In our previous episode of the security awareness series, we talked to you about 7 manipulative tactics that cybercriminals use to socially engineer their way into sensitive information, including credentials, financial data or personal information. In this episode we add some more tactics to conclude the most common social engineering practices, with tips on how to stay vigilant and protect yourself first and foremost, so that you avoid falling victim, or becoming an unwitting accomplice, to a much larger cyber-attack on your organization.
We will agree with our readers if they find that all the tactics are closely related. This is because malicious acts all have one thing in common: gaining access to data or information the attacker has no right to, whether by taking hold of login credentials and personal information, or by gaining access to large data repositories. Regardless of the means, medium and vehicle, the goal is ultimately the same.
Why cybercriminals exploit users and organizations.
Some criminals use personal information to blackmail users into sending them money or to take over their financial accounts. Others force their victims to participate in illegal practices in exchange for keeping the information they hold on them secret. On a corporate level, there is a significant market on the dark web for corporate data that can be used at scale to infiltrate an organization further and hack into its systems. We urge our readers to stay aware and keep an eye out for any suspicious correspondence, whether through e-mail, SMS or even voice calls. Cyber attacks are becoming less recognizable by the day, and the most impactful practices are usually the most silent.
7 additional Social Engineering practices:
1. Whaling:
Some sources refer to this as CEO fraud. Whaling is the type of phishing attack associated with high-level executives. While it can be confused with spear-phishing, whaling is usually outbound phishing: the attacker impersonates a C-level executive rather than targeting them. An example of whaling (whale; big fish) would be an IT team receiving an e-mail from the organization’s CEO asking them to resend him his account credentials. If the team falls for this and shares the credentials with the sender’s e-mail address (believing it really is the CEO), the attacker takes hold of them and can gain access to the CEO’s account(s).
2. Tailgating:
Tailgating sounds like a tactic from an action movie and funny to some people, but that does not change the fact that it is still one of the most effective techniques for criminals. The term is derived from a car closely following another on a highway (gating its tail), and it applies to attacks as follows: an attacker follows an authorized person closely until they enter an “authorized personnel only” area, whether a building or a datacenter. While it may sound funny at first, the criminal could be someone the authorized person genuinely trusts. The criminal would then either shoulder-surf and memorize the login code for that area or, worse, plant a keylogger or a wireless access point in the location to gain remote access.
Other tailgating tactics include impersonating a delivery courier by carrying a large package and following the authorized person, who would naturally hold the door open for them, or simply rushing into a building and claiming to be late for an important meeting and to have forgotten their access card.
3. Pretexting:
The attacker gives someone a false “pretext” to convince them to share sensitive information. A good example: a criminal trying to obtain a user’s login credentials pretends to be from the IT helpdesk and asks the user to share their password. Less-aware users do fall victim to such tactics and can compromise their accounts if the organization is not taking the right response measures.
4. Pharming:
This attack usually takes place on websites or web applications, where the attacker redirects traffic to a fake destination with the intention of capturing login credentials or other sensitive information such as online banking details.
5. Honey Trap:
Honey trapping is another form of impersonation and social engineering. A very similar example appeared recently in the popular Egyptian sociodrama series “Family Matter” موضوع عائلي, where the victim (Ramadan) was in communication with a foreigner (Matroushka) who lured him into believing that she would visit Egypt and spend a couple of days with him, but presented him with a problem: the price of the flight ticket. The solution, as she proposed it, was for him to share a picture of his credit card so that she could use it to purchase a ticket online.
A sad ending to the above story would have been Matroushka draining all the funds from the account connected to the card, but luckily Ramadan’s wife had earlier planted spyware on his phone (as she claimed) and was faster in transferring the funds to her own account before Matroushka got to the money. MHE does not condone such behavior.
6. Diversion Theft:
A social engineering tactic that applies to both physical and digital attacks. It involves an attacker (criminal) posing as another person and intercepting the delivery of a package (physical) or message (digital) to receive it on behalf of the original recipient. To avoid falling victim to this, ensure you use trusted delivery services, and talk to your IT administrator to understand the cybersecurity measures taken to deploy identity impersonation protection practices and solutions.
7. Scareware:
Scareware security software was mentioned in the previous episode of our awareness series; it is one specific type of scareware, but scareware in general is any tactic that psychologically manipulates the victim by intimidating them with a supposed problem and offering a fake solution. One type of scareware used to circulate on social networks: a fake account sends the victim a message claiming to have seen a private photo of them on the web, along with a link to that fake destination. The victim, fearing the claim is true, clicks the link. Needless to say, the whole context is fake, and the victim unknowingly runs a malicious script or lands on an injected destination that captures some of their sensitive data.
There are further, more sophisticated means of performing a social engineering attack, but we have not covered them here because they are either too rare (like quid pro quo) or simply another variant of an attack we have already mentioned (like smishing, or SMS phishing). MHE emphasizes how important it is to start employing security awareness training for team members at all levels to ensure a proactive approach to avoiding a more impactful compromise of the organization’s data. Stay vigilant, stay secure and make sure you are always paying attention to the links you click, the attachments you download and the information you share.