Understanding Key Social Engineering Techniques

According to statistics released by the Office of the Australian Information Commissioner (OAIC), 497 data breaches were notified to the OAIC between July and December 2022, compared with 393 between January and June 2022, a 26% increase. 45% of all data breaches resulted from cyber security incidents, and 23% of those cyber incidents were directly caused by phishing, a form of social engineering (see the figure below).


Source: Notifiable Data Breaches Report July – December 2022, the OAIC
However, other forms of social engineering may also have contributed indirectly to the overall number of cyber incidents, even though the figure above does not show this directly. In other words, social engineering is an important topic from a cybersecurity perspective. So, in this post, let's take a closer look at what social engineering means in the context of information security and at some key techniques used by threat actors. Understanding these techniques can help you reduce the risk of becoming a victim of a social engineering attack.


What is Social Engineering?


In the context of information security, social engineering is the psychological manipulation of people into revealing specific information or performing specific actions that they have no legitimate reason to reveal or perform. Threat actors use it to trick people into sharing valuable information such as credit card details, account usernames and passwords. There are many ways to carry out social engineering, each known as a social engineering technique; well over 20 distinct techniques have been described. Let's dig deeper into 10 of the most common ones.

Top 10 Social Engineering Techniques

  • Phishing. A technique that primarily uses email. The attacker sends a targeted group of recipients messages that look legitimate and typically contain a link. Assuming the link is genuine, the recipient clicks it and is redirected to a fake web page that imitates an official website, for instance a fake bank login page that asks for sensitive information. Alternatively, the link or an attachment may download malicious code onto the recipient's system to harvest information. The fake page usually sits on a domain that merely resembles the real one, so checking the actual domain in the address bar before entering credentials is the single most useful habit.
  • Smishing. The SMS variant of phishing: threat actors send text messages that trick unsuspecting victims into clicking a link. Once on the site, the victim is prompted to enter credentials or to download malicious software or content. A smishing campaign requires little effort from the threat actor: a spoofed or cheaply purchased sender number and a hosted malicious link are enough.
  • Vishing. Voice phishing, related to phishing but delivered by telephone. A victim may receive a pre-recorded message stating that there has been suspicious activity on their credit card, financial account or other bank account. The victim is told to call a telephone number, where they must key in identifying information, commonly an account number together with a PIN or password. The victim believes this information is going to a trusted party such as their bank, but it is recorded by an attacker who intends to use it for fraud. When the calls are placed over VoIP they are hard for authorities to trace, because the traffic is packet-switched and may traverse many networks around the world rather than the fixed circuit-switched path of a traditional telephone line, and the caller ID can be spoofed to look like a local number. A recent local example: many of us have received calls on mobiles or landlines from what appears to be a local number, and once answered, a pre-recorded message claims to be from the ATO or Australia Post. Sounds familiar?
  • Baiting. A technique in which threat actors make false promises to lure users into revealing personal information or installing malware. Online, baiting takes the form of tempting ads or promotions such as free game or movie downloads, music streaming or phone upgrades. The threat actor hopes that the password the target uses to claim the offer is one they have reused on other sites, which would allow the attacker to access the victim's accounts or sell the credentials to other criminals on the dark web. Baiting can also be physical, most commonly via a malware-infected USB flash drive. The threat actor leaves the drive where the victim is likely to find it, counting on curiosity to make the victim plug it into a computer to see who it belongs to. The malware then runs, either through autorun where that is still enabled or, more often today, through a disguised file the victim opens or a drive that presents itself as a keyboard and injects keystrokes.
  • Whaling. Related to phishing but with a different target profile. Instead of a large group of people, it targets a single individual, typically a high-level executive in an organisation. This type of attack requires significant research on that individual, usually by reviewing their social media activity and other public behaviour. The in-depth research produces a more convincing, personalised approach and a higher likelihood of success.
  • Impersonation. As the name suggests, the act of pretending to be someone or something else: here, a legitimate user or an authorised person. It may happen face to face or over a communication channel such as email or telephone. Personal impersonation is a form of identity theft carried out once the threat actor has gathered enough personal information about an authorised person; the threat actor then poses as that person by quoting their collected or stolen personal details. Posing as a technical support agent and asking for credentials is one of the most common forms.
  • Pretexting. Composing a plausible scenario, or pretext, that is likely to convince victims to share valuable and sensitive data. Pretexters may impersonate someone in a position of authority, such as a member of law enforcement or a tax official, or a person of interest to the victim. After setting the scene, the threat actor asks the victim questions to extract personal and sensitive information, which can then be used to advance other attack scenarios or to access the victim's accounts.
  • Tailgating. A technique normally used in a physical breach, whereby a threat actor gains access to a facility by asking the person entering ahead of them to hold the door or grant them access, or by impersonating a delivery driver or another plausible role to improve their chances. Once inside, the threat actor can conduct reconnaissance, steal unattended devices or access confidential files. Tailgating can also include persuading an employee to lend their laptop or other device so that the intruder can install malware on it.
  • Pharming. An attack in which a user who types the correct address of a legitimate website is redirected to a malicious copy controlled by the attacker. Unlike phishing, it does not rely on the victim clicking a bad link: the redirection is achieved by poisoning the DNS resolution the victim relies on or by altering the hosts file on their machine, so it happens without the user's acceptance or knowledge. Strictly speaking it is a technical attack rather than a persuasion technique, but it is usually paired with a convincing fake site.
  • Typosquatting. Also known as URL hijacking, and closely related to domain spoofing, this is where threat actors register a misspelled version of a well-known organisation's domain as their own, for example gogle.com instead of the correct google.com. It relies on typos made by Internet users when entering a website address in a browser, or on the misspelling going unnoticed in a link. We can normally spot the difference for a very well-known site if we pay attention; for less well-known sites with long domain names, however, a slight change in the domain name is hard for average users to spot, and they may be lured to the malicious site before realising. Variants include swapping visually similar characters (g00gle.com) and placing the real brand name in a subdomain of an attacker-controlled domain (for instance ato.gov.au.verify-id.example, an illustrative hostname).
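As an added example (not part of the original post), the following Python script shows one way a mail or proxy filter could catch the lookalike domains described under Phishing and Typosquatting above: it extracts the registrable domain from a URL, folds common look-alike characters, compares the brand label against a short list of protected domains by edit distance, and also flags a brand domain buried in the subdomain of an unrelated host. The brand list, the suffix list and the homoglyph table are constructed for illustration and are not from the post.

```python
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed for this example: brand domains we want to protect.
TRUSTED_DOMAINS = {"google.com", "australiapost.com.au", "ato.gov.au"}

# Simplified multi-label public suffixes. A production tool should use the
# full Public Suffix List instead of this hand-picked subset.
MULTI_LABEL_SUFFIXES = ("com.au", "net.au", "gov.au", "edu.au", "co.uk", "org.uk")

# Character swaps commonly used in lookalike domains (assumed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """Return the registered domain (eTLD+1): mail.ato.gov.au -> ato.gov.au."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        if host.endswith("." + suffix):
            keep = suffix.count(".") + 2          # suffix labels plus one more
            return ".".join(labels[-keep:])
    return ".".join(labels[-2:])


def fold_homoglyphs(label: str) -> str:
    """Map look-alike characters to the letters they imitate: g00gle -> google."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(url: str, trusted=TRUSTED_DOMAINS) -> Tuple[str, Optional[str]]:
    """Classify a URL as ('trusted', brand), ('lookalike', brand) or ('unknown', None).

    Only the brand label is compared, after homoglyph folding on both sides; the
    allowed edit distance grows with label length so short brands don't match everything.
    """
    if "://" not in url:                       # urlparse needs a scheme to find the host
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted", domain

    name = fold_homoglyphs(domain.split(".")[0])
    best = None
    for brand in trusted:
        brand_name = brand.split(".")[0]
        threshold = 1 if len(brand_name) < 8 else 2
        d = edit_distance(name, fold_homoglyphs(brand_name))
        if d <= threshold and (best is None or d < best[0]):
            best = (d, brand)
    if best is not None:
        return "lookalike", best[1]

    # Brand domain used as a subdomain of an attacker-controlled domain,
    # e.g. ato.gov.au.verify-id.example, which registrable_domain() does not match.
    for brand in trusted:
        if brand in host and not host.endswith(brand):
            return "lookalike", brand
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email.
    for link in ("https://www.google.com/login", "gogle.com", "http://g00gle.com",
                 "austrailapost.com.au", "https://ato.gov.au.verify-id.example/refund",
                 "abc.com"):
        print(f"{link:45} -> {classify(link)}")
```

The thresholds and tables are heuristics: legitimate regional domains such as google.com.au need an explicit allow-list to avoid false positives, and internationalised domain names (labels beginning with xn--) should be flagged separately, because Unicode homoglyphs such as a Cyrillic "а" are not covered by the ASCII table above.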

