We have become all too familiar with the type of attacker who leverages their technical expertise to infiltrate protected computer systems and compromise sensitive data. We hear about this breed of hacker in the news all the time, and we are motivated to counter their exploits by investing in new technologies that will bolster our network defenses.
However, there is another type of attacker who can use their tactics to skirt our tools and solutions. They are the social engineers, hackers who exploit the one weakness that is found in each and every organization: human psychology. Using a variety of media, including phone calls and social media, these attackers trick people into offering them access to sensitive information.
Social engineering is a term that encompasses a broad spectrum of malicious activity. For the purposes of this article, however, we will focus on the five most common attack types that social engineers use to target their victims: phishing, pretexting, baiting, quid pro quo and tailgating.
1. PHISHING
Phishing scams might be the most common types of social engineering attacks used today. Most phishing scams demonstrate the following characteristics:
- Seek to obtain personal information, such as names, addresses and social security numbers.
- Use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate.
- Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly.
Some phishing emails are more poorly crafted than others, to the extent that their messages oftentimes exhibit spelling and grammar errors, but these emails are no less focused on directing victims to a fake website or form where the attackers can steal user login credentials and other personal information.
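As an added example that is not part of the original article, the three phishing characteristics listed above (requests for personal data, shortened or disguised links, and urgency language) can be turned into a simple indicator check that a mail filter or analyst could run over an email body. The keyword lists, shortener domains and the two sample messages are constructed for illustration and would be tuned to a real mail stream.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed indicator lists for this example; extend them for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
PERSONAL_DATA = re.compile(
    r"\b(social security|ssn|password|date of birth|account number|card number)\b", re.I)
URGENCY = re.compile(
    r"\b(immediately|within 24 hours|urgent|suspended|final notice|verify now|act now)\b", re.I)

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(html_body):
    """Return the list of phishing characteristics found in one HTML email body."""
    parser = LinkExtractor()
    parser.feed(html_body)
    text = re.sub(r"<[^>]+>", " ", html_body)   # crude tag strip for keyword search
    findings = []
    if PERSONAL_DATA.search(text):
        findings.append("requests personal information")
    if URGENCY.search(text):
        findings.append("urgency or threat language")
    for href, shown in parser.links:
        if host(href) in SHORTENERS:
            findings.append(f"link shortener: {href}")
        # Visible text that looks like a domain but the href points somewhere else.
        m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", shown, re.I)
        if m and m.group(1).lower() != host(href):
            findings.append(f"link text '{shown}' hides {host(href)}")
    return findings

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """<p>Your account will be suspended within 24 hours. Verify your
password at <a href="http://bit.ly/x1y2z3">www.examplebank.com</a>.</p>"""
SAMPLE_BENIGN = """<p>Minutes from today's meeting are on the wiki:
<a href="https://wiki.example.com/minutes">wiki.example.com/minutes</a></p>"""
```

Running `phishing_indicators(SAMPLE_PHISH)` reports all four indicators, while the benign message produces none.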
A recent scam sent phishing emails to users after they installed cracked APK files from Google Play Books that were pre-loaded with malware. This specific phishing campaign demonstrates how attackers commonly pair malware with phishing attacks in an effort to steal users’ information.
2. PRETEXTING
Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity.
More advanced attacks will also try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organization or company. A good example of this would be an attacker who impersonates an external IT services auditor and manipulates a company’s physical security staff into letting them into the building.
Unlike phishing emails, which use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target.
Pretexting attacks are commonly used to gain both sensitive and non-sensitive information. Back in October, for instance, a group of scammers posed as representatives from modeling agencies and escort services, inventing fake background stories and interview questions in order to have women, including teenage girls, send them nude pictures of themselves.
3. BAITING
Baiting is in many ways similar to phishing attacks. However, what distinguishes baiting attacks from other types of social engineering is the promise of an item or good that hackers use to entice victims. Baiters may offer users free music or movie downloads if they surrender their login credentials to a certain site.
Baiting attacks are not restricted to online schemes, either. Attackers can also focus on exploiting human curiosity via the use of physical media.
One such attack was documented by Steve Stasiukonis, VP and founder of Secure Network Technologies, Inc., back in 2006. To assess the security of a financial client, Steve and his team infected dozens of USB drives with a Trojan virus and dispersed them around the organization’s parking lot. Curious, many of the client’s employees picked up the USB drives and plugged them into their computers, which activated a keylogger and gave Steve access to a number of employees’ login credentials.
4. QUID PRO QUO
Similarly, quid pro quo attacks promise a benefit in exchange for information. This benefit usually assumes the form of a service, whereas baiting frequently takes the form of a good.
One of the most common types of quid pro quo attacks involves fraudsters who impersonate IT service people and who spam call as many direct numbers that belong to a company as they can find. These attackers offer IT assistance to each and every one of their victims. The fraudsters will promise a quick fix in exchange for the employee disabling their AV program and installing malware on their computers that assumes the guise of software updates.
It is important to note, however, that attackers can use much less sophisticated quid pro quo offers than IT fixes. As real-world examples have shown, office workers are more than willing to give away their passwords for a cheap pen or even a bar of chocolate.
5. TAILGATING
Another social engineering attack type is known as tailgating or “piggybacking.” These types of attacks involve someone who lacks the proper authentication following an employee into a restricted area.
In a common type of tailgating attack, a person impersonates a delivery driver and waits outside a building. When an employee gains security’s approval and opens their door, the attacker asks that the employee hold the door, thereby gaining access by way of someone who is authorized to enter the company.
Tailgating does not work in all corporate settings, such as in larger companies where all persons entering a building are required to swipe a card. However, in mid-size enterprises, attackers can strike up conversations with employees and use this show of familiarity to successfully get past the front desk.
In fact, Colin Greenless, a security consultant at Siemens Enterprise Communications, used these same tactics to gain access to several different floors, as well as the data room, at an FTSE-listed financial firm. He was even able to base himself in a third-floor meeting room, out of which he worked for several days.