Social Engineering is a form of cyber attack in which people are psychologically manipulated into divulging confidential information that can then be used to break into websites and other computing resources. There are various forms of social engineering:
- Spear Phishing
- Water Holing
- Website Cloning
Let's take a deeper look at these.
Baiting – In the context of social engineering, this is an attack that uses physical media and relies on the curiosity, or greed, of the victim to lure them into clicking on a link to a malicious website. This is likened to the concept of a ‘Trojan Horse’, but using electronic media. An example would be that you have an interest in motorcycles, so you receive an invite to a motorcycle event. The website you visit will then implant malware into your device.
Impersonation – In this context as part of social engineering, an attacker will impersonate someone in authority to trick you into divulging information. An example of an attack is a call from HR requesting information on yourself or another person.
Pharming – An attack on the network infrastructure that results in a user being redirected to an illegitimate website even though the user entered the correct address.
Phishing – This is typically when you receive an email that claims to be some form of offer, or request for information, that is fraudulent. The emails can look genuine (e.g. from your bank) and can trick a lot of people into disclosing their login credentials or key banking information, among other things. See also Lateral Phishing.
Smishing – This is a social engineering attack similar to Phishing, but instead of email they use SMS texting to deliver the request for information.
Spear Phishing – This is similar to the other forms of Phishing (including Vishing and Smishing), but the attack is very focused on an individual. The email will be highly customised to the individual, and this is a regular attack method used against enterprise executives. It will typically focus on a particular aspect of your professional interests and requires the attacker to fully research their target.
Tailgating – This is where an attacker typically gains access to a building/restricted area by coming in behind an authenticated person. Often the person will look like they are trying to find their pass, or claim they left it at their desk, but they are actually trying to gain access on the back of your authentication. This is more an issue for enterprises, but can also affect consumers in more social contexts, e.g. at the gym when someone tries to gain access without paying or for nefarious purposes.
Vishing – This is a social engineering attack method similar to Phishing, but this is where the attacker will contact you by phone and request you divulge confidential information.
Water Holing – This is where a fake website is posted that you implicitly trust (e.g. Amazon), but which is actually a clone of the website designed to extract personal information. The victim will feel safe in the fact that they trust this site, and these fake sites are now often served over HTTPS, so the padlock alone is not a guarantee of legitimacy. See also ‘Website Cloning’ below.
Website Cloning – There are legitimate reasons why you would want a copy of your live website, e.g. to diagnose a bug or for backup purposes. There is software available that allows you to download the publicly available content of a website and store it locally – a clone/copy of the website. Cyber criminals can also clone websites with the intention of imitating the legitimate website for nefarious reasons. They will typically infect the clone with malware, post it at a similar URL/address to the target and get victims to access the site, typically via some form of Phishing attack. Once the clone has been accessed, and the hackers have what they want, you are typically redirected to the genuine site. See also ‘Water Holing’ above.
Whaling – This is a highly focused form of Phishing attack that is largely targeted at executives. This is similar to Spear Phishing.
Combating the Threat
The majority of these attacks occur through some form of messaging (email, SMS, instant messaging). There is often a sense of urgency, for example ‘your account will be locked if you don’t click on this link right now’. There is also often a sense that something unpleasant will happen to you if you don’t do what they say (e.g. pay them some bitcoin, or click on a link).
Social engineering attacks can also be crude attempts at extortion and/or blackmail. However, in recent months this has been increasingly sophisticated and almost believable.
The initial contact will often be in the form of an official-looking email from someone you might do business with (e.g. your bank or a shopping site). A banking email might say there has been suspicious activity on your account and you need to confirm your details by clicking on a link. When you do, you are taken to a clone of your bank’s website that will attempt to steal your login credentials. Once in, the cyber criminals can empty your account.
Another example is a shopping site making an unmissable offer. In your haste you click on the link, and the same scenario plays out as for the banking attempt above, except here they are intending to buy goods using your account that are then delivered elsewhere.
The way to counter this type of threat is to trust no-one.
If it looks too good to be true, then it probably is. If your bank is contacting you about your account being compromised, they will in all likelihood call you. However, so might a cyber criminal. If you receive a call from your bank, it is best to try to authenticate them, preferably by calling them back on a different phone line.
There have been instances where cyber criminals have called people and used a telephony trick to keep the line open so that when you call back you hear a dial tone they are playing back to you. Then when you get through to who you think is your bank, the cyber criminals will put their full attack into motion, often tricking you into moving money into an account that they control claiming this is to safeguard you against the very thing they are doing.
If you receive an email saying your account has been compromised, then test it out. Using a known link for your banking website (etc.), preferably a trusted shortcut/bookmark, attempt to log in. If you get in and the email was genuine, you will likely be greeted with an alert. If there is no alert, then in all likelihood the email was not genuine. In any case you should check the activity on your account.
If you receive an email at work from HR asking you to confirm your details and the website it takes you to is outside of your organization, or away from a known trusted source, then it is likely a social engineering attack. Often you can hover your mouse over the link (not so easy on a touch device) and see exactly where you are being directed.
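As an added example (not from the original article), a small Python check that does programmatically what the hover-over advice above does by eye: it pulls every link out of an HTML email body, flags links whose destination is outside an assumed set of trusted organisation domains, and flags links whose visible text names one host while the href actually goes to another. The trusted domain set and the sample email are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this hypothetical organisation treats as trusted for HR/internal links.
TRUSTED_DOMAINS = {"example.com"}

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-case hostname of a URL; a bare 'hr.example.com' is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_links(html_body):
    """Return (href, reason) pairs for links a user should not click without checking."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if not is_trusted(host):
            findings.append((href, f"points outside trusted domains ({host})"))
        # Visible text that looks like a URL but resolves elsewhere is the hover-over mismatch.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != host:
            findings.append((href, f"shows {shown} but goes to {host}"))
    return findings

# Constructed sample 'HR' email: one genuine link, one look-alike, one external.
SAMPLE_EMAIL = """<p>Confirm your details on the <a href="https://hr.example.com/confirm">HR portal</a>.</p>
<p>Or use <a href="http://hr-example-com.login-check.example/">https://hr.example.com</a> now.</p>
<p>Questions? <a href="https://support.helpdesk-team.example/ticket">Contact support</a></p>"""
```

Running `check_links(SAMPLE_EMAIL)` reports the look-alike link twice (external host, and visible text that disagrees with the destination) and the support link once; the genuine HR portal link is not reported.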
If an email goes to spam, it is probably malicious, although some first-time emails can also go to spam before you add the sender to your trusted senders list.
In the corporate world, cyber attackers use social engineering techniques to gather intelligence on your organization and/or trick you into divulging corporate information (e.g. confidential information or internal account/organization structure). When you are at work, you are often busy and stressed, and will often just not do the normal checks you would otherwise do. However, in this environment you do have to be very careful, since divulging confidential information can have a severe impact on your organization’s reputation. You should also never reply to inquiries from the press (even if they are genuine); in these cases always refer them to the appropriate public relations department or press office, or, if your employer is relatively small, the responsible person in your office – often the owner.
Social engineering is one of the most used attack vectors employed by cyber criminals to get that all-important foot in the door. Nothing will necessarily prepare you for the initial attack, but if you treat all emails/messages as suspicious until you can confirm they are legitimate, then you shouldn’t go far wrong.
Cyber criminals using this approach will often choose the busiest time for you, especially if you are at work. For example:
- End of day, when you are trying to tie down the end-of-day procedures, particularly if you are in a transaction processing job
- Times of high volume (e.g. Christmas, end of month)
- Times when there will be reduced staff (e.g. during the summer holidays, or over a national holiday like Christmas, Easter or bank holidays).
Cyber criminals will also try to tempt you by appealing to your greed, or your predisposition to a bargain, especially around holidays.
There are so many different circumstances, but in all cases they are trying to trick you into doing something you would not normally do.