Ethical Hacking: The term social engineering covers a wide range of malicious activities accomplished through human interaction. It uses emotional manipulation to trick users into making security mistakes or giving away sensitive information.
These attacks happen in one or more steps. An attacker first investigates the intended victim to gather the background information needed to proceed with the attack, such as potential points of entry and weak security protocols. The attacker then works to gain the victim's trust and provides incentives for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.
How does social engineering work?
- Here the attacker learns as much as possible about the intended victim. The information is collected from company websites, other publications and sometimes by talking to the users of the target system.
- The attacker outlines how he or she aims to execute the attack.
- This step covers the computer programs that the attacker will use when launching the attack.
- The attacker exploits the weaknesses in the target system.
Use acquired knowledge:
- Information gathered through social engineering, such as pet names, birthdates of the organisation's founders, etc., is used in attacks such as password guessing.
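The point above is that personal details gathered by social engineering feed directly into password guessing. A defensive counterpart is to screen new passwords against exactly that kind of data. The following is an added example, not code from the original page: it takes a constructed profile (a pet name, an employer name, a founder's name and a birthdate, all invented here) and rejects passwords that embed any of them, including common digit-for-letter substitutions, reversed spellings and the usual numeric date layouts. The profile keys `words` and `dates` and the tolerance `MIN_TOKEN_LEN` are assumptions of this example.

```python
"""Screen candidate passwords against personal information an attacker could
gather by social engineering (pet names, birthdates, founders' names).

Constructed example: the profile data and passwords used below are invented.
"""
import re
from datetime import date

MIN_TOKEN_LEN = 4  # ignore very short fragments so "jo" or "84" alone do not trigger

# Digit/symbol substitutions commonly used to disguise a dictionary word
# ("@cm3" decodes to "acme"). Assumed mapping for this example.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def decode_leet(text: str) -> str:
    """Lower-case the text and undo the substitutions in _LEET."""
    return text.lower().translate(_LEET)


def date_tokens(d: date) -> set[str]:
    """Digit strings a person might embed for a date: 1984, 1503, 15031984, 150384, ..."""
    fmts = ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%Y%m%d")
    return {d.strftime(f) for f in fmts}


def personal_tokens(profile: dict) -> set[str]:
    """Flatten a profile into comparable tokens: de-leeted words and date digit strings."""
    words = set()
    for entry in profile.get("words", ()):
        for part in re.split(r"\s+", entry):           # "Jane Okafor" -> "jane", "okafor"
            words.add(re.sub(r"[^a-z0-9]", "", decode_leet(part)))
    dates = set()
    for d in profile.get("dates", ()):
        dates |= date_tokens(d)
    return {t for t in words | dates if len(t) >= MIN_TOKEN_LEN}


def personal_info_matches(password: str, profile: dict) -> list[str]:
    """Return the profile-derived tokens found in the password (empty list means clean)."""
    digits = re.sub(r"\D", "", password)                        # date fragments: digits only
    decoded = re.sub(r"[^a-z0-9]", "", decode_leet(password))   # word fragments: after de-leeting
    hits = []
    for token in sorted(personal_tokens(profile)):
        haystack = digits if token.isdigit() else decoded
        if token in haystack or token[::-1] in haystack:        # also catch reversed spellings
            hits.append(token)
    return hits


def is_acceptable(password: str, profile: dict) -> bool:
    """True when the password contains none of the profile-derived tokens."""
    return not personal_info_matches(password, profile)


# Constructed profile: the kind of facts an attacker collects from websites or small talk.
EXAMPLE_PROFILE = {
    "words": ["Fluffy", "Acme", "Jane Okafor"],   # pet name, employer, founder (invented)
    "dates": [date(1984, 3, 15)],                 # founder's birthdate (invented)
}

if __name__ == "__main__":
    for candidate in ("@cm3-Rocks!", "Summer1984!", "yffulF1503", "correct horse battery staple"):
        print(f"{candidate!r:34} -> {personal_info_matches(candidate, EXAMPLE_PROFILE) or 'ok'}")
```

The check deliberately works on a normalised copy of the password rather than an exact string match, because the guessing attacks the page describes try the same variants. Pair it with a normal length and breach-list policy; it screens only for the guessable personal fragments, not for overall strength.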
Social engineering attacks can be grouped into three types:
Impersonation: Acting like someone else to gain access to information.
Attackers may act as a real user and request information, pose as a higher authority and ask for sensitive information, or pose as a technical support person and try to gather sensitive and confidential details.
Other human-based attacks are:
- When an authorised person enters a controlled area, an unauthorised person enters the restricted area behind them without the employee's knowledge.
- Here the attacker may pose as an employee and ask an authorised employee to let him enter along with him, giving a fake reason such as having forgotten his smart badge.
- Any confidential document must be properly shredded before it is disposed of in the dustbin. If not, an attacker may simply search the dustbin to obtain the confidential information.
- Listening to conversations without authorisation in order to collect important data is called eavesdropping.
- This is a direct observation technique, such as looking over someone's shoulder to learn sensitive information like passwords and PINs.
- It is also an individual responsibility.
- There are no hardware or software tools to prevent it.
- It’s hard to detect a social engineering attack.
- Loose security policies.
- The individuals are unaware of the consequences of social engineering attacks.
Behaviours Vulnerable to Social Engineering
- Human nature and trust are the base of this attack vector.
- Fear of severe losses.
- Ignoring or underestimating the strength of social engineering makes the organisation an easy target.
- Victims are asked for help and, out of a sense of moral obligation, fall prey to social engineers.
Phases of Social Engineering Attack
- Research the target company: by dumpster diving and gathering information from websites.
- Select the victim: identify a frustrated employee of the targeted company.
- Develop a relationship with the selected employee.
- Exploit the relationship: use it to obtain sensitive information and learn which technologies the target organization currently uses.