ingegneria sociale email Giacomo Lanzi

Social engineering: how hackers scam their victims

Estimated reading time: 10 minutes

Social engineering is the term used for a wide range of malicious activities performed through human interactions. It uses psychological manipulation to trick users into making security mistakes or provide sensitive information. Then, with that information, the hacker is able to successfully carry out targeted attacks, such as data theft, a ransomware or a ‘ interruption of services.

Social engineering attacks usually occur in stages . The perpetrator first investigates the intended victim to gather the necessary background information , such as potential entry points and weak security protocols, required to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide incentives for subsequent actions that violate security practices, such as disclosing sensitive information or granting access to critical resources.

What makes social engineering particularly dangerous is that it relies on human error rather than vulnerabilities in software and operating systems . Mistakes made by legitimate users are much less predictable, making them more difficult to identify and thwart than a malware-based intrusion.

social engineering hacker with 2 pc

Note that the target of a social engineer is not necessarily a network or software . Being able to enter a building evading security, and then installing a device or stealing documents, are actions that still fall under this type of attack.

The techniques of social engineering

Social engineering attacks come in many different forms and can be carried out wherever human interaction is involved . The following are five most common methods of digital social engineering attacks.

Baiting (from “bait”)

As the name suggests, baiting attacks use a false promise (a decoy , indeed) to whet the victim’s greed or curiosity. They lure users into a trap that steals their personal information or installs malware on their systems.

The most infamous form of baiting uses physical media to disperse malware . For example, attackers leave the bait (typically infected keys) in conspicuous areas where potential victims are certain to see them (e.g. bathrooms, elevators, the parking lot of a targeted company). The decoy has a legitimate look, like a label indicating the content, like the company’s payroll. The clue that reveals what it should contain may change, of course, but has the potential to be potentially very interesting .

Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic installation of malware on the system.

Lure scams don’t necessarily have to be done in the physical world. Forms of online baiting consist of enticing advertisements leading to malicious sites or encouraging users to download a malware-infected application. Here it leads to the phishing techniques, which we will see shortly.

Defense notes : to defend against these social engineering attacks, as well as paying close attention to what is connected to your computer, it does not hurt to have an efficient antivirus and anti-malware system. For the company, a new generation SIEM system and UEBA help in detect suspicious user behavior and greatly reduce the risk of malware infection.

social engineering laptop

Scareware (from “to scare”)

Scareware consists of bombarding victims with false alarms and fake threats . Users are tricked into thinking their system is infected with malware, prompting them to install software that has no real benefit (other than the perpetrator) or is malware itself. Scareware is also called deception software ( deception software ), rogue scanner software and fraudware .

A common example of scareware is the legitimate-looking popup banner that appears in your browser as you browse the web , displaying text such as “ Your computer may be infected with spyware programs harmful “. In other cases, the popup offers to install the tool (often infected with malware) for you, or directs you to a malicious site where your computer is infected.

Scareware is also distributed via spam email which distributes bogus warnings, or offers users to buy useless / harmful services. Social engineering is often very imaginative and manages to find ever new ways to deceive. Always be alert.

Defense notes : In case you suspect that the received message is really legitimate, it is best to seek a solution actively , i.e. without using the links suggested by the message same. For example, we received a message from a service announcing that our account has been compromised. If in doubt, you can contact the support of the service directly from their site to ask for clarification. Avoid using the links suggested by the suspicious message at all costs .

multiscreen social engineering

Pretexting (from “to pretend”)

In this social engineering attack, an attacker gains information through a series of cleverly constructed lies . The scam is often initiated by an perpetrator who pretends to need sensitive information from a victim in order to perform a critical task.

The attacker usually begins by establishing trust with his victim by impersonating colleagues, police, bank and tax officials, or others who have a right to know authority . The hacker asks questions that are apparently necessary to confirm the victim’s identity, through which he collects important personal data.

ingegneria sociale dall'alto

Many types of information are collected using this technique, such as identity card numbers, personal addresses and telephone numbers, telephone records, staff vacation dates, bank records, and even security information relating to a physical facility.

Any information, however harmless it may seem, could later be used for a second attack. Even the name of a security guard hired by the company could already be enough to build trust and ask for a tear to the rule when asking for the access code to automatic doors.

Phishing (from “to fish”)

As one of the most popular types of social engineering attacks, phishing scams are email and text message campaigns that aim to create a sense of urgency , curiosity or fear in the victims . Then it prompts them to reveal sensitive information, click links to malicious websites, or open attachments that contain malware.

An example is an email sent to users of an online service notifying them of a policy violation that requires immediate action on their part, such as a mandatory password change. Includes a link to a website, nearly identical in appearance to its legitimate version, which prompts the user to enter their current credentials and new password . After submitting the form, the information is sent to the attacker.

Since identical, or nearly identical, messages are sent to all users in phishing campaigns, detecting and blocking them is much easier for mail servers that have access to threat-sharing platforms.

Defense note : While it is true that in some cases we have become accustomed to not giving weight to these kinds of messages, it is also true that social engineers have become increasingly clever. There is no need to let your guard down. Instead, it is very useful to always be wary of messages that require credentials.

These attacks leverage the fact that it’s easy to fool some users, whether out of distraction or naivety. The best defense is employee training through a ethical phishing service and subsequent targeted training.

social engineering hacker

Spear phishing (from “spear, and “to fish”)

This is a more targeted version of phishing in which an attacker chooses specific individuals or businesses . They then tailor their messages based on their victims’ characteristics, job positions, and contacts to make their attack less obvious. Spear phishing requires a lot more effort from the author and can take weeks and months to complete. They are much harder to detect and have better success rates when done skillfully.

A spear phishing scenario could involve an attacker who, impersonating an organization’s IT consultant, sends an email to one or more employees. It is worded and signed exactly as the consultant normally does, thus fooling recipients into thinking it is an authentic message. The message prompts recipients to change their password and provides them with a link that redirects them to a malicious page where the attacker now captures their credentials.

Hacker with graphics

How to defend against social engineering attacks

Social engineers manipulate human feelings, such as curiosity or fear, to carry out patterns and lure victims into their traps. Therefore, it is essential to be cautious whenever you feel alarmed by an email, attracted to an offer displayed on a website, or when you come across digital media wandering around. Being alert can help protect you from most social engineering attacks that happen online.

Additionally, the following tips can help you improve your vigilance in relation to social engineering attacks.

  • Do not open emails and attachments from suspicious sources . If you don’t know the sender in question, you don’t need to reply to an email. Even if you know them and are suspicious of their message, cross-check and confirm the news from other sources , such as over the phone or directly from a service provider’s website. Even an email that appears to come from a trusted source may have been initiated by an attacker.
  • Use multi-factor authentication . One of the most valuable pieces of information attackers look for is your user credentials . Using 2-factor authentication helps ensure the protection of your account in case of system compromise. There are free applications for all types of mobile devices that allow you to implement this type of authentication.
  • Be wary of attractive offers . If an offer seems too tempting , think twice before accepting it as real. Use Google to check the topic and quickly determine if you are dealing with a legitimate offer or a trap.
  • Update your antivirus / antimalware software . Make sure automatic updates are turned on. Check periodically that updates have been applied and scan your system for possible infections.

If your company has an IT department, these recommendations should be standard security measures.

Office

Security services for companies

When you think about the data that your company holds and manages, you are never too cautious in defense. Social engineering relies on the fact that an employee hacks more easily than a computer , which is often true.

In addition to the cyber protection measures listed above, it is good that all employees are aware of the risks and potential threats.

SOD offers a series of services that go in this direction. The first and perhaps most important is ethical phishing in which we try to attack the company with phishing techniques . We find out what the weak points are and organize internal training to provide the right tools for staff.

We also have the classic Vulnerability Assessment and Penetration Test for testing cybersecurity systems. Addons are applicable to this service to cover a greater number of areas. There is a specific addon for app analysis and code review , but also one where we try to hack the company with physical attacks . We will test the physical security of the company, the ability to enter buildings, access to network controllers and more.

Finally, to keep networks under control, the SOCaaS service allows you to monitor the entire network, identify suspicious actions (with behavior analysis via artificial intelligence), unauthorized installations, breach attempts and much more.

Data security in the company is really important, contact us to find out how we can help you!

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • Business Logic Flaw and Username Enumeration in spa-cartcmsv1.9.0.6 June 16, 2024
    Posted by Andrey Stoykov on Jun 15# Exploit Title: Business Logic Flaw and Username Enumeration in spa-cartcmsv1.9.0.6 # Date: 6/2024 # Exploit Author: Andrey Stoykov # Version: 1.9.0.6 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html Description - It was found that the application suffers from business logic flaw - Additionally the application is vulnerable […]
  • APPLE-SA-06-10-2024-1 visionOS 1.2 June 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Jun 11APPLE-SA-06-10-2024-1 visionOS 1.2 visionOS 1.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT214108. Apple maintains a Security Releases page at https://support.apple.com/HT201222 which lists recent software updates with security advisories. CoreMedia Available for: Apple Vision Pro Impact: An app may be […]
  • CyberDanube Security Research 20240604-0 | Multiple Vulnerabilities in utnserver Pro/ProMAX/INU-100 June 9, 2024
    Posted by Thomas Weber via Fulldisclosure on Jun 09CyberDanube Security Research 20240604-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| SEH utnserver Pro/ProMAX / INU-100 vulnerable version| 20.1.22 fixed version| 20.1.28 CVE number| CVE-2024-5420, CVE-2024-5421, CVE-2024-5422 impact| High homepage| https://www.seh-technology.com/...
  • SEC Consult SA-20240606-0 :: Multiple critical vulnerabilities in Kiuwan SAST on-premise (KOP) & cloud/SaaS & Kiuwan Local Analyzer (KLA) June 9, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 09SEC Consult Vulnerability Lab Security Advisory < 20240606-0 > ======================================================================= title: Multiple critical vulnerabilities product: Kiuwan SAST on-premise (KOP) & cloud/SaaS Kiuwan Local Analyzer (KLA) vulnerable version: Kiuwan SAST
  • Blind SQL Injection - fengofficev3.11.1.2 June 9, 2024
    Posted by Andrey Stoykov on Jun 09# Exploit Title: FengOffice - Blind SQL Injection # Date: 06/2024 # Exploit Author: Andrey Stoykov # Version: 3.11.1.2 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2024/05/friday-fun-pentest-series-6.html Steps to Reproduce: 1. Login to application 2. Click on "Workspaces" 3. Copy full URL 4. Paste the HTTP GET request into […]
  • Trojan.Win32.DarkGateLoader (multi variants) / Arbitrary Code Execution June 9, 2024
    Posted by malvuln on Jun 09Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/afe012ed0d96abfe869b9e26ea375824.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Trojan.Win32.DarkGateLoader (multi variants) Vulnerability: Arbitrary Code Execution Description: Multiple variants of this malware look for and execute x32-bit "urlmon.dll" PE file in its current directory. Therefore, we can...
  • SQL Injection Vulnerability in Boelter Blue System Management (version 1.3) June 9, 2024
    Posted by InfoSec-DB via Fulldisclosure on Jun 09Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management (version 1.3) Google Dork: inurl:"Powered by Boelter Blue" Date: 2024-06-04 Exploit Author: CBKB (DeadlyData, R4d1x) Vendor Homepage: https://www.boelterblue.com Software Link: https://play.google.com/store/apps/details?id=com.anchor5digital.anchor5adminapp&hl=en_US Version: 1.3 Tested on: Linux Debian 9 (stretch), Apache 2.4.25, MySQL >= 5.0.12 CVE:...
  • CyberDanube Security Research 20240528-0 | Multiple Vulnerabilities in ORing IAP-420 May 30, 2024
    Posted by Thomas Weber via Fulldisclosure on May 29CyberDanube Security Research 20240528-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| ORing IAP-420 vulnerable version| 2.01e fixed version| - CVE number| CVE-2024-5410, CVE-2024-5411 impact| High homepage| https://oringnet.com/ found| 2024-01-19 by| T. Weber...
  • HNS-2024-06 - HN Security Advisory - Multiple vulnerabilities in Eclipse ThreadX May 30, 2024
    Posted by Marco Ivaldi on May 29Hi, Please find attached a security advisory that describes multiple vulnerabilities we discovered in Eclipse ThreadX (aka Azure RTOS). * Title: Multiple vulnerabilities in Eclipse ThreadX * OS: Eclipse ThreadX < 6.4.0 * Author: Marco Ivaldi * Date: 2024-05-28 * CVE IDs and severity: * CVE-2024-2214 - High - […]
  • SEC Consult SA-20240527-0 :: Multiple vulnerabilities in HAWKI didactic interface May 28, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on May 27 SEC Consult Vulnerability Lab Security Advisory < 20240527-0 > ======================================================================= title: Multiple vulnerabilities product: HAWKI (Interaction Design Team at the University of Applied Sciences and Arts in Hildesheim/Germany) vulnerable version: 1.0.0-beta.1, versions before commit 146967f     fixed version: Github commit 146967f...

Customers

Newsletter

{subscription_form_1}