October 06, 2023
Social engineering is a broad set of approaches and techniques for influencing the opinions and actions of others, whether individual people or whole crowds. These methods typically draw attention to a problem and then present the thing being pushed as the solution to it. Thanks to the spread of modern communication channels, running a social engineering campaign has become trivial: it can be done in messengers, on social networks, via email, or even by phone. In that sense, social engineering is a particular form of direct advertising.
In cybersecurity, social engineering plays a major role in malware distribution. Its universality lets attackers use it both in targeted attacks on corporations and in mass spam campaigns against individuals, and the sheer variety of techniques makes it effective in very different environments. It is also relatively easy to apply: all the attacker needs is a text that motivates or even forces the victim to react. No complicated software, no reliance on chance events; that is what makes it attractive to every category of cybercriminal.
How does Social Engineering work?
This article reviews the social engineering methods used in cyberattacks. Many other variants exist, but they are mostly similar, and the main differences lie in how they are applied. As mentioned above, cybercrime built on social engineering may be carried out by email or by messages on various communication channels (messengers, forums, in-game chats). One of the most common goals is to make people trust the attacker and do what they say. That is not instant; it can take days or even weeks. But the time is worth spending when the target is a large audience. Obviously, the more trust the attacker gains, the higher the chance that people will take the bait. However, the more people they try to fool, the more time they need.
Email spoofing takes far less effort to make someone believe you. There is no direct contact; all the attacker has to do is disguise the message as one from a legitimate sender. Some analysts even separate spoofing from social engineering because it is so simple. All other practices require considerably more work. Let's look at several social engineering examples that took place in real life.
Examples of Social Engineering Attacks:
1. Phishing
The most pervasive way of leveraging social engineering tactics: attackers use deceptive emails, websites, and text messages to steal sensitive personal or organizational information from unsuspecting victims.
2. Spear Phishing
This email scam is used to carry out targeted attacks against individuals or businesses. Spear phishing is more intricate than your average mass phishing email, requiring in-depth research on potential targets and their organizations.
We have mentioned email spoofing as an example of elementary social engineering. However, much more sophisticated cases have occurred in various cyberattacks. When infecting a company through a spoofed email, the attacker has to do a lot of work to make the reader believe that both the message and the sender are legitimate. For example, the crook may pose as an authorized distributor of a certain company and offer to sign a contract with you. In the end, you receive a file with the "contract terms and details": a Word document or Excel workbook that contains a macro. Macros are among the most exploited elements of Microsoft Office. The attackers place a malware-downloading script in the macro; as soon as you open the file and allow macros, your PC becomes infected.
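The macro-laden "contract" described above is detectable before anyone opens it, because modern Office files (docx/xlsx/pptx) are zip containers in which a VBA project is stored as a `vbaProject.bin` part and declared in `[Content_Types].xml`. The following Python is an added example written for this article, not code from the original post: it inspects a document's bytes for those indicators and flags a mail-gateway red flag the article implies, a file whose extension (`.docx`) claims "no macros" while the container carries a VBA project. The sample documents it builds are constructed in memory and contain only a placeholder blob, not real VBA.

```python
import io
import os
import zipfile

# Content type that Office declares for a VBA project part inside the package.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# File extensions that legitimately carry macros; anything else with a VBA part is suspicious.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def macro_indicators(data: bytes) -> dict:
    """Inspect OOXML bytes and report whether a VBA project is present.

    Legacy OLE2 files (.doc/.xls) are not zip containers and are reported as not OOXML;
    they would need a different parser (e.g. oletools), which this example does not cover.
    """
    result = {"is_ooxml": False, "vba_parts": [], "content_type_declares_vba": False, "has_macros": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    # Word, Excel and PowerPoint store the project under word/, xl/ or ppt/ respectively.
    result["vba_parts"] = sorted(n for n in names if n.endswith("/vbaProject.bin"))
    content_types = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
    result["content_type_declares_vba"] = VBA_CONTENT_TYPE in content_types
    result["has_macros"] = bool(result["vba_parts"]) or result["content_type_declares_vba"]
    return result


def triage_attachment(filename: str, data: bytes) -> str:
    """Return a verdict string for an attachment: clean, macro-enabled, macro-extension-mismatch or not-ooxml."""
    indicators = macro_indicators(data)
    if not indicators["is_ooxml"]:
        return "not-ooxml"
    ext = os.path.splitext(filename)[1].lower()
    if indicators["has_macros"] and ext not in MACRO_EXTENSIONS:
        # A .docx/.xlsx that carries VBA was very likely renamed to look harmless.
        return "macro-extension-mismatch"
    if indicators["has_macros"]:
        return "macro-enabled"
    return "clean"


def build_sample(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML-like package for demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ('<Override PartName="/word/document.xml" ContentType="application/vnd.'
                     'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            # Placeholder bytes standing in for a compiled VBA project (constructed, not real VBA).
            zf.writestr("word/vbaProject.bin", b"PLACEHOLDER-VBA-PROJECT")
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    f'package/2006/content-types">{overrides}</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("contract.docx", build_sample(True)),
                       ("contract.docm", build_sample(True)),
                       ("contract.docx", build_sample(False)),
                       ("contract.doc", b"not a zip container")]:
        print(f"{name}: {triage_attachment(name, blob)}")
```

Run as a script it prints one verdict per sample. In a gateway you would quarantine both `macro-enabled` and `macro-extension-mismatch` results from external senders rather than rely on the user declining the "Enable content" prompt.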
3. Baiting
This type of attack can be carried out online or in a physical environment. The attacker usually promises the victim a reward in exchange for sensitive information or for knowledge of its whereabouts.
In a category of ransomware attacks, victims are sent an urgently-worded message and tricked into installing malware on their device(s). Ironically, a popular tactic is telling the victim that malware has already been installed on their computer and that the sender will remove the software if they pay a fee.
For example, Discord has become a meeting place for many categories of people, but the majority of its audience is gamers and programmers. Users join channels to ask questions in both fields: how to set something up, how to pass a level, which framework is best. These topics are typical for that platform, and the answers often involve special applications.
That is exactly the main attack surface. An attacker can slip malware in place of the promised program and infect many users with a single message, and social engineering is what makes everyone believe the file is trustworthy. A group of crooks did exactly that in February 2021. A chain of chats was attacked from accounts that had been present for several months and were considered reliable and legitimate. Similar attacks happened both earlier and later, but never on such a scale. That case led to the appearance of the term "Discord virus".
5. Pretexting
This attack involves the perpetrator assuming a false identity to trick victims into giving up information. Pretexting is often used against organizations that hold a lot of client data, such as banks, credit card providers, and utility companies.
6. Quid Pro Quo
This attack centers on an exchange of information or a service to convince the victim to act. Typically, the cybercriminals behind these schemes do little target research; they simply offer "assistance" while posing as, for example, tech support professionals.
This attack targets individuals who can give the criminal physical access to a secure building or area. These scams are often successful due to a victim’s misguided courtesy, such as if they hold the door open for an unfamiliar “employee.”
8. Vishing
In this scenario, cybercriminals leave urgent voicemails to convince victims they must act quickly to avoid arrest or some other threat. Banks, government agencies, and law enforcement are the personas most commonly impersonated in vishing scams.
This attack uses advanced social engineering techniques to infect a website and its visitors with malware. The infection is usually spread through a site specific to the victims' industry, like a popular website that’s visited regularly.
10. Phone Calls
You have likely heard of the movie The Wolf of Wall Street. It shows what social engineering over the phone looks like: a victim receives a call and is persuaded to buy something or hand money to the caller. In the era the film depicts (the '90s), phone sales were very effective. It is easy to convince an individual that you are an expert in a particular industry, especially when you use plenty of professional terms and speak confidently and consistently. Once the person believes in your professionalism, pushing them to do what you want is straightforward.
The most notable example of social engineering over the phone is the tech support scam. It emerged around 2021 and still exists in different forms today. It starts with a scary banner over your browser window saying that your PC is infected and that you must contact support. Alternatively, the banner may claim you committed an illegal act by watching porn or visiting forbidden websites. Either way, you are told to call the number shown on the banner.
On the phone, the fraudsters assure you that everything the banner said is true. They describe in detail how it supposedly happened and what catastrophic things will follow if you don't do as instructed. Install the "malware remover" (rogue software), transfer the "fine", or even hand over your complete personal information: a scared victim can be asked for anything.
Is Social Engineering Illegal?
After the paragraphs above, you might think that social engineering is the preserve of cybercriminals and scammers. However, the real essence of this technique is simply the art of suggestion. In some cases, it can serve benevolent purposes, for example to dissuade people from unlawful actions or from doing drugs. Religions are a good example of benevolent social engineering: a priest urges the congregation to act as God commands, which in practice means living decently, so religion guides the parish along the right path.
Nonetheless, it is a double-edged sword. Although it originated as something benevolent, it has found application in many questionable and often outright malicious situations. You will not be punished for social engineering as such, but you will likely face legal action for fraud if you use it to deceive someone. That, however, does not stop cybercriminals from using it wherever they can.
How to protect yourself?
That question has no single answer. Every person has their own level of gullibility, so everyone will have their own way of recognizing a deception attempt. That is why we limit ourselves to the most basic advice.
- Never skip checking the alternatives. Even when someone offers you a very effective way of solving a problem, it is a good idea to review that option and look for several others. Reviewing the offered one may well uncover the fraud.
- Never trust offered applications blindly. On the online communication platforms mentioned above, people may offer their self-made apps. Since even legitimate ones can trigger anti-malware programs, the advice to ignore or disable the antivirus does not sound threatening. Nonetheless, it is still important to make sure the app is actually safe.
- Think rationally. No one will give you free advice to invest in something or sell you the be-all-end-all product for nothing. Even if such offers may have been plausible a decade ago, they are not today, and they should raise even more suspicion when the offer promises unrealistic profit. If it sounds too good to be true, it probably is.
- Check the information about the person who made the offer. If all you have is a phone number, look it up; that may be enough to understand what to expect. The Internet makes it possible to check any number, and the more people have received calls from it, the better the chance of finding complete information about the caller and their intentions.
- Keep your antivirus/antimalware software updated – Make sure automatic updates are engaged, or make it a habit to download the latest signatures first thing each day. Periodically check to ensure the updates have been applied, and scan your system for possible infections.
3 Ways Organisations Prevent Social Engineering Attacks
The following measures can help preempt and prevent social engineering attacks against your organization:
1️⃣ Security awareness training
Security awareness education should be an ongoing activity at any company. Staff members may not be aware of the dangers of social engineering, or if they are, they may forget the details over time. Therefore, conducting and continuously refreshing security awareness among employees is the first line of defense against social engineering.
Employees at all levels of a company should be trained not to give out information by email or phone to "sales" decoys about which hardware, software, applications, and resources are in common use.
2️⃣ Antivirus and endpoint security tools
The primary measure is installing antivirus/antimalware and other endpoint security measures on user devices. Modern endpoint protection tools can identify and block obvious phishing messages or any message that links to malicious websites or IPs in threat intelligence databases. They can also intercept and stop malicious processes on a user’s device. While sophisticated attacks are designed to bypass or disable endpoint and AV agents, those attacks tend to leave other tell-tale signs of a successful attack.
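The blocking of phishing messages described in this paragraph, and the spoofed-sender case from earlier in the article, rest on a handful of checks a mail gateway or a SOC triage script can run on each message: does the display name imitate a known sender while the address domain differs, does Reply-To point somewhere other than the sender, did SPF/DKIM fail, and do any links point at hosts in a threat-intelligence list. The following Python is an added example for this article, not code from any specific endpoint product: the trusted-sender table, the blocklist and both sample messages are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed table: display names the organisation expects, and the domain they must come from.
TRUSTED_SENDERS = {"Acme Billing": "acme.example"}
# Constructed stand-in for a threat-intelligence blocklist of hosts/IPs seen in phishing.
BLOCKLIST = {"acme-invoice-login.example", "198.51.100.23"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage_email(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return a list of human-readable findings (empty = nothing suspicious)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display-name impersonation: known name, unexpected sending domain.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    expected = TRUSTED_SENDERS.get(name)
    if expected and from_domain != expected:
        findings.append(f"display name '{name}' belongs to {expected} but sender domain is {from_domain}")

    # 2. Reply-To redirection to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from sender domain {from_domain}")

    # 3. Authentication results recorded by the receiving MX (SPF/DKIM failures).
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed according to Authentication-Results")

    # 4. Links whose host appears on the blocklist.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in BLOCKLIST:
            findings.append(f"link to blocklisted host {host}")
    return findings


def _build(lines) -> bytes:
    return "\r\n".join(lines).encode("utf-8")


# Constructed phishing sample: imitates the billing sender, redirects replies, failed SPF, bad link.
PHISHING_SAMPLE = _build([
    'From: "Acme Billing" <billing@acme-invoice-login.example>',
    "Reply-To: collect@mailbox.example",
    "To: user@corp.example",
    "Subject: Invoice overdue - action required",
    "Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=acme-invoice-login.example",
    'Content-Type: text/plain; charset="utf-8"',
    "",
    "Please review http://acme-invoice-login.example/pay immediately.",
])

# Constructed legitimate sample from the real domain with passing authentication.
CLEAN_SAMPLE = _build([
    'From: "Acme Billing" <billing@acme.example>',
    "To: user@corp.example",
    "Subject: Your monthly invoice",
    "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example",
    'Content-Type: text/plain; charset="utf-8"',
    "",
    "Your invoice is available at https://acme.example/invoices/2023-10.",
])

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, "->", triage_email(sample) or ["no findings"])
```

The four checks are deliberately independent so that a message tripping any one of them can be quarantined or escalated; in practice the display-name table and the blocklist would be fed from the organisation's address book and its threat-intelligence subscription rather than hard-coded.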
3️⃣ Penetration testing
There are countless creative ways of penetrating an organization's defenses with social engineering. Engaging an ethical hacker to conduct penetration testing lets someone with an attacker's skill set identify and exploit weaknesses in your organization in a controlled way. When a penetration test succeeds in compromising sensitive systems, it shows which employees or processes need the most protection and which social engineering methods you are especially susceptible to.