Social Engineering Example
2024-3-27 01:24:25 Author: kalitut.com

What is Social Engineering?
Explaining the meaning, methods of attack, examples of damage and countermeasures


Social engineering refers to obtaining important information about a company or community illegitimately, by whatever means works. In the past this was largely a matter of physically stealing passwords, but the techniques have become more sophisticated and now include the use of malware. In this article we explain what social engineering is, what kinds of damage it causes, and what countermeasures can be taken. This matters a great deal for your company’s security measures, so please take the opportunity to learn how these techniques work.

What is social engineering?

Social engineering is a method of obtaining the information needed to get into a company or community network, such as passwords and account details, without relying on technical means such as attacking over the Internet.
It appears as a component of cyber attacks, but also in more familiar forms, such as peeking at the password of a family member’s computer or smartphone.

Social engineering also carries the connotation of a criminal method, and was once called “social hacking.”
Social engineering is characterized by the clever use of the target’s social relationships. For example, attackers exploit human psychology by impersonating company bosses or important business partners, building a relationship of trust with lies, and then gathering information.
In other words, social engineering is not one specific criminal method, but a family of fraud and hacking techniques that exploit the user’s psychology and structural gaps in a system, whether digital or analog.

About the increasing number of supply chain attack methods against companies

Major companies have strengthened their security measures in recent years, developing not only systems but also crime-prevention manuals. Compared to large companies with ample financial and human resources, small and medium-sized enterprises find it difficult to allocate sufficient resources to security.
For this reason, a common social engineering practice is to attack large companies by way of their small and medium-sized partners, and the trend in recent years is that small and medium-sized enterprises are increasingly the ones targeted.
This attack method is called a “supply chain attack,” meaning an attack on a company’s supply chain: the series of processes such as procurement of raw materials, product manufacturing, and transportation.

Main techniques of social engineering

We will explain the main techniques of social engineering and their countermeasures.

1-Using spoofing to ask questions over the phone

A long-known social engineering method is to impersonate a specific person and ask for information over the phone. It is a classic yet easy way to obtain information: the telephone is voice-only and not face-to-face, so it is easy to catch the other person off guard.
Once they have information about the target company or service, attackers impersonate a user and call the person in charge to ask for employee and customer information, passwords, and so on. In recent years, special scams have sometimes impersonated police officers to catch targets off guard and ask for their passwords.
One measure a company can take is to enforce a strict rule of never giving out passwords or company information over the phone.
Sometimes the caller will use an angry tone or say misleading things, but if you set rules for handling telephone calls and standardize them within your company, staff will not have to worry about how to respond.

2-Peeking (shoulder hacking)

Shoulder hacking is a social engineering technique named after the act of looking over someone’s shoulder to see a password. When you use your computer or smartphone on a train, in a cafe, at work, and so on, someone can casually approach and look over your shoulder as you type a password. This is another classic method, but because many people reuse passwords, it can easily lead to serious damage once a single password is known.
The problem is that people can physically spy on you, so the best countermeasure is not to enter passwords in environments where others can see you, such as on trains or in cafes. If you really must enter information, make sure your back is against a wall and no one is beside you before doing so.

3-Rummaging through trash cans (trashing)

A surprising blind spot is important information thrown away in the trash. Even inside a garbage bag, there is a chance that the bag will be searched, or that the bag is translucent and the text can be read through it.
Trashing is a common method in social engineering, and passwords for servers and routers can be read from the names and contents of discarded documents. If your network is infiltrated, your company’s IP addresses and network information can be viewed freely, so you must be careful about trashing.
The best countermeasure is to physically and systematically lock important information away so that third parties cannot view it. When disposing of information, do not simply throw it in the trash: shred paper media, and completely erase the data on storage media such as CD-ROMs or USB drives before disposing of them.
If the media will not be used again, there is no problem with physically destroying it.

4-Spear phishing attack

Spear phishing is one of the phishing techniques. As the name “spear” suggests, it is a method of attacking a specific opponent by aiming at them, like thrusting a spear.
While general phishing targets an unspecified number of people, spear phishing focuses its attacks on specific targets. Because the attack is tailored to the target, it has a higher success rate than regular phishing.
Spear phishing deceives easily because the phishing is carried out while pretending to be an employee of the company, an employee of an affiliated company, or a business partner.
Countermeasures include not opening suspicious emails, blocking suspicious emails on the mail server side, and implementing anti-malware measures. If suspicious emails can be shut out on the system side in the first place, you will not become a target for spear phishing.

5-Stealing through malware infection (spyware)

Spyware is software that, once it has infected a device, steals information from it and sends that information to a malicious third party. It is also used to infect internal computers via the network and steal important information such as IDs and passwords.
Possible countermeasures include installing security tools, updating software to the latest version, and making sure company rules are thoroughly communicated.
It is especially important to make employees aware of company rules: do not connect to external networks carelessly, and do not bring in storage media or files from outside.

6-Reverse social engineering

A common social engineering method involves impersonating someone affiliated with a company in order to extract important information.
Reverse social engineering, by contrast, announces things like password update notifications or support number changes via email, etc., in order to induce the target to proactively contact the attacker.
Countermeasures include not using email for important notifications but instead using another channel, standardizing responses to emails according to company rules, and having the system identify suspicious emails from outside.

7-Extracting information by exploiting SNS

There is also a method of using social networking services (SNS), where identities are hard to verify, to impersonate a specific person and extract the target’s information. It has no immediate effect, since building trust takes time, but for the same reason it is difficult for the target to realize they have been deceived.
As a countermeasure, provide in-house training on how to use SNS and do not use SNS on work smartphones. Another measure to prevent private company information from leaking is to refrain from posting information on social media that could identify the company name or department.

Examples of social engineering damage

There are many actual examples of damage caused by social engineering. The following are representative types of cases.

Case 1. Damage due to fake transfer

An employee received an email pretending to be from a client of Company A, notifying them of a change in the payment destination. The person in charge transferred money to the fake bank account, and the fraud was discovered only later, when the genuine client pointed out that the payment was overdue.
This attack used reverse social engineering techniques.

Case 2. Virtual currency outflow

There was also an incident in which virtual currency was leaked from Company B, which handles virtual currency. The attackers used spear phishing and techniques that exploited human psychology to identify the administrators.
The attacker identified a person with administrator privileges by contacting employees at Company B, and once they had built a relationship of trust with that employee, they sent an email containing spyware.
The computer of the person in charge was infected, and the virtual currency stored by the company was stolen.

Case 3. Employee personal information leaked

The attacker called an office worker at Company C and, pretending to be a related party, asked for a trainee’s personal information. The clerk who answered the phone verbally gave out the trainee’s name and mobile phone number. This was discovered later when a superior, who had become suspicious of the contents of the call, checked on it.

Case 4. Account takeover by impersonation

There have also been incidents of SNS accounts being hijacked, including major incidents attributed to social engineering in which multiple celebrity accounts were hijacked with a huge social impact.
In some cases, fraudulent messages were sent from the compromised accounts to people around the world, causing widespread damage. It was later revealed that the attacker had taken over the accounts by obtaining a password from an SNS employee over the phone.

Case 5. Information leak incident due to malware infection

A notice purporting to be a business-related proposal was sent to an employee of Organization D via email. When the employee opened the email, the attached malware infected their device.
Suspicious communication from the terminal led to the infected terminal being isolated and staff being alerted, but the alert was not widely distributed, and as a result further malware infections occurred one after another.
In malware infections of this kind, post-infection investigations may reveal that a large amount of personal information handled by the organization has been leaked from the infected terminal.

What are the characteristics of attackers who use social engineering?

Attackers who use social engineering have certain characteristics and tendencies. By knowing them, you can prepare yourself not to be fooled by impersonation or lies.

Feature 1. Trying to create a sense of crisis

A common feature of social engineering is the use of keywords that create a sense of crisis in the reader. For example, the following phrases are used frequently:

  • Please confirm as soon as possible.
  • Important Notices
  • Open as soon as possible
  • emergency contact

When you receive emails or notifications like this, you start to wonder what is going on even though nothing has happened. Anyone who opens such an email may be infected with malware and risk an information leak.
In addition, if the message lists a contact number and you call it, there are cases where you are drawn into a special fraud or fictitious billing scheme, with the word “lawsuit” dangled as a threat. Do not let text that provokes a sense of crisis drive your actions, and be especially careful.
Be sure to ignore emails and notifications from unknown contacts, even if they say “urgent.”

Feature 2. Taking bold actions and using bold words

In social engineering, the target cannot be deceived once they become suspicious, so the attacker tends to act and speak boldly so that the target cannot tell it is a lie.
For example, some daring attackers masquerade as janitors who have come to clean, and rummage through trash cans at companies and public institutions. If you see someone timid or looking around nervously, it is natural to think that person is suspicious.
However, someone who acts confident and looks as if they have simply come to clean will not really be bothered, even if people find them a little odd. When you see an unfamiliar face in your usual office, or a different vendor than usual, it is important to verify their identity.
Do not be overconfident in your own attentiveness; get into the habit of checking on anyone who seems different from usual when they approach you.

Feature 3. Conducting computer-based attacks

Computer-based attacks are methods that set out to deceive, such as emails containing false information or fake websites that look exactly like the official site. Anyone with some computer skills can freely create a website.
A commonly used hacking and cracking toolkit is Kali Linux. It can be easily downloaded from the Internet and run from or removed from an HDD or USB drive, which makes hacking tools and malware creation easy to get started with.
Because hacking tools are now readily available on the Internet, computer users have no choice but to be careful. Take measures so that your information cannot be stolen easily: do not respond to suspicious emails or sites.

Five main methods of social engineering attacks

Next, we explain the main techniques of social engineering that you should keep in mind. There are five main methods:

  • Peeping on PC screens and stealing passwords (shoulder hacking)
  • Making spoofed calls and stealing personal information
  • Searching through trash cans (trashing)
  • Phishing scams (smishing)
  • Scareware

Peeking at PC screens and stealing passwords, etc. (shoulder hacking)

“Shoulder hacking” is the trick of sneaking a peek at the screen of a person using a computer or smartphone from behind, memorizing the ID and password they are entering, or reading the contents of emails containing confidential information.

Shoulder hacking leaves no trace of the attack, so it is highly likely that you will not realize your information has been stolen until you become a victim of unauthorized access.

When handling login information, card numbers, and the like, whether outside the company or inside it, check that no one around you can see the screen and use the device in a safe manner.

Making spoofed calls and stealing personal information

The second common social engineering technique is to impersonate a business partner or other party and make a phone call to steal personal information.

In this method, an attacker posing as a related party uses a pretext such as “The account used for transactions has changed, so we need to carry out a new account registration procedure for our trading partner,” and uses clever storytelling of this kind to steal the current account information from the victim.

According to Verizon’s 2023 survey, approximately 50% of social engineering damage is due to “spoofing,” and the number of cases has approximately doubled from the previous year.

Reference: Verizon | 2023 Data Breach Investigations Report

If you receive a phone call asking you to share personal information or company secrets, do not trust it immediately; suspect that it is a “spoofed call.” In addition, contact the business partner or client separately by phone or email to confirm right away whether the caller is genuinely related to them.

Rummaging through the trash (trashing)

“Trashing” is the method of picking up notes containing personal information from trash cans and using them fraudulently.

If you throw papers containing login information such as computer IDs and passwords, business lists, customer addresses, phone numbers, and so on into the trash can, a malicious third party could steal the information.

In addition, if you dispose of storage media such as USB memory, not just paper, without erasing the data, there is a risk that the information will be stolen.

When disposing of paper or storage media containing important information, be sure to take measures that prevent the information from leaking outside, such as shredding, dissolving, or wiping the data.

Phishing scam (smishing)

“Phishing” is a type of cyber attack aimed at stealing information.

The attack lures the target to a fraudulent URL via email or other means and has them enter personal information such as their name, phone number, and credit card number into a fake website or form the attacker prepared in advance.

■Specific examples of phishing scams

  • Emails such as “You won a gift!” lead you to a URL with a form and ask you to enter your name and address.
  • Pretending to be from a major e-commerce site, the attacker sends an email saying “A system problem has occurred” or “There was an abnormal login” and directs the user to a fake website where the user enters personal information.

Among phishing scams, the variant that uses smartphone SMS is called “smishing.” In recent years, damage caused by smishing has occurred frequently, so be wary of suspicious SMS messages that imitate mail-order sites or delivery companies.
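The “sense of crisis” phrases listed under Feature 1 and the fake-site pretexts described in this phishing section are exactly the signals a mail gateway or help-desk triage script can look for. The following is an added example, not code from the article or from kalitut.com: it scores a raw email on urgency phrases, on a Reply-To domain that differs from the From domain, and on look-alike domains (one or two character edits away from a trusted domain) in the sender or the linked URLs. The trusted-domain set, the two sample messages, and the scoring weights are all constructed for illustration.

```python
"""Heuristic email triage: urgency phrases plus look-alike sender/link domains.

Added example (not the article's code). KNOWN_DOMAINS, the sample messages and
the weights are constructed; tune them to your own environment.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Phrases the article lists as typical crisis bait, plus the two phishing
# pretexts it quotes. Matched case-insensitively against subject and body.
URGENCY_PHRASES = [
    "please confirm as soon as possible",
    "important notice",
    "open as soon as possible",
    "emergency contact",
    "abnormal login",
    "system problem has occurred",
]

# Hypothetical: domains the organisation legitimately uses or trusts.
KNOWN_DOMAINS = {"example-mail.test"}

URL_HOST_RE = re.compile(r"https?://([^\s/:]+)", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot domains one or two characters off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Bare, lower-cased domain from a From:/Reply-To: header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def is_lookalike(domain: str, known=KNOWN_DOMAINS, max_dist: int = 2) -> bool:
    """True if the domain is not trusted but within max_dist edits of a trusted one."""
    if not domain or domain in known:
        return False
    return any(levenshtein(domain, k) <= max_dist for k in known)


def plain_text(msg) -> str:
    """Concatenate the text/plain bodies of a message (handles multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> dict:
    """Score a raw RFC 822 message; a higher score means more social-engineering signals."""
    msg = message_from_string(raw_message)
    text = f"{msg['Subject'] or ''}\n{plain_text(msg)}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]

    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    reply_mismatch = bool(reply_domain) and reply_domain != from_domain

    # Sender, Reply-To and every linked host are all checked for look-alikes.
    candidates = {from_domain, reply_domain, *(h.lower() for h in URL_HOST_RE.findall(text))}
    lookalikes = sorted(d for d in candidates if is_lookalike(d))

    # Constructed weights: one point per bait phrase, two for a diverging
    # Reply-To, three if any look-alike domain appears.
    score = len(hits) + (2 if reply_mismatch else 0) + (3 if lookalikes else 0)
    return {
        "score": score,
        "urgency_hits": hits,
        "reply_to_mismatch": reply_mismatch,
        "lookalike_domains": lookalikes,
    }


# Constructed sample messages (not real mail). Note "examp1e" with a digit one.
SAMPLE_URGENT = """From: "Account Support" <support@example-mail.test>
Reply-To: billing@examp1e-mail.test
Subject: Important Notice: please confirm as soon as possible
Content-Type: text/plain

There was an abnormal login on your account. Open as soon as possible:
http://examp1e-mail.test/login
"""

SAMPLE_BENIGN = """From: "Alice" <alice@example-mail.test>
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free for lunch on Friday?
"""

if __name__ == "__main__":
    for name, raw in (("urgent", SAMPLE_URGENT), ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw))
```

Run as a script it prints the two triage results; the urgent sample trips four bait phrases, a Reply-To that points elsewhere, and a look-alike domain in both the Reply-To and the link, while the benign sample scores zero. The look-alike check is deliberately limited to a short edit distance so that unrelated domains are not flagged; homoglyph and punycode variants would need an additional normalisation step before comparison.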

Scareware

Scareware is a technique that displays warning messages such as “You have been infected with a virus” or “There is a security problem” on your computer screen and tricks you into purchasing paid software or services.

The aim is to make a profit by steering the target with text that incites a sense of crisis, such as “If you want to get rid of the virus, buy this software now!”
The tactics scareware uses to provoke anxiety are sophisticated, such as making it appear that a scan is progressing in real time, or opening countless browser windows so that the user appears to be infected with a virus.

As a countermeasure, if a warning screen appears in your browser, suspect that it is a “false warning.” Do not simply follow the warning’s instructions; close the browser and stay calm.

Summary
Social engineering techniques become more sophisticated every year. To respond to them, it is important to learn from past cases and understand how attackers identify targets and carry out their attacks.

Social engineering exploits weaknesses in human psychology. To fully protect important company and customer information, each employee must understand social engineering and always act with caution.
Learn about past incidents and the characteristics of attackers, and strengthen your company’s security measures.


Source: https://kalitut.com/social-engineering-example/