What is a social engineering attack?
In a social engineering attack, human interaction (social skill) plays the pivotal role. The attacker persuades people to divulge confidential information or to perform actions the attacker requests.
The attack does not rely on technical knowledge such as bypassing a firewall. People have a natural tendency to trust others, and the attacker abuses that tendency so that the target acts in accordance with the attacker's wishes.
Attackers use many practical approaches to obtain confidential information, such as fraud, bribery and blackmail.
Is there a common pattern associated with a Social Engineering attack?
The answer is yes. As reported by Gartner in a paper titled 'Management Update: How Businesses Can Defend against Social Engineering Attacks', published on March 16, 2005, any criminal act has a common pattern. Such a pattern is evident in social engineering, and it is both recognizable and preventable.
For the purpose of this paper, this pattern will be known as The Cycle.
Figure 1 illustrates The Cycle, which consists of four phases (Information Gathering, Relationship Development, Exploitation and Execution). Each social engineering attack is unique; it may involve multiple phases or cycles, and it may incorporate more traditional attack techniques to achieve the desired end result.
- Information Gathering: the initial stage of a social engineering attack, in which the attacker uses a variety of techniques to gather information about the target, for example from social networks and organizational charts, in order to obtain confidential data such as birth dates, bank account numbers and national IDs.
- Developing Relationship: after gathering information, the attacker uses it to establish a relationship with the target. While developing the relationship, the attacker must place himself or herself in a position that attracts the target's trust.
- Exploitation: having developed a relationship with the target, the attacker manipulates the target into performing the requested activities, such as divulging confidential information (for example passwords) or taking an action that would not normally occur, such as transferring money into the attacker's bank account.
- Execution: once the target has completed the attacker's requested task, the cycle is complete.
An attacker may have numerous motivations, explained below.
- Financial gain: financial gain is one of the most significant motivations, for a variety of reasons. For instance, the attacker may believe he deserves more money than he earns, or may need to satisfy an out-of-control gambling habit.
- Self-interest: an attacker may wish to access or modify information associated with immediate family members, colleagues, friends or even neighbors.
- Revenge: vengeance is a strong feeling that can motivate a social engineering attack. The attacker targets a company, friend, colleague or even a total stranger in order to satisfy an emotional desire.
- External pressure: an individual may be exposed to external pressure from friends, family or organized crime syndicates for reasons such as financial gain, self-interest or revenge.
Social Engineering Techniques
There are two main categories of social engineering techniques as follows: computer based and human based.
- Computer based techniques
- Phishing: phishing is a technique for fraudulently obtaining private information. In phishing, also known as "brand spoofing", an official-looking e-mail is sent to potential victims pretending to be from their ISP, credit union, bank or retail establishment. The victim is then asked to provide confidential information such as bank account numbers, national IDs, user IDs and passwords, which the attacker collects.
- Text messages (smishing): smishing (SMS phishing) is the mobile phone counterpart of phishing. Instead of being directed by e-mail to a web site, the user receives a text message on a cell phone or other mobile device with some ploy to click on a link. The link leads to a fraudulent site or installs malware, such as a Trojan, on the device.
- Landline telephone and VoIP (vishing): vishing (voice phishing), also called "VoIP phishing" when Internet phones are involved, is the voice counterpart of phishing. Instead of being directed by e-mail to a web site, the user is asked by an e-mail message to make a telephone call. The call is answered by a voice response system that asks for the user's card number or other personal or financial information. The initial bait can also be a telephone call with a recording that instructs the user to phone an 800 number or a number in another area code, within or outside the United States.
- Mail letter phishing: in this newer scam the phisher creates a letter and sends it through the post, asking the recipient to respond by calling a phone number. The letter states that the individual must respond for their own protection. This scam is used in conjunction with other channels to steal the recipient's personal and financial information.
- Pop-up windows: pop-up windows may contain malicious code that is executed when the user clicks on them, infecting the computer or mobile device.
- E-mail attachments: attachments may contain malware, so opening and executing them infects the computer or mobile device. The "Love Letter" (ILOVEYOU) worm of 2000 is the classic example: it arrived as an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs, relying on the hidden .vbs extension to pass as a text file, and once executed it mailed a copy of itself to every contact in the victim's Outlook address book, which is how it spread so quickly across networks.
- E-mail spam: e-mail spam, also known as unsolicited bulk e-mail (UBE), is the practice of sending unwanted e-mail messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients. Do not click on links in spam, since it may carry malicious code.
- Web sites: a ruse used to get an unwitting user to disclose potentially sensitive data, such as the password he or she uses at work. For example, a web site may promote a fictitious competition or promotion that requires the user to enter a contact e-mail address and a password. The password entered may well be the same as, or similar to, the password the individual uses at work.
- Forensic analysis: there is a strong probability that confidential information can be recovered with forensic tools from second-hand devices such as cell phones, tablets and laptops, because deleted data usually remains on the storage medium until it is overwritten.
- Human based techniques
- Direct approach: the attacker simply asks the victim to complete the task. Although this is the easiest approach, it is rarely successful, since any security-conscious individual will be wary of providing such information.
- Dumpster diving: the attacker searches discarded rubbish for papers that may contain confidential information. Papers should therefore be shredded properly before they are thrown away, and the organization needs an appropriate shredding policy.
- Important user: by pretending to be a senior manager of the organization facing an important deadline, the attacker pressures the helpdesk operator into disclosing useful information.
- Helpless user: the attacker pretends to be a user who needs assistance to gain access to the organization's systems. For example, the attacker calls a secretary within the organization pretending to be a new temp who is having trouble accessing the system. Not wishing to offend the caller or appear incompetent, the secretary may be inclined to help by supplying the username and password of an active account.
- Technical support personnel: the attacker obtains confidential information by pretending to be a member of the technical support team. For instance, the victim is asked to give the attacker a username and password in order to solve a problem.
- Reverse social engineering (RSE): a legitimate user is enticed into asking the attacker questions, so that the attacker obtains information. The attacker is perceived as more senior than the legitimate user, who is actually the target. For example, the attacker intentionally corrupts a system; the victim then asks the attacker to solve the problem, and the attacker gathers additional information from the questions the victim asks and the answers the victim gives.
- Shoulder surfing: shoulder surfing is the act of obtaining personal or private information through direct observation, typically by looking over a person's shoulder to gather pertinent information while the victim is oblivious.
How to avoid being a victim?
- Do not enter confidential information into a web site without checking its security, such as the validity of its SSL/TLS certificate.
- Always check the legitimacy of a web site by examining its URL for spelling mistakes and by judging the credibility of the site. For instance, a lookalike domain that differs from www.mci.ir by a single character is not the web site of the MCI corporation; the legitimate web site of MCI is www.mci.ir.
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
- Do not reveal personal or financial information in e-mail, and do not respond to e-mail solicitations for this information. This includes following links sent in e-mail.
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
- Take advantage of any anti-phishing features offered by your e-mail client and web browser. For instance, the Netcraft anti-phishing toolbar can be added as an extension to Google Chrome and Mozilla Firefox, and the Thunderbird e-mail client includes automatic scam detection that warns users about phishing e-mails.
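Several of the checks in this list, together with the attachment warning in the computer-based techniques above, can be automated in a mail client or mail gateway. The following Python script is an added example; it is not code from the original article, nor from the Netcraft or Thunderbird products mentioned. It runs over a constructed sample message (not a real capture) and an assumed allow-list of legitimate domains (example-bank.com is a placeholder), and reports four indicators: a sending or link domain within a couple of edits of a trusted domain (the spelling check from the list), a visible link whose text names a different domain than its real target (the kind of mismatch mail-client scam filters warn about), a bounce address on a different domain than the From header, and an attachment whose real extension is executable behind a harmless-looking one, as in the "Love Letter" worm.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample message (not a real capture): display name and visible link text
# impersonate example-bank.com while the real sender, bounce address and link target do
# not; the attachment uses the double-extension trick of the 2000 "Love Letter" worm.
SAMPLE_EML = """\
From: "Example Bank Security" <security@examp1e-bank.com>
Return-Path: <bounce@mail-blast.example.net>
Subject: Urgent: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Please verify immediately.</p>
<p><a href="http://examp1e-bank.com/login">https://www.example-bank.com/login</a></p></body></html>
--B1
Content-Type: application/octet-stream; name="statement.pdf.vbs"
Content-Disposition: attachment; filename="statement.pdf.vbs"

' dummy attachment body
--B1--
"""

TRUSTED_DOMAINS = ["example-bank.com"]   # assumed allow-list of legitimate domains
RISKY_EXTENSIONS = {".exe", ".vbs", ".js", ".scr", ".bat", ".cmd", ".hta", ".ps1"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENCY_RE = re.compile(r"\b(urgent|immediately|suspend\w*|within \d+ hours)\b", re.I)
TAG_RE = re.compile(r"<[^>]+>")

def registrable_domain(host):
    """Crude registrable domain: the last two labels (no public-suffix list here)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def levenshtein(a, b):
    """Edit distance; a typosquat such as examp1e-bank.com sits at distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host, trusted=TRUSTED_DOMAINS, max_distance=2):
    """The trusted domain that host imitates (close but not identical), else None."""
    dom = registrable_domain(host)
    for legit in trusted:
        if dom != legit and levenshtein(dom, legit) <= max_distance:
            return legit
    return None

def header_domain(value):
    """Domain of the last address in a header value such as 'Name <user@host>'."""
    found = re.findall(r"@([A-Za-z0-9.-]+)", value or "")
    return found[-1].lower() if found else ""

def link_mismatches(html):
    """Anchors whose visible text is a URL on a different domain than the real href."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        shown = TAG_RE.sub("", text).strip()
        if not re.match(r"https?://", shown, re.I):
            continue   # plain-word link text carries no domain claim to compare
        shown_dom = registrable_domain(urlparse(shown).hostname or "")
        if shown_dom != registrable_domain(urlparse(href).hostname or ""):
            out.append((shown, href))
    return out

def risky_attachments(msg):
    """Attachments whose final extension is executable, noting double extensions."""
    out = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) > 1 and "." + pieces[-1] in RISKY_EXTENSIONS:
            out.append((name, "double extension" if len(pieces) > 2 else "executable"))
    return out

def analyze(raw):
    """Run the checks; None, False or [] means that check passed."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = header_domain(str(msg["From"] or ""))
    bounce_dom = header_domain(str(msg["Return-Path"] or ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    links = link_mismatches(html)
    text = str(msg["Subject"] or "") + " " + TAG_RE.sub(" ", html)
    return {
        "sender_lookalike": lookalike_of(from_dom),
        "envelope_mismatch": registrable_domain(bounce_dom) != registrable_domain(from_dom),
        "link_mismatches": links,
        "link_lookalikes": [lookalike_of(urlparse(h).hostname or "") for _, h in links],
        "risky_attachments": risky_attachments(msg),
        "urgency_cues": sorted({m.lower() for m in URGENCY_RE.findall(text)}),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_EML))
```

For the sample message every indicator fires: the From and link domains are one edit away from example-bank.com, the visible link claims example-bank.com while pointing at examp1e-bank.com, the bounce address is on example.net, and the attachment's real extension is .vbs. The edit-distance check is deliberately narrow (two edits, last two labels only); a production filter would add a public-suffix list and homoglyph tables, and no single indicator is proof of phishing on its own, which is why the checks are reported separately rather than as a verdict.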
What do you do if you think you are a victim?
- If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators, so that they can watch for suspicious or unusual activity. For instance, if a user password was compromised through a social engineering attack, the network administrators must be informed as soon as possible.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
- Watch for other signs of identity theft, and do not post confidential information on social networks, where an attacker could collect it.
- Consider reporting the attack to the police and the relevant authorities.