Social engineering is the art of tricking people into revealing confidential information. The type of information the criminals seek varies depending on their goal. The idea behind social engineering is to take advantage of a victim’s natural tendencies and emotional reactions.
Criminals are usually trying to trick you into giving them your passwords or bank information, or into letting them access your computer so they can secretly install malicious software. That software then gives them access to your passwords and bank information as well as control over your computer.
To access a computer network, the typical hacker might look for a software vulnerability. A social engineer, though, could pose as a technical support person to trick an employee into revealing their login credentials.
Why use social engineering?
Criminals use social engineering tactics because it is usually easier to use your natural tendency to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password, unless the password is really weak.
Different types of social engineering attacks
Email from a friend
A criminal can hack or socially engineer one person’s email password, and in this way gain access to that person’s contact list. Moreover, because most people use one password everywhere, they probably have access to that person’s social networking contacts, too.
It’s in our nature to pay attention to messages from people we know. Some criminals try to take advantage of this by commandeering email accounts and spamming account contact lists.
If your friend sent you an email with the subject, “Check out this site I found, it’s totally cool,” you might not think twice before opening it. By taking over someone’s email account, a fraudster can make those on the contact list believe they’re receiving email from someone they know. The primary objectives include spreading malware and tricking people out of their data.
Once the criminal has access to that email account, they send emails to all the person’s contacts or leave messages on all their friends’ social pages.
Taking advantage of your trust and curiosity
Messages which take advantage of your trust will:
- Contain a link: Because the link comes from a friend and you’re curious about it, you’ll trust the link and click. Once you do this, you will be infected with malware, and the criminal can access your device, collect your contacts’ information and deceive them just as you were deceived.
- Contain a download: It contains a download of a picture, music, movie, document, etc., that has malicious software in it. Because you think it is from your friend, you are likely to download it, and by doing so you become infected. Now the criminal has access to your device, email account, social network accounts and contacts, and the attack spreads to everyone you know. The cycle repeats itself, and the result is a very large disaster.
Phishing email: email from another trusted source
Phishing attacks are one of the products of the social engineering strategy and a well-known way to grab information from an unwitting victim. They rely on a trusted-looking source and a seemingly logical scenario to obtain login credentials or other sensitive personal data. Despite its notoriety, phishing remains quite successful.
Using a pretext
Criminals make use of an interesting pretext in order to capture someone’s attention. Let’s say you received an email, naming you as the beneficiary of a will. The email requests your personal information to prove you’re the actual beneficiary and to speed the transfer of your inheritance.
Messages that make use of a pretext may:
- Ask for your help: For example, it may say that your friend has been robbed, beaten, and is in the hospital, and needs you to send money so they can get home; the message then tells you how to send the money, which goes to the criminal.
- Use phishing attempts which appear legitimate: Typically, a phisher sends an e-mail, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution.
- Ask you to donate to their charitable fundraiser: Sometimes phishers ask for aid or support for some disaster, political campaign, or charity.
- Present a problem that requires you to “verify” your information: Phishers do this so that you click the displayed link and enter information into their form. The linked page may look very legitimate, with all the right logos and content; in fact, the criminals may have copied the exact format and content of the legitimate site. Because everything looks legitimate, you trust the email and the site and readily provide whatever information is requested.
- Tell you that you are a winner: The email may claim to be from a lottery and ask you to click through to their site. In order to give you your prize, they require information about your bank account so they know how to send it to you, or they ask for your address and phone number so they can send the prize. You may also be asked to prove who you are, often by providing your social security number. Even if the pretext is thin, people want what is offered and fall for it by giving away their information, and then have their bank account emptied and their identity stolen.
- Pose as a boss or coworker: It may ask for an update on an important project your company is currently working on, or for payment information belonging to a company credit card.
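As an added example (not part of the original article), a small Python heuristic that flags the warning signs described above in a single e-mail: a Reply-To that routes answers to a different domain, a display name posing as a trusted company, link text that shows one domain while pointing at another, and urgency or “verify” language. The brand allow-list, the sample message and every address and domain in it are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: brand word as it appears in a display name -> its legitimate domain.
BRANDS = {"examplebank": "examplebank.com"}
URGENCY = ("verify", "urgent", "suspended", "immediately", "winner", "prize")
# Simplified anchor matcher (no full HTML parsing): captures href and visible text.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTNAME = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")

def _domain(s):
    """Last two labels of the host in a URL, e-mail address or bare domain, lowercased."""
    host = urlparse(s).hostname if "://" in s else s.rsplit("@", 1)[-1]
    return ".".join((host or "").lower().split(".")[-2:])

def phishing_flags(raw_message):
    """Return the social-engineering red flags found in one RFC 5322 message string."""
    msg = message_from_string(raw_message)
    flags = []
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(sender):  # replies are routed elsewhere
        flags.append(f"reply-to domain {_domain(reply_to)} differs from sender {_domain(sender)}")
    for brand, legit in BRANDS.items():  # display name poses as a trusted company
        if brand in name.lower().replace(" ", "") and _domain(sender) != legit:
            flags.append(f"display name '{name}' claims {legit} but sender is {_domain(sender)}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in ANCHOR.findall(body):  # visible link text vs. real target
        shown = HOSTNAME.search(re.sub(r"<[^>]+>", "", text).lower())
        if shown and _domain(shown.group(0)) != _domain(href):
            flags.append(f"link text shows {shown.group(0)} but points to {_domain(href)}")
    haystack = (body + " " + (msg.get("Subject") or "")).lower()
    hits = [w for w in URGENCY if w in haystack]
    if hits:
        flags.append("urgency/verification language: " + ", ".join(hits))
    return flags

# Constructed sample message; every address and domain here is made up.
SAMPLE = """From: ExampleBank Support <alerts@examplebank-secure.xyz>
Reply-To: help@mail-drop.example
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<p>Your account is suspended. Please visit
<a href="http://login.examplebank-secure.xyz/x">examplebank.com/verify</a> immediately.</p>
"""
```

Running `phishing_flags(SAMPLE)` returns four flags, one for each warning sign; a plain message from a colleague with no links and no urgency wording returns an empty list.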
This type of social engineering depends upon a victim taking the bait, not unlike a fish reacting to a worm on a hook. The people running these schemes know that if you dangle something people want, many will take the bait.
A cyber criminal might leave a USB stick loaded with malware in a place where the target will see it, and might label the device in a persuasive way, such as “Confidential” or “Bonuses.” A target who takes the bait will pick up the device and plug it into a computer to see what’s on it. The malware will then automatically install itself on the computer.
People who take the bait may be infected with malicious software that can generate any number of new exploits against themselves and their contacts. They may also lose their money without receiving their purchased item. If they were foolish enough to pay with a check, they may find their bank account empty.
Response to an unexpected question (Quid pro quo)
This scam involves an exchange — I give you this, and you give me that. The malicious person makes the victim believe it’s a fair exchange, but that’s far from the case, as the cheat always comes out on top.
Criminals may pretend to be responding to your request for help from a company while also offering more help. They choose common companies that millions of people use such as a software company or bank. If you don’t use the product or service, you will ignore the email, phone call, or message. Unfortunately, if you do happen to use the service, there is a good chance you will respond because you probably want help with a problem.
For example, even if you didn’t ask a question, you probably have some problem with your computer’s operating system, so you take the opportunity to get it fixed for free. Once you respond and give them your trust, you open yourself up to exploitation.
The “representative”, who is actually a criminal, may ask you for more information or may ask you to give them remote access to your computer so they can “fix” it for you. The commands they tell you to enter open a way for the criminal to get back into your computer later.
This form of social engineering often begins by gaining access to an email account or another communication account on an IM client, social network, chat, forum, etc. They accomplish this either by hacking, social engineering, or simply guessing really weak passwords.
Some social engineering is all about creating distrust or starting conflicts. This kind of social engineering is conducted by people you know who are angry with you, by nasty people who simply seek revenge, or by people who want to first create distrust in your mind about others so that they can then step in as a hero and gain your trust.
The malicious person may alter sensitive or private material such as images and audio using basic editing techniques and forward it to other people to create distrust, embarrassment, etc. They may make it look like it was sent accidentally, or as if they are letting you know what is really going on.
Alternatively, they may use the altered material to gain money both from the person they hacked and from the supposed recipient.
Vishing is the voice version of phishing. “V” stands for voice, but the scam attempt is the same. The criminal uses the phone to trick a victim into revealing valuable information.
For example, a criminal might call an employee posing as a co-worker and ask the victim for login credentials or other sensitive information. The malicious person is then able to target the company or its employees.
There are thousands of variations of social engineering attacks. The only limit to the number of ways criminals can socially engineer users is their imagination, and you may experience multiple forms of scam in a single attack. Afterwards, the criminal is likely to sell your information to others, who then run their exploits against you, your friends, your friends’ friends, and so on.
Something else to keep in mind about social engineering attacks is that cyber criminals can take one of two approaches to their crimes. They often are satisfied by a one-off attack, known as hunting. But they can also think long-term, a method known as farming.
Hunting is when cyber criminals use phishing, baiting and other types of social engineering to extract as much data as possible from the victim with as little interaction as possible.
Farming is when a cyber criminal seeks to form a relationship with their target. The attacker’s goal is then to string the victim along for as long as possible in order to extract as much data as possible.