Phishing Attacks
Phishing Attack: Social Engineering Attack
Thanks to Simplilearn for the great video! I found it so informative and helpful to start with this chapter.
A system is only as strong as its weakest member, which is often a human being. Social engineering involves targeting users with attacks and trying to fool them into doing things they did not intend to do. This kind of technique is very popular, and many of the biggest hackers in the world have been involved in using social engineering techniques.
Social engineering often tries to abuse certain aspects to make victims comply with actions, for example:
Most people have the desire to be polite, especially to strangers
Professionals want to appear well-informed and intelligent
If you are praised, you will often talk more and divulge more
Most people would not lie for the sake of lying
Most people respond kindly to people who appear concerned about them
When someone has been victimized by a good social engineering attack, they often do not realize they have been attacked at all.
Social engineering attacks work by exploiting human emotions and behaviors to trick individuals into divulging sensitive information or taking actions that could compromise their security.
Attackers may use a variety of tactics, such as phishing emails, pretexting, or baiting, to gain the trust of their victims and deceive them into divulging sensitive information or performing a certain action. For example, an attacker might send an email that appears to be from a trusted source, such as a bank or a social media platform, asking the victim to provide their login credentials.
Social engineering attacks can also be carried out in person or over the phone, where the attacker may use their charm or authority to persuade the victim to divulge sensitive information or perform a certain action.
The success of a social engineering attack depends largely on the attacker's ability to manipulate their victim's emotions, such as fear, curiosity, or trust. Therefore, it is important for individuals and organizations to be aware of these tactics and to take steps to prevent them, such as training employees on security awareness and implementing security protocols to verify the legitimacy of requests for sensitive information.
Being Helpful
Humans usually want to be helpful to each other. We like doing nice things!
Consider a scenario where Eve runs into the reception of a big corporate office with her papers soaked in coffee. The receptionist can clearly see Eve in distress and wonders what is going on. Eve explains that she has a job interview in 5 minutes and really needs her documents printed out for the interview.
In advance, Eve has prepared a malicious USB stick with documents designed to compromise computers it is plugged into. She hands the receptionist the malicious USB stick and, with a smile, asks if the receptionist can print the documents for her. This might be what it takes for attackers to infect a system on the internal network, allowing them to compromise more systems.
Using Fear
People often fear failing or not doing as ordered. Attackers will often use fear to try to coerce victims into doing what the attackers need. They can, for example, try to pretend to be the company director and ask for information. Perhaps a social media update revealed the director is away on vacation, and this can be used to stage the attack.
The victim probably does not want to challenge the director, and because the director is on vacation, it might be harder to verify the information.
Playing on Reciprocation
Reciprocation is doing something in return, like a response to someone showing you kindness.
Consider someone holding the front door of your office building open to let you in. Because of this kindness, you are likely to want to hold the next door open for that person in return. This next door might be behind access control, requiring employees to present their badges, but to return the favour the door is held open anyway. This is called tailgating.
Exploiting Curiosity
Humans are curious by nature. What would you do if you found a USB stick lying on the ground outside the office building? Plug it in? What if the USB stick contained a document with the title "Salary Information - Current Updates"?
An attacker could deliberately drop many malicious USB sticks around the area where employees reside, hoping someone will plug them in.
Documents can contain malicious macros or exploits, or simply trick users into performing certain actions that make them compromise themselves.
Phishing
Phishing is a technique usually done through email. Attackers will try to coerce and trick employees into giving away sensitive details, such as their credentials, or have them install malicious applications, giving attackers control of the system.
Phishing is a common technique for attackers to break in, something penetration testers might also try to exploit. It is important to never underestimate the human factor in cyber security. As long as humans are involved, phishing will always be a possible way for attackers to gain access to systems.
A phishing exercise should not be used merely to prove that humans make mistakes, but to demonstrate the consequences of those mistakes. It can also be used to test the strength of anti-spam filters and the level of user awareness.
A campaign of several phishing rounds can be run instead of a single round. Multiple rounds help determine the organization's overall awareness and also make users aware that it is not only attackers who try to trick them; the security department does so as well.
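The phishing emails described above usually carry a few recognisable cues: a display name that claims a trusted brand while the sending domain is unrelated, a Reply-To that diverts answers elsewhere, link text that shows one site while the href points to another, and urgency or credential-request language. The following is an added example (not code from the original page or from Simplilearn) of a heuristic scanner that pulls those indicators out of a raw email; the brand/domain table, phrase lists and both sample messages are constructed for illustration, and the base-domain helper is deliberately crude.

```python
"""Heuristic phishing-indicator scan over raw email messages (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed table: sender domains a brand name legitimately uses (assumption).
KNOWN_BRAND_DOMAINS = {"examplebank": {"examplebank.com", "mail.examplebank.com"}}

# Constructed phrase lists: pressure cues and credential-harvesting cues.
URGENCY_PHRASES = ("within 24 hours", "immediately", "suspended", "urgent", "final notice")
CREDENTIAL_PHRASES = ("password", "login", "log in", "verify your account", "confirm your identity")


class LinkExtractor(HTMLParser):
    """Collects (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(address_or_url):
    """Lowercase host from 'user@host' or 'scheme://host/...'; '' if none."""
    m = re.search(r"@([\w.-]+)|://([\w.-]+)", address_or_url)
    return ((m.group(1) or m.group(2)) if m else "").lower()


def base_domain(host):
    """Crude base domain: last two labels (enough for the constructed samples)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def scan_message(raw):
    """Return human-readable phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Display name claims a known brand, but the sender domain is not that brand's.
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in from_name.lower().replace(" ", "") and from_dom not in domains:
            findings.append(f"display name impersonates {brand} from {from_dom}")

    # 2. Reply-To steers replies to a different domain than the sender's.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and base_domain(reply_dom) != base_domain(from_dom):
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # Body: prefer the HTML part, fall back to plain text.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = re.sub(r"<[^>]+>", " ", body).lower()

    # 3. Visible link text names one host while the href points elsewhere.
    extractor = LinkExtractor()
    extractor.feed(body)
    for shown, href in extractor.links:
        shown_dom, href_dom = domain_of(shown), domain_of(href)
        if shown_dom and href_dom and base_domain(shown_dom) != base_domain(href_dom):
            findings.append(f"link text shows {shown_dom} but points to {href_dom}")

    # 4./5. Pressure and credential cues in the body text.
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency language")
    if any(p in text for p in CREDENTIAL_PHRASES):
        findings.append("credential request")
    return findings


# Constructed sample: impersonated bank, diverted Reply-To, mismatched link, pressure wording.
PHISHING_SAMPLE = """\
From: Example Bank Security <alerts@examp1ebank-secure.net>
Reply-To: support@mailbox-relay.example
To: employee@corp.example
Subject: Action required: account suspended
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended within 24 hours.</p>
<p>Please <a href="http://login-examp1ebank.net/verify">https://www.examplebank.com/login</a>
to verify your account and confirm your password.</p>
"""

# Constructed sample: legitimate sender domain, consistent link, no pressure wording.
BENIGN_SAMPLE = """\
From: Example Bank <statements@examplebank.com>
To: employee@corp.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Your statement is available in online banking.</p>
<p><a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_message(sample))
```

Run as a script it prints five indicators for the constructed phishing message and none for the benign one. The checks are intentionally simple string heuristics; in a real mail pipeline they would sit beside SPF/DKIM/DMARC results and URL reputation rather than replace them, and the phrase lists need tuning per organisation to keep false positives down.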
Vishing
Vishing means using phone calls to try to get unsuspecting employees to perform actions for the attackers. If the employee believes they are on a phone call with someone they know, preferably someone with authority, the employee can be tricked into performing unwanted actions.
Vishing could try to get victims to disclose sensitive information. It could be an attacker asking for a copy of a sensitive document or a spreadsheet.
A YouTuber who specializes in taking down call-center scams (example of vishing attacks):
Smishing
A smishing attack, also known as SMS phishing, is a type of social engineering attack where an attacker uses text messages (SMS) to trick individuals into revealing sensitive information or performing certain actions. It is similar to email phishing but takes advantage of the widespread use of mobile phones and SMS messaging.
In a smishing attack, the attacker may send a deceptive text message that appears to be from a legitimate source, such as a bank, service provider, or government agency. The message often contains urgent or enticing information, such as account security alerts, prize notifications, or requests for personal information. The goal is to manipulate the recipient into clicking on malicious links, providing sensitive data, or taking other actions that benefit the attacker.
Pretexting
Pretexting attacks are a type of social engineering attack where an attacker creates a false pretext or scenario to trick individuals into revealing sensitive information or performing certain actions. The attacker adopts a fabricated identity or role to gain the trust of the target and manipulate them into providing confidential data or engaging in activities that benefit the attacker.
In a pretexting attack, the attacker typically engages in extensive research and preparation to create a believable story. They may impersonate a trusted individual, such as a co-worker, technical support personnel, or a customer service representative. The goal is to deceive the target into disclosing sensitive information like usernames, passwords, financial details, or access to restricted systems.
To learn about pretexting, you can watch this YouTube video/tutorial created by NetworkChuck.