
Social Engineering

In document Effective Password Cracking (pages 50-53)

5.1 Password Attacks

5.1.4 Social Engineering

Social engineering exploits the weakest part of the password, namely its owner. It is an attack in which the adversary preys on the password holder's naivety, gullibility or digital ineptitude, as well as on people's trust and willingness to help. It is a confidence scheme that can give an attacker the password(s) of one person or of many, without ever trying to crack them.

Social engineering can of course be used for purposes other than obtaining a person's password, and for legitimate reasons as well: not everyone uses it maliciously, and one possible use is finding security holes within an enterprise. There are several ways to carry out a social engineering attack on someone; some are quick and easy, while others take time and research to accomplish. Although they vary in how they are carried out, they are always based on some form of psychological manipulation.

Phishing

Social engineering is typically used as part of a phishing scam. This is probably the most common form of social engineering, since it requires little human intervention, can easily be automated [58] and can be completed almost entirely online. Phishing operations also have the added benefit that they can be outsourced [58]. They are mainly carried out over email [58], but have also been known to happen over instant messaging [59]. Other variants use the phone or text messages, known as vishing and SMishing [58] respectively.

These attacks work by sending a slew of emails to a list of people, usually obtained from a spam operation [58]. The email typically has a spoofed sender address that appears trustworthy, and a message that creates a sense of urgency or interest, preys on greed or fear, or uses other tricks to con the recipient. The goal is to make the victim open a malicious link leading to a page that asks for personal and sensitive information, such as usernames and passwords or banking details. Another aim may be to make the victim open an attachment containing malware or spyware. These scams can have a relatively high rate of success [58]. An example of such an email can be seen in Figure 5.3.

Figure 5.3: Example of a phishing email, claiming to be from PayPal [60]

These attacks do not affect the victim alone; they can also harm the organization whose name has been used as a front. This can cause loss of trust and costs for customer service, handling support or complaints, or paying reimbursements, and it can affect the organization's other customers as well, in the form of raised fees to cover those costs. Unfortunately, another problem with these attacks is that a victim is at high risk of being revictimized.

There are some ways to detect or determine whether an email is a phishing scam or a legitimate message.

• The email is poorly written: misspelled words or bad grammar are a red flag, the latter more so than the former, since spell checkers catch most misspellings. Poor grammar can result from the use of Google Translate.

• It contains suspicious links or attachments.

• It conveys a false sense of urgency, so that the recipient does not think too much about the oddity of the email itself.

• It is sent from a public email domain, such as @hotmail.com, @yahoo.com or @gmail.com. Companies usually have their own domain and will not use these. It is important to check the actual address domain and not just the displayed sender name, as can be seen in Figure 5.3. This check is less reliable if some form of domain spoofing is used [61].

• Check for misspellings in the domain name, e.g. "rn" in place of "m", or a capital "I" in place of a lowercase "l".
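As an added example that is not part of the original thesis, the following Python script applies the indicators in the list above to a raw email: a public mail domain in the From: address, a display name that claims a brand the address domain does not belong to, confusable-character lookalike domains ("rn" for "m", capital "I" for lowercase "l"), link text that shows one domain while the link target is another, urgency phrases, and attachments with executable or macro extensions. The free-mail list, brand list, urgency phrases, risky extensions and the two sample messages are constructed for illustration. Two things are my own additions rather than items from the list: a Reply-To domain that differs from the From domain is also flagged, and the registrable-domain helper simply takes the last two labels (a production filter would consult the Public Suffix List).

```python
# Heuristic phishing-indicator checks on a raw email (added example, not thesis code).
# All reference lists and the sample messages below are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com", "outlook.com"}
TRUSTED_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}  # name -> genuine domain
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended",
                   "verify your account", "urgent")
# (what the attacker types, what it imitates); applied after lowercasing.
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"))
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso")
HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def normalize_lookalikes(host: str) -> str:
    """Fold confusable glyphs: 'paypaI.com' -> 'paypal.com', 'rnicrosoft.com' -> 'microsoft.com'.
    Capital I is mapped before lowercasing so that a genuine lowercase i is left alone."""
    h = host.strip().replace("I", "l").lower()
    for fake, real in LOOKALIKES:
        h = h.replace(fake, real)
    return h


def registrable_domain(host: str) -> str:
    """Last two labels, case preserved. Simplification (assumption): real code would
    use the Public Suffix List so that e.g. 'paypal.co.uk' is handled correctly."""
    return ".".join(host.strip().rstrip(".").split(".")[-2:])


def sender_parts(header_value: str) -> tuple:
    """(display name, address domain) from a From:/Reply-To: header value."""
    name, addr = parseaddr(header_value or "")
    return name, (addr.rsplit("@", 1)[-1] if "@" in addr else "")


def host_of(url: str) -> str:
    m = re.match(r"[a-z][a-z0-9+.-]*://([^/:?#]+)", url.strip(), re.I)
    return m.group(1) if m else ""


def imitated_brand(host: str) -> Optional[str]:
    """Brand domain that `host` imitates, via confusable glyphs or by embedding the brand
    name in an unrelated domain; None for the genuine domain or when nothing matches."""
    if not host or registrable_domain(host).lower() in TRUSTED_BRANDS.values():
        return None
    folded = normalize_lookalikes(host)
    for brand, brand_domain in TRUSTED_BRANDS.items():
        if registrable_domain(folded) == brand_domain or brand in folded:
            return brand_domain
    return None


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable indicators found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_dom = sender_parts(msg.get("From", ""))
    _, reply_dom = sender_parts(msg.get("Reply-To", ""))

    if from_dom.lower() in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses public mail domain {from_dom.lower()}")
    for brand, brand_domain in TRUSTED_BRANDS.items():  # display name vs. real address domain
        if brand in from_name.lower() and registrable_domain(from_dom).lower() != brand_domain:
            findings.append(f"display name claims {brand} but address domain is {from_dom}")
    if (b := imitated_brand(from_dom)):
        findings.append(f"sender domain {from_dom} imitates {b}")
    if reply_dom and reply_dom.lower() != from_dom.lower():
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = ""
    for part in msg.walk():  # collect text parts, flag risky attachment names
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            body += raw.decode(part.get_content_charset() or "utf-8", "replace")
        elif part.get_filename() and part.get_filename().lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment {part.get_filename()} has a risky extension")

    lowered = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append(f"urgency phrases: {', '.join(hits)}")

    for href, text in HREF_RE.findall(body):  # anchor text vs. actual target
        host = host_of(href)
        if (b := imitated_brand(host)):
            findings.append(f"link host {host} imitates {b}")
        shown = host_of(text) or (text.strip() if "." in text and " " not in text.strip() else "")
        if shown and registrable_domain(shown).lower() != registrable_domain(host).lower():
            findings.append(f"link text shows {shown} but points to {host}")
    return findings


# Constructed sample messages (not real mail).
PHISH_SAMPLE = """\
From: "PayPal Service" <service@paypaI-billing.com>
Reply-To: recover.account@gmail.com
To: victim@example.org
Subject: Your account will be suspended
Content-Type: text/html; charset=utf-8

<p>Dear customer, unusual activity was detected. Verify your account
within 24 hours or it will be suspended.</p>
<a href="http://rnicrosoft-login.example/verify">https://www.paypal.com/signin</a>
"""

LEGIT_SAMPLE = """\
From: PayPal <service@paypal.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Your statement for March is available in your account.</p>
<a href="https://www.paypal.com/statements">https://www.paypal.com/statements</a>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, phishing_indicators(sample))
```

Run stand-alone, the phishing sample yields six indicators (brand in display name, lookalike sender domain, Reply-To mismatch, urgency phrases, lookalike link host, and link text pointing elsewhere) while the legitimate statement yields none. These are heuristics: a sender who controls a convincing domain, as the domain-spoofing caveat above notes, passes the domain checks, so such a scorer belongs beside a mail filter and user training, not in place of them.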

Spear Phishing

Spear phishing is a sub-category of phishing that works much like the attack described above. The two differ in that general phishing is based on sending to the masses, whereas spear phishing attacks a specific target. This may be a single person, a company or an organization such as a school. A spear phishing attack is thus more reliant on research on the target. Useful reconnaissance includes finding out whether there is an event to take advantage of, whether there is someone who can be referenced in the email, or perhaps an internal procedure that can be mentioned. A variant of this method is known as whaling, where a more senior employee is targeted.

Baiting

Baiting is a lot like phishing; the difference is that baiting mostly uses physical media. The method relies on a person's curiosity or greed. It is performed by enticing the victim with some form of "reward", such as a music or movie download, a flash drive or a DVD. The reward is laced with a Trojan or other malware that gathers sensitive information (login credentials, banking information or other valuable data) from the host system and relays it to the attacker.

An attack like this was carried out by Steve Stasiukonis [62], VP and founder of Secure Network Technologies Inc., back in 2006. Twenty USB drives were loaded with Trojans that would gather login information and email it back to the testers. The drives were then scattered around the premises of the corporation that had hired them, and employees who picked them up plugged them in. The attack was very successful: 15 of the 20 devices were found and plugged in. The benefits of this attack are that it is extremely simple to pull off and carries a very low risk of getting caught.

Quid Pro Quo

Quid Pro Quo means "something for something" or "this for that". The Quid Pro Quo attack resembles the baiting attack above, but where baiting offers some form of goods (USB drives, CDs, etc.), Quid Pro Quo usually offers a service as the bait to trick users into giving up sensitive, critical information or login credentials.

These attacks are often perpetrated by someone pretending to be an IT professional who is calling to help with a piece of spyware or a virus. Other, strangely successful, versions have involved people giving up their passwords for a cheap pen [63] or sweets [64].

Shoulder Surfing

This "attack" is easily explained by its dictionary definition, given by the Oxford English Dictionary:

The practice of watching a person who is getting money from a machine, filling out a form, etc., in order to find out their personal information [65].

Mitigations Against Social-Engineering Attacks

When people are the weakness, the best choice is to strengthen people, in this case their knowledge and awareness. The best way to fight social engineering attacks is to teach people what they are and how to recognize them. There are organizations and websites that do this, such as FraudWatch International, which provides alerts on the newest phishing scams [66]. One effective way to learn is to fall victim; in the real world this would be rather bad, but it can be done in a relatively safe environment. Companies can run a controlled, simulated phishing campaign against their own employees, or hire another company to do it. Again, the seemingly almighty principle of multi-factor authentication returns as a viable option here as well, since a phished password alone then no longer grants access (although one-time codes can still be relayed by an attacker in real time, so phishing-resistant second factors are preferable).

This is not to say that training is the only option, or that all responsibility for avoiding attacks falls on the potential victim. Filters on email systems can be effective [67] [68]. But what if the phishing does not happen over email, but on a website? Thankfully, web browsers usually come with the ability to warn of suspicious pages [61].
