Social engineering is the use of manipulation to get people to divulge confidential information. It is essentially a ‘confidence trick’ used to gather information, and it can do a lot of damage if that information falls into the hands of the trickster.
It is done in various ways. It might involve convincing someone to hand over details by pretending to be a figure of authority dealing with an emergency, but it might also be done without any conversation at all, using physical items such as storage devices (USB sticks, CDs, SD cards) that carry malicious software.
In many ways, social engineering relies on people’s weaknesses and their willingness to help.
Here are a few examples of how a social engineering attack may occur:
1. Baiting – This is when the attacker leaves a USB stick or CD-ROM in a place where they are sure it will be found by someone. The person who finds the device connects it to their computer, and the malicious software is installed.
Example: The attacker drops a few USB sticks (possibly even branded with the targeted company’s logo) around the car park of a large law firm. Someone sees a USB stick and wants to find out who it belongs to – they put the USB stick in their computer and infect it with a virus or Trojan horse that gives the attacker access to confidential information.
2. Phishing – You may already be aware of phishing: this is when someone sends a fraudulent email that is made to look as if it has come from a trusted source. The purpose is to trick the recipient into installing malware on their computer or sharing personal or financial information.
Example: An email is sent to you from ‘the bank’ with the subject line ‘Suspicious Activity on account’. Most will ignore such an email, but some will click through out of fear that something has happened to their bank account. At this point the victim may be prompted to download something, or they may be asked to provide some details. Once the victim follows the instructions, the attacker gains confidential information about them or puts malicious software on their computer.
3. Competition Websites – To some, competition websites are obviously a scam. To others, they are the chance to win a free holiday or a large amount of money! These websites work by asking you to create an account or sign up to win – you might wonder what the harm is in giving an email address and a password; what can they do with that?
The issue lies with where else those details are being used. The attacker counts on the victim using the same email, username and password for other websites that hold more confidential information! Remember: if it’s too good to be true, it probably is!
How can we prevent social engineering?
Security awareness training can go a long way in preventing social engineering attacks. If people understand what a social engineering attack is and the forms it can take, they will be less likely to fall into the trap.
A lot of people are not aware of the value of the information they deal with on a daily basis, or of how easily that information can end up being shared with malicious people.
Much of social engineering is about trust – if something doesn’t look trustworthy, don’t trust it!
A few ways to stay protected:
If you find a USB stick or other storage device on the floor, DO NOT put it in your computer – hand it in to an IT manager and explain where you found it.
DO NOT open suspicious-looking emails or give any bank details in response to an email – your bank will not request bank details by email. If you are worried, call the apparent sender and check whether they sent the email.
DON’T use your regular password, username or email address for any competitions. Unless it is a completely trusted source, you should avoid online competitions that offer money, gadgets or holidays as prizes.
You can learn more about Cyber Security from the upcoming Cyber Security Conference 2015!