Social Engineering-Based Attacks
What is social engineering?
Social engineering is the practice of manipulating people into releasing sensitive information. Social engineering attacks can happen in person, just like a burglar who dresses up as a delivery man to find a way into a building. Here we focus on social engineering cyber attacks. In most cases, these attacks aim to make the victim give up either login credentials or sensitive financial information. Some common forms:
- An attacker sending an email to a victim which appears to come from someone in the victim’s contact list. This email can contain a suspicious link that will execute a malicious Cross-Site Scripting Attack, or direct the victim to a malicious site.
- An attacker traps users online with links that claim to be downloads of popular movies or software, but these downloads actually contain malicious code.
- An attacker contacts a victim claiming to be a wealthy foreigner who needs foreign bank account details to transfer their fortune, offering to reward the victim handsomely in exchange for their bank account information. In reality, the attacker is out to drain the victim’s accounts.
Social Engineering Example
In addition to these types of small and personal social engineering scams, there are also more sophisticated social engineering attacks that are leveraged against entire organizations, for example, thumb-drive drops. These attacks can target the networks of well-protected companies, even those that are not connected to the Internet. Attackers do this by scattering several USB drives around the parking lot of the target company. They put an enticing label such as ‘confidential’ on these drives in hopes that some curious employees will find one and stick it into their computer. These drives can contain very destructive viruses or worms that will be hard to detect since they are entering the network from a local computer.
Some famous examples of Social Engineering Attacks
The 2011 data breach of RSA created a big stir, primarily because RSA is a trusted security company. This breach disrupted RSA’s popular two-factor authentication service, SecurID. While all the details of the attack have not been publicly disclosed, it is known that it began with a social engineering attack. The attack was initiated with a basic phishing attack, where the attackers sent low-level RSA employees emails that appeared to be company emails regarding recruiting. One of these employees opened an attachment in this email which triggered the attack.
The Associated Press fell victim to a social engineering attack in 2013 that led to a $136 billion stock market plummet. Once again this was carried out by a phishing attack sent out to employees. By simply opening a link in the email, one of the employees triggered the attack which resulted in the AP’s Twitter account being compromised, and the attackers tweeted out a fake news story about an explosion in the White House. This fake news story circulated quickly and led to a 150 point nosedive of the Dow. A Syrian hacker group known as the Syrian Electronic Army claimed responsibility for the attack, but never provided any proof.
The data breach attack leveraged against Target in 2013 has become one of the most infamous cyber-attacks in history thanks to its level of sophistication. Like the others mentioned here, this attack began with social engineering, but the attackers didn’t go after anyone working for Target. Instead, they sent emails to employees of a heating-and-air-conditioning vendor that had high-tech air conditioners installed in Target stores. These air conditioners were linked to Target’s in-store computer systems, and once the attackers were able to compromise the third-party vendor, they were then able to hack into Target’s networks and collect credit card information from credit card scanners in thousands of stores, exposing the financial data of around 40 million Target customers.
How to protect against social engineering attacks
While automated security features like email screening can help prevent attackers from reaching victims, the best defense against social engineering attacks is public awareness and common sense, combined with up-to-date knowledge of popular social engineering attacks. The United States Computer Emergency Readiness Team (US-CERT) advises citizens to be wary of any suspicious communications and to submit sensitive information over the web only on secure web pages (HTTPS and TLS are good indications of website security). They also recommend avoiding clicking on links sent in emails, and instead typing the URLs of trusted companies directly into the browser. Website owners can do their part by using services that alert them when attackers are using their domain in phishing attacks.
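As an added illustration of the automated email screening mentioned above (example code written for this page, not from the original article or any product), the following Python script applies two of the heuristics the text motivates: a sender whose display name matches a known contact but whose address does not, and a link whose visible text names a different host than its actual target (plus a flag for plain-HTTP links, since the text recommends HTTPS). The contact list and the sample message are constructed for the example; real screening would also check authentication results such as SPF/DKIM, which are outside this page's scope.

```python
"""Heuristic e-mail screener: flags spoofed contact display names and
deceptive links. Example code added to this page; the address book and
the sample message below are constructed, not real data."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed address book: display name -> address the recipient really knows.
KNOWN_CONTACTS = {
    "Alice Example": "alice@example.com",
}

# Constructed sample: display name of a known contact on a look-alike domain,
# and a link whose visible text claims one site while pointing at another.
SAMPLE_MESSAGE = """\
From: Alice Example <alice@example-mail.co>
To: bob@example.com
Subject: Updated invoice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Bob, please review the invoice here:</p>
<a href="http://billing-portal.test/login">https://example.com/invoices</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def host_in_text(text):
    """Hostname that a link's visible text appears to name ('' for plain words)."""
    if " " in text or "." not in text:
        return ""
    return host_of(text if "://" in text else "http://" + text)


def screen_email(raw_message, contacts=KNOWN_CONTACTS):
    """Return a list of warning strings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Display name of a known contact paired with an address we do not know.
    name, addr = parseaddr(msg.get("From", ""))
    known = contacts.get(name)
    if known and known.lower() != addr.lower():
        findings.append(f"display name '{name}' spoofs known contact: {addr} is not {known}")

    # 2. Links in the first HTML part: text/href host mismatch and plain HTTP.
    body = b""
    for part in msg.walk():  # walk() yields the message itself if not multipart
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            break
    collector = LinkCollector()
    collector.feed(body.decode(msg.get_content_charset() or "utf-8", "replace"))
    for href, text in collector.links:
        shown, target = host_in_text(text), host_of(href)
        if shown and shown != target:
            findings.append(f"link text '{text}' hides a different host: {target}")
        if urlparse(href).scheme == "http":
            findings.append(f"insecure (non-HTTPS) link: {href}")
    return findings


if __name__ == "__main__":
    for warning in screen_email(SAMPLE_MESSAGE):
        print("WARNING:", warning)
```

Running the script against the constructed sample prints three warnings: the spoofed display name, the text/href host mismatch, and the plain-HTTP link. A message from the real contact with no links produces none, so the checks only fire on the indicators the text describes.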