We often hear the term "social engineering". It is a technique commonly used by attackers to spread malware or steal sensitive data from their victims. What is social engineering actually? How do attackers use it for malicious purposes, and how can we safeguard ourselves? In this article we discuss exactly that.
What is Social Engineering?
Sometimes we think in ways that deviate from rational judgment. These patterns are called cognitive biases, and attackers deliberately exploit them when perpetrating cyber crimes. Social engineering is a technique that targets these cognitive biases of ordinary people.
Social engineering refers to the psychological manipulation of people in order to deceive them into performing harmful actions, such as installing malware or divulging sensitive information, that they would otherwise not do.
Types of Social Engineering
There are several types of social engineering.
Pretexting
In pretexting, criminals invent a plausible scenario (the pretext) to convince a user to divulge sensitive information or perform other actions that serve the attacker's purposes. Attackers typically research the target first and use the gathered details to impersonate a legitimate authority convincingly. A good example is impersonating a tax authority to trick a victim into divulging sensitive information. Another is impersonating a coworker who has an urgent problem and needs access to additional network resources.
Baiting
Baiting is the real-world equivalent of a Trojan horse. Attackers use physical media to lure victims, exploiting their curiosity or greed. A classic example is leaving malware-infected USB drives in public places and waiting. If a victim picks one up out of curiosity and plugs it into a computer, the computer is infected with malware and the attacker gains access to it.
Quid Pro Quo
In this technique, attackers lure victims into divulging sensitive information in return for something of very little value. A well-known example is offering ice cream or chocolates to young people to get them to divulge their passwords.
Scareware
Scareware involves frightening the victim into believing that his computer has a technical problem or a malware infection that needs immediate removal. Attackers often use this technique to trick users into installing rogue anti-malware software, which itself installs malware on the computer.
Phishing
Phishing is a technique widely used by attackers to deceive victims into divulging sensitive information or installing malware on their computers. The attacker typically sends an email purporting to come from a legitimate authority and asks the recipient to verify some details by clicking a link or opening a malicious attachment. Attackers typically use threats and create a sense of urgency so that worried users act without thinking and fall victim.
Vishing
In this technique, attackers use a rogue Interactive Voice Response (IVR) system to recreate a legitimate-sounding copy of a bank's or other organisation's phone system and use it for phishing over the phone. Attackers often send victims a legitimate-looking number to call to "verify some details"; when victims call, they are deceived into divulging passwords, PINs or other sensitive information. In some cases the rogue IVR asks victims to log in and then rejects the credentials repeatedly, so that victims type their credentials several times or are tricked into entering multiple passwords.
Techniques used in Social Engineering
Attackers use several methods to deliver social engineering attacks, most commonly over email.
Email from a friend
Attackers can spoof the email address of a friend or relative and send a phishing email to the victim. Because the message appears to come from a known address, it becomes much harder for the victim to recognise the scam.
Containing a link
Attackers often send emails containing a link to a malicious website. The website may spread malware, or it may be a clone of a legitimate website that the attackers use to trick users into divulging sensitive information.
Containing an attachment
Attackers often send an email asking the victim to verify some details by opening an attachment; when the attachment is opened, the computer is infected with malware.
Urgently asking for help
Attackers can send emails urgently asking for help. They describe an invented emergency and ask the victim to send money to the sender.
Asking for donation
Attackers may send emails soliciting donations for a fictitious charitable fundraiser and instruct the victim how to send money.
Asking to verify some information
Attackers may send a malicious attachment and trick the user into opening it by asking them to verify some information. The email often creates a sense of urgency to increase the probability that the victim opens the attachment.
Notifying you are a winner
Attackers may send an email claiming to be from a lottery, the estate of a dead relative, or some other wealthy person who wants to transfer money into the victim's bank account, and thereby trick the victim into clicking a link or attachment or divulging sensitive personal information.
Example of Social Engineering
Amazon Phishing Scam
This scam appeared in January 2017. The victim typically receives an SMS like the one below:
Order Confirmation (#101-2341765-1192723)
Order total: 70$
If you did not authorize this purchase, click http://bit.ly/amazon-refund to Cancel and Refund.
As usual, the link points to a fraudulent website that looks almost identical to the Amazon website and asks the victim for login credentials. The fake site even asks the victim to enter credit card numbers. Naturally, on providing such details, the victim's Amazon account as well as financial details are compromised.
However, a careful look reveals some pointers that indicate the SMS is not legitimate:
The amount should have been written as $70, not 70$. A legitimate communication from Amazon would not contain this mistake.
It is unlikely that Amazon would send a link through a URL-shortening service such as bit.ly, which hides the real destination from the reader.
This is a good example of a scam using social engineering. If a user receives such an unexpected text, the best response is not to visit the provided link but to log in to the legitimate Amazon website directly and check the active orders. The user can also call Amazon customer care to clarify.
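To make those red flags concrete, here is an added Python example (not part of the original article) that scans a message for the indicators this scam exhibits: a link through a URL-shortening service, a link whose host does not belong to the claimed sender, the "70$" currency style, and urgency wording. The scam SMS is the one quoted above; the two other messages, the shortener list and the ".example" domains are constructed for this example. The code never follows the link, which is the point: a shortened URL tells you nothing about where it really goes.

```python
import re
from urllib.parse import urlparse

# Hosts of common URL-shortening services (list assumed for the example).
# A shortened link hides its real destination, which is what the scam relies on.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Wording that manufactures urgency or fear, as described in the article.
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended",
                 "cancel", "refund", "verify")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# "70$" (currency sign after the amount) instead of the correct "$70".
TRAILING_CURRENCY_RE = re.compile(r"\b\d+(?:\.\d{2})?\s?\$")

# The SMS quoted in the article.
SCAM_SMS = """Order Confirmation (#101-2341765-1192723)
Order total: 70$
If you did not authorize this purchase, click http://bit.ly/amazon-refund to Cancel and Refund."""

# Constructed for this example: what a sane notice would look like.
LEGIT_SMS = """Order Confirmation (#101-2341765-1192723)
Order total: $70
View your order at https://www.amazon.com/"""

# Constructed for this example: a look-alike domain on the reserved .example TLD.
LOOKALIKE_SMS = """Order total: $70
If you did not authorize this purchase, cancel at http://amazon-refund.example/"""


def extract_urls(text):
    """Return every http(s) URL found in the text."""
    return URL_RE.findall(text)


def host_of(url):
    """Lower-cased host name of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def red_flags(message, expected_domains):
    """List human-readable red flags found in a message.

    expected_domains: domains the claimed sender would legitimately link to,
    e.g. ("amazon.com",). A link host counts as legitimate only if it is one
    of those domains or a subdomain of one.
    """
    flags = []
    for url in extract_urls(message):
        host = host_of(url)
        if host in SHORTENER_HOSTS:
            flags.append(f"shortened link hides its destination: {url}")
        elif not any(host == d or host.endswith("." + d) for d in expected_domains):
            flags.append(f"link host {host} does not belong to the claimed sender")
    if TRAILING_CURRENCY_RE.search(message):
        flags.append("amount written in '70$' style; a real notice writes '$70'")
    lowered = message.lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if len(hits) >= 2:  # one such word is normal English; several is pressure
        flags.append("urgency language: " + ", ".join(hits))
    return flags


if __name__ == "__main__":
    for name, sms in (("scam", SCAM_SMS), ("legit", LEGIT_SMS), ("lookalike", LOOKALIKE_SMS)):
        print(name, red_flags(sms, ("amazon.com",)) or ["no red flags"])
```

Such a check can only flag the crude mistakes the article points out; a better-crafted message with a correct amount and a look-alike domain would still need the human step of ignoring the link and checking the account directly.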
Social Engineering Prevention
We can always take a few steps to protect ourselves better:
If an email creates a sense of urgency to click a link, open an attachment or reveal sensitive information, slow down and think twice before doing anything the sender wants you to do.
If an email looks suspicious, spend some time researching the facts. A few simple Google searches often go a long way towards preventing problems.
Delete emails that ask you to divulge credentials or other sensitive information; legitimate organisations do not ask for passwords by email, so such requests are scams.
Reject requests for help that arrive by email from unknown people.
Do not click any link in a suspicious email from an unknown sender.
Do not open attachments in emails from unknown senders.
Email spoofing is widely used by attackers to trick victims. So if you receive an email that shows a friend's or relative's address in the sender field but otherwise looks suspicious, do not click any link in it or open any attachment. The displayed sender address is trivial to forge; only the SPF, DKIM and DMARC results that your own mail provider records in the message headers say anything about whether the message really came from that domain.
If you receive an email offering a foreign lottery or sweepstakes win, money from an unknown person or funds from a foreign country in return for personal information, delete it immediately.
If an email looks suspicious, confirm with the sender through another channel, such as a phone call, before responding. It is better to be safe than sorry.
If you think an email is spam, mark it as such in your spam filter. Spam filters often use machine learning to detect spam, and marking an email as spam helps the filter learn and detect future spam better.
Last but not least, keep your operating system, browser and other commonly used software updated with the latest security patches. Configure a proper firewall. Use anti-malware solutions from trusted sources and keep them updated regularly.
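The advice about spoofed sender addresses (the "email from a friend" technique above) can be checked mechanically. The following is an added example, not from the original article, that parses the headers of a received message with Python's standard email module and reports two things: whether the envelope sender domain (Return-Path) differs from the From domain, and whether the receiving mail server's SPF, DKIM and DMARC verdicts, recorded in the Authentication-Results header, are anything other than pass. Both sample messages, their addresses and the server name mx.example.net are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From header shows a friend's address, but the
# receiving server recorded SPF and DMARC failures and the envelope sender
# is a completely different domain.
SPOOFED_MAIL = """\
Return-Path: <bounce@mailer.example>
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=mailer.example;
 dkim=none;
 dmarc=fail header.from=friend.example
From: "Alice" <alice@friend.example>
To: bob@example.net
Subject: Urgent: I need your help
Content-Type: text/plain

Bob, I'm stuck abroad, please wire money to ...
"""

# Constructed sample: the same friend, but everything lines up.
LEGIT_MAIL = """\
Return-Path: <alice@friend.example>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=friend.example;
 dkim=pass header.d=friend.example;
 dmarc=pass header.from=friend.example
From: "Alice" <alice@friend.example>
To: bob@example.net
Subject: Lunch on Friday?
Content-Type: text/plain

See you at noon.
"""

# Picks "spf=pass", "dkim=fail", "dmarc=none", ... out of Authentication-Results.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def domain_of(addr):
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoofing_indicators(raw_message):
    """Return a list of indicators that the visible sender may be forged.

    An empty list means the envelope sender matches the From domain and all
    three authentication mechanisms passed at the receiving server.
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    # Folded header lines are joined here; several headers are concatenated.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(AUTH_RE.findall(auth.lower()))

    indicators = []
    if return_path and domain_of(return_path) != domain_of(from_addr):
        indicators.append(
            f"envelope sender domain {domain_of(return_path)} differs "
            f"from From domain {domain_of(from_addr)}")
    for mech in ("spf", "dkim", "dmarc"):
        verdict = results.get(mech, "missing")
        if verdict != "pass":
            indicators.append(f"{mech}={verdict}")
    return indicators


if __name__ == "__main__":
    print("spoofed:", spoofing_indicators(SPOOFED_MAIL))
    print("legit:  ", spoofing_indicators(LEGIT_MAIL))
```

A Return-Path mismatch on its own is not proof of spoofing (mailing lists and bulk senders do this legitimately), but a failed or missing DMARC result for the From domain combined with an urgent request for money is exactly the pattern the article describes. Only trust an Authentication-Results header that carries your own mail server's name: a sender can insert a forged one, which is why receiving servers are expected to strip such headers from incoming mail before adding their own.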