Social building is the term utilized for an expansive scope of pernicious exercises achieved through human associations. It utilizes mental control to trap clients into committing security errors or giving endlessly delicate data.
Social building assaults occur in at least one stages. A culprit initially explores the expected casualty to assemble important foundation data, for example, potential purposes of passage and frail security conventions, expected to continue with the assault. At that point, the aggressor moves to pick up the casualty’s trust and give jolts to ensuing activities that break security hones, for example, uncovering touchy data or conceding access to basic assets.
Common social engineering attacks
If a criminal manages to hack or socially engineer one person’s email password they have access to that person’s contact list–and because most people use one password everywhere, they probably have access to that person’s social networking contacts as well. Once the criminal has that email account under their control, they send emails to all the person’s contacts or leave messages on all their friend’s social pages, and possibly on the pages of the person’s friend’s friends.
These messages may use your trust and curiosity:
- Contain a link that you just have to check out–and because the link comes from a friend and you’re curious, you’ll trust the link and click–and be infected with malware so the criminal can take over your machine and collect your contacts info and deceive them just like you were deceived.
- Contain a download–pictures, music, movie, document, etc., that has malicious software embedded. If you download–which you are likely to do since you think it is from your friend–you become infected. Now, the criminal has access to your machine, email account, social network accounts and contacts, and the attack spreads to everyone you know. And on, and on.
These messages may create a compelling story or pretext:
- Urgently ask for your help–your ’friend’ is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home and they tell you how to send the money to the criminal.
- Asks you to donate to their charitable fundraiser, or some other cause – with instructions on how to send the money to the criminal.
Typically, a phisher sends an e-mail, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution.
These messages usually have a scenario or story:
- The message may explain there is a problem that requires you to “verify” of information by clicking on the displayed link and providing information in their form. The link location may look very legitimate with all the right logos, and content (in fact, the criminals may have copied the exact format and content of the legitimate site). Because everything looks legitimate, you trust the email and the phony site and provide whatever information the crook is asking for. These types of phishing scams often include a warning of what will happen if you fail to act soon, because criminals know that if they can get you to act before you think, you’re more likely to fall for their phish.
- The message may notify you that you’re a ’winner’. Maybe the email claims to be from a lottery, or a dead relative, or the millionth person to click on their site, etc. In order to give you your ’winnings’ you have to provide information about your bank routing so they know how to send it to you, or give your address and phone number so they can send the prize, and you may also be asked to prove who you are often including your Social Security Number. These are the ’greed phishes’ where even if the story pretext is thin, people want what is offered and fall for it by giving away their information, then having their bank account emptied, and identity stolen.
- The message may ask for help. Preying on kindness and generosity, these phishes ask for aid or support for whatever disaster, political campaign, or charity is hot at the moment.
Social Engineering Attac Techniques
As its name implies, baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or inflicts their systems with malware.
The most reviled form of baiting uses physical media to disperse malware. For example, attackers leave the bait—typically malware-infected flash drives—in conspicuous areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to it, such as a label presenting it as the company’s payroll list.
Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic malware installation on the system.
Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of baiting consist of enticing ads that lead to malicious sites or that encourage users to download a malware-infected application.
Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived to think their system is infected with malware, prompting them to install software that has no real benefit (other than for the perpetrator) or is malware itself. Scareware is also referred to as deception software, rogue scanner software and fraudware.
A common scareware example is the legitimate-looking popup banners appearing in your browser while surfing the web, displaying such text such as, “Your computer may be infected with harmful spyware programs.” It either offers to install the tool (often malware-infected) for you, or will direct you to a malicious site where your computer becomes infected.
Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for users to buy worthless/harmful services.
Here an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform a critical task.
The attacker usually starts by establishing trust with their victim by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority. The pretexter asks questions that are ostensibly required to confirm the victim’s identity, through which they gather important personal data.
All sorts of pertinent information and records is gathered using this scam, such as social security numbers, personal addresses and phone numbers, phone records, staff vacation dates, bank records and even security information related to a physical plant.
As one of the most popular social engineering attack types, phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. It then prods them into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.
An example is an email sent to users of an online service that alerts them of a policy violation requiring immediate action on their part, such as a required password change. It includes a link to an illegitimate website—nearly identical in appearance to its legitimate version—prompting the unsuspecting user to enter their current credentials and new password. Upon form submittal the information is sent to the attacker.