What is Social Engineering?
The art of psychologically manipulating people so that they give up confidential/sensitive information is known as social engineering. These are non-technical attacks, which rely on fooling people into deviating from regular security procedures. People engaging in this criminal act either target individuals for things such as bank information and passwords, or they might target the employees of entire organizations for sensitive corporate information, which they can then use to make a lot of quick money in the market.The use of social engineering has increased drastically, because it is much more difficult to hack into someone’s software/password than it is to win their trust and exploit them to gain information that is wanted. No matter how technically sound the security chain might be, information is always susceptible to attack if the people involved with the information are vulnerable. The key to protecting oneself from such fraud is to develop a good sense of who and what to trust. The various types of social engineering that one can be targeted with are based on common attributes of the human thought process while making decisions. The various biases that a human may have towards a person or a situation are exploited in an endless list of combinations, some of which we will look at below.
Types of Social Engineering
Pretexting: This is one of the most common threats of social engineering, in which conmen create an imaginary scenario to interact with the targeted person in such a way that the person would voluntarily give out information or perform certain actions, which he/she would not do in ordinary circumstances. This technique is carried out by first finding out information about the targeted person or organization through documents such as discarded bank/financial statements, which is then used to convince the target that the conman has a sense of authority.
This technique can also be used by impersonating people like the police, tax officials, or insurance investigators, who in the mind of the victim have a right to know about the information. The conman simply does a little research to satisfactorily answer questions asked by the victims, behaves earnestly and authoritatively, and extracts information with quick thinking and manipulation of the situation.
Baiting: This technique uses the greed or curiosity of the target. Usually, the criminal uses some form of physical media like a CD or pen drive, which is given a legitimate but interesting label. It is then purposely left in a place like a restroom or elevator, where it is sure to be found by someone. When any person finds the CD, he/she is expected to get curious about the label and the data that it contains. However, on inserting the CD into a computer, they unknowingly install malware into the system, which could give the attacker unrestricted access, not only to that computer, but also to the company’s internal network.
Tailgating: In this method, the attacker’s intention is to gain entry into a restricted area of large organizations. If the area is guarded by electronic access systems, like electronic employee ID cards, the attacker just walks behind a legitimate employee having access to the area. Usually, the real employee will hold the door open for the attacker as courtesy, as he/she may think that the attacker is a part of the organization. They might forget to ask the attacker for identification, or may assume that he has misplaced his ID. The attacker might also display a fake ID, giving him access to any place that he may want to go.
Quid Pro Quo: In this technique, the attacker randomly calls telephone numbers at the targeted company, posing as a member of the technical assistance staff, and asking if there is any problem with the computer systems. Eventually, the attacker will find someone having a genuine problem, and will help solve the issue, all the while getting the distressed employee to unknowingly type in commands which will give the attacker access to the network, or put in a malware in the computer.
Phishing: This is another popular method used by criminals to fraudulently obtain private information about a person. The scam is run by either sending an email or making a phone call to the target. The email/phone call is designed to appear like legitimate correspondence from real businesses, like banks or credit card companies. If such an email is received, it will have links to a webpage with seemingly legit logos and company content, and a form which will request all kinds of details, such as PIN numbers or addresses, for alleged verification purposes.
In phone calls, a bogus interactive voice response (IVR) system prompts the target to call a supposed bank number, where a lot of information is asked for verification purposes. These systems work by appearing to reject login IDs and passwords entered by the victim, so that the information is entered multiple times. Some systems even transfer your call to the attacker, who gains information by acting as a representative from the customer service department.
Social Engineering Examples
Example 1: In 2011, a security company ironically had a breach in their security system, which the attacker accessed using social engineering. Over a couple of days, two phishing emails were sent to low-level employees of the firm. The subject of these emails was ‘2011 recruitment plan’. Eventually, one curious employee opened the excel attachment, which contained a malware, giving access to the attacker by a loophole in Adobe Flash software. The breach cost the company over USD 60 million.
Example 2: In 2013, a Chinese cyber-espionage group named ‘Hidden Lynx’ made several attacks on the digital code signing certificates of security companies. The group infected sites, which were accessed regularly by the target companies with malware, and gained access to the company network and networks of some of their clients.
Example 3: A bank in Belgium was robbed of diamonds and other gems worth over 21 million Euros in 2007 by a mysterious man, who is still at large. But what set this robbery apart from the others was that, the thief used only his charm and wit to do the job, despite the bank’s great security system. He visited the bank during business hours, became very friendly with the staff, brought them small gifts like chocolates, all the while making copies of the keys and finding information on where the jewels were. Finally, when the theft was found out, the employees could not believe that such a nice man could do such a terrible thing.
Social engineering attacks prey on the nature of humans to be helpful and trusting, and many individuals are unaware of how these attacks look like. Even if the employees of a company are trained to spot such frauds, third-party contacts can still compromise security. Therefore, such attacks are difficult to prevent completely. However, in order to make it difficult for social engineers and discourage them from attacking, some preventive measures need to be taken.
Measures to Prevent Social Engineering Attacks
-It is important to assess how much knowledge an individual or employees of the organization have about security, so that adequate training can be imparted to fill in the gaps in their knowledge.
-Training should be provided in small pieces rather than as a whole, so that it is easily understood.
-Using simulated attacks of likely fraudulent scenarios will help in identifying the signs of social engineering.
-Using advanced systems of security and different passwords for different accounts is very important.
-Regularly checking personal data, account details, and making requisite upgrades to security is very helpful.
-Keep security questions creative, and completely abstain from giving out personal information over the phone or email.
-Restrict information that can pass out of the organization, and never allow unauthorized guests to be unsupervised in areas with network access.
-Make sure that employees are trained to politely question people they don’t know, about their presence in the office premises, and ensure that regular sessions and talks about security issues are held, so the problem of social engineering is always fresh in the minds of the employees.
-Employees should be provided with an effective centralized system for reporting suspicious behavior, which will have a good chance of detecting social engineering patterns, and preventing disasters from taking place.
This list of preventive measures is by no means a complete one. However, it is hoped that the article has given you some food for thought. Social engineering attacks occur on a daily basis, and it is important that awareness is maintained, so that one does not give out information just because the attacker asked for it nicely.