The index of this series of articles can be found here.
Social engineering is a different technique from all the ones seen previously. The main difference is that it does not require a deep understanding of networking, operating systems or the other domains seen so far. Social engineering is a non-technical technique to gather information and gain access to resources. It is very popular because it tries to exploit one of the most vulnerable points in security: the users. People tend to make mistakes, trust others in certain situations, be unaware of the importance of certain information or simply lack the training to handle a situation appropriately.
If a user is careless about securing their credentials, any architecture will fail. If a user opens malicious emails, an organisation will probably have big problems.
Spreading awareness, training and briefing users about social engineering, social engineering attacks and the impact of their carelessness can help to reinforce the rest of the security measures in place.
Social engineering is considered the art of convincing a target to reveal information through social interactions, whether it happens in the real world or online using social platforms.
As has been said, one of the major vulnerabilities that leads to this type of attack is “Trust”. Opening an email, opening the door to someone, allowing them to access the facilities, trying to be helpful during a call: all these actions can be exploited by a social engineer.
A social engineering attack can be divided into four phases:
- Research: It includes a collection of information about the target organisation.
- Target selection: In this phase, attackers select a concrete employee from the organisation to target specifically.
- Relationship: In this phase, attackers create a relationship with the target in such a way that the target cannot identify the real intention, allowing the attackers to earn some trust.
- Exploit: Exploit the relationship to gain access to sensitive information or resources.
Types of Social Engineering
There are numerous social engineering techniques, which can be classified as follows:
Human-based social engineering
For these techniques, interaction in the real world is necessary.
Impersonation
Impersonation means pretending to be someone or something. Attackers pretend to be a legitimate user, an authorised person or a representative of an authority. This impersonation can be done in person or through different channels such as email, telephone, etc.
Eavesdropping and Shoulder Surfing
Eavesdropping is a technique of obtaining information by covertly listening to conversations, or by reading or accessing any resource without being noticed.
Shoulder surfing is simply a technique of obtaining information by standing behind targets while they are interacting with sensitive information.
Dumpster Diving
Already discussed previously, this technique consists of searching a target's waste, such as printer bins, user desks or the company's rubbish, to find phone bills, contact information, financial information or any other helpful material.
Reverse Social Engineering
In this technique, attackers present themselves as fixers of a problem that exists now or may appear in the future. If victims are convinced, they will provide the information required by the attackers. The execution of this attack follows these steps:
- Attackers damage the victim's systems or identify a vulnerability.
- Attackers advertise themselves as the authorised people to solve the problem.
- Attackers gain the trust of the victim and gain access to sensitive information.
- After the relationship has been created, victims often call attackers for help, as trusted contacts.
Piggybacking and Tailgating
Piggybacking is the technique of waiting for an authorised person in order to gain access to a restricted area.
Tailgating is the technique of closely following an authorised person to gain access to a restricted area.
Computer-based social engineering
For these techniques, only online interaction is necessary.
Phishing
Phishing techniques send targets a fake email that looks like a legitimate one. When the targets interact with the email, they are redirected to a fake page that requests some sensitive information from them.
A spear-phishing attack targets a specific individual and is tailored for that person. Such attacks are usually more difficult to create, but the success rate is higher.
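Checks a defender can run on a suspicious message, as an added example that is not part of the original article: it parses a constructed sample email and flags two classic phishing indicators described above, link text that shows one domain while the href points at another, and links that lead outside the sender's domain. All addresses and domain names are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: link text shows one domain while the
# href points at a look-alike, and a second link leaves the sender's domain.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examp1e-bank.test>
Subject: Please verify your account
Content-Type: text/html

<p>Dear customer, please confirm your login at
<a href="http://login.examp1e-bank.test/verify">https://www.example-bank.test</a>
within 24 hours, or <a href="http://tracker.test/u">unsubscribe</a>.</p>
"""

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw):
    """Return human-readable indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        href_domain = (urlparse(href).hostname or "").lower()
        if text.startswith(("http://", "https://")):  # text that looks like a URL
            text_domain = (urlparse(text).hostname or "").lower()
            if text_domain != href_domain:
                findings.append(f"link shows {text_domain} but goes to {href_domain}")
        if href_domain != sender_domain and not href_domain.endswith("." + sender_domain):
            findings.append(f"link to {href_domain} outside sender domain {sender_domain}")
    return findings
```

Run `phishing_indicators(SAMPLE_EMAIL)` to see both indicators reported; a message whose links all match their visible text and stay on the sender's domain yields an empty list.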
Mobile-based Social Engineering
Publishing Malicious Apps
In this technique, attackers publish fake applications on app stores or similar sources in an attempt to carry out large-scale attacks. Usually, these apps are copies of popular apps. Once users provide their sensitive information, the app sends it to the attackers' servers.
Re-packaging legitimate Apps
Here, attackers download a legitimate app, re-package it with some malware and re-upload it to third-party stores. This is particularly done with very popular apps such as games or antivirus products. Users may not be aware that the application is available on legitimate stores, or they may download a paid app from a free link, intentionally or accidentally. When users supply their sensitive information, it is sent to the attackers.
Fake Security Apps
Similar to the previous one, but in this case the download of the application is usually offered through a pop-up while the user is browsing the Internet.
Insider Attacks
Not all attacks are conducted by third parties; sometimes a frustrated or unhappy employee can perpetrate them, either out of revenge or because they are paid by a competitor to spy and steal information.
Impersonation on Social Networks
After collecting information about a target, attackers can create fake profiles on social networks to deceive the target's friends or the groups the real user is linked to.
After joining a group or contacting some friends or colleagues, attackers can start receiving useful updates or even ask people for specific and sensitive information.
Identity Theft
Identity theft is the stealing of a person's identification information and is one of the most popular frauds.
Identity theft can be split into three steps:
- Gathering information: Using some or all of the methods seen previously, attackers obtain information such as a person's full name, address or contact information, as well as account information, birth information or utility bills.
- Fake identity proof: In this phase, attackers try to create fake driving licences, company IDs, ID cards or any other documents that can prove they are who they claim to be.
- Fraud: Armed with all the fake documentation, attackers can try to obtain credit or a mortgage, spend money shopping, access the company premises or use the IDs for future frauds.
Social Engineering Countermeasures
Social engineering can be mitigated by several methods:
- Educate yourself: As said before, training and self-awareness for users is one of the best things to invest in.
- Be aware of the information you are releasing: Everything shared online, whether in conversations or when creating a profile, can be found by attackers.
- Determine which of your assets are most valuable to criminals: Companies tend to assess what is valuable to them as a business, but this is not always what is valuable to attackers, who want anything they can monetise.
- Write a policy and back it up with good awareness training: Write a security policy for protecting valuable data assets. Then back up that policy with good awareness training.
- Keep your software up to date: Hackers using social engineering techniques are often seeking to determine whether you are running unpatched, out-of-date software they can exploit.
- Give employees a sense of ownership when it comes to security: Employees need to feel involved rather than just following cold instructions; they need to feel that security is important to them and that they contribute to it.
- When asked for information, consider whether the person you are talking to deserves the information they are asking about: Before answering any questions, users should think about whether the person asking needs this information and is allowed to have it.
- Watch for questions that do not fit the pretext: Users should pay attention to questions or requests for information that do not fit the profile, or the expected behaviour, of the person asking.
- Stick to your guns: Common sense is the best defence. If, as a user, something feels off, trust the feeling; there will always be time to supply the information after the pertinent checks have been done.
A quick list covering all the previous points could be:
- Security of sensitive resources
- Physical security
- Rotational duties
- Controlled access
- Least privileges
- Strong policies
- Biometric authentication
- Awareness against social engineering