This is the art of impersonating as a trusted person, organization or group of people in order to obtain information which is valuable. Over the past years there has been a rise in cases which involve social engineering attacks. Social engineering attacks can be divided into several categories ranking them from the simplest form of social engineering to complex forms.
The COVID-19 pandemic gave the social engineering attackers greener grounds to carry out their social engineering attacks successfully since the lock down forced many of the employees to work from home. Hackers exploited this chance to carry out massive social engineering attacks on their victims. Below are some of the most common type of social engineering attacks.
Simple social engineering attacks
As the name states, simple social engineering is very simple to implement using readily available tools. This type of social engineering attacks exploit the fact that many systems users do no know how to distinguish between the authentic ways of operations of the system. Users will tend to trust any information regarding a service they use without first confirming if they are from the authentic source.
For example, when a user is requested by google to reset his/her password by providing their previous password.
Man in the middle attack (Pharming)
In these types of social engineering attacks, an attacker will place himself/herself in between the client and the legitimate service being offered online. In our previous tutorial we learnt about BeEF which is a common tool used in these social engineering attacks. These types of attacks are hard to be noticed by a user with no knowledge in cyber security.
Whenever the victim submits information to a website, it first goes through the hackers hands before being delivered to the legitimate website. In a case where there is weak encryption mechanism on the website, the hacker may manipulate the data to his/her advantage.
In these kind of social engineering attacks, the hacker disguises himself/herself as an a trusted person i.e. family or friend, in order to gather valuable information from his/her victim. These hacker later uses this information to exploit the victim.
Pretexting works as reconnaissance tool against the client. These type of social engineering attacks may take time to implement since they involve a lot of information gathering.
Social engineering attacks involving baiting take advantage of the curiosity of the victim. Hackers may present infected USB drives as gifts or place them in a way that the victim will come into contact with it.
These types of social engineering attacks are very dangerous since they can even compromise the most protected targets.
USB drives contain a payload which executes on connecting to a computer. This creates a connection back to the hackers computer and he can now be able to access files stored on the victim’s computer or even move on to compromise the whole network.
Phishing can be divided into several forms. These type of social engineering attacks involve stealing of user credit card details and login credentials to different online services of interest to the hacker. They are mostly used in e-mails and instant messages. Other types of phishing include;
- Whaling/ CEO fraud : Whaling social engineering attacks targets individuals of high profile in the victim organization. Hackers targets the CEO s of the organization. This type of attack involves a lot of prior information gathering in order to learn the individual of interest.
- Spear phishing : Spear phishing is a type of social engineering attack which targets individuals in specific fields off professions. Spear phishing type of social engineering attacks involves sending an email with an attachment. The email always have a subject of interest to the victim hence opening it.
- Angler phishing : Angler phishing is relatively new type of social engineering attack. The hackers clone legitimate websites and use the social medias to send users links to fraudulent websites. Hackers also use notification feature found on social medias to gain access to victims’ social media accounts for their own benefit.
Smishing & Vishing
Smishing social engineering attacks involves using of SMS (Short Message Services) to send fraudulent links to the victim. The hacker may pose as a reputable company to ensure the success of the attack.
Hackers will most likely ask for some valuable information from the victim or provide links to fraudulent websites hence infecting the victim’s device with a malware. In the eastern countries, this kind of an attack is increasing on a daily basis.
Vishing social engineering attacks is the same as smishing except that in vishing, the main target is those people who use voicemail services. Hacker will pose as a trusted person or organization and try to get some valuable information from he target. Most of the time, the hackers will claim to be employee from the bank or from a government related agency and ask for clarification of your personal details.
On the internet we have websites with millions of website visitors daily, hackers will infect these websites with malicious payloads which affects the websites visitors. Social engineering attacks of these type usually take advantage of weak websites which can be used to spread a malware.
Click-baiting is common in water holing attacks. Hackers will infect a website with a pop up which has a luring message on it making the web user click on the fraudulent hyperlinks.
These attacks may look simple but over the years they have caused massive loss both to individuals and organizations which have fallen into their traps. Some of the ways to avoid being a victim of social engineering attacks include;
- Never open emails and attachments from suspicious sources – If you find a suspicious message, contact the sender to confirm the he/she is the one who sent them and if not delete and report the email as spam.
- Always have an antivirus software for your PC – Antivirus software have advanced in that they can be able to detect some of these attacks. Make sure you have a running antivirus program at any given time. Be sure to purchase the antivirus programs from a trusted or the official providers.
- Do not provide any personal information online – You should not provide any personal information online without first confirming the credibility of the request. Many of these social engineering attacks are successful just because the victim offered a benefit of doubt to the request.