INTRODUCTION
Welcome, dear networkseclearners, to this new cybersecurity tutorial on social engineering, a very important topic we should all be aware of. Have you ever received a suspicious e-mail offering you some unexpected advantage and asking you to click on a link to proceed? Or have you ever received an e-mail claiming to be sent by somebody you trust or know very well, asking you to send money or provide private and sensitive information for some urgent matter? Or, even trickier, have you ever received an e-mail claiming to come from the police or the tax authorities, threatening you with legal action if you do not pay an amount due or provide some information by a given date? Even if you have never received such e-mails, I guess you have probably already heard about these kinds of tricks. These are exactly some types of social engineering techniques. In a nutshell, social engineering consists in using manipulative techniques to trick people into doing things that could be harmful to them or, in the case of employees, to their organizations. But you might wonder what the link with cybersecurity is. Well, social engineering techniques are used, for instance, by hackers to get access to systems and networks or to install malware. As a cybersecurity professional, social engineering is therefore a very important skill to master, above all if you work in offensive cybersecurity or pentesting. It is also an important skill to master if you work on the defensive side, since being aware of these social engineering techniques will help you implement the most effective security measures to protect your own or your organization’s cybersecurity assets. Given the importance of this topic, and given that it is part of the CompTIA Security+ exam objectives, I wanted to write an article on it.
For networkseclearners who are planning to take the CompTIA Security+ exam, social engineering is part of Domain 2, Threats, Vulnerabilities, and Mitigations, under objective 2.2, Explain common threat vectors and attack surfaces.
All social engineering threats mentioned in the objective are covered in this tutorial, so it is a good resource to help you prepare for the exam. 😊
In the first part of this tutorial, I would like to present the factors that make people fall into the trap. In the second part, I will introduce the various social engineering attacks. I decided not to discuss mitigation strategies against social engineering attacks here because I plan to write a dedicated tutorial on measures to prevent or avoid them. If you are already looking forward to that tutorial, don’t hesitate to subscribe to my newsletter to get notified as soon as the article is published. 🤲
If you have already come across some words like phishing, smishing, vishing, typosquatting, impersonation and you wonder what they mean, you are at the right place because I will introduce all these social engineering techniques to you.
Let’s get started with social engineering factors!!!😉
1. Social Engineering Factors
Before I introduce the social engineering factors that make people fall into the trap, I would like to remind you what social engineering is.😉
Social engineering consists in using various manipulative techniques to trick people into performing actions that can lead to cybersecurity breaches. But wait, what tricks are used to manipulate people into doing things on their computer that can be harmful to them? This is exactly what I want to tell you in this section, so, since you are impatient, let’s start listing and describing the tricks. 😅
1.1 Urgency trick
The urgency factor, or trick, consists in creating an urgent situation that puts pressure on individuals to act quickly without proper judgement or thinking. Imagine you are asked via e-mail, for instance, to verify some details (related to your bank account) urgently or immediately, otherwise your bank account will be blocked forever. You might think that nobody would fall into such a trap, but believe me, some individuals unfortunately still do. Now that you know about it, I hope you can identify this sort of trick and will never fall into this kind of trap. Now let’s move on to the next trick, which is the authority trick.
1.2 Authority
The “authority trick” works because people tend to comply with requests from figures of authority. A social engineer using this trick will, for instance, impersonate a high-ranking official, like a CEO or a police officer, to persuade a victim to provide sensitive information or perform specific actions. Imagine getting an e-mail claiming to be from the CEO (Chief Executive Officer) or your boss, asking you to perform some actions or to provide some sensitive information. As you can guess, this can be really dangerous if you fall into the trap. You should pay attention to this kind of trick.🤲
1.3 Fear
The fear trick is used because making people afraid can make them act without thinking. It is like when somebody tells you that if you don’t do what they say, something bad is going to happen to you. For instance, a social engineer will tell you that your computer is infected and that you need to download a fix immediately, and, as you might guess, this “fix” will be harmful to you. 🤔
1.4 Scarcity
In order to illustrate this trick, let me relate one funny thing that happened during the sad period of Covid-19 😀. Well, before Covid, toilet paper was an ordinary product in supermarkets, as you already know. However, as soon as a shortage was announced, everybody rushed to buy it, making its value increase considerably. These people most probably felt some psychological pressure from the fact that such an ordinary product was becoming increasingly scarce. In the digital world, the same trick is used to make people fall into the trap. Concretely, imagine you receive an e-mail from a seemingly credible source informing you that you must update certain private information, otherwise your account will be blocked in 2 or 3 days. Be careful with this kind of trap. 🤲
1.5 Familiarity / Likability
As you know, people are more likely to comply with requests from those they like or feel familiar with. So, social engineering attackers will play on this by using sexual attraction and friendship in order to gain trust over time and then ask for sensitive information or favors that will be used to perform cybersecurity attacks. So, be careful about this!!
1.6 Social Proof
Individuals often look to others’ actions to determine their own, especially in uncertain situations. An attacker references fake testimonials or implies that others have already complied with the request to persuade the victim to do the same. So, be careful before performing some action only because many people have supposedly already done the same thing.
1.7 Greed
Promising financial gain or other rewards can lure individuals into traps. An e-mail promises a large sum of money from a foreign lottery or inheritance, asking for personal details to claim the prize. I often get this kind of e-mail myself, so you gotta be careful.
2. Social Engineering attacks
Now that you are familiar with the tricks used by social engineers to make their victims fall into their trap, I want to present the most common and well-known social engineering attacks. I know you are impatient to learn about these attacks 😅. I will not make you wait any longer: let’s jump right into the topic, starting with phishing attacks.
2.1 Phishing attacks
In the introduction, I mentioned some attacks like smishing, vishing, etc. This is the moment to tell you what all these fancy words mean. But wait, what does phishing mean in the first place? Good question! Here is its meaning :
Phishing is a type of cyber attack where attackers impersonate legitimate entities, such as organizations or individuals, to trick victims into revealing sensitive information, such as passwords, credit card numbers, or personal data.
This is typically done through deceptive emails, SMS, phone calls or websites that appear to be from trusted sources. The goal of phishing attacks is to steal sensitive information, commit fraud, or gain unauthorized access to systems or accounts.
There are different types of phishing attacks :
2.1.1 Smishing
Smishing means SMS phishing and consists in using SMS messages to trick people into providing personal or sensitive information.
2.1.2 Vishing
Vishing means Voice phishing and consists in using manipulative tricks over the phone to make the victims share personal or financial information.
2.1.3 Spear phishing
This is a type of phishing that targets a specific group of people or organizations. As you might guess, given the fact that many individuals are targeted, this kind of phishing has a higher success rate.
2.1.4 Whaling
Also known as “CEO fraud”, this is a type of spear phishing that targets high-profile people like executives, the CEO (Chief Executive Officer), the CFO (Chief Financial Officer), board members or any other higher-level managers. This technique is used by attackers because, even if it may appear hard to carry out, the reward can be greater and can allow the attackers to reach many more targets within the organization.
2.1.5 Business Email Compromise (BEC)
This is, from my point of view, the most harmful type of phishing attack because it is very difficult to detect. Indeed, it consists in gaining unauthorized access to a business e-mail account and using it to impersonate the owner within an organization. It is as if an attacker managed to access your e-mail account, impersonated you and manipulated individuals within or outside the organization into transferring funds, disclosing sensitive information, or taking other actions that result in financial loss or data breaches. So, now, do you agree with me that this is the most harmful phishing attack?😉 I also think that this can be even more dramatic if it is combined with whaling. Imagine the damage if an attacker takes control of the e-mail account of the CEO of a big company.
I would like to remind you that the purpose of all the information shared here is to make as many people as possible aware of these attacks and techniques so that they can avoid falling into the trap. My ultimate goal is to help you protect yourself in the digital realm.🤲
Now that we are done with the phishing attacks, let’s continue with the other social engineering attacks.
2.2 Impersonation Attacks
Impersonation refers to the act of assuming the identity of another person, entity, or system with the intention of deceiving others or gaining unauthorized access to information or resources. Here are some well known impersonation attacks :
2.2.1 Typosquatting
Typosquatting, also known as URL hijacking or cybersquatting, is a cybersecurity attack where attackers register domain names that look very similar to legitimate ones but contain typographical errors. The goal is to catch users who mistype the intended website URL, leading them to the malicious site instead. This technique is used to distribute malware or steal sensitive information.
Here are some examples of typosquatting :
- Instead of “facebook.com”, a typosquatter might register “facbook.com” or “facebok.com”.
- Instead of “twitter.com”, they might register “twiter.com” or “twittter.com”.
- Instead of “linkedin.com”, they might register “linkdin.com” or “linkdein.com”.
- Instead of “amazon.com”, they might register “amzon.com” or “amazoon.com”.
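To make the detection side concrete, here is an added example (my own code, not from the original article or from any particular tool) that takes the hostname out of a link found in a message and checks whether it is a close misspelling of a domain on a watch-list. The watch-list, the sample links and the two-label “registrable domain” simplification are constructed assumptions for this example; a production check would use the Public Suffix List and a much larger list of brands. The comparison uses the Levenshtein edit distance, so a single missing, extra or swapped letter, as in the examples above, scores as distance 1 or 2 and is flagged as a lookalike. It also goes one step beyond the list above and flags a brand name used as a subdomain of an unrelated domain, which is the brand-impersonation variant of the same trick.

```python
from urllib.parse import urlparse

# Constructed watch-list of legitimate domains for this example; a real
# deployment would load the brands the organization actually cares about.
WATCHED_DOMAINS = ["facebook.com", "twitter.com", "linkedin.com", "amazon.com"]

# Edit distance at or below which a name is treated as a lookalike.
MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions that turn a into b (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))          # distances from "" to b[:j]
    for i, ca in enumerate(a, 1):
        cur = [i]                           # distance from a[:i] to ""
        for j, cb in enumerate(b, 1):
            cur.append(min(
                prev[j] + 1,                # delete ca
                cur[j - 1] + 1,             # insert cb
                prev[j - 1] + (ca != cb),   # substitute (free if equal)
            ))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels, e.g. 'login.facbook.com'
    -> 'facbook.com'. This is an assumption that only works for .com-style
    names; real code should consult the Public Suffix List so that a name
    like 'amazon.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(domain: str, watched=WATCHED_DOMAINS,
                    max_distance: int = MAX_DISTANCE) -> dict:
    """Return a verdict for a domain: 'legitimate' if it is on the watch-list,
    'lookalike' if it is within max_distance edits of a watched domain,
    otherwise 'unrelated'."""
    d = registrable_domain(domain)
    if d in watched:
        return {"domain": d, "verdict": "legitimate", "lookalike_of": None, "distance": 0}
    best = min(watched, key=lambda w: levenshtein(d, w))
    dist = levenshtein(d, best)
    if dist <= max_distance:
        return {"domain": d, "verdict": "lookalike", "lookalike_of": best, "distance": dist}
    return {"domain": d, "verdict": "unrelated", "lookalike_of": None, "distance": dist}


def classify_url(url: str) -> dict:
    """Extract the hostname from a link and classify it. Besides misspellings,
    also flag a watched brand name used as a subdomain of an unrelated
    registrable domain (e.g. 'facebook.com.example.net')."""
    host = (urlparse(url).hostname or "").lower()
    result = classify_domain(host)
    if result["verdict"] == "unrelated":
        subdomain_labels = host.split(".")[:-2]     # everything left of the registrable domain
        for w in WATCHED_DOMAINS:
            if w.split(".")[0] in subdomain_labels:
                result["verdict"] = "brand_in_subdomain"
                result["lookalike_of"] = w
                break
    return result


if __name__ == "__main__":
    # Constructed sample links, as they might appear in received messages.
    for link in ["https://www.amazon.com/",
                 "https://login.facbook.com/reset",
                 "http://linkdein.com/jobs",
                 "https://facebook.com.example.net/login",
                 "https://example.org/"]:
        print(link, "->", classify_url(link))
```

A threshold of 2 is enough for the single-letter omissions, doublings and swaps shown above, but it will also flag legitimately short, unrelated names that happen to be close to a watched one, so in practice a “lookalike” verdict is a reason to inspect the link (or to check who registered the domain), not a final block decision.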
2.2.2 Brand impersonation
Brand impersonation in cybersecurity refers to the act of creating fake online identities or websites that mimic legitimate brands or organizations. Attackers often use brand impersonation as part of phishing attacks or other social engineering tactics to trick individuals into disclosing sensitive information, such as login credentials, financial details, or personal data. This technique relies on exploiting trust in well-known brands to deceive victims and facilitate fraudulent activities.
2.2.3 Watering Hole
In cybersecurity, a watering hole attack is a type of cyber attack where attackers infect websites that are frequently visited by their target victims. The goal is to compromise the devices of users who visit these sites, typically by exploiting vulnerabilities in the website’s code or injecting malicious code into the site. When users visit the infected site, their devices may become infected with malware, allowing the attackers to steal sensitive information or gain unauthorized access to their systems. This type of attack is called a “watering hole” because attackers wait at a popular site, like predators waiting for animals to come and drink at a watering hole in the wild.
2.3 Other social engineering attacks
2.3.1 Hoax attacks
In cybersecurity, a hoax attack consists in propagating a false or misleading message or warning often via email, social media, or other online platforms, with the intention of causing panic, confusion, or harm.
2.3.2 Dumpster Diving
Dumpster diving in cybersecurity refers to the practice of searching through trash for materials, such as paper documents, electronic devices, or other physical media, in order to find sensitive or confidential information that can be exploited for malicious purposes. This technique is often used by attackers to gather information about an organization’s operations, employees, or clients, which can then be used for identity theft, fraud, or other cybercrimes.
2.3.3 Baiting
Baiting is a tricky one because it is an attack that exploits human curiosity and the desire for free stuff to trick individuals into compromising the security of their systems. As you know, most people would rather download the free version of a piece of software instead of paying for it, and this is exploited by social engineers or attackers conducting baiting attacks. For example, attackers might create a fake website offering free software downloads, and when users attempt to download the software, they inadvertently install malware or viruses on their systems. As said previously, human curiosity is also exploited to make people fall into the trap. For example, a baiting attacker will intentionally leave physical media such as USB drives or CDs in public places, hoping that curious individuals will pick them up and connect them to their computers, thus infecting their systems with malware or viruses. So, be careful!
2.3.4 Shoulder Surfing
Shoulder Surfing consists in looking over a person’s shoulder to gather personal and sensitive information such as passwords, PINs, or other confidential data. This type of attack typically occurs in public places, such as cafes, airports, or libraries, where individuals may be using their devices in close proximity to others.
2.3.5 Eavesdropping
Eavesdropping consists in secretly listening to private conversations in order to extract sensitive information, such as personal conversations, confidential business data, or login credentials, which can then be used for malicious purposes, such as identity theft, espionage, or financial fraud.
2.3.6 Influence campaigns
An influence campaign in cybersecurity refers to coordinated efforts, often by state actors or organized groups, to manipulate public opinion through digital means. An influence campaign is a powerful tool for shaping public opinion and behavior: it uses social media platforms, websites, and other online channels to disseminate misinformation and disinformation or to amplify certain narratives.
Here are some types of influence campaigns you should be aware of :
- Misinformation : spreading false or misleading information to deceive the public, but without harmful intention
- Disinformation : spreading false or misleading information to deceive the public with harmful intention
- Social Media Manipulation : using bots, fake accounts, and troll farms to amplify messages and make certain viewpoints appear more popular than they are.
- Phishing and Spoofing : crafting deceptive e-mails, messages, or websites to impersonate trusted sources and spread false information.
- Hack and Leak Operations : hacking into sensitive information systems to steal data and then selectively leaking it to influence public perception.
These campaigns can significantly impact public trust, social cohesion, and democratic processes. By manipulating information, they can create division, erode trust in institutions, and even destabilize governments and economies.
2.3.7 Pretexting
Pretexting in cybersecurity is a social engineering technique where an attacker creates a fabricated scenario (or pretext) that seems true to trick an individual into divulging sensitive information or performing an action that benefits the attacker. This method relies heavily on building a believable story and establishing trust with the target.
CONCLUSION
Thank you for following along, dear networkseclearners! By now, you should have a solid understanding of the factors that make people fall into the trap of social engineering attacks and be familiar with various types of these manipulative techniques. From phishing and smishing to vishing and typosquatting, we’ve covered how these techniques are used to exploit trust and trick individuals into compromising their security.
I would like to remind you that social engineering is a critical component of cybersecurity, whether you’re working on the offensive side in penetration testing or the defensive side in protecting organizational assets. By understanding these techniques, you can better defend against them and recognize when they’re being used against you or your organization.
Stay tuned for the upcoming tutorial on mitigation strategies, where we will dive into the measures you can take to prevent or avoid social engineering attacks. If you’re eager to receive updates, don’t forget to subscribe to my newsletter.🤲😉
Please feel free to leave a comment below and share this article with others who might find it useful!
Thank you dear networkseclearners for reading till the end, and until next time, keep networksec learning and stay secure! 😊