5 Social Engineering Attacks and How to Avoid Them.

Did you know that 5,4 billion WannaCry attacks were blocked in 2017 and that 15% of top 10 industries are affected by ransomware? It is not new for the governments to use cybercrime to achieve their political goals: WannaCry (North Korea), Stuxnet and etc. - but with so many attacks happening, a very little number of companies are actually prepared to repel them. In this article, I focus on 5 most common Social Engineering attacks and showcase the way they are used to get access to personal data.

● Pretexting means to learn the information from the person that is affiliated with your target, in order to assume a false identity and receive sensitive information. There are 2 main steps to create a good pretext: data gathering (learning information from the affiliates: management names, vacation dates, types of the locks and etc.) and implementation (creating the false identity, based on the collected data).

If done by the professional, the only way to resist pretexting is through awareness and established organizational policies. This type of attack becomes more popular each year, due to the fact that it exploits our inability to make decisions, caused by the fear of authority. This fear is utilized in many real-life examples, for example, an unknown hacker went to the office, disguised as IT support (ensuring that the target is not present) & lied to the receptionist that her boss made it clear that some issue has to be fixed, or heads will roll.

● FOMO or 'Fear of Missing Out' is described as our subconscious feeling of inferiority towards others, thinking that other people have better lives than us. In the new media age, depression is utilized by the algorithms and marketers to sell brands, however, this is also a strong fundament for a social engineering attack.

Social Media creates a low esteem loop, where people are willing to take more risks in search of validation, but end up on the repetitive downhill path. By losing the sense of self-worthiness we are easily persuaded by the offers of goods and services that claim to solve our problems. The only way to escape this path is to cut the constant source of dopamine that is given to us by the fake fulfillment provided by social networks.

● Baiting entices the targets with material goods in order to get logins and passwords of the users or install keyloggers. This is achieved by exploiting our willingness to receive something for free, for example, by dropping malware-infected USB sticks around the office (with the sticky note 'Confidential') to infect the computers. The safer way to perform the attack is promising free subscription to a popular service in exchange for the survey, email, and password. To stay protected from physical baiting, every unknown USB stick has to be either destroyed or launched on the separate Linux computer, and the online security is all about awareness and common sense of behavior. In one occasion, an employee of a company exchanged his login credentials for a chocolate bar, so everything is possible.

● Quid Pro Quo is a similar attack to baiting, but instead of a good, it offers a free service in exchange for the information. It is less effective than baiting and requires more manual effort. The attacker will typically call every possible employee at the company and offer an IT solution in exchange for account credentials. Another example is a researcher that proposes 100$ to get access to the company network and assess their security as part of some university-wide initiative.

● Whaling attack (evolution of Phishing) is designed specifically to target higher executives in the company. The email is disguised as a notice from a legitimate authority that informs about a critical business issue that requires an immediate reply from the whale (stands for the executive). The scam contains very specific information with the names of employees, the person receiving an email and other relevant facts that legitimize the source.

There are not many attacks that are publicly known, due to their sensitive nature, but in 2016, Snapchat's high ranking manager was tricked into revealing the payroll of employees to the unknown hacker that impersonated the CEO. The best way to prevent this from happening is by establishing verification procedures and automatically marking the email from unknown sources because very commonly the hackers would own the domain with very similar spelling to their target's company, so it completely removes the human mistake from the equation.

This article is inspired by the book 'Social Engineering: The Art of Human Hacking', written by Christopher Hadnagy. This book might be dated by that point of time, but this work gave the direction to the development of social engineering and is Pioneer in the field.

You can find more information on my website.