Published by Enhelion, 2019-11-21 09:09:55

Module_2

MODULE 2



Planning and Executing a Social Engineering Attack



What is Social Engineering?

Social engineering is the act of manipulating people into surrendering confidential information.
The types of information these attackers seek vary, but when individuals are targeted they
usually try to trick you into giving them your passwords or bank information, or into letting
them access your computer to secretly install malicious software. This gives them access to your
passwords and bank information and also gives them control over your computer.

Social engineering tactics are used because it is usually easier to exploit your natural inclination
to trust than it is to discover ways to hack your software. For example, it is much easier to trick
someone into giving you their password than it is to attempt to crack that password.



Impacts of Social Engineering:

- Financial loss
- Data leak
- Damage to reputation or image (company and/or person)
- Management time
- Loss of public trust
- Legal fines
- Loss of new or existing customers
- Loss of company morale
- Increased audit costs

Your enemy is a social engineer, an attacker who focuses on attacking people instead of
computers and uses psychological tricks and manipulation to succeed.



Profile of a social engineer

They take advantage of well-known characteristics of human decision-making, for instance:

- Respect for authorities (by pretending to be one)
- Curiosity (by offering something intriguing)
- A feeling of urgency, often coupled with greed or fear
- Our willingness to help others

Ways to perform a Social Engineering Attack

There are many methods to perform a social engineering attack. Some of them are described
below:

1. Phishing: Attackers use email, social media, instant messaging and SMS to trick
victims into providing sensitive information or visiting a malicious URL, in an attempt to
compromise their systems.

2. Phone: An attacker can call the victim and manipulate him or her into giving up confidential
information such as passwords or credit card details.

3. Watering hole: A "watering hole" attack consists of injecting malicious code into the
public web pages of a site that the targets are known to visit. This method of injection is
commonly used by cyber criminals and hackers. The attackers compromise websites
within a specific sector that are usually visited by the specific individuals of interest for the
attack.

Once a victim visits the page on the compromised website, a backdoor trojan is installed
on his or her computer. The watering hole method is very common in cyber
espionage operations and state-sponsored attacks.

4. Pretexting: This is the practice of presenting oneself as someone else to obtain private
information. Usually, attackers create a fake identity and use it to manipulate the
recipient into handing over information.

5. Dumpster Diving: Attackers can also search through discarded trash (paper, media and hardware) to obtain information.



Prevention Methods:

1. Phishing:
   - Check the sender's email address by hovering your cursor above the sender
   - Check any embedded links by hovering your cursor above the link
   - Do not open suspicious attachments and links and do not perform requested actions
   - Do not respond to suspicious emails
   - If in doubt, report the suspicious email to your Helpdesk

2. Vishing:
   - Be suspicious of unsolicited calls seeking internal corporate or personal information
   - Do not provide sensitive information over the phone
   - Verify who is calling: name, organisational unit or name of the external company
   - Do not completely trust Caller ID, for either calls or text messages
   - If unsure, ask the caller to send their request through email and offer to call back. This gives
     you time to look for the red flags in the email. Look up the contact information yourself and
     call the employee or the external company directly
   - If in doubt, report it as a security incident to your Helpdesk

3. USB stick:
   - If you find a USB stick, treat it with the utmost suspicion
   - Do not connect it to your computer and do not run its contents
   - Report such a case as a security incident to your local Service Desk



4. Dumpster Diving:
   - Shred all papers by default when disposing of them, and treat anything that does not have to
     be shredded as an explicit exception
   - Shred CDs, DVDs and plastic cards (e.g., IDs, ATM cards, access cards) before disposing of them
   - Securely destroy electronic data on hard drives, memory sticks or USB flash drives when
     discarding them
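The two "hover" checks in the phishing list above (does the real sender address match the claimed identity, and does the real link target match the visible link text?) can be automated for an email that a user has reported to the Helpdesk. The following is an added example, not part of the Enhelion module; it uses only the Python standard library, and the sample message, the look-alike domain and the trusted domain `examplebank.com` are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    # hostname of a URL or bare domain, lower-cased ('' if there is none)
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def phishing_red_flags(raw_message, trusted_domain):
    """Red flags the two hover checks reveal: a sender address outside
    trusted_domain, and links whose visible text names a different host."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain != trusted_domain.lower():
        flags.append(f"sender '{name}' really writes from {sender_domain}")
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        # compare only when the visible text itself looks like a URL or domain
        shown = _host(text) if "." in text and " " not in text else ""
        if shown and shown != _host(href):
            flags.append(f"link text '{text}' really points to {_host(href)}")
    return flags

# Constructed sample (hypothetical domains): the display name claims the bank, but the address and link target use a look-alike domain.
SAMPLE = """From: Example Bank Support <support@examp1e-bank.net>
Subject: Verify your account
Content-Type: text/html; charset="utf-8"

<html><body>Please visit <a href="http://login.examp1e-bank.net/verify">https://www.examplebank.com/verify</a> within 24 hours.</body></html>
"""
```

Running `phishing_red_flags(SAMPLE, "examplebank.com")` returns one flag for the sender domain and one for the mismatched link, which are exactly the two things a user would see by hovering.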



