Social Engineering from Phishing to Vishing: How a user innocently assists a cyber attacker – Part 1
In SonicWall’s 2022 Cyber Threat Report, social engineering attacks scored the highest percentage across the cyberthreat landscape. With 623.3 million ransomware attacks and 97.1 crypto-jacking attacks, among others, hackers are exploiting less-aware users to gain access to sensitive information, usually to sell this data on the dark web or to demand a considerable ransom from the victim organization in exchange for the decryption key. Staying true to its mission, MHE presents the new Security Awareness blog series, where we will be sharing educational content about cybersecurity to raise the consciousness of individuals and professionals towards the dangers of cyberspace and how to stay safe online.
In this first part of episode 1 (Social Engineering 1/2), we will be sharing with you 7 common types of hacking tactics that attackers resort to as a means to infiltrate an organization through one of its employees’ accounts. The sad part is that if the employee isn’t aware that they are being used as an accomplice to the attack, they can make the attacker’s target easily reachable and save them a lot of time. Keep reading so you don’t find yourself contributing to a much bigger, considerable harm to your organization.
Social Engineering attacks Part 1:
1. Phishing:
One of many ways an attacker can trick the victim into voluntarily sharing sensitive information, whether directly or indirectly. Such information could include login credentials, credit card numbers or other personal information. A typical phishing attempt involves e-mail correspondence that seems to be from a legitimate source. For example, if you work for a company with the domain @companyname.com, you’ll receive an e-mail from what appears to be exactly this domain. Other attackers use well-known organizations’ domains in their phishing correspondence to make it seem authentic: they will send an e-mail that appears to come from a well-known logistics company, for instance, telling the victim that there’s a parcel waiting for them and that a click on a link within that e-mail is required to claim it. Other tactics rely on psychological tricks like scaring the recipient and creating urgency by telling them that their device is compromised, prompting them to click a link or download an attachment to scan their device and remove the threat. Once the victim believes the message and takes the designated action, malware, spyware, or another form of malicious script gets deployed onto the victim’s machine and the attack begins.
2. Spear Phishing:
This is very similar to the phishing attack. However, while typical phishing e-mails target low to mid-level team members, spear-phishing attacks target users with high influence, privilege, and authority; like a system administrator, a security officer or a senior executive, with the intent of gaining access to higher-ranking data.
3. Malvertising:
As mentioned in our previous blog 10 types of malware attacks, a malvertising attack is an online advertising tactic controlled by hackers. Once the victim clicks the ad, malicious scripts get deployed onto the device and the hacker gains access. It is worth noting that leading publications have unknowingly allowed malvertising content on their websites before. One way to check whether the ad you are about to click is safe is to right-click the ad, copy the link without opening it, and paste it into a simple text editor like Notes, Notepad or Word. This will show you the URL you were about to visit, and it could also contain a filename/extension that raises red flags. Needless to say, the social engineering aspect of malvertising shows in how the attackers try to manipulate the user/victim into thinking that they would win something valuable like a mobile phone or the lottery, or meet some attractive partner of the opposite sex.
4. Adware:
The difference between malvertising and adware is that the former waits for you to click on it before the malicious code is deployed, while adware can be installed from different sources (including phishing links) and starts attacking the victim from then on. If you see suspicious websites opening on their own, and pop-ups appearing randomly as you are surfing the internet, you probably have adware running on your device. If you are surfing trusted websites/blogs and you see a suspicious ad, you are not yet a victim, but you could become one if you click on it.
5. Scareware security software:
Have you ever been online and received a message, whether through your e-mail or an ad, telling you that your device is infected and needs to be scanned and fixed? This is exactly what scareware is. An attacker exploits a user’s sense of fear, presenting a fake solution: run a malicious “antivirus/anti-malware” program to keep their device clean and remove the threat. Some of those tactics even prompt the victim to buy the software, and those who comply willingly hand their financial data to the attackers. To stay safe, make sure you protect your device by installing a trusted antivirus/anti-malware solution from one of the known vendors like Kaspersky, Malwarebytes, Trend Micro or Norton. Individual and corporate licenses may have different features, but in the end they both do a good job of protecting your device and the organization’s network from such threats.
6. Baiting:
Baiting is one of the most silent social engineering tactics and is sometimes hard to avoid if the user is too trusting or not very aware of where and how such devices could be planted. By connecting a hardware device that carries malware to a victim’s machine, the malware gets deployed with no active action required from the victim. This is why many organizations deploy security policies that block USB ports from accepting any mass-storage devices, in an attempt to protect valuable assets from being infected due to a lack of security awareness on the users’ side. Many endpoint protection solutions have scanners that stop malware on baiting devices before it finds its way onto the victim’s device.
7. Vishing:
Vishing is short for voice phishing. It is a type of attack where the victim receives a phone call from an impersonator claiming to be from a known bank or financial institution and asking for credit card or personal information. Some vishing attempts gained notoriety in Egypt, where the attackers called trusting victims, claiming to be from known banks operating in the country and saying that they needed some information to update account data. Sadly, many people fell victim to such attempts and trustingly shared very valuable information like CVV and PIN codes, only to find out later that their cards had been used in online transactions. Another type of vishing attempt, which has also happened in some organizations, targets the internal telephony system: an attacker calls the victim over the IP phone, claiming to be from the IT department and asking for passwords and credentials to “update corporate data”.
We hope that the above explanation gave you an idea of where attacks could start and how you can stay aware to avoid falling victim to such attack types and tactics. In a later episode of the same series (Part 2, stay tuned), we will continue listing other types of social engineering tactics: whaling, pretexting, diversion theft, honey traps, tailgating, and pharming. Follow our blog and stay aware!