Social engineering and the new methods of abuse
Social engineering is essentially the art of gaining access to buildings, systems, or data by exploiting human psychology rather than by breaking in or using technical hacking techniques. For example, a social engineer tries to deceive one or more employees into disclosing their passwords rather than trying to find a software vulnerability. Even if you are on full alert when it comes to protecting the data center, cloud deployments, and building security, and even if you have invested in defense technologies and put security policies and appropriate procedures in place, a social engineer can still find his own way in.
Social networks have been recognized as a tool for facilitating modern communication and for establishing personal and professional relationships. However, hackers and cyber-attackers have exploited these platforms for malicious purposes and have found them a good place to pursue their goals and interests. These malicious activities are generally organized and carried out in the form of attacks. The term "phishing attack" refers to a social phenomenon in which a person or group presents itself in a trusted, well-known form and thereby attempts to collect sensitive information from the user. These attacks are called "phishing" because the approach resembles fishing, where the fisherman uses bait to trap and catch prey. Phishing bait (such as fake web pages and infected emails) is a risk throughout the virtual world, especially on social networks, which, because of their large number of users and the easy access they give to sensitive information, are better suited than most Internet services to identifying and trapping victims.
According to research by Kaspersky Lab, one of the most prestigious cyber-attack research and development centers, 22 percent of phishing attacks target users of one of the most popular and well-known social networks in the world. The report said that more than 20,000 phishing attacks targeting that social network are observed daily. These statistics indicate that social network users are in urgent need of security awareness programs to safeguard against such attacks.
Deceptive phishing is the most common type of phishing attack on social networks. In a common scenario, the attacker (the so-called phisher) logs into the social network with a fake user account, passes himself off as another person, and interacts with that person's friends on the network. The phisher then sends them messages containing malicious links, in the hope that as many of them as possible are trapped. Most of these links lead to forged material that places victims in sensitive or worrying situations (such as the possibility of a virus, or an exceptional opportunity to cut costs and buy at a discount), urging them to enter personal information, while this information is placed. Most of these attacks are aimed at gaining access to victims' personal information (such as banking information) for abuses such as theft or impersonation. However, sometimes the purpose is not to inflict damage on the victims, but to collect personal information and sell it to other persons or groups.
Currently, with the introduction and widespread adoption of dynamic codes throughout the country, bank account information is no longer seen being abused in the ways observed previously. Also, in a recently observed case shown in Figure 1, a link is sent to the subscriber; when the victim clicks the link and fills in the requested information, that information is automatically collected and exploited.
To prevent possible risks and abuse in this regard, users are strongly advised to strictly avoid entering personal information such as name, surname, ID number, national card number, contact information, workplace and residence addresses, and postal codes, as well as sensitive bank card information such as CVV2, on untrustworthy sites; presenting this information to anonymous individuals; and clicking on invalid links and filling out personal information fields.