{"id":1460,"date":"2019-12-16T15:55:48","date_gmt":"2019-12-16T14:55:48","guid":{"rendered":"http:\/\/65.108.60.219\/?p=1460"},"modified":"2019-12-16T15:55:48","modified_gmt":"2019-12-16T14:55:48","slug":"social-engineering-techniques","status":"publish","type":"post","link":"https:\/\/cyberforces.com\/en\/social-engineering-techniques","title":{"rendered":"Social engineering techniques used by hackers"},"content":{"rendered":"

\u201c<\/span>If the door is locked, try the window\u201d <\/span>\u2014<\/span> that\u2019s the motto, used by more and more cybercriminals, unfortunately, successful. Just replace <\/span>\u201c<\/span>the door\u201d with \u201cthe system security\u201d and \u201cthe window\u201d <\/span>\u2014<\/span> with employees. Today we will talk about techniques that hackers use to perform social engineering attacks.<\/span><\/p>\n

What are the social engineering techniques, and why you should care about it at all?<\/span><\/h2>\n

Perhaps you think that hackers’ attack doesn\u2019t threaten you. What’s more, if you run a business, you’ve probably already done a lot to protect it from cybercriminals. You’ve set strong passwords to your company\u2019s accounts. You’ve taken care of the high-quality source code of the website. You’ve invested in anti-virus software and access cards for your employees. Unfortunately, this is probably still not enough.<\/span><\/p>\n

Security systems are as strong as their weakest point<\/b> \u2014 <\/span>no matter is it a weak firewall or John Doe, who clicked the link in an e-mail from the Nigerian prince.<\/span><\/p>\n

Social engineering techniques are methods of manipulation, used to convince someone to take a specified action. It\u2019s not hard to figure out what actions suit cybercriminals. Giving login and password, allowing access to the building, downloading a virus file <\/span>\u2014<\/span> examples can be multiplied. What they all have in common is that the hacker gets exactly what he wants: financial resources or confidential information belonging to the company.<\/span><\/p>\n

Now you know what are social engineering techniques and why you have to defend your company against them. It\u2019s time to find out more about the methods used by hackers.<\/span><\/p>\n

Social engineering types of attacks<\/span><\/h2>\n

Strategies that cybercriminals use can be divided into virtual, physical, and mixed (hybrid). We’ll look closer at each group one by one.<\/span><\/p>\n

Virtual techniques: phishing, fake news and more<\/span><\/h3>\n

One of the most popular social engineering types of attack is <\/span>phishing<\/b>. It is a non-personalized, usually mass attack, usually via fake emails or fake websites.<\/span><\/p>\n

A variation of <\/span>phishing is spear-phishing<\/strong>. It\u2019s an attack targeted at a specific person. A hacker selects a victim and then plans a strike taking into account their weaknesses.<\/span><\/p>\n

Let’s start with the combination of spear-phishing and the fake news method. Hacker makes a phone call to a person responsible for Public Relations and asks about a big scandal related to the company. The future victim, of course, doesn’t know about what scandal hacker is talking about, so hacker offers to send a link with the news to her e-mail. The article is, of course, fake, so as the whole website. After just a few seconds, on the page appears a pop-up with the link to the virus. The victim clicks to close it and download the virus straight to the computer. What’s more, if the victim sent the link to other people in the company \u2014 which is likely to happen \u2014 the virus will soon spread to the whole firm.<\/span><\/p>\n

There is one more type of phishing \u2014 <\/span>whaling<\/b>. In the case of whaling, a hacker targets his attack at high-level employees such as CEOs or CTOs. This choice isn’t incidental. People at the top of the office hierarchy, usually have full access to confidential data, interesting for hackers.<\/span><\/p>\n

It’s worth to mention also about the deepfake<\/strong>, which is fake audio or video record. All a hacker needs to do is to use the software, which enables to create a digital representation of a voice, based on just a minute’s sample. After that, a hacker can use it, for example, to fake the company’s CEO and depute to make an urgent transfer from the company’s account. <\/span>Deepfake is a relatively new, but a very serious threat.<\/span><\/p>\n

Pretexting<\/strong> is – as the name suggests – an attempt to obtain sensitive data with a credible pretext. For example, a hacker may call a company as a bank’s consultant who is asking for confirmation before providing sensitive information. A worried employee who wants to find out what’s going on as soon as possible will give the criminal the data without a second thought.<\/span><\/p>\n

Physical techniques<\/span><\/h3>\n

When it comes to hackers, many people imagine a man with a hood, sitting in a dark room, lit only by the brightness of a computer screen. This image, well known from newspapers, doesn’t truly reflect the reality. Hackers also work in the real world <\/span>\u2014<\/span> with success.<\/span><\/p>\n

To conduct an attack, hackers may <\/span>dress up<\/b>, for example, as a maintainer who installs printer drivers. He will choose the ideal moment when no one in the office who can confirm whether a professional has been called in. The employee will provide the service technician with a computer to install the drivers and will receive malware as part of the package.<\/span><\/p>\n

Another method used in social engineering attacks is <\/span>baiting<\/b>. The name comes from the word bait. The association with fishing isn’t accidental. Just as a fisherman hangs a worm on a rod to catch a fish, a hacker can drop an infected USB stick in the company.<\/span><\/p>\n

Tailgating<\/b> is gaining access to a given place by an unauthorized person. For example, an employee may hold a door for a rushing person. Tailgating usually takes place in large companies, where employees don’t know all their co-workers.<\/span><\/p>\n

Mixed (hybrid) techniques<\/span><\/h3>\n

The combination of virtual and physical methods is also popular in the world of the cybercriminal.<\/span><\/p>\n

A few months ago, one of the well-known corporations found out about this. Firstly, the employees of the company received a 30% discount on the new pizzeria that opened up in the neighborhood. They were excited and quickly organized a Pizza Day at the office. The pizzeria delivered 8 pizza boxes and free USB drives with LED lamps \u2014 with a virus on it. The employees, of course, suspect nothing and immediately connected gifts to their computers, giving hackers remote access to them.<\/span><\/p>\n

Fortunately for the company, we were responsible for the attack \ud83d\ude42<\/span><\/p>\n

The whole action was a part of the security audit. If you are interested in the topic, you can read more in the article <\/span>The Pizza Method \u2013 a Social Engineering Case Study<\/span><\/a>.<\/span><\/p>\n

The six principles of persuasion by Cialdini<\/span><\/h2>\n

Regardless of the method they choose, cybercriminals often use 6 rules presented in Robert Cialdini’s best-seller: “Influence: The Psychology of Persuasion”. To give you a better idea of how each of them works, we’ve prepared a table with the summary:<\/span><\/p>\n

Reciprocity<\/span><\/h3>\n

How does it work? <\/b>When someone does something for us, we often feel obliged to return the favor.<\/span><\/p>\n

How hackers use it: <\/b>A hacker can set up a situation where he can help his victim, e.g., collect documents that fell out of her hands after he accidentally hit her (“I’m sorry, I’m so clumsy…”). Then, after gaining the victim’s trust, he will ask for what he wants \u2014 for example, entering the building (“I left the card in the office. It’s my first day, my boss can’t know about it…”).<\/span><\/p>\n

Commitment and consistency<\/span><\/h3>\n

How does it work?<\/b> People like to think about themselves as consistent in their actions. When we’ve devoted a lot of time and energy to something, it’ll be much easier for us to do even more than when we didn’t.<\/span><\/p>\n

How hackers use it: <\/b>An employee who has already done one of the hackers’ favor (e.g., let him enter the office) is likely to comply with another one (e.g., let him use a company computer).<\/span><\/p>\n

Social proof<\/span><\/h3>\n

How does it work? <\/b>When other people act in a certain way, it’s easier for us to believe that it’s right and to take the same actions.<\/span><\/p>\n

How hackers use it: <\/b>Do you remember the Pizza Day case? When employees of the unfortunate corporation have gotten infected USB drivers as a gift, it was enough that one of them plug it into a computer <\/span>\u2014<\/span> the rest done the same without a second thought<\/span>.<\/span><\/p>\n

Liking<\/span><\/h3>\n

How does it work? <\/b>When we like someone, we’re more likely to do what he asked.<\/span><\/p>\n

How hackers use it: <\/b>Let\u2019s go back to the example with a hacker pretending to be a new employee, which have forgotten access card and beg others of letting him enter the office (\u201cThat\u2019s my very first day, my boss can\u2019t find out this has happened!\u201d). The liking rule says that many people don\u2019t refuse to help a charming dummy.<\/span><\/p>\n

Authority<\/span><\/h3>\n

How does it work? <\/b>We are more willing to fulfill requests from people who in our opinion have power or authority.<\/span><\/p>\n

How hackers use it: <\/b>A cybercriminal may fake an important person in the company (by e-mail\/phone) or a respectable one \u2014 a firefighter, a police officer (using a costume).<\/span><\/p>\n

Scarcity rule<\/span><\/h3>\n

How does it work?<\/b> We consider things that are rare or hard to achieve as more valuable.<\/span><\/p>\n

How hackers use it: <\/b>Everyone, at least once, has been notified that he has just won a smartphone and needs to hurry to get it? That’s a great example of how hackers use the rule of scarcity.<\/span><\/p>\n

How to protect a company against social engineering attacks?<\/span><\/h2>\n

Of course, the list of social engineering techniques used by hackers isn’t complete. Every year, new methods appear, as well as new viruses. The best strategy of defense against them remains a vigilance and common sense.<\/span><\/p>\n

To protect yourself and your company against social engineering attacks:<\/span><\/p>\n