6 Most Common Social Engineering Cyber Attacks
Social engineering attacks are broad range of malicious activities carried out through human interactions. This deals with many psychological manipulation to trick users into making security mistakes or giving away sensitive information. What makes social engineering attacks dangerous is that it depends on human error, rather than susceptibilities in software or operating system. Mistakes made by legitimate users are much less expectable, making them harder to identify and frustrate than a malware-based intrusion. Today we’ll see 6 common social engineering cyber attacks.
Social engineering attacks can be performed anywhere where human interaction is involved.
“A company can spend hundreds of thousands of dollars on firewalls, encryption and other security technologies, but if an attacker can call one trusted person within the company and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.” – Kevin Mitnick
The Social engineering cyber attacks generally follow a sequential method of steps such as :
- Preparing a base for the attack.
- Lying the victims to gain a toehold.
- Fetching the information over a period.
- Closing the interaction, ideally without doubt.
Let’s see some of the most common social engineering cyber-attacks in detail.
PHISHING is the shot to gain delicate information such as usernames, passwords, and bank details (and sometimes, indirectly, money) by camouflaged as a responsible entity in an electronic communication.
Communications purporting are mostly from popular social web sites, auction sites, banks, online payment processors or IT administrators to lure unsuspecting public. Phishing is a recurrent threat that keeps growing to this day. The risk grows even larger in social media such as Facebook, Twitter, Myspace, etc.
Attackers use emails, social media and instant messaging, and SMS to trick victims into providing sensitive information or visiting malicious URL in the attempt to compromise their systems. Types phishing are
- Spear phishing.
- Clone phishing.
- Rouge WIFI (MITM).
As its name indicate baiting attack implies use of a false promise to temper a victim’s gluttony or interest. They trap users and steals their personal information or imposes their systems with malware.
A simple example of power baiting in physical world is disseminating infected USB’s tokens in the parking lot of a target organization and wait for internal personal insert them in the corporate PC.
Baiting is when an attacker leaves a malware-infected physical device, such as a USB flash drive, in a place it is sure to be found. Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic malware installation on the system.
It is another form of social engineering attack where attacker focus on creating a good pretext. So that they can use it to steal their victim’s personal information. Unlike phishing emails, which use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with victim. In simple language pretexting is when one party lies to another to gain access to privileged data. Ex. A pretexting scam could involve an attacker who imagines needing personal or financial data in order to confirm the identity of recipient.
The success of pretexting attack heavily depends on the ability’s attacker in building trust.
A water holing attack is when the attacker injects malicious code into public web pages of sites that the target used to visit. The attackers compromise websites within a specific part that are normally visited by specific individuals of interest for attacks.
General steps undergo in water hole attack are
- Attacker profiles victims and the kind of websites they go to.
- Attacker then tests these websites for vulnerabilities.
- When the attacker finds the website then he injects the code redirecting the victim to a separate site hosting the exploit code for the chosen vulnerability.
- The compromised website is now ‘waiting’ to infect the profiled victim with a zero day exploit, just like a lion waiting at a watering hole.
Scareware involves tricking the victim into thinking that his computer is infected with malware or has unintentionally downloaded illegal content. This involves bombarding of a false alarms and fictions threats on victim. So they are forced to think that their system is infected with malware, warning them to install software that has no real profits or is malware itself.
Scareware is also scattered via spam email that doles bogus warnings or makes offers for user to buy useless/injurious services.
The victim is simply tricked into downloading and installing the attacker’s malware.
Piggybacking also called as Tailgating in technical terms, is when a hacker walks into a secured building by following someone with authorized access card. An attacker seeking entry to a restricted area which lacks the proper authentication. Attacker walk in with authorized person with legitimate access to the building. Assuming they are allowed to be there.
These are some of the common social engineering cyber-attacks. The attackers manipulate human feelings, such as curiosity or fear, to carry out schemes and draw victims into their traps. Therefore, be alert whenever you feel suspicious about these kind of attacks.
Some cautions for social engineering attacks are:
- Use multifactor authentication.
- Don’t open emails and attachments from suspicious, untrusted sources.
- Be wary of inviting offers.
- Use Antivirus software and keep them updated.
Hope you like this post. Stay Tuned with PinProgram for further updates. We are trying to release new post on alternate days. Please do subscribe to get future notifications.