Social engineering is nothing but a kind of attack (cyber) vector.
This attack vector relies pretty heavily on user interaction.
More often than not, this type of attack involves hackers manipulating users into breaking or violating normal security standard operating procedures.
Hackers also try to get users to move away from best practices so that they, in turn, can have an easier time accessing the relative physical locations, networks and/or systems.
There is no explanation necessary as to why hackers want to do this.
For the purposes of this guide, it is more than enough to assume that hackers do it for financial gain or just for fun.
As mentioned just now, threat actors such as hackers make use of social engineering approaches in order to conceal anything that is related to their true and original identities.
They also hide their motives very well.
On the face of it, these malicious actors present (or rather pretend) themselves as reputed and a trusted source of information or even a trusted individual.
Their objective is to simply manipulate, influence or trick online users into unknowingly giving up sensitive or privileged access or information within a given organization.
There are a ton of social engineering exploits that have become fairly popular among circles of hackers.
But the exploits involving social engineering have also become so popular because hackers often find it easier to abuse various weaknesses which are associated with online consumers than to make effort to actually find a software or network vulnerability.
Hackers in the online world today often make use of various social engineering approaches and tactics as their first step in a much larger attack campaign in order to infiltrate the given network or system and then also steal sensitive information/data.
Sometimes they only break into a given system to disperse malware.
As mentioned just now, social engineers make use of a good variety of malicious tactics in order to properly perform cyber attacks.
Most of the time, the majority of these social engineering cyber attacks have the first step of the attacker making an effort to perform reconnaissance and research on the given target.
To take an example, if the target is not an individual but is an organization, then the hacker has all the opportunity in the world to gather intelligence on all the employees working for that organization and the employee structure.
The hacker may also try to make use of common lingo and internal operations which are used within a given industry.
Hackers sometimes also try to do the same with all possible related business partners of the given organization.
Apart from that, they collect tons of other information as well.
So it makes sense that social engineers love the common tactic of focusing on the patterns and behaviors of employees that have a low level but necessary initial level access.
These are the people that have their job descriptions as receptionists and/or security guards.
Hackers can actually scan a given person’s online social media pages and/or profiles for further information.
They may also study a person’s behavior in the online world and sometimes, in person.
Moving from there, hackers can actually design a cyber attack which is based only on the information which they have collected beforehand.
Doing so enables them to exploit all the weaknesses that they uncovered during their campaign’s reconnaissance phase.
Now, if hackers have managed to launch a successful attack, then they get full access to an organization’s or individual’s sensitive data.
This means the organization or individual would have to deal with the fact that hackers have gotten hold of their banking and/or credit card information.
Our research shows that this is the most common way hackers are able to make tons of money off their targets.
Sometimes, hackers collect information just to have access to protected networks or systems.
At the time of writing this guide, the most popular and common type of social engineering cyber attacks hackers like to launch are,
- Honey Trap
- Quid pro quo
- Diversion theft
- Spear phishing
Let’s discuss each of them one by one.
This attack comes in the form of rogue security software which, in turn, is a very specific type of malware whose job is to target people who can be easily tricked into paying a good amount of money for the privilege of fake removal of all the ‘malware’ on their system.
Some experts in the industry like to refer to Tailgating as piggybacking.
This type of attack happens when there is a hacker who walks into an important and secured building.
The hacker does that by following someone who has an officially authorized access card to the building.
Needless to say that the Tailgating attack presumes that the person who has possession of a legitimate access card to the secured building is actually courteous enough to do the right thing and hold the secured building’s door open for a random person who is behind him/her.
In such a case, the person with the legitimate access card simply assumes that the hacker person actually has permission to be inside the building.
These are the type of attacks in which a given social engineer makes an attempt to pretend as if he/she is an attractive person.
The social engineer does that in order to interact with a specific person either via online methods or in-person.
Sometimes the social engineer can form a fake online relationship with the person and then exploits that relationship to gather sensitive information.
Quid pro quo
The quid pro quo type of attack is the one where a given social engineer makes an attempt to pretend and provide some benefit to the target in exchange for some assistance or information.
To take an example, a social engineer could call a random selection of numbers which belong to the target organization and then further pretend to be making calls from the tech support office.
Whatever the case may be, eventually, the aim of the hacker is to find that special someone who would have a genuine tech issue.
After catching such a target, the hacker would pretend to help the target solve the tech problem.
And that is the opening through which hackers can convince the target to type in a command which allows the hacker to launch a malware attack and/or collect some sensitive or password information.
Diversion theft is that type of cyber attacks in which social engineers try to trick a courier or delivery company to send their collector to the wrong drop-off or pickup location.
In this way, hackers are able to intercept the actual transaction.
In the waterholing type of cyber attack, hackers attempt to compromise a very specific group of targets by launching malware and infecting websites that hackers know the group visits regularly.
And since the group trusts the given website (which is now infected), hackers are able to gain network access.
In this type of cyber attack, hackers develop software applications that trick the users into becoming victims by making them think that their computer machine has malware infection or someone has downloaded illegal content on their machine inadvertently.
After that, the hacker offers the user/victim an online solution which would fix the fake and bogus problem.
However, in reality, there is no problem.
And the hacker simply tricks the user into first downloading and then installing the hacker’s malware code.
In this type of attack, there is one part that lies to another party for the purposes of gaining access to exclusive and privileged data.
To take an example, in any given pretexting scam, the hacker could pretend as someone who has this need of financial and/or personal data.
The hacker does that in order to confirm the actual identity of the person/recipient that they are talking to.
Similar to phishing, in this attack hackers launch voice phishing attempts.
In other words, hackers make use of various social engineering approaches over the phone in order to collect financial and personal information from their target.
In the spear phishing type of attack, hackers make use of all the techniques that they would use in a typical phishing attack except for the fact that spear phishing attacks involve the hacker developing attack vectors which are tailor-made for a very specific organization and/or individual.
This is the most common type of cyber attack now.
Phishing takes place when a hacker or any other malicious party tries to send a fake or fraudulent email message to a target which is actually disguised as a real/genuine/authentic/legitimate email message.
Most of the time, hackers try to make the victim believe that the email message has come from a source that the victim trusts.
However, as some might expect, the main aim of sending the message is to actually trick the individual (the recipient of the message) into sharing financial or personal information or even click a link that can install malware on the system.
Baiting is the thing that happens when there is a hacker who leaves a malware-infected but working physical device in a physical location where he/she suspects the target would surely find it.
Such devices include USB flash drives and others.
Once the finder of the device picks up and uses the device, the device loads malware onto her/his computer machine.
In the process of doing so, the user of the machine unintentionally installs a malware on it.
Our research shows that the most popular social engineering cyber attacks tend to come from the mythological (hence, untrue) and the very famous Trojan War.
In this ‘war’, the Greeks managed to sabotage their way into the prized city of (you guessed it) Troy.
Not only that, they also won the war by simply hiding themselves in a huge wooden horse.
The Greek army presented the horse to the unsuspecting Trojan army as their idea of a gift.
And not only as a gift, but a gift of stability and peace.
Currently, Frank Abagnale, is widely considered to be one of the foremost security experts in the field of social engineering.
That basically means, he understands all the techniques hackers like to make use of when launching social engineering cyber attacks.
Back in the 60s, Frank made use of various techniques and methods to impersonate, at the very least, a total of eight people.
That included imitating an,
- Airline pilot
Moreover, in this time, Abagnale also worked as a check forger.
However, after his due incarceration, Abagnale eventually became a renowned security consultant.
He worked for the FBI for a while as well.
After that, he had enough experience to start his very own consultancy in the financial fraud industry.
Abagnale used experiences from his younger confidence man days to get famous and then also author his profitable book titled Catch Me If You Can.
Steven Spielberg, the director who has won an Oscar, also made a movie out of that book.
Moving on to some more recent examples of successful and effective social engineering cyber attacks, we have to talk about the 2011 attack, more specifically a data breach, or RSA a security company.
In that attack, a hacker managed to send two different email messages to carry out the phishing attacks.
The hacker sent those messages to manageable groups consisting of RSA workers over a period of two days.
Reports show that the email had a rather interesting headline as well.
It said, 2011 Recruitment Plan.
Moreover, the email messages contained an attachment in the form of an Excel document.
The hacker had infected the spreadsheet with malicious code which also installed a malicious backdoor channel with the help of a vulnerability in Adobe Flash.
No one till now has managed to ascertain what type of data hackers stole via the attack.
Some say hackers did not steal any data.
But the fact is, they managed to compromise the SecurID 2FA (two-factor authentication) installed throughout the RSA as a company.
Moreover, the company had to spend around $66 million in order to recover from the phishing attack.
Then in 2013, we saw the Syrian Electronic Army finding success in accessing the official Twitter account of the Associated Press.
It did that with the help of a phishing email that contained a malicious link.
The hacking team sent the email to AP employees after disguising their presence with the help of another fellow employee’s identity.
After that, the hacking team behind the attack made a tweet about a bogus news item (a fake story) from the official AP account.
The Tweet mentioned that a total of two explosions which had gone off in the United States White House and the then President of the United States of America Barack Obama had sustained injuries.
As expected, the story from the official AP account garnered such a huge amount of reaction from the internet and the world over that the country’s stock market actually dropped a total of 150 points in a matter of five minutes.
Another phishing scam that took place in 2013, was the one which led to a huge data breach at Target.
Hackers sent a phishing email to an HVAC (which stands for heating, ventilation and air conditioning), subcontractor who had signed a business agreement with Target.
As expected, that email contained other malicious code in the form of Citadel Trojan.
This enabled the attackers to successfully penetrate various point-of-sale systems at Target and also steal a ton of personal information covering over 40 million Target customers’ debit card and credit card details.
The third major attack that took place in 2013 happened when hackers attacked the United States Department of Labor with watering hole attack.
They managed to infect its official websites with a malware.
Hackers had managed to do that by leveraging a vulnerability in Microsoft Internet Explorer.
In the process of doing so, they installed Poison Ivy, a Trojan with remote access to the network.
Fast forwarding to 2015 and we saw hackers gaining full access to the official personal email account (on AOL) of Jon Brennan who was the director of the CIA at the time.
Interestingly enough, one member of the team of hackers explained to various media outlets the technique that he made use of in order to get to John Brennan.
He said that he actually used social engineering approaches to get the job done.
In simpler terms, he posed as a technician working at Verizon and requested information about John Brennan’s official account registered with the US telecom giant.
After the hacker got hold of John Brennan’s account details with Verizon, they immediately contacted people at AOL and then used that information to have a look at John Brennan’s security questions and give the correct answer.
Readers should understand that all of it started with the hacker posing as a fake agent to get Brennan’s details.
That’s is all it takes.
The majority of the security experts in the cybersecurity community advise that IT departments in companies should regularly put into practise various comprehensive penetration tests that make use of the most popular social engineering approaches.
Carrying out such tests would help system and network administrators to learn which type of individuals or users pose the system or the network or the organization the most risk in regards to specific types of cyber attacks.
All the while, such tests would also make sure that administrators are able to identify each and every employee that requires additional training.
Other things such as security awareness programs, most of the time, goes a long way in blocking and preventing social engineering threats.
And that makes sense.
If all employees of a given organization know the kinds and forms of various social engineering threats, they are less likely to take the fall.
And in the process of doing so, they would have more protection against becoming victims.
On the other hand, if we’re talking about something that would prove effective on a much smaller scale, then organizations should make use of secure email gateways and web gateways.
These gateways should scan all emails for malicious content/links and then continue to filter all of them out.
If there is a process like that placed in the system then it would greatly reduce the possibility of some staff member looking at a malicious email and clicking on it.
Other practices such as staying aware of and up to date with firmware and software patches on various endpoints can also play an important role in having protection from social engineering cyber attacks. practices
Apart from that, keeping a comprehensive track of all staff members who have the responsibility of handling sensitive information can also help.
Organizations should also enable advanced authentication features and measures to further guard against social engineering threat vectors.