Social Engineering

Author: Matthewson Quentin

Social engineering is a type of attack that exploits emotional responses and interpersonal interaction to obtain information or access to specific software, networks, or knowledge.

Connected Autonomous Vehicles (CAVs) are built and assembled by manufacturers that outsource various parts, sensors, and equipment to other companies, before the vehicles are sold to transport companies. Any stakeholder in this chain could be the victim of a social engineering attack.

A social engineering attack is usually carried out in the following steps:

1. Information harvesting on the victim to prepare the ground for the attacker.

2. Interaction with the victim, using emotions, trust, and relationship building.

3. Asking for small benefits, information, or even credentials.

Social engineering aims at the following objectives:

  • Harming the victim's company or the victim themselves.
  • Stealing goods (money, accounts, information, …).

A feeling of urgency is usually created to push the victim to act immediately, pressuring them into a fast response.

Below are short descriptions of the most commonly used types of social engineering attacks.

Scareware

This type of attack floods the victim with multiple alerts claiming that something is wrong or that they are the target of a cyber-attack. These allegations are of course false and only aim at pushing the user to install malicious software proposed as a solution to fix the problem. Once said software is installed, the attacker stops the fake alerts, giving the victim a sense of trust and safety. The software is then used by the attacker to gain access to the victim's system, which is thereby compromised.

Pretexting

Here the victim is pushed by the attacker to reveal sensitive information or give access to the system. This attack is usually carried out by someone impersonating an authority, vendor, or co-worker who asks the victim questions, supposedly to confirm the victim's identity, and uses personal details obtained beforehand to appear credible. The goal is to build trust in order to gather sensitive information.

Phishing Attacks

There are three types of phishing:

  • Whaling: Targeting a specific high-ranking staff member or someone important.
  • Spear phishing: Targeting a specific staff member or person.
  • Phishing or spam phishing: Targeting any unsuspecting person through a massive phishing campaign.

These types of phishing can be carried out through different media, for example phone calls (vishing), text messages (smishing), social media (angler phishing), search engines, URLs, pop-ups, and, most commonly, emails.

Baiting

Most commonly, attackers leave infected USB drives in public places as bait. Once a drive is plugged into a computer, the malicious software infects the device.

Such malicious programs can also be found within free software or other tempting offers.

Tailgating

This attack requires the physical presence of the attacker, who follows a staff member into a restricted area, relying on the social pressure of the moment to avoid being challenged.

Quid pro Quo

The attacker manages to put the victim in a situation where they feel indebted and are therefore willing to grant their attacker a favor.

Water-Holing

This complex attack involves exploiting any weakness the attackers can find on a website the victims are known to visit. The goal is to infect the website and, through it, all of the website's visitors.

Malware

The attacker manages to gain the victim's trust and uses this trust to make them believe that their computer is infected. The only option the victim is presented with is the payment of a certain sum of money to have the malware removed.

The above-mentioned attacks can also be used in combination with one another.

Preventing social engineering

Simple guidelines can be implemented to help prevent these attacks. These may include:

  • Think before acting. If anything seems suspicious, ask for help.
  • Run awareness campaigns involving different media.
  • Never reveal a personal password to anyone.
  • Knowing that email is the medium most commonly used by scammers, never open suspicious content or attached files.
  • Test and exercise with different scenarios.
  • Politely refuse when identification cannot be guaranteed, and confirm with a superior.
  • Be aware of the sensitive information that must not be revealed.
  • Never use the same password for multiple accounts.
  • Be aware of the level of clearance required to access sensitive data and areas.
  • Never use any device with an administrator account for everyday work.
  • Ensure that procedures are followed when sensitive data is handled.
  • Regularly update your anti-malware and antivirus software.
  • Use two-factor authentication when possible for important accounts.
  • Be aware that any account can be hacked (email, phone number, social media, etc.).
