- 原文 标 题 : Common Social Engineering Attack Strategies
- By Alicia Jones
- The Nuggets translation Project
- Permanent link to this article: github.com/xitu/gold-m…
- Translator: jaredliw
- Proofreader: KimYangOfCat, PingHGao
Common social engineering attack tactics
With the rapid development of technology, the number of cyber threats we face in our daily lives will also increase. Our current era is sometimes called the “data age.” The Web is awash with so much data that some experts see it as another form of wealth. When money is involved, bad guys come along.
These cybercriminals are trying to somehow access that data and use it for their own benefit. These forms range from extortion to the use of data to create chaos.
Cybercriminals use a variety of methods to create problems for companies and individuals, one of which is called social engineering. Let’s see what it is.
What is social engineering?
Although the term “social engineering” sounds like some sort of society of engineers, it means something else. Social engineering is the technique of manipulating human psychology to accomplish malevolent tasks. Social engineering does not involve any technical type of hacking in this process.
In a typical hacking scenario, a hacker tries to gain access to a corporate network by identifying and exploiting vulnerabilities in the network. But in social engineering attacks, attackers try to manipulate employees to reveal sensitive information, which they can use to perform a variety of operations.
These days, social engineering attacks are becoming more common, and attackers are more focused on finding new ways to deceive employees. Social engineering attacks are not easy. First, attackers choose their targets and monitor their activities, looking for any form of psychological weakness. The attacker then tries to gain the employee’s trust by exploiting it. Once the employee falls into the trap, the attacker takes the next step.
Annotation of the text in the picture:
Social engineering attacks can be divided into four stages:
Research (optional)
Know your target in order to set a trap for success.
- Collect background information about individuals and/or organizations.
- Choose the person who is most accessible to the target.
- Plan how to communicate with the target and identify the leverage he or she can bring.
Part of the board/bait
Set the stage for a successful attack.
- Interact with the target.
- Fabricate lies.
- Create intimacy.
- Control communication.
action
Take the information and keep the plan going until it’s done.
- Maintain camouflage.
- Strengthen relationship control.
- Extract information.
The whole body and
End communication without arousing suspicion.
- Bring the “game” to a natural end.
- Provide a good reason for the target to “keep quiet.”
- Cover your tracks.
You can put the best security protocols in place in your organization, but skilled social engineers can still find ways to circumvent the high-end security measures you put in place and try to launch an attack. There have been countless social engineering attacks on even the biggest tech companies. We’ll see some examples of these below.
Who is the target?
Social engineering attacks focus on the organization’s high-value employees. Instead of wasting their time attacking small businesses, attackers will try to target large companies, and sometimes even governments, to cause maximum damage.
Several surveys have shown that new employees are most vulnerable to social engineering attacks because they are not psychologically prepared for such attacks. These attacks are so sophisticated that you never realize you’re being manipulated until the damage is done.
Let’s take a look at common attack techniques.
Common attack techniques
phishing
Phishing is one of the most commonly used social engineering attack techniques. This is a fraudulent way to impersonate a legitimate person and extract sensitive information by email or text message.
Phishing attacks focus on large numbers of people and have no single specific target. It’s like fishing. You don’t try to catch a particular fish, you try to catch any fish. As a result, these phishing campaigns are conducted in batches to cover large numbers of unsuspecting people.
An example of a phishing attack is an email sent to a user highlighting that their PayPal account has been blocked due to suspicious behavior. This creates a sense of panic in the recipient, causing them to click on links in the email in a hurry and ignore suspicious information. When they clicked on the links, they were redirected to a scam site that looked highly similar to PayPal, down to the address. Once the account credentials are submitted, the attacker will also obtain the corresponding credentials. Another possibility is that clicking on the link will download the malware and execute it on your local system.
Because phishing attacks target many users and are carried out in batches, it is easy for email service providers to detect and block attacks before they cause trouble for users.
Spear phishing
Spear phishing is a more targeted version of phishing in which an attacker targets a selected employee or company. This form of attack requires a tremendous amount of effort from the attacker and can even take months of planning and preparation. Attackers need to collect subject-related personal information, such as job, personality, characteristics and even contact information. Once this information is collected, an attacker sends a message via email or SMS, similar to phishing, but tailored to each target to make the attack seem less obvious.
This type of attack is often the most successful if nothing goes wrong. Because mail is sent in small quantities, it is difficult for mail servers to detect and block this type of attack.
The bait
Baiting is an attack technique that uses false promises to trigger greed or curiosity in the victim and turn it to the attacker’s advantage. Its main feature is the well-intentioned promise that hackers use to deceive their victims. Attackers either steal sensitive information or impose malware on unsuspecting victims’ devices.
Bait attacks take the form of physical and online attacks. In a physical attack, malware-infected devices would be placed in publicly accessible areas, places known to be frequented by potential victims. These devices look real and contain tags that say something interesting.
An example scenario is where an attacker leaves a malware-infected USB drive in a public area accessible to the victim. The drive would be tagged with something irresistible, like a high-performing client of the company, or some pornographic material. Once the victim plugs the device into their computer, the malware infects the host and allows the attacker to take action remotely.
If the attack is online, victims will be lured by “too good to be true” ads that lure them to malicious websites or encourage users to download apps that have been infected with malware.
Quid Pro Quo
The quid pro quo is a variation of the bait. Quid Pro Quo is a Latin phrase that means “exchange of services” in Chinese. This form of attack promises to provide a service rather than a good.
One of the most common quid pro quo attacks involves impersonating the Social Security Administration (SSA). The impostors contact unsuspecting people and ask them to confirm their Social Security numbers for technical reasons. Once this is done, an attacker can easily commit identity theft.
In other cases uncovered by the Federal Trade Commission (FTC), fraudsters set up fake SSA websites claiming they could help people sign up for new Social Security cards, but actually stole their detailed personal information.
Under the mask of
Pretence is a social engineering attack technique that manipulates individual victims primarily by building trust. Attackers often present themselves as someone with a right to know, such as a colleague, police officer, bank or tax official, and then ask questions under the pretext of identifying the victim, then use sensitive information for their own use.
While most of these attackers only collect personal data, there have been instances where attackers have used this method to obtain security information related to industrial plants.
The success of this form of attack depends largely on the level of trust the attacker is able to establish with the victim. Many sophisticated types of phoney attacks attempt to trick victims into action, allowing the attacker to find and exploit vulnerabilities within the organization.
intimidation
Intimidation is a type of attack in which victims are bombarded with pop-up Windows and emails with false alarms and fictional threats. These are common, but least effective. You may see pop-ups on multiple web sites that say “Your computer may be infected with a harmful spyware program.” After clicking on these links, you will be directed to install a “Remove Malware” application that either contains malware itself or directs you to a malicious site that can infect your computer.
Another type of scareware is common in your spam inbox. Your spam inbox is filled with “too good to be true” offers or false threats. Your mail server probably does a good job of identifying and isolating these emails, so this form of attack is the least effective.
Social engineering attackers use a variety of strategies to successfully carry out their attacks. One of the most common strategies is to offer something irresistible. The strategy uses human greed to achieve the outcome the attacker wants. Another common tactic is camouflage. This strategy plays an emotional game, posing as a victim and ultimately convincing employees of your story. Displaying permissions is another tactic attackers use when impersonating someone. Since people tend to respect people who have authority, or who appear to have authority, this technique works most of the time.
The most famous social engineering attack in history
Facebook and Google
Over two years, Facebook and Google were swindled out of more than $100 million. A Lithuanian hacker posed as an Asian supplier to the two companies and sent them fake invoices. This is considered one of the most expensive phishing attacks.
Barbara Corcoran (shark Tank)
Barbara, the judge on Shark Tank, almost got caught in a social engineering attack that cost her $400,000. An attacker posing as her assistant contacted her bookkeeper and demanded payment for the renewal of her real estate investment. The attacker used an email address very similar to that of a legitimate assistant. The fraud was discovered when the bookkeeper contacted his assistant about wire transfers.
Even though the money had left Barbara’s account, they managed to freeze the transaction before it reached the attacker’s account in China.
Toyota (TM)
Toyota Boshoku Corporation is a Japanese auto parts manufacturer. It is a member of the Toyota Group of corporations. They are in a social engineering attack [2019] (www.forbes.com/sites/leema… 37 million dollars. It is unclear whether Toyota will be able to recover the lost money. The attacker persuaded someone with financial authority to change the account information for the electronic funds transfer.
Ethereum Classic
[the etheric lane classic version of the web site was hacked in 2017] (www.trendmicro.com/vinfo/us/se…
Sony Pictures
This social engineering attack was one of the biggest topics of the day. SONY Pictures was attacked in 2014 and lost several important documents, including business agreements, financial documents and employee information. The attack was later determined to be a spear-phishing attack, targeting employees lured by emails from Apple products.
How can I stay safe as an individual?
- Do not open emails and attachments from suspicious sources. Be sure to check the sender’s email address, even email addresses from trusted senders can be fraudulent.
- Use multi-factor authentication (MFA). The attacker is very interested in your login credentials. However, if you use multi-factor authentication, an attacker will not be able to do anything with your credentials alone.
- Beware of “too good to be true” deals. If the offer sounds too good to be true, Google the information to find out if it’s legal.
- Make sure your anti-virus software is up to date.
- Always lock the device when it is not in use.
- Always be discreet when talking to people. Think before you speak, you may inadvertently say something that may be confidential.
How can I stay safe as a company/organization?
According to Dan Lohrmann, Chief Security Officer for Security Mentor,
- Focus on training your employees, especially new hires. Make sure you have a comprehensive security awareness training program and update them regularly to address both general phishing threats and new and targeted cyber threats. Keep in mind that attacks don’t just happen when links are clicked.
- Hold regular “roadshow” briefings to explain the latest attack trends. Ensure staff at all levels attend these briefings, including senior management and those with authority over financial transactions.
- Hire an external, independent security team to review your company’s security. These audits should be conducted on a regular basis.
We must maintain proper security measures to avoid getting ourselves and our company into trouble. As we saw above, the costs of these attacks can be very high. We have a responsibility to protect ourselves from the evil eyes lurking around us.
If you find any mistakes in your translation or other areas that need to be improved, you are welcome to the Nuggets Translation Program to revise and PR your translation, and you can also get the corresponding reward points. The permanent link to this article at the beginning of this article is the MarkDown link to this article on GitHub.
The Nuggets Translation Project is a community that translates quality Internet technical articles from English sharing articles on nuggets. The content covers Android, iOS, front-end, back-end, blockchain, products, design, artificial intelligence and other fields. If you want to see more high-quality translation, please continue to pay attention to the Translation plan of Digging Gold, the official Weibo, Zhihu column.