In what technique do attackers pose as their victim to elicit information from third parties?

In email phishing, the email content of a trusted entity is replicated to deliver a fraudulent message. Attackers use many techniques to increase their success rate, such as copying the same jargon, typefaces, logos and even signatures to make the email look legitimate. Phishing emails also create a sense of urgency in the victim, pressuring them into quick decisions that are more prone to error. The email may, for example, notify the user of a malware infection and demand that they download an application to recover their system.

When the user clicks the download link, however, the attacker attempts to obtain their confidential information. When email phishing is used as part of a ransomware attack, the attacker sends out thousands of emails; even a small percentage of clicks or downloads can earn the attacker a substantial amount of money.

Spear phishing

In spear phishing, the attacker does thorough research into the targeted individual or entity. This type of phishing requires in-depth knowledge of the organisation and its structure to penetrate the network. For instance, the attacker could impersonate an employee of the organisation and send an email to other employees to gain access to the organisation’s confidential data.

Pharming

This type of phishing attack is carried out on a fake website that mimics a real one. Even though the user types in the correct URL for the real site, the attacker redirects them to the fraudulent site. These bogus sites are created to harvest personally identifiable information, such as users’ login credentials.

Best practices

Generally, phishing attackers make subtle mistakes that can be identified if the user is vigilant. Following the best practices below can also help you thwart these attacks or mitigate the damage.

Incorporate strict password policies

Organisations must require employees to follow strict password management policies to keep their systems and user accounts secure. It is good practice to change passwords regularly and not use the same password for multiple applications.

Use two-factor authentication

Two-factor authentication prevents perpetrators from gaining access to an account by requiring a second method of verification in addition to the username and password. This acts as an additional layer of security.

Conduct training sessions

Conducting regular training sessions for employees on phishing attacks and other cyberattacks helps them better identify fraudulent communications and report them.

Implement the right technology

As phishing is one of the most common forms of cyberattack, all organisations need to equip themselves against it. Powerful IT management software can defend against the broad range of phishing attacks that target organisations. ManageEngine's comprehensive suite of IT management solutions, including Exchange Reporter Plus and Browser Security Plus, helps identify suspicious emails and prevents users from landing on infected pages, even if they click a malicious link.

Risks from the web are often difficult to assess – but it is a fact that in 2020 nine out of ten companies were victims of a cyber attack. In our post series on internal and external cyber risks, we shed some light on this topic. This time, we focus on Social Engineering and the question of how companies should respond to the manipulation of their employees, an issue that has become more pressing during the pandemic. After all, cybercriminals have long since identified humans as the supposed weakest link in IT security.

What is Social Engineering?

The term Social Engineering describes a scam used by cybercriminals to elicit confidential data from employees of companies or from private individuals, or to get them to install malware without noticing. In most cases, the hackers’ aim is to extort ransom, protection or hush money and thus enrich themselves. For this purpose, they exploit human traits such as trust, curiosity, fear, or respect for authority – much like a doorstep scam.

Since Social Engineering aims at the psychological manipulation of people, it is also referred to as Human Hacking or Social Hacking. “Amateurs hack systems, professionals hack people,” says renowned computer security expert Bruce Schneier. This is because the human factor constantly provides cybercriminals with new opportunities for criminal activity. Nine out of ten security incidents can be traced back to human error, causing immense economic damage every year. It is therefore critical for companies to know the relevant Social Engineering attack techniques and to equip their own staff with the appropriate knowledge, so that suspicious events are met with the necessary mistrust in the future.

Social Engineering: You should know these 7 methods

Social Engineering is becoming increasingly clever and targeted, and is proving to be a major security risk for companies and their employees. Those who know the current attack techniques can respond strategically. It is not uncommon for hackers to combine several methods to disguise the cyber attack completely:

1. Phishing & Spear Phishing

Phishing is probably the best-known form of Social Engineering: employees of companies or private individuals are tricked by fake e-mails, SMS or social media messages into clicking on a malicious link and entering personal login data on a fake website. The captured data is then misused.

In the past, Phishing messages were relatively easy to spot due to grammatical errors, missing salutations or translation mistakes. Today, it is becoming increasingly difficult to identify them. One example of this is Spear Phishing: unlike conventional Phishing attacks, which are directed at a large number of addressees, cybercriminals use this more targeted Phishing variant to address individual employees or small groups. For individual targeting, attackers look up people and e-mail addresses in search engines and analyze personal relationships via social networks. The result is messages with a genuine connection to colleagues, company events or individual interests. According to the German Federal Ministry for Information Security (BSI), this approach increases the potential “hit rate” of hackers.

2. Pretexting

Cybercriminals who use Pretexting want to gain the trust of their potential victims by means of a pretext or an entirely invented scenario in order to persuade them to hand over personal data. This is intended to ease access to protected IT systems. In Pretexting, attackers pretend on the phone to be IT staff or bank employees, for example, claiming that they are trying to help fix an urgent problem which is, however, fictitious.

Pretexting is often combined with other attack techniques. By staging situations, attackers repeatedly succeed in bypassing rational judgement. As a result, victims make decisions based on emotions – leading to significant cyber security failures.

3. CEO Fraud

As a special form of Pretexting and Spear Phishing, CEO Fraud is a particularly popular method among Internet fraudsters. Here, the authority of a superior is exploited and pressure is built up. The Social Engineer slips into the role of management and requests employees to disclose important data by means of deceptively real-looking e-mails or fictitious telephone calls. Often, an emergency situation is presented that supposedly requires bold action. For example, the accounting department is asked to quickly carry out a business-critical money transfer.

This insidious approach is based on the assumption that employees are more likely to put defined security rules on hold when asked to do so by superiors. Who would not want to assist their boss with urgent business matters? Since hackers have usually spied on the company and the employees in question in advance, the messages seem particularly realistic. Quite often, even the characteristic writing style of superiors is imitated. The attack technique became public, among other things, through an e-mail with the sender @ceopvtmail.com, which the Federal Criminal Police Office warned about a few years ago.
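The CEO Fraud pattern described above (a superior’s display name on a message from an outside or lookalike domain, combined with urgency and payment language) can be turned into a mail-gateway check. The following Python is an added example, not code from the original article or from any product it mentions; the company domain, the executive list and the sample messages are constructed, and only the ceopvtmail.com sender domain is taken from the text.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Hypothetical company configuration (an assumption of this example, not from the article).
CORPORATE_DOMAINS = {"example-corp.com"}
# Executive display names (normalized) mapped to the mailbox they really send from.
EXECUTIVES = {"anna schmidt": "anna.schmidt@example-corp.com"}
URGENCY_WORDS = ("urgent", "immediately", "transfer", "confidential", "asap")

def normalize_name(name):
    """Lower-case, strip punctuation and sort the words so 'Schmidt, Anna' still matches."""
    return " ".join(sorted(re.sub(r"[^a-z ]", " ", name.lower()).split()))

def is_lookalike(domain):
    """True for a domain that closely resembles a corporate domain without being one."""
    return domain not in CORPORATE_DOMAINS and any(
        SequenceMatcher(None, domain, real).ratio() >= 0.8 for real in CORPORATE_DOMAINS)

def assess_message(headers, body):
    """Return the risk findings for one message; an empty list means nothing was flagged."""
    findings = []
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    real_mailbox = EXECUTIVES.get(normalize_name(display))
    if real_mailbox and addr != real_mailbox:
        findings.append("executive display name with a different sender address")
    if domain and domain not in CORPORATE_DOMAINS:
        kind = "lookalike" if is_lookalike(domain) else "external"
        findings.append(kind + " sender domain " + domain)
    hits = [w for w in URGENCY_WORDS if w in body.lower()]
    if hits:
        findings.append("urgency or payment language: " + ", ".join(hits))
    return findings

def is_suspected_ceo_fraud(headers, body):
    """Flag the combination the article describes: an impersonated superior plus pressure."""
    findings = assess_message(headers, body)
    return (any(f.startswith("executive") for f in findings)
            and any(f.startswith("urgency") for f in findings))

# Constructed sample messages; ceopvtmail.com is the sender domain the article mentions.
FRAUD = ({"From": '"Anna Schmidt" <ceo@ceopvtmail.com>'},
         "Please process this urgent transfer immediately and keep it confidential.")
LEGIT = ({"From": '"Anna Schmidt" <anna.schmidt@example-corp.com>'},
         "Minutes from the board meeting are attached.")
```

Such a heuristic belongs alongside, not instead of, a payment approval process that requires a second person and a call-back on a known number.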

4. Baiting

Baiting can be interpreted as “luring” – and that’s exactly what this Social Engineering tactic is all about. Employees are lured with something interesting to entice them into a desired action. Bait can be digital media such as links to supposedly free music or movie downloads. If the infected file is downloaded, malware spreads from the infected computer through the network – the attacker can access confidential information unnoticed and turn it into money.

The example of the much sought-after Playstation 5, which is currently sold out everywhere, shows how attackers currently operate: social engineers use links to a store where the out-of-stock console can supposedly still be bought. This trick, too, serves criminal ends. Baiting is not limited to the digital world: tricksters also use physical objects to exploit human curiosity (more on this under Tailgating and Media Dropping).

5. Tailgating

Social Engineering attacks also take place in the real world – usually in the course of a method called Tailgating. In this case, the attacker gains physical access to a company site or building, for example in order to carry out Media Dropping (see below). In a typical scenario, he/she poses as a package delivery person or service technician and follows an employee unnoticed through the entrance area. This is how the attacker “slips through”. Where electronic access controls or security personnel block the way, additional Pretexting is used: the stranger could pretend to be a new colleague, for example. In many cases, the attacker strikes up a conversation with employees – with the aim of feigning familiarity and entering the company together with them.

6. Media Dropping

Media Dropping relies on the interplay of analog and digital activities. Attackers use storage media infected with malware, such as USB sticks, flash drives, or CDs, and leave them behind in companies – often in the course of Tailgating. The media are disguised as lost items or giveaways for employees to discover and plug in out of curiosity. Since they usually contain spyware or bots for DDoS attacks, entire systems can inadvertently be taken down. In the past, attackers have also taken the postal route and sent letters with storage media enclosed. Here, too, the aim was to arouse the recipients’ interest so that they would open the medium and inadvertently infect their computers. If employees are specifically enticed to open files by labels on the storage media, such as “Salary increases 2022,” the attacker combines the tactics of Media Dropping and Baiting.

7. Quid pro Quo

According to the Latin expression “Quid pro Quo,” someone who gives should receive something appropriate in return. Hackers proceed in exactly the same way with their potential victims in the Social Engineering method of the same name: they hold out the prospect of an advantage if the requested information is handed over or certain actions are carried out. This happens, for example, in the course of a fake phone call: the Social Engineer pretends to be a colleague from the IT department and offers support with an allegedly necessary software update. The victim is promised a quick and easy solution which, however, installs malware on the computer. Often, the victim’s personal password is requested in this scam. In many cases, the approach is also flanked by Spear Phishing messages in order to convince the victim quickly.

Identify human hacking and protect your own company

Social Engineering attacks are steadily increasing, but they can be prevented. However, technical solutions such as firewalls or antivirus programs have no effect here. Given the human-centric approach, companies face the task of sharpening their own employees’ understanding of security and building them up into a human firewall. Targeted training measures such as Phishing campaigns and Security Awareness Training can make a significant contribution to closing the “human vulnerability”. In this way, employees learn in a practical way how to protect themselves and the company from cyber attacks, even when working from home – and how to identify risks in advance.

In this context, it is worthwhile to address each employee’s individual level of knowledge and to offer training courses at different levels of difficulty. When making their selection, decision-makers should also ensure that the training courses are conducted by experienced security specialists who are familiar with current attack methods and regularly put a stop to cybercriminals themselves. Last but not least, it is important to hold the training courses at regular intervals in order to keep the internal level of knowledge up to date – especially since Social Engineering tactics are constantly changing.