Monday, August 14, 2017

What is Social Engineering?

Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software–that will give them access to your passwords and bank information as well as giving them control over your computer.
Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software.  For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is really weak).

 Common social engineering attacks

Email from a friend. If a criminal manages to hack or socially engineer one person’s email password they have access to that person’s contact list–and because most people use one password everywhere, they probably have access to that person’s social networking contacts as well.
Once the criminal has that email account under their control, they send emails to all the person’s contacts or leave messages on all their friend’s social pages, and possibly on the pages of the person’s friend’s friends.
These messages may use your trust and curiosity:
  • Contain a link that you just have to check out–and because the link comes from a friend and you’re curious, you’ll trust the link and click–and be infected with malware so the criminal can take over your machine and collect your contacts info and deceive them just like you were deceived.
  • Contain a download–pictures, music, movie, document, etc., that has malicious software embedded. If you download–which you are likely to do since you think it is from your friend–you become infected. Now, the criminal has access to your machine, email account, social network accounts and contacts, and the attack spreads to everyone you know. And on, and on.
These messages may create a compelling story or pretext:
  • Urgently ask for your help–your ’friend’ is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home and they tell you how to send the money to the criminal.
  • Asks you to donate to their charitable fundraiser, or some other cause – with instructions on how to send the money to the criminal. 
  • Urgently ask for your help–your ’friend’ is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home and they tell you how to send the money to the criminal.
  • Asks you to donate to their charitable fundraiser, or some other cause – with instructions on how to send the money to the criminal.
Phishing attempts. Typically, a phisher sends an e-mail, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution.
These messages usually have a scenario or story:
  • The message may explain there is a problem that requires you to "verify" of information by clicking on the displayed link and providing information in their form. The link location may look very legitimate with all the right logos, and content (in fact, the criminals may have copied the exact format and content of the legitimate site). Because everything looks legitimate, you trust the email and the phony site and provide whatever information the crook is asking for. These types of phishing scams often include a warning of what will happen if you fail to act soon, because criminals know that if they can get you to act before you think, you’re more likely to fall for their phish.
  • The message may notify you that you’re a ’winner’. Maybe the email claims to be from a lottery, or a dead relative, or the millionth person to click on their site, etc. In order to give you your ’winnings’ you have to provide information about your bank routing so they know how to send it to you, or give your address and phone number so they can send the prize, and you may also be asked to prove who you are often including your Social Security Number. These are the ’greed phishes’ where even if the story pretext is thin, people want what is offered and fall for it by giving away their information, then having their bank account emptied, and identity stolen.


  • The message may ask for help.  Preying on kindness and generosity, these phishes ask for aid or support for whatever disaster, political campaign, or charity is hot at the moment.

    • How do you avoid being a victim?
      •       Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
      •    Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
      •      Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
      •        Don't send sensitive information over the Internet before checking a website's security. 
      •        Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
      •       If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
      •         Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. 
      •      Take advantage of any anti-phishing features offered by your email client and web browser.




      No comments:

      Post a Comment

      Test Images

      Below images  are being used for the   Hashtag Generator and Content Authenticator research .