In his book, “The Art of Deception,” popular hacker Kevin Mitnick explained the power of social engineering techniques. Today, we are aware that social engineering can be combined with hacking to power insidious attacks.
Let’s consider, for example, social media and mobile platforms; they are powerful attack vectors for various categories of threat actors because they allow hitting large audiences instantaneously.
Most of the attacks exploiting both paradigms are effective because they leverage the concept of “trust” on which social networks are built.
Let’s take a close look at the most common social engineering attacks used to target users.
Phishing attacks are the most common type of attacks leveraging social engineering techniques. Attackers use emails, social media, instant messaging and SMS to trick victims into providing sensitive information or visiting malicious URLs in the attempt to compromise their systems.
Phishing attacks present the following common characteristics:
- Messages are composed to attract the user’s attention, in many cases to stimulate his curiosity by providing a few pieces of information on a specific topic and suggesting that the victims visit a specific website to learn more.
- Phishing messages aimed at gathering a user’s information convey a sense of urgency. This is an attempt to trick the victim into disclosing sensitive data in order to resolve a situation that could get worse without the victim’s interaction.
- Attackers leverage shortened URL or embedded links to redirect victims to a malicious domain that could host exploit codes or that could be a clone of legitimate websites with URLs that appear legitimate. In many cases, the actual link and the visual link in the email are different; for example, the hyperlink in the email does not point to the same location as the apparent hyperlink displayed to the users.
- Phishing email messages have a deceptive subject line to entice the recipient to believe that the email has come from a trusted source. Attackers use a forged sender’s address or the spoofed identity of the organization. They usually copy contents such as texts, logos, images and styles used on the legitimate website to make it look genuine.
A watering hole attack consists of injecting malicious code into the public web pages of a site that the targets used to visit. The method of injection is not new and it is commonly used by cybercriminals and hackers. The attackers compromise websites within a specific sector that are ordinary visited by specific individuals of interest for the attacks.
Once a victim visits the page on the compromised website, a backdoor Trojan is installed on his computer. A watering hole method of attack is very common for a cyber-espionage operation or state-sponsored attacks.
It is a common conviction that this type of attack is related to state-sponsored offensives. The choice of the website to compromise, the study of victim’s habits and the adoption of an efficient exploit code are steps that require a significant effort in the preparation phase of the attack.
The efficiency of watering hole attacks increases with the use of zero-day exploits that affect victim’s software. In this case, victims have no way to protect their systems from the malware diffusion.
Whaling is another evolution of phishing attacks that uses sophisticated social engineering techniques to steal confidential information, personal data, access credentials to restricted services/resources and, specifically, information with relevant value from an economic and commercial perspective.
What distinguishes this category of phishing from others is the choice of targets: relevant executives of private business and government agencies. The word whaling is used, indicating that the target is a big target to capture.
Whaling adopts the same methods of spearphishing attacks. The scam email is designed to masquerade as a critical business email sent from a legitimate authority, typically from relevant executives of important organizations. Typically, the content of the message sent is designed for upper management and reports some kind of fake company-wide concern or highly confidential information.
The term pretexting indicates the practice of presenting oneself as someone else to obtain private information. Usually, attackers create a fake identity and use it to manipulate the receipt of information.
Attackers leveraging this specific social engineering technique adopt several identities they have created. This bad habit could expose their operations to the investigations conducted by security experts and law enforcement.
The success of the pretexting attack heavily pretends on the ability’s attacker to build trust.
Most advanced forms of pretexting attacks try to manipulate the victims into performing an action that enables an attacker to discover and exploit a point of failure inside an organization.
An attacker can impersonate an external IT services operator to ask internal staff for information that could allow accessing systems within the organization.
Baiting and quid pro quo attacks
Another social engineering technique is the baiting that exploits the human’s curiosity. Baiting is sometimes confused with other social engineering attacks. Its main characteristic is the promise of goods that hackers use to deceive the victims.
A classic example is an attack scenario in which attackers use a malicious file disguised as a software update or as generic software. An attacker can also power a baiting attack in the physical world, for example disseminating infected USB tokens in the parking lot of a target organization and wait for internal personnel to insert them into corporate PCs.
The malware installed on the USB tokens will compromise the PCs, gaining the full control needed for the attacks.
A quid pro quo attack (aka “something for something” attack) is a variant of baiting. Instead of baiting a target with the promise of a good, a quid pro quo attack promises a service or a benefit based on the execution of a specific action.
In a quid pro quo attack scenario, the hacker offers a service or benefit in exchange for information or access.
The most common quid pro quo attack occurs when a hacker impersonates an IT staffer for a large organization. That hacker attempts to contact via phone the employees of the target organization then offers them some kind of upgrade or software installation.
They might request victims to facilitate the operation by disabling the AV software temporarily to install the malicious application.
The tailgating attack, also known as “piggybacking,” involves an attacker seeking entry to a restricted area that lacks the proper authentication.
The attacker can simply walk in behind a person who is authorized to access the area. In a typical attack scenario, a person impersonates a delivery driver loaded down with packages and waits until an employee opens their door. The attacker asks that the employee hold the door, bypassing the security measures in place (e.g., electronic access control).
Read more about social engineering attacks
5 Social Engineering Attacks to Watch Out For, The State of Security
Qingxiong Ma, “The process and characteristics of phishing attacks: A small international trading company case study,” Journal of Technology Research
The Social Engineering Framework, Security Through Education
Social engineering: Quid Pro Quo attacks, LinkedIn
Social Engineering: What is Tailgating?, Mailfence