Social Engineering | Introduction from Theory and Practical Scenarios

Introduction

"There is no technology today that cannot be hacked through social engineering." - Kevin Mitnick, former hacker and social engineering expert.

Despite implementing the strongest technological security measures, every organization faces challenging and unpredictable vulnerabilities: it's us, humans. For hackers seeking to gain access to important data or systems, understanding human psychology is as important as mastering computer systems. What is social engineering and how to prevent it? We address these key issues in the discussion below.


What is social engineering and where it is used

Social engineering is a non-technical tactic used by cybercriminals that relies heavily on human interaction and often involves manipulating people to subvert standard security practices and procedures in order to gain unauthorized access to systems or information.

In other words, social engineering is the art of manipulating, influencing, or tricking people into giving up confidential information. Because social engineering exploits human weaknesses rather than technological or digital system vulnerabilities, it is sometimes referred to as "human hacking." Criminals utilize social engineering tactics because it is often easier to manipulate your inherent tendencies to trust than to find ways to break software. For example, it is usually easier to trick someone into revealing their password than to try to crack it (unless the password is particularly weak).

Social engineering is not only used in hacking or cybersecurity contexts. Its principles have been applied in many scenarios outside the digital world. Social engineering methods are deeply rooted in understanding human behavior and motivation: they exploit the emotions and impulses of their victims, pushing individuals into actions that may harm them. Fraud built on these methods has existed for decades. Here are a few areas where social engineering is commonly applied:

  • Cybersecurity and hacking: Social engineering is often the first tactic cybercriminals and hackers use when trying to gain unauthorized access to a system or information. It is often the starting point because exploiting human vulnerabilities is often easier and less time-consuming than finding and exploiting technical vulnerabilities. People are often the weakest link in the cybersecurity chain. They can be manipulated to reveal sensitive information such as passwords, or tricked into performing security-compromising actions such as clicking malicious links or opening infected attachments. Additionally, most people do not fully understand the type and extent of the risks they face, making them more likely to be exposed to such attacks.

  • Marketing and Sales: Social engineering techniques are often used in sales and marketing to persuade customers to buy a product or service. This can include creating a sense of urgency, using authority figures or celebrities to endorse products, or offering “exclusive” offers that make customers feel special.

  • Politics and Propaganda: Politicians and governments often use social engineering techniques to influence public opinion or voter behavior. This may include appealing to emotions, using fear tactics, or using propaganda to shape perceptions and beliefs.

  • Interrogation techniques: Law enforcement agencies often use social engineering during interrogations. For example, they may build a rapport with the suspect, making them more likely to divulge information, or they may pretend to know more than they actually know in order to prompt them to confess.

  • Scams and fraud: Social engineering is essentially a scammer's livelihood. They may use tactics such as impersonating bank officials, lottery representatives, or people in need to trick victims into giving them money.

  • Espionage: Social engineering has long been used in espionage to extract sensitive information. Spies may use tactics such as seduction, befriending a target, or blackmail to manipulate individuals into revealing secrets.

[Image: MRcnlZB.png]

How Social Engineering Works

Social engineering exploits human psychology and behavior to trick individuals into providing sensitive information or granting access to systems or resources. While the details of a social engineering attack vary widely depending on the tactics used and the targets involved, the general steps usually include:

  • Investigation or research: Attackers identify targets and gather as much information as possible to learn about their interests, habits, relationships, job roles, etc. This information is often gathered from social media profiles, company websites or other public sources.

  • Strategy formulation: Based on the collected information, the attacker devises a reasonable scenario or excuse. For example, this could be posing as a needy colleague, a trusted vendor, a software company's support staff, or even a sweepstakes with attractive prizes.

  • Build rapport: The attacker makes initial contact with the target and works to build trust. They may use previously gathered information to make a connection or build credibility. Fraudsters often imitate or “copy” companies that victims know, trust, and likely do business with regularly, to the point that they automatically follow the instructions of those brands and neglect to take necessary security measures. Some crooks employing social engineering tactics take advantage of easily accessible toolkits to create fake websites that mimic well-known brands or businesses.

  • Exploitation: Once trust is established, an attacker can manipulate the target into performing a specific action or revealing confidential information. This could involve clicking malicious links, revealing passwords, or transferring funds to specific accounts. At this stage, attackers often induce panic or a sense of urgency, because people react impulsively when they are startled or rushed. Social engineering schemes may employ various tactics to incite panic or haste in victims, such as informing them that a recent credit card transaction has been declined, that their computer has been infected by a virus, or that images on their website violate copyright law. Social engineering can also exploit a victim's fear of missing out (FOMO), creating a different kind of urgency.

  • Execution: An attacker uses obtained information or access for malicious purposes. This could involve stealing funds, accessing confidential data, or installing malware for further attacks.

  • Exit: After achieving a goal, attackers often cover their tracks to avoid detection and may use the same access route in the future.


Known Social Engineering Tactics and Techniques

Almost every type of cybersecurity attack involves some kind of social engineering. For example, classic email and virus scams rely heavily on it. Beyond desktop devices, social engineering can reach you digitally through mobile attacks, and you can just as easily face these threats in person. These attacks can overlap and stack on top of each other to form a single scam. Understanding the different attack vectors of this type of crime is key to prevention. Here are some common methods used by social engineering attackers:

  • Phishing: A method by which attackers send communications (usually email) that appear to come from a reputable source and request sensitive information, such as usernames, passwords, or credit card details. Recipients are tricked into believing the message is something they want or need, and click a link or download an attachment.

  • Spear Phishing: This is a more targeted form of phishing where the attacker studies the victim and personalizes their communication to appear more legitimate. This may involve using the victim's name, title or other personal information. Spear-phishing attacks are particularly effective because they are highly personalized and often appear to come from a trusted source.

  • Watering hole attack: In this type of attack, an attacker observes which websites are frequently visited by an organization or a specific group of people, and then tries to infect those websites with malware. The real goal is to infect users' computers and gain access to the network. Criminals collect data on specific groups of people to identify the websites they frequently visit, and then probe those websites for vulnerabilities. Over time, some members of the targeted group succumb to the infection, providing the attackers with an entry point into the organization.

  • Honey trap: In this method, the attacker creates a fake profile on social media or a dating site and gets the victim to divulge confidential information over time, often under the guise of a romantic or very close friendship. It is commonly used to lure men into interacting with non-existent but attractive female personas online. This tactic stems from the age-old espionage technique of hiring a real woman for a similar purpose.

  • Baiting: Baiting involves making an enticing offer to a target that prompts them to take a specific action. This could be done through peer-to-peer or social networking sites offering enticing (possibly adult) movie downloads, or it could involve deliberately leaving a USB drive labeled "Q1 layoff plan" in a public place for the victim to discover. Once the USB device is used or a harmful file is downloaded, the victim's computer becomes infected, allowing the perpetrator to take control of the system.
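The "Build rapport" step above notes that fraudsters imitate brands the victim trusts and set up fake websites mimicking them, and the phishing entries describe messages that carry links to such sites. A defender-side check a mail gateway or SOC script can run is to pull the hostnames out of a message and compare them against an allow-list of brand domains, flagging lookalikes (homoglyph swaps such as "paypa1", brand names buried in a subdomain such as "google.com.mail-verify.net", or hyphenated variants). The following is an added example written for this page, not code from the original post; the trusted-domain list, the homoglyph table and the sample messages are constructed for illustration, and the registrable-domain logic is deliberately naive (last two labels) where a production tool would use the Public Suffix List.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed allow-list of brand domains the organization legitimately deals with.
TRUSTED_DOMAINS = ["paypal.com", "google.com", "microsoft.com", "apple.com"]

# Character swaps commonly seen in lookalike domains (constructed list, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalize(label: str) -> str:
    """Undo common homoglyph substitutions so 'paypa1' compares as 'paypal'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. Real deployments should
    consult the Public Suffix List (e.g. 'example.co.uk' has three labels)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host: str) -> tuple[str, str | None]:
    """Return ('trusted' | 'lookalike' | 'unknown', matched brand domain or None)."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    # Split on dots and hyphens so 'paypal-secure.com' and 'google.com.evil.net'
    # both expose the brand name as a stand-alone label.
    labels = [normalize(part) for part in re.split(r"[.-]", host) if part]
    for brand in TRUSTED_DOMAINS:
        brand_sld = brand.split(".")[0]
        for label in labels:
            # Exact brand name in a non-trusted host, or one edit away after
            # homoglyph normalization ('goggle', 'g00gle'), counts as a lookalike.
            if edit_distance(label, brand_sld) <= 1:
                return "lookalike", brand
    return "unknown", None


def scan_message(text: str) -> list[dict]:
    """Extract every URL in a message body and classify its hostname."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")  # drop trailing punctuation from prose
        host = urlparse(url).hostname or ""
        verdict, brand = classify_host(host)
        findings.append({"url": url, "host": host, "verdict": verdict, "brand": brand})
    return findings


# Constructed sample messages, one per line, mimicking the lures described above.
SAMPLE_MESSAGES = [
    "Your account is limited. Verify now at https://paypa1-secure.com/login",
    "Password reset requested: https://accounts.google.com/reset",
    "Sign in to keep your mailbox: http://google.com.mail-verify.net/signin",
    "Quarterly report attached, see https://intranet.example.org/reports",
]

if __name__ == "__main__":
    for finding in scan_message("\n".join(SAMPLE_MESSAGES)):
        print(f"{finding['verdict']:9s} {finding['host']:32s} brand={finding['brand']}")
```

The check is intentionally biased toward false positives: any host that is not on the allow-list but contains a near-match of a brand label gets flagged for a human to review, which is the right trade-off for a triage queue but would be too noisy as an automatic block. Pairing it with the "urgency" cues from the Exploitation step (account limited, verify now) gives a simple two-signal phishing score.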


Examples of social engineering attacks

Here are a few examples of major incidents involving social engineering:

  • Kevin Mitnick: Kevin Mitnick is probably the most famous social engineer. During the 1980s and 1990s, Mitnick used tactics such as social engineering to break into dozens of systems, including those of major companies such as IBM and Nokia. He often pretended to be a system administrator to trick people into revealing their passwords. Mitnick was eventually arrested and sentenced to prison. He now works as a security consultant and has authored several books on the subject.

  • Operation Aurora: In 2009, hackers believed to be based in China launched a series of cyberattacks known as Operation Aurora. The attacks targeted dozens of large companies, including Google and Adobe, using spear-phishing emails to trick employees into clicking links that installed hidden Trojan horses on their computers.

  • Associated Press Twitter Hack: In 2013, the Associated Press Twitter account was hacked to post false tweets claiming an explosion at the White House had injured President Obama. Hackers used spear-phishing emails to obtain login information for Associated Press staff. The tweet caused a brief panic and a temporary sharp drop in the stock market.

  • The Fappening or Celebgate: In this high-profile 2014 case, an individual (or possibly a group) used social engineering techniques, among other things, to gain unauthorized access to the iCloud accounts of several celebrities, resulting in the leak of numerous personal photos, some of them explicit. The attackers reportedly used spear phishing, sending targeted emails to celebrities that appeared to be from Apple or Google and asking for their usernames and passwords. Once the credentials were obtained, the attacker could access the accounts and download their contents. The FBI investigated the incident and eventually arrested a man named Ryan Collins. He pleaded guilty to a felony violation of the Computer Fraud and Abuse Act and was sentenced to 18 months in federal prison in 2016.

  • 2016 U.S. Election Interference: Russian hackers allegedly used social engineering techniques to interfere with the 2016 U.S. presidential election. They sent spear-phishing emails to more than 1,000 people, many of whom were associated with the Democratic National Committee (DNC). By impersonating Google and asking users to change their passwords, the hackers gained access to many email accounts, including that of Hillary Clinton's campaign chairman.

  • Twitter Bitcoin Scam 2020: 130 high-profile Twitter accounts were hijacked in 2020, including those of Elon Musk, Bill Gates, and Barack Obama. The attackers tweeted from them, asking followers to send bitcoin to a specific address and promising to double the funds. The attackers reportedly gained access to Twitter's internal systems by calling employees and posing as Twitter IT staff who needed the employees' login credentials. The hack is one of the most high-profile cases of social engineering in recent years.


Origin: blog.csdn.net/caoxiaoye/article/details/131906629