Most people have heard stories about companies or individuals being hacked and suffering the consequences of losing sensitive information. What fewer people realize is that a large share of these successful attacks involve no technical exploit at all: the attacker simply tricks the victim into handing over usernames and passwords. This form of attack is called social engineering.
Definition
Social engineering is the practice of manipulating people into giving up confidential information or access, rather than attacking the technology directly. Many attempts are crude, and most people can recognize a blatant grab for their private data. For a good example of an obvious social engineering attack, watch the following video by comedian James Veitch.
However funny that example is, a clever attacker can give even the most seasoned computer user a run for their money. So how do we protect ourselves?
We can start by learning the tactics attackers use to deceive people into forfeiting their data. According to David Bisson of tripwire.com, there are five common social engineering attacks everyone should be aware of. They are described in the following section.
Social Engineering Attacks
The most common form of attack is phishing. Phishing attacks are fraudulent email messages that ask for personal data such as credit card numbers, social security numbers, and passwords. They often contain links to look-alike websites that prompt the user to enter some portion of their private information, and those sites may also host malware designed to steal data, so even visiting them can be dangerous. Most of the time, the emails appear to come from popular websites or even the organization's own IT administrators. The following image provides a good example of a well-written phishing attack; notice the suspicious link in the email.
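As an added illustration (not part of the original article or of any cited source), the following Python script applies the "notice the suspicious link" check mechanically to a constructed sample email. It flags anchors whose visible text names one domain while the href goes to another, hrefs whose host is a bare IP address, and hrefs that hide the real host behind a `user@` prefix. The sample message, the placeholder domain names, and the two-label "registrable domain" shortcut are all assumptions made for this example.

```python
"""Added example: mechanically flag suspicious links in a phishing email.

Constructed for this article; uses only the Python standard library.
Three cheap checks that catch a large fraction of phishing links:
  1. the link's visible text names one domain but the href goes elsewhere,
  2. the href host is a bare IP address instead of a name,
  3. the href hides the real host behind userinfo, e.g.
     https://www.example-bank.com@evil.example/  (real host: evil.example).
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; the domains are placeholders, not real sites.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked.</p>
<p>Verify now at <a href="http://198.51.100.7/verify">https://www.example-bank.com/verify</a></p>
<p>Or sign in at <a href="https://www.example-bank.com@evil.example/login">https://www.example-bank.com/login</a></p>
<p>Questions? Visit our <a href="https://www.example-bank.com/help">help center</a>.</p>
"""

# Matches something that looks like a domain (optionally with a scheme) in link text.
_DOMAIN_RE = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (assumption: no Public
    Suffix List available offline, so 'example.co.uk'-style suffixes are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(host):
    """True if the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html_body):
    """Return [(href, visible_text, [reasons])] for every link that trips a check."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href.strip())
        host = (parts.hostname or "").lower()
        if not host:                      # mailto:, relative links, etc.
            continue
        reasons = []
        if is_ip(host):
            reasons.append("href host is a bare IP address")
        if "@" in parts.netloc:
            reasons.append("href hides the real host behind userinfo '@'")
        shown = _DOMAIN_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"visible text says {shown.group(1)} but href goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run on the sample, the first two links are reported (IP host plus text/href mismatch; userinfo trick plus text/href mismatch) and the genuine "help center" link is not. A mail gateway or user-facing warning can apply the same three checks; the registrable-domain comparison is the one that would need the Public Suffix List in production.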
The next form of social engineering is pretexting. In a pretexting attack, the attacker invents a scenario and a false identity, then asks the target for confidential information, often under the guise of "verifying" the target's identity. Pretexting usually works by impersonating somebody with a legitimate reason to know personal information, such as police or tax authorities. Sometimes all that is needed is a voice of authority and an earnest tone. The method depends entirely on establishing false trust, which is why the right response is to hang up and call the organization back through a number you already know before sharing anything.
The third technique, baiting, is more direct. Baiting is essentially a trade: the attacker offers something desirable (free movie downloads, for example) in return for the target's login credentials to a particular application or website. Baiting is not restricted to an online environment and can also be carried out physically. For example, an attacker could load malware onto several thumb drives and scatter them around a company's parking lot, hoping that an employee will pick one up, plug it into a work computer, and unwittingly give the attacker access to sensitive data. In that case the attack relies on the employee's curiosity about what is on the drive.
Quid pro quo, the fourth method, is similar to baiting in that something is offered in return for a user's login credentials. The difference is that the attacker offers a service (such as IT assistance) rather than a good. The trade sounds ridiculous, yet attackers who impersonate IT support staff are a dime a dozen, by phone as well as online, and the fact that so many keep using the technique suggests it succeeds often enough to be worth their time.
The fifth attack is tailgating. It occurs when an attacker follows an authorized person into a restricted area, such as a data center, and once inside installs malware or something similar on the physical machines there. This is surely the simplest method of gaining unlawful access to information, but that is where its genius lies. Depending on the company, it can be embarrassingly easy to accomplish and is the most direct route to the data.
As mentioned above, the methods of social engineering listed in this article are the ones most commonly used by attackers. It is extremely important for individuals and organizations to be familiar with them in order to recognize and prepare for these attacks. By doing so, both will be better able to keep their personal data safe from those who would exploit it.
Sources
Bisson, D. (2015, March 23). 5 Social Engineering Attacks to Watch Out For. Retrieved from https://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/
Mohamed, A. (2016, October 04). Phishing and Social Engineering Techniques. Retrieved from http://resources.infosecinstitute.com/phishing-and-social-engineering-techniques/
Nadeem, M. S. (2018, January 30). What is pretexting definition and examples. Mailfence Blog. Retrieved from https://blog.mailfence.com/pretexting/
Veitch, J. (2016, February 01). This is what happens when you reply to spam email | James Veitch. Retrieved from https://www.youtube.com/watch?v=_QdPW8JrYzQ&feature=youtu.be