“As we have noticed several followers are enthusiastic to gain more knowledge, we have an exciting world of knowledge created for you. You will have an access to numerous books, courses that we have cascaded together. To enter a new world, click here and take a ride!”

Here we go now. Social engineering is a context of cyber security, it manipulates people into breaking security procedures and to gain access to the system , network or physical location or any financial stuff. It is very popular among hackers because its very easy for them to know about someone and manipulate them on the basis of their weaknesses . Hackers usually use social engineering as a first step towards hacking networks or sensitive data.

What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.

Social engineering cycle

Data or Information Gathering 

It is the act of gathering different kinds of information against the targeted victim or system. The probability of achievement for most attacks relies upon this stage so it is just normal to contribute most of time and consideration here. There are many different ways to gain access to information on an organization or individual. Some of these options require technical skills while others require the “soft skills” of human hacking. A portion of the data accumulated is utilized to decide the attack vector, potential passwords, recognize likely reactions from different people, refine objectives, become comfortable and OK with the objective, and figure solid pretexts. Information Gathering includes several techniques. They are as follows:

• Footpriniting: It is the technique to collect as much information as possible about the targeted network/victim/system. This technique also determines the security postures of the target. Passive footprinting/pseudonymous footprinting involves the collection of data without the owner knowing that hackers gather his/her data. In contrast, active footprints are created when personal data gets released consciously and intentionally or by direct contact of the owner.
• Scanning Techniques: This procedure includes scanning the network to retrieve the information. Hackers do vulnerability scanning for vulnerabilities like bugs, patches, etc. This techniques allows attacker to get aware of the architecture of the system, services on a host, etc.
• Enumeration: It is defined as the process of extracting user names, machine names, network resources, shares and services from a system. In this phase, the attacker creates an active connection to the system and performs directed queries to gain more information about the target. The gathered information is used to identify the vulnerabilities or weak points in system security and tries to exploit in the System gaining phase.

Develop Relationship and Rapport 

This stage builds up a working relationship with the objective. This is a basic point as the nature of the relationship worked by the assailant decides the degree of participation and degree to which the objective will go to enable the aggressor to achieve the objective. It tends to be as brief as rushing towards the entryway with a major grin and eye to eye connection so the objective holds the entryway open for the assailant to stroll through. It could be interfacing on an individual level via telephone or as close to home as indicating family pictures and offering stories to the secretary in the entryway. It can likewise be as broad as building an online relationship with the objective through a phony profile on a dating or long range informal communication web page.

Exploitation

During this phase, an attacker gains a stronger foothold and carries out the attack. Depending on their goals, they will begin disrupting or stealing sensitive and valuable data. Exploitation can be by disclosing passwords, opening an infected email, inserting malicious USB drive to initiate the attack, etc.

Execution

The Execution phase points to the end of the life cycle. The Social Engineer will attempt to remove all traces of their presence and bring an end to their charade. Everything the attacker has gained or learned during the process is then used during a new attack cycle to more effectively on another victim. A well planned and smooth exit strategy is the attacker’s goal and final act in the attack.

Social Engineering Attack Techniques

Attack can be in any form and from any side. Getting aware of all the possible ways make you stronger against the attack. Here are the forms of social engineering attack:

Baiting: A “Lucky winner” getting LED TV ,this type of messages we get more often. This offer comprises any computer it is plugged to, so here comes the method of connection . This is a classical definition example of baiting social engineering. Baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or inflicts their systems with malware.

Scareware: It is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Scareware is distributed via spam email that doles out bogus warnings, or makes offers for users to buy worthless/harmful services.

Pretexting: Here an attacker obtains information through a series of cleverly crafted lies. It is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they use to try and steal their victims’ personal information. In these types of attacks, the scammer usually says they need certain bits of data from their target to confirm their identity. In actuality, they steal that data and use it to commit identity theft or stage secondary attacks.

Phishing: It is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal, often financial, information. Attackers may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Spear Phishing: Spear phishing is a social engineering attack in which a perpetrator, disguised as a trusted individual, tricks a target into clicking a link in a spoofed email, text message or instant message. As a result, the target unwittingly reveals sensitive information, installs malicious programs (malware) on their network or executes the first stage of an advanced persistent threat (APT), to name a few of the possible consequences.

Attack Prevention

• Be wary of tempting offers.
• Keep your antivirus/anti malware software updated.
• Don’t open emails and attachments from suspicious sources.
• Use multi factor authentication.
• Never share sensitive information on messages or on voice.
• Do not call any known number from which you received a message seeking for privacy data.
• Do not login to every redirected sites, unless you trust.
• Report suspicious mails or calls causing insecurity.

To gain more knowledge about the social attacks, techniques and their prevention, here are the references:

• Learn Social Engineering
• Protection against attacks.
• More about Footprinting.
• Enumeration.

In this avaricious world, there are always assailants to take control over us. It’s up to us to be aware and show our instincts. For more awareness and knowledge, stay updated with us. Have a happy and safe learning!!

Co-author: @tharunbkittu

Stay Home Stay Safe!!