What is Social Engineering?
Everyone makes mistakes. One of the key insights from IBM's Cyber Security Intelligence Index is that 95 percent of all security incidents involve human error. Many of them involve successful attacks by outside scammers who exploit human weaknesses to trick insiders within companies into unwittingly granting access to sensitive information.
Nowadays, legitimate websites are hacked more and more often, precisely because they are the kind of website users generally trust. Compromised websites are also used for attacks that target the specific interests of particular users or groups.
Even if you use anonymizing mechanisms, secure (encrypted) communication channels and a host of other measures to protect your online privacy, what happens if you are the victim of a social engineering attack and someone simply obtains your credentials and bypasses every security barrier to access your online world? So what is social engineering?
Do you remember the ancient Greek horse given as a "gift" to the city of Troy? Social engineering attacks are by no means new; today this highly effective tool captures its victims through phishing, baiting and impersonation.
Everyone, including professionals, can be the victim of a social engineering attack. Daniel Cohen, director of knowledge transfer and business development for the FraudAction group at RSA, says it is almost impossible to recognize that you have been the victim of a social engineering attack, and calls malicious social engineering one of the biggest security issues: "As long as there is a conscious interface between man and machine, there will always be social engineering."
Video: After Him! Taking advantage of cultural norms to infiltrate a secure facility. Social Engineering PenTest by Jek Hyde (@HydeNS33k)
It is easy money. In the underground online market, you can buy a spam service that reaches over 500,000 email addresses for only $75. "Of those 500,000 recipients, some people will inevitably ship bitcoins or whatever you request," Cohen said, "so we expect hundreds of millions of phishing losses worldwide."
In the past, phishing particularly affected the financial sector, as financial data is easy and lucrative to monetize and sell; now attackers are also expanding their activities to mobile and gaming platforms as well as airline frequent flyer programs. Ultimately, any business can and will be targeted by such attacks.
One of the reasons for the proliferation of phishing attacks is that scammers from all over the world can connect and collaborate anonymously thanks to the "darknet". Often they use social engineering skills to fill in the missing parts of a stolen identity so that they can use or sell it.
Phishing scams are probably the most common type of social engineering attack used today. Most phishing scams share the following characteristics:
- They seek personal information such as names, addresses and social security numbers.
- They use link shorteners or embedded links that redirect users to suspicious websites behind URLs that appear legitimate.
- They use threats, fear and a sense of urgency to manipulate the user into acting immediately.
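The three characteristics listed above can be turned into a simple defensive triage check. The following is an added example written for this page, not code from the article or from any vendor it quotes: it scans an email body for requests for personal data, for links whose visible text names a different host than the real target (or a URL shortener), and for urgency language. The wordlists, thresholds and the sample message are constructed for illustration and are assumptions, not an authoritative detection ruleset.

```python
"""Heuristic phishing triage for an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed wordlists: illustrative assumptions, not a complete or official list.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
PII_TERMS = ["social security number", "date of birth", "password",
             "account number", "home address"]
URGENCY_TERMS = ["immediately", "within 24 hours", "suspended", "urgent",
                 "final notice", "legal action"]

# Regex for a domain-like token inside visible link text, e.g. "www.bank.example".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL without a leading 'www.'; '' if absent."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def shown_host(visible_text):
    """Domain the link *appears* to point to, judging from its visible text."""
    match = DOMAIN_IN_TEXT.search(visible_text.lower())
    if not match:
        return ""
    host = match.group(1)
    return host[4:] if host.startswith("www.") else host


def analyze(html_body):
    """Return a list of human-readable findings, one per matched heuristic."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    for term in PII_TERMS:
        if term in text:
            findings.append(f"asks for personal data: '{term}'")
    for term in URGENCY_TERMS:
        if term in text:
            findings.append(f"urgency/threat language: '{term}'")
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, visible in parser.links:
        real = host_of(href)
        if real in URL_SHORTENERS:
            findings.append(f"link shortener: {real}")
        shown = shown_host(visible)
        # Visible text names a domain, but the href goes to an unrelated host.
        if shown and shown != real and not real.endswith("." + shown):
            findings.append(f"link text '{visible}' actually points to {real}")
    return findings


def triage(html_body, threshold=2):
    """Summarize findings; 'threshold' is an assumed tuning value."""
    findings = analyze(html_body)
    return {"findings": findings, "score": len(findings),
            "suspicious": len(findings) >= threshold}


# Constructed sample messages (not real emails).
SAMPLE_PHISH = """<p>Your account has been suspended. Verify your password and
social security number within 24 hours or legal action will follow.</p>
<a href="http://mybank.example.attacker.test/login">https://www.mybank.example/login</a>
<a href="http://bit.ly/abc123">Restore access</a>"""

SAMPLE_BENIGN = """<p>Hi, the meeting notes are at
<a href="https://wiki.example/notes">wiki.example</a>.</p>"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        result = triage(body)
        print(name, result["score"], result["suspicious"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run as a script it prints the findings for both constructed messages; the mismatch check (link text naming one domain while the href goes to another) is the part that catches the "URLs that appear legitimate" trick from the list above, and the subdomain allowance keeps a link whose text says `bank.example` but points to `login.bank.example` from being flagged.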
Some phishing emails are cruder than others; their messages often contain spelling and grammatical errors. But these emails also rely on directing victims to a fake website or form where their credentials and other personal information can be stolen.
They are often combined with malware and thus form a perfect package: the user's computer not only reveals the access data, it is also compromised.
Pretexting is another form of social engineering in which attackers focus on creating a good pretext, or ready-made scenario, that they can use to steal their victims' personal data. In this type of attack the fraudster usually pretends that he needs certain information from his target in order to confirm the target's identity.
Pretexting attacks are commonly used to obtain both sensitive and non-sensitive information. In October, a group of scammers pretended to be modeling agencies and escort services, inventing fake background stories and interview questions to get women, including teenage girls, to send nude pictures of themselves, which they later passed on to porn companies for large sums of money.
Baiting is similar in many ways to phishing. What sets it apart from other types of social engineering, however, is the promise of an item or good that hackers use to lure victims. Baiters may offer users free music or movie downloads if they hand over their credentials to a particular website.
Baiting attacks are not limited to the online world. Attackers can also exploit human curiosity through the use of physical media.
QUID PRO QUO
One of the most common types of quid pro quo attack involves fraudsters who pretend to be IT service agents and call as many extension numbers as they can find that belong to a company. These attackers then offer IT support to each of their victims – in pursuit of their own fraudulent goals.
However, it is important to note that attackers often offer far less sophisticated compensation than troubleshooting IT issues.
Another type of social engineering attack is known as tailgating or "piggybacking". In this type of attack, someone who lacks proper authorization follows an employee into a protected area.
Colin Greenless, a security consultant at Siemens Enterprise Communications, used this tactic to gain access to multiple floors and to the data room of an FTSE-listed financial firm. He even managed to settle into a third-floor meeting room, from which he worked for several days.
The fact is that you can fight off a single social engineering attack, but social engineering itself does not disappear. Michele Fincher, Chief Influencing Agent at Social-Engineer, puts it in a nutshell:
"Many of the choices we make are based on basic human nature and behavior; we respond to how people react. Good social engineering scammers really understand how to work with them, and that's something you cannot protect yourself against with technology."
Hackers who engage in social engineering prey on human psychology and curiosity to compromise their targets' information. With this human-centered approach in mind, the most important task for users is to be prepared for these fraudulent acts.
In the following article we give you some tips to ward off social engineering attacks.