This post expands on November’s article about security incident terminology. This month, we’ll be addressing the various forms of social engineering attacks. Most social engineering attacks will be familiar and relatable to experiences you’ve had or training you have received in the past. It’s important to educate yourself about social engineering because the attacks have matured and have become harder to detect. Social engineering continues to be one of the easiest, non-technical methods for an attacker to gain a foothold in a target’s systems and/or network. Social engineering includes scareware, phishing, vishing, piggybacking, quid pro quo, and other methods the attacker employs to gain a person’s trust and manipulate them into divulging confidential information.

Scareware, as its name suggests, is a scam that scares you into buying or downloading malicious software disguised as security protection. Have you ever visited a website that flashes a red warning banner claiming your computer has a virus? That is an example of a scareware attack. It immediately tries to scare you into thinking a virus is on your computer, but the website offers you assurance that if you click the red banner it will remove the virus and protect your computer. Scareware works because the victim is scared and may be curious enough to click the link to find out more about how to remove the virus and protect their system.

However, by clicking the link, the victim may immediately have malicious software installed, or the link may take the victim to a website that further scares them into taking other actions to purchase malicious anti-virus solutions. Of course, it’s highly probable that the promised anti-virus “solution” contains malicious software. The purpose of the malicious software is to collect password credentials, financial information, or other personal or confidential information that can lead to future identity theft crimes.

Phishing is a social engineering technique that uses electronic communications, such as email, instant messaging, or text messaging, to deceive users into providing personal information such as login credentials or credit card information to the attacker. An example of an effective phishing attack is an email that appears to be from a trusted entity stating that the trusted entity has recently suffered a breach and is requesting that all customers immediately change their password. The email may appear to be from the trusted entity and may even use formatting, logos, and signature lines that would be expected of the trusted entity. The email will contain a link for the customers to change their password, and once the link is clicked, the web page will appear very similar to what is expected from the trusted entity, giving the customer confidence to provide their existing username and password on the web page.

But, since this is actually a malicious site and not the trusted entity at all, the attacker has collected the credentials necessary to commit fraud against the individual. This can lead to unauthorized purchases, theft of funds, or even identity theft. When phishing is used in a government, educational, or corporate environment, it can be even more devastating to the organization, allowing the attacker to bypass security perimeters to gain access to the organization’s data. Organizations can sustain financial losses, declining market share, loss of customer confidence, and loss of reputation after a phishing attack. In some cases, organizations have a very difficult time recovering from the attack, or never recover at all.
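The tell-tale sign in the breach-notification email described above is that the "change your password" link does not actually go to the trusted entity. The following is an added example, not code from the original post: it pulls every link out of a constructed sample email and flags links whose real destination host is outside the trusted entity's domains, or whose visible text shows a different host than the link actually targets. The domains `example-bank.com` and `verify-login.example.net` are assumed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:      # only text inside the current <a>...</a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased host of a URL or bare domain ("" if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def suspicious_links(html_body, trusted_domains):
    """Flag links whose destination is outside the claimed sender's domains, or whose
    visible text shows a different host than the href targets. Returns [(href, why)]."""
    trusted = [d.lower() for d in trusted_domains]
    def is_trusted(host):
        return any(host == t or host.endswith("." + t) for t in trusted)
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = _host(href)
        # Only treat the visible text as a host when it looks like one (contains "x.y").
        shown_host = _host(text) if re.search(r"\w\.\w", text) else ""
        reasons = []
        if not is_trusted(href_host):
            reasons.append("destination %r is not a trusted domain" % href_host)
        if shown_host and shown_host != href_host:
            reasons.append("text shows %r but link goes to %r" % (shown_host, href_host))
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings

# Constructed sample: the "we had a breach, reset your password" pretext described above.
SAMPLE_EMAIL = """<p>We recently suffered a breach. All customers must reset their password now.</p>
<a href="https://accounts.example-bank.com.verify-login.example.net/reset">https://accounts.example-bank.com/reset</a>
<a href="https://www.example-bank.com/help">Help center</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL, ["example-bank.com"])` flags only the reset link: its visible text shows the bank's host, but the href lands on `verify-login.example.net`, which merely starts with the bank's name.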

Vishing, the practice of eliciting information or attempting to influence action via the telephone, is another method attackers use to gain personal information. An example of a vishing attack is when the attacker impersonates a technical support analyst and calls targets to discuss a technical issue. The attacker usually uses technical jargon and provides reasons why it is urgent that the target provide their credentials so the attacker can “test” that everything is now working as expected. These attacks are easy to perform, take no technical knowledge, and only need to succeed once for the attacker to gain unauthorized access to the protected data.

Piggybacking and tailgating are physical social engineering attacks. The terms refer to an unauthorized person tagging along behind another person who is authorized to enter a restricted area. This attack is extremely simple. The attacker can strike up a conversation with someone who is headed toward the restricted area, and then just walk in behind the authorized person. If the attacker is questioned, they can quickly make up a plausible excuse as to why they don’t have their access key with them. Or, the attacker can look preoccupied, or have their hands full of paperwork and a laptop when they are going through the door. Usually the authorized person will assist by holding the door open so the unauthorized person can walk through. This is one case where good manners do not work!

Quid pro quo is Latin for “something for something.” Quid pro quo works well on students who may be offered a free t-shirt, access to an online game, or even a free pizza simply for filling out a form that asks for personal information and for the student’s school credentials. Once the attacker has the credentials, they can use them to gain unauthorized access to the school’s or student’s information.

Social engineering attacks usually only require one target to fall victim for the attacker to leverage that information for more malicious activities. Hopefully you have taken the proper precautions to avoid falling victim to a social engineering attack, but if you suspect you have been compromised, report it immediately to the proper channels so it can be addressed quickly to help minimize loss of information and future attacks.

Resources:

3: Social Engineering article

Homeland Security advice on reporting phishing sites: https://www.us-cert.gov/report-phishing

Federal Trade Commission advice on recognizing and avoiding phishing scams: https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

INFOSEC information about protecting against social engineering attacks: https://resources.infosecinstitute.com/protecting-against-social-engineering-attacks/#gref