Slim Bz TechSystems

SOCIAL ENGINEERING



HOW HACKERS CAN USE SOCIAL ENGINEERING TO ACCESS YOUR INFORMATION


Social engineering refers to a range of malicious acts carried out through human interaction, in which attackers use psychological manipulation to trick users into making security mistakes or revealing sensitive information.


In most cases, the hacker investigates the target, seeking to gather useful background information such as potential entry points and weak security protocols before proceeding with an attack.


The attacker then works to gain the victim’s trust and encourages actions that cause them to reveal sensitive information, which the hacker uses to gain access to secured accounts and critical resources.


Rather than relying on software vulnerabilities, social engineering relies on human error to give hackers access to victims’ accounts. Unlike software vulnerabilities, which can be identified and patched, human behavior is unpredictable, which makes a system harder to protect against this kind of attack.


Social engineering techniques


There are several forms of social engineering attacks that can be performed anywhere as long as there is human interaction.


Scareware

As the name implies, scareware, also known as rogue scanner software or fraudware, inundates victims with false alarms, threats, and warnings that deceive them into believing their systems are infected. This prompts them to install the suggested software, which is nothing but malware fronted by the hacker, so the victims install the malware on their own systems.


Popular examples include pop-up banners appearing on web browsers warning users that “Your Computer Might Be Infected”. Users might be prompted to perform a scan or install a virus-detecting tool, with the link conveniently located and conspicuous enough for the user to see.


Scareware can also be distributed via spam email with false warnings or with offers for users to purchase or register for pernicious services.


Baiting

A baiting attack uses a false promise to pique a victim’s curiosity or greed, and during this interaction, the hacker gains access to critical information from the victim or infects their system with malware and spyware.


One method is leaving a physical storage device, such as a flash drive loaded with a keylogger, in a conspicuous location where a victim might pick it up and, out of curiosity, plug it into their device, infecting it with malware.


Other non-physical forms can include enticing ads that direct a victim to a site where they end up downloading malware-infected applications or attachments.


Phishing

These are emails or texts sent to victims that aim to create a sense of fear, curiosity, and urgency in them, prompting them to reveal sensitive information, click on links to malicious sites, or open malware-infected attachments.


One tactic is to send the victim a message purporting to come from an online service, alerting them to a policy violation and requiring an immediate change of credentials. A link redirects the victim to a fake but identical-looking page, which captures the credentials as the unsuspecting victim enters them.
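An added example, not part of the original post, showing how a defender might screen the links in such a message for the two tricks described above: a link whose visible text shows the real site while its target points elsewhere, and a host that is a near-lookalike of a trusted domain. The trusted domain list, the sample e-mail, and the helper names are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed: domains the organisation legitimately uses.
TRUSTED = {"example-bank.com"}
# Constructed sample in the style the post describes: a "policy violation"
# notice whose links lead to look-alike pages instead of the real site.
SAMPLE_EMAIL = """<p>Your account violated our policy. Change your password
within 24 hours or it will be suspended.</p>
<a href="http://example-bank.com-secure-login.net/verify">https://example-bank.com/account</a>
<a href="https://exarnple-bank.com/login">Sign in</a>
<a href="https://example-bank.com/help">Help centre</a>"""
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Crude 'last two labels' approximation; fine for the constructed sample."""
    return ".".join(host.lower().split(".")[-2:])

def check_link(href, text):
    """Return reasons a link resembles a credential-phishing lure (empty = clean)."""
    host = urlparse(href).hostname or ""
    dom = registrable(host)
    if dom in TRUSTED:
        return []
    reasons = []
    for t in TRUSTED:
        if t in host:  # e.g. example-bank.com-secure-login.net
            reasons.append(f"trusted name {t} embedded in untrusted host {host}")
        elif edit_distance(dom, t) <= 2:  # e.g. exarnple-bank.com (rn for m)
            reasons.append(f"{dom} is a lookalike of {t}")
    shown = re.search(r"https?://([^/\s<]+)", text)
    if shown and registrable(shown.group(1)) != dom:
        reasons.append(f"displayed {shown.group(1)} but points to {host}")
    return reasons

def scan_email(html):
    """Map each suspicious href in the message to its list of reasons."""
    findings = {}
    for href, text in LINK_RE.findall(html):
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings
```

Running `scan_email(SAMPLE_EMAIL)` flags the first two links and leaves the genuine help-centre link alone.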


Spear phishing

In this case, an attacker, after doing some due diligence, tailors messages based on the exact characteristics, contacts, and roles of individuals in targeted enterprises. This type of attack can take weeks or months to pull off since it involves researching individuals and enterprises, but it can be harder to detect and thus very effective.


A hacker might impersonate a company employee and send an email to another employee through seemingly authentic company communication channels, requesting critical information, asking them to change passwords, or directing them to malicious links where their information is captured.


Pretexting

A hacker might purport to be a co-worker, tech support representative, bank official, or law enforcement official, and after establishing trust with the victim, ask questions that would require the victim to verify their identity, which is standard protocol in such scenarios.


Unsuspecting victims, who would expect these standard questions from these officials, reveal critical information like phone numbers, addresses, bank records, passwords, codes, and such.


Tailgating

This is where a potential hacker, masquerading as a company employee, follows an authorized employee past secure facilities under the pretext of having forgotten their RFID card or being unable to open the door because they’re carrying a large box and their hands are occupied.


This list of social engineering techniques is by no means exhaustive, as human behaviour is unpredictable and new techniques can be invented on the fly.


Preventive measures against social engineering

Hackers who use social engineering as their modus operandi exploit human traits like fear, greed, and curiosity. Vigilant users ought to be wary when they receive alarmist or enticing emails or come across stray physical storage media lying around. A few measures include:

  • Periodically updating antivirus and antimalware software. One effective approach is to enable automatic antivirus updates and to carry out periodic, if not daily, scans of computers, laptops, and software systems.

  • Being wary of enticing offers. Offers and deals that sound tempting and too good to be true ought to be viewed with suspicion. A little due diligence through an independent channel before proceeding can often confirm whether a suspicious deal or offer is legitimate.

  • Using multi-factor authentication. Multi-factor authentication can protect a potential victim’s account from an attacker who has already obtained one part of the victim’s credentials, such as a password.

  • Treating emails and attachments from suspicious sources with caution. While not foolproof, being wary of emails or attachments from unknown or suspicious sources goes a long way toward protecting a victim from social engineering attacks.

  • Staff training and sensitization on possible social engineering practices.

