By Mohamad Hafiz bin Rahman
Introduction
There are currently several definitions of social engineering, depending on which book you read or to whom you speak. Wikipedia describes it as “the psychological manipulation of people into performing actions or divulging confidential information.” The Oxford dictionary, in the context of information security, defines social engineering as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” Another definition is “the art of intentionally manipulating behaviour using specially crafted communication techniques” (Watson, G., Mason, A. G., & Ackroyd, R., 2014, Social Engineering Penetration Testing: Executing Social Engineering Pen Tests, Assessments and Defense, Amsterdam: Syngress, an imprint of Elsevier, p. 2). Social engineering is one of the biggest challenges facing network security because it exploits the natural human tendency to trust.
Social Engineering Life Cycle
Figure 1 displays the systematic four-step sequence of a social engineering attack, also called the attack cycle: information gathering, establishing a relationship, exploitation, and execution. For any given goal, a number of factors can cause the process to repeat some or all of the stages. The entire cycle, or individual steps within it, may repeat several times depending on the nature of the attack and the target, until the attacker is caught, is satisfied, or gives up.
- Information Gathering
Information gathering is the stage where the attacker or penetration tester starts, before any vulnerability is exploited. The attacker uses different sources and tools to collect information about the targeted victim and system before selecting an attack method.
- Establishing a Relationship
The second step is to establish a relationship with the victim. This is a critical point, as the quality of the relationship built by the attacker determines the level of cooperation and how far the target will go to help the attacker achieve the goal. According to the social engineering framework, three steps are undertaken as part of target selection before the target is contacted for the first time: identifying, gathering and preparation. This is a good reminder of how much effort and research goes into conceiving a social engineering attack. By the time first contact is made, the social engineer already knows the goal and has formulated a plan.
- Exploitation
After a relationship is established, exploitation can begin. Here different conditioning techniques are used to elicit the right type of emotions and bring the target to the right emotional level. Once the target is in that state, the social engineer starts drawing out details and exploits the established trust to make the target let data slip, such as passwords, e-mail credentials or banking information. This may be either the end of the attack or the start of the next stage.
- Execution
After the mission is accomplished, the social engineer covers up all tracks and evidence. The attacker also usually looks for a quick exit, often without the victim or company even knowing that their data has been compromised.
Types Of Social Engineering Attacks
Social engineering attacks can be classified into two categories: human-based and computer-based, as illustrated in Figure 2.
Social engineering attacks come in many different forms and can be carried out wherever human interaction is involved. Attackers regularly devise clever tactics to get people such as employees to reveal sensitive data, using psychological manipulation to play on a person’s emotions and feelings. Understanding the types of strategies used in social engineering gives a better chance of staying secure. The following are the five most common types of computer-based and human-based social engineering attacks.
- Vishing
Vishing, also known as voice phishing, is the illegal use of the telephone system to obtain personal and financial data for financial gain. The Macau Scam is an example of vishing in use. Attackers often also use the call to gather further identifying details about the target.
- Phishing
Phishing is a fraudulent attempt to steal sensitive information such as usernames, passwords and credit card details by posing in electronic communication as a trustworthy party. Usually carried out through spoofed e-mails or instant messages, it directs users to enter personal information on a fake website that looks like the real one. In another scenario, phishing is used as part of a larger attack, such as an advanced persistent threat (APT) campaign, to gain a foothold in corporate or government networks. In that case employees are compromised in order to bypass the security perimeter, spread malware within a closed environment or obtain privileged access to protected data.
- SMiShing
SMiShing is the use of mobile text messages (SMS) to manipulate victims into immediate action, such as downloading mobile malware, visiting a malicious website or calling a fraudulent phone number. SMiShing messages are typically designed to prompt action from the user, asking them to hand over personal identification data and account details. Fear- or greed-based wording is common, such as “imminent suspension of account,” “fraudulent activity identified on account” or some form of reward or sale.
- Impersonation
Impersonation is the practice of pretending to be another person in order to steal information or gain access to an individual, company or computer system. This type of social engineering plays on our natural tendency to believe people who claim to be in authority and to follow their instructions. It involves deliberately deceiving a victim in order to obtain data without the victim realising that a security breach has occurred.
- Tailgating and Piggybacking
Tailgating occurs when an intruder carries a false badge or follows an authorised person through a security door that has been opened. Smoking areas and emergency exits are convenient spots for tailgating.
Piggybacking is slightly different: the intruder has no badge but asks somebody to let him in, for example by claiming to have left his badge on his desk or at home. In either case, even with no badge visible, an authorised user holds the door open for him.
Social Engineering Prevention Action
Social engineers exploit human feelings such as curiosity or fear to carry out their schemes and lure victims into their traps. Therefore, be alert whenever an e-mail unsettles you, an offer on a website draws you in, or a piece of stray removable media tempts you. Staying alert will defend against most of the social engineering attacks in the digital realm.
When it comes to social engineering, the greatest threat to cybersecurity is human error. Many incidents occur because of employee mistakes. This is why firms should focus on educating and training employees to avoid social engineering and on raising awareness of the various types of attacks they are likely to face. Educate and train yourself, your associates and other employees, because it takes only one employee falling for a scam to put the whole business at risk.
The following tips can help improve vigilance in relation to social engineering hacks:
- Don’t open e-mails and attachments from suspicious sources – You do not need to reply to an e-mail if you do not know the sender. Even if you know the sender but are sceptical about the message, verify it through another channel, such as by telephone or directly on the service provider’s own site. Note that e-mail addresses are spoofed all the time, and intruders often send e-mails that appear to come from trusted sources.
- Use multifactor authentication – User credentials are among the most valuable pieces of information attackers search for. Multifactor authentication helps keep your account secure even if your password is phished or otherwise stolen.
- Be wary of tempting offers – If an offer sounds too attractive, think twice before accepting it as genuine. Researching the subject will quickly tell you whether you are dealing with a legitimate offer or a trap.
- Keep your antivirus/antimalware software up to date – Make sure automatic updates are enabled and that the latest signatures are downloaded daily. Check regularly that updates have been applied and scan the device for potential infections.
- Improve your emotional intelligence – Social engineers mostly aim at the emotional part of the human brain. They may try to send you on a guilt trip, make you feel nostalgic, or induce other negative feelings. It is striking how readily people open up to those who seem to offer emotional comfort.
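Several of the checks described under Phishing and SMiShing above, and the advice to verify a message through another channel because e-mail addresses are spoofed all the time, can be partly automated. The script below is an added example written for this article, not code from the original page or from any product. It parses a raw message with Python’s standard email library and flags failed or missing SPF/DKIM/DMARC results, a display name or Reply-To pointing at a different domain than the sender, links whose visible text shows one host while the href targets another, and the fear/greed phrases in LURE_TERMS. The two sample messages, the lure-term list and the example domains are constructed for illustration and are assumptions, not real traffic.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Fear/greed phrases typical of phishing and SMiShing lures (assumed list; extend as needed).
LURE_TERMS = ("suspend", "immediately", "unusual activity", "verify your account",
              "within 24 hours", "fraudulent", "prize", "reward")

# Link text that itself looks like a URL or hostname: capture the host it shows the reader.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host_of(url):
    return (urlparse(url).hostname or "").lower()


def analyze_message(raw: bytes) -> dict:
    """Return the sender domain, a list of phishing indicators and a score (their count)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Authentication-Results written by the receiving gateway: spoofed senders
    #    usually fail, or lack, SPF/DKIM/DMARC.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m is None:
            findings.append(f"no {mech} result recorded")
        elif m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")

    # 2. Header tricks: a display name that looks like another address, or a
    #    Reply-To that steers replies to a different domain.
    if "@" in display_name and display_name.rpartition("@")[2].lower() != from_domain:
        findings.append(f"display name claims {display_name} but sender is {from_addr}")
    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_domain = parseaddr(str(reply_to))[1].rpartition("@")[2].lower()
        if rt_domain != from_domain:
            findings.append(f"Reply-To domain {rt_domain} differs from From domain")

    # 3. Body: link text showing one host while the href points elsewhere; lure wording.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        extractor = _LinkExtractor()
        extractor.feed(text)
        for shown, href in extractor.links:
            m = URL_LIKE.match(shown)
            if m and m.group(1).lower() != _host_of(href):
                findings.append(f"link text {m.group(1)} hides target {_host_of(href)}")
    lures = [t for t in LURE_TERMS if t in text.lower()]
    if lures:
        findings.append("lure wording: " + ", ".join(lures))

    return {"from_domain": from_domain, "findings": findings, "score": len(findings)}


# Constructed sample messages (not real traffic): one lure, one legitimate notice.
PHISH = b"""\
From: "security@examplebank.com" <alerts@examp1ebank-support.net>
Reply-To: recover@mailbox-recovery.example
To: victim@example.org
Subject: Unusual activity - verify your account immediately
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examp1ebank-support.net; dkim=none; dmarc=fail header.from=examp1ebank-support.net
Content-Type: text/html; charset=utf-8

<html><body><p>We detected unusual activity. Your account will be suspended
within 24 hours unless you verify your account immediately.</p>
<a href="http://examp1ebank-support.net/login">https://www.examplebank.com/login</a>
</body></html>
"""

LEGIT = b"""\
From: Example Bank <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
Content-Type: text/plain; charset=utf-8

Your statement for last month is available in online banking.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze_message(raw))
```

Run it as a script to see both verdicts. A score of zero means none of these heuristics fired, not that the message is safe, and a failing SPF or DMARC result is only meaningful when the Authentication-Results header was added by your own mail gateway rather than supplied by the sender, so strip sender-supplied copies of that header at the perimeter before relying on it.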
Conclusion
Social engineering is a type of attack that exploits the psychological vulnerabilities of humans. It is formally said to have four phases: information gathering, establishing a relationship, exploitation and execution. However, social engineering is not limited to certain scenarios or any particular type of attack. Rather, it includes a variety of methods, strategies and approaches that can be used to manipulate people in an organization for instance to gain access to information or resources. Because the threat is so diverse, has no specific form and continues to evolve to adopt new tactics of exploitation, it poses a serious threat to operational security.
The challenge of social engineering can never be eliminated as long as humans play a role in an organization, because humans cannot be patched to make them safer. Technology may reduce the burden placed on people, but a balance must be struck so that there is no complete dependency on either humans or technology, since both have their own weaknesses. Moving forward, the best thing that can be done to combat social engineering attacks is to keep researching how organizations are being manipulated, in order to improve security practices and build innovations that increase security.