
Top 10 Techniques Used By Social Engineers
Understanding the different attack vectors for this type of crime is key when it comes to prevention. This is how the bad guys do it:
Pretexting
An invented scenario is used to engage a potential victim and increase the chance that the victim will bite. It's a false motive, usually built on some real knowledge of the victim (e.g. date of birth, Social Security number, etc.), used in an attempt to get even more information.
Phishing
The process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters. Emails claiming to be from popular social web sites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering. Also see Spear Phishing.
Water-Holing
This technique takes advantage of websites people regularly visit and trust. The attacker will gather information about a targeted group of individuals to find out what those websites are, then test those websites for vulnerabilities. Over time, one or more members of the targeted group will get infected and the attacker can gain access to the secure system.
Quid Pro Quo
Latin for 'something for something', in this case it's a benefit to the victim in exchange for information. A good example is hackers pretending to be IT support. They will call everyone they can find at a company to say they have a quick fix and "you just need to disable your AV". Anyone that falls for it gets malware like ransomware installed on their machine.
Honeytrap
A trick that makes men interact with a fictitious attractive female online. From old spy tactics where a real female was used.
Diversion Theft
A 'con' exercised by professional thieves, usually targeted at a transport or courier company. The objective is to trick the company into making the delivery somewhere other than the intended location.
Spear Phishing
A small, focused, targeted attack via email on a particular person or organization with the goal of penetrating their defenses. The spear phishing attack is carried out after research on the target and has a specific personalized component designed to make the target do something against their own interest.
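Both the Phishing and Spear Phishing entries above describe the same core trick: mail that masquerades as a trustworthy sender. The following is an added example written for this page (not code from the original article or from any vendor it mentions) showing how a mail gateway or triage script can flag the most common masquerading signs: a display name that claims a known brand while the address comes from somewhere else, a sending domain one or two characters away from a real one, a Reply-To that silently redirects answers, and urgency wording in the subject. The trusted-domain list, the indicator names, the scoring thresholds and the two sample messages are all constructed for illustration.

```python
"""Heuristic sender-masquerading checks for phishing triage.

Added example, not part of the original article. The TRUSTED table, the
sample messages and the thresholds below are constructed for illustration.
"""
import email
from email.utils import parseaddr
from typing import List

# Constructed: brands the organisation expects mail from, and their real domains.
TRUSTED = {
    "paypal": "paypal.com",
    "microsoft": "microsoft.com",
    "example bank": "examplebank.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero value suggests a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def phishing_indicators(raw: str) -> List[str]:
    """Return the names of the masquerading indicators found in one message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply)
    found = []

    # 1. Display name claims a brand, but the address is not that brand's domain
    #    (or a subdomain of it).
    for brand, real in TRUSTED.items():
        if brand in name.lower() and from_dom != real \
                and not from_dom.endswith("." + real):
            found.append("display-name brand mismatch")
            break

    # 2. Sending domain is a near-miss of a trusted domain (e.g. one character off).
    for real in TRUSTED.values():
        if from_dom != real and 0 < edit_distance(from_dom, real) <= 2:
            found.append("lookalike domain")
            break

    # 3. Replies would go to a different domain than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        found.append("reply-to mismatch")

    # 4. Urgency wording typical of pretext-driven lures.
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in ("urgent", "suspended", "verify your account")):
        found.append("urgency in subject")
    return found


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: PayPal Service <security@paypa1.com>
Reply-To: recover@mail-secure-login.net
Subject: URGENT: your account has been suspended

Click the link to verify.
"""

SAMPLE_LEGIT = """From: Alice <alice@examplebank.com>
Subject: Lunch on Thursday?

Are you free?
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

Each indicator on its own is weak (a subdomain or a marketing vendor can trip the lookalike or Reply-To check), so a real deployment would weight and combine them rather than block on any single hit; the value of the check is that it does not depend on the lure's text, which a spear phisher tailors per target.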
Baiting
Baiting means dangling something in front of a victim so that they take action. It can be through a peer-to-peer or social networking site in the form of a (porn) movie download or it can be a USB drive labeled “Q1 Layoff Plan” left out in a public place for the victim to find. Once the device is used or malicious file is downloaded, the victim’s computer is infected allowing the criminal to take over the network.
Tailgating
A method used by social engineers to gain access to a building or other protected area. A tailgater waits for an authorized user to open and pass through a secure entry and then follows right behind.
Rogue
Also known as rogue scanner, rogue anti-spyware, rogue anti-malware or scareware, rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware. Rogue security software has in recent years become a growing and serious security threat in desktop computing. It is very popular, and there are literally dozens of these programs.
Scary New Threats in 2018
- Exponential growth of the ransomware plague. This attack isn't going anywhere. We'll see a rise in attacks that exfiltrate data, giving the bad guys a secondary way to get ransom payments with threats of data exposure. Ransomware-as-a-service strains will also grow, allowing newbies to easily get in on the game. Kits sell for anywhere from $10 to a few thousand dollars. Custom-made ransomware attacks focusing on high-value targets (i.e. healthcare organizations) have been on the rise, and that trend will continue. Expect POS systems to be shut down by ransomware in the near future as well.
- Pseudo-ransomware will continue to be used to distract organizations. They seem like ransomware on the surface, but really in the background hackers are just trying to infiltrate the organization. Multi-vector attacks including smishing, phishing and vishing will increase.
- Phishing automation - bots and intelligent scraping of social media and the dark web will make automated spear phishing a very hard-to-identify problem. The amount of data stolen in breaches over the last couple of years makes it very easy to automate mass spear phishing attacks.
- Extortion scams with a long tail for businesses and individuals. Rather than demanding immediate payment to get files back, a different tactic being used is demanding sensitive content (such as ransomware that demands nudes, or in the corporate world demanding customer info to get data back). Expect micro-ransomware: extortion one document at a time.
- Search result tampering that drives users to compromised websites is nothing new, but we will see an increase in this technique this year.
- Mobile malware - new families are on the way that will target smartphones and mobile-first users.
- Blame-ware and false-flag operations will increase - The European Union recently declared cyberattacks to be acts of war and will respond accordingly to countries carrying out such attacks. Expect to see cyber propaganda operations that are engineered to spark controversy between countries, undermine democracies and destabilize trust globally. Watch out for related clickbait!