order to block suspicious emails and their attachments, and prevent them from reaching user inboxes.

Employ the latest Antivirus solutions

Employ Antivirus solutions on each endpoint and make sure they are updated to the latest version in order to block the malware and prevent its execution.

Employ IDS/IPS in your network

Employ intrusion detection or intrusion prevention systems in your network in order to detect and block malicious network traffic or requests. These systems can also prevent the exfiltration of sensitive data from your network.

Whitelist websites

If possible, construct a whitelist of permitted websites that users can browse, and any requests to websites that are not on the lists should be denied. Although this strategy is not completely foolproof, and persistent hackers can find ways to circumvent the filters, it can give some protection when used in conjunction with other security measures.

Implement Separation of Duties for critical operations

Implement the separation of duties principle for critical business functions such as financial transactions so that a single employee doesn’t have the sole authority to complete these operations. Employing this principle will reduce the chances of multiple users becoming a victim of social engineering attacks.

Leverage Threat Intelligence and Threat Hunting

Leverage threat intelligence from reputable sources to assist you in profiling threat actors, learning the newest tactics/techniques they use for malware infiltration, and understanding the various types of malware they employ. Employ threat hunting methodologies to proactively defend and safeguard your organization against threats that could damage its security.

Employ Zero Trust Architecture

Employ Zero trust architecture to limit user access privileges, protect the organization’s resources from unauthorized access and prevent lateral movement of the attacker within your network.

Do you want to get practical skills to work in cybersecurity or advance your career? Enrol in MCSI Bootcamps!