Social Engineering – The Art of Virtual Exploitation
Social engineering uses human weakness or psychology to gain access to the system, data, and personal information, etc. It is the art of manipulating people. It doesn’t involve the use of technical hacking techniques. Attackers use new social engineering practices because it is usually easier to exploit the victim’s natural inclination to trust.
For example, it is much easier to fool someone to give their password instead of hacking their password. Sharing too much information on social media can enable attackers to get a password or extracts a company’s confidential information using the posts by the employees. This confidential information helped attackers to get the password of victim accounts.
How Social Engineering Attacks takes place?
Phishing scams are the most common types of Social Engineering attacks these days. Tools such as SET(Social Engineering Toolkit) also make it easier to create a phishing page but luckily many companies are now able to detect phishing such as Facebook. But it does not mean that you cannot become a victim of phishing because nowadays attackers are using iframe to manipulate detection techniques. The example of such hidden codes in pishing pages are cross-site-request-forgery “CSRF” which is an attack that forces an end user to execute unwanted actions on a web application.
Example: In 2018 we have seen a great rise in the use of ransomware which have been delivered alongside Phishing Emails. What an attacker does is they usually deliver an attachment with a subject like “Account Information” with the common file extension say .pdf/.docx/.rar etc. At which user generally click and the attacker’s job gets done here. This attack often encrypts the entire Disk or the documents and then to decrypt these files it requires cryptocurrency payment which is said to be “Ransom(money)”. They usually accept Bitcoin/Etherium as the virtual currency because of its non-traceable feature. Here are a few examples of social engineering attacks that are used to be executed via phishing:
- Banking Links Scams
- Social Media Link Scams
- Lottery Mail Scams
- Job Scams
- Timely monitor online accounts whether they are social media accounts or bank accounts, to ensure that no unauthorized transactions have been made.
- Check for Email headers in case of any suspecting mail to check its legitimate source.
- Avoid clicking on links, unknown files, or open email attachments from unknown senders.
- Beware of links to online forms that require personal information, even if the email appears to come from a source. Phishing websites are same of legitimate websites in looks.
- Adopt proper security mechanism such as spam filters, anti-virus software, and a firewall, and keep all systems updated, anti-keyloggers.