Early bird prices are coming to an end soon... ⏰ Grab your tickets before January 17

This article was published on November 24, 2018

The frustratingly simple techniques of ‘human hacking’ — and how to fight them


The frustratingly simple techniques of ‘human hacking’ — and how to fight them

Technology has changed the meaning of how we interpret security and privacy in this digital millennium. We’ve made tools that can prevent major vulnerabilities, with years of research, and debugging, to finally prevent disruptions in our workflow from occurring.

What we forget is, the biggest enemy to security is still a human being or as I must state, the mistakes that we commit.

Social engineering exploits those mistakes to get access to your personal information and the worst part is that the attackers, take the information with your consent.

What is social engineering?

Social engineering is the skill of gaining access to sensitive and secure credentials by manipulating through human involvement and interaction.

Perpetrators manipulate human psychology to lure victims into committing mistakes and break their secure routine which as a result, exposes their secretive information to the attacker.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

In order to launch a social engineering attack on an individual or an organization, the attacker goes through a series of steps before harming the victim. The steps may vary from one suspect to another, but the process of gathering information on the soon-to-be victim remains the same.

After the relevant information is gathered, he/she then proceeds to the second phase, gaining victim’s trust which eventually allows the victim to be manipulated. Lastly, the treasure in the form of the data or whatever perpetrator manipulated the victim for.

The whole process of social engineering revolves around the aspect of mistakes committed by humans, which makes it extremely dangerous for data security.

The perpetrators tend to exploit weaknesses in a person’s personality which makes them have a false sense of security with the attacker giving them the green light to get the information they want.

Techniques of social engineering

Social engineering is currently the most used method by criminals trying to infiltrate an organization. The cybercriminals can snoop around with its secure data and leave without a digital footprint of any sort. It can be initiated anywhere, where there is a chance of human error or human involvement.

The main techniques of social engineering can be boiled down to four major types.

Baiting

As the name suggests, baiting attacks use attributes of an individual’s personality against them. It lures them into a trap where everything seems blissful but you end up losing your credentials or inflict your systems with deadly malware.

Believe me, when I say, it’s easier for anybody to fall for a trap like this. In 2016, many enterprises were added to the list of social engineering attack victims.

There are two forms of baiting, one that is physical and the other online. In the physical one, the perpetrator uses a malware infected flash drive and leaves it someplace where it is visible to the victim’s eye.

The perpetrator makes the device visibly familiar to what the victim owns. Once the victim plugs it into an office computer or home computer the malware auto installs and disrupts the computer system.

The online aspect of it requires the user to download malicious software through a website. Different methods can be utilized to bait you into downloading the file. It can happen through an email, a fake website or through a series of ads, redirecting to the malicious website.

Pretexting

Pretexting is another technique used by attackers, this attack forces the attacker to craft a really good yet believable strategy to get the information. The scam is initiated with the perpetrator impersonating a high profile officer of an organization pretending to need your information to perform a critical task.

However, it’s not always the case, they can even impersonate your friend, family member or acquaintances to get what they require.

The attacker often impersonates high ranking officials, like police officers, tax officials, and other important people that have the authority to ask incredibly confidential questions. In order to sound more believable, the attacker often asks the victim information to confirm their identity so that he can move forward with the plan accordingly.

All sort of important and sensitive information is gathered through this attack which can include social security numbers, personal addresses, phone numbers even bank account credentials if needed.

Phishing

Phishing is one of the most famous social security engineering attack types. The attacker targets the victim through different mediums, emails, a fake website with similar URLs can be used to complete the attack. Phishing scams are mostly initiated by impersonating a well-known or familiar organization used by the victim. It then encourages victims to open malicious links to download malicious software or to reveal sensitive information.

Let’s say you receive an email on behalf of an organization that you visit often or you are familiar with so you do not focus on what the email address looks like and you just proceed to open it without any precautions.

You find out that the privacy policy has been changed and it requires you to change your password by visiting the link embedded in the email. You do exactly, what the email said. Congratulations, you just played yourself.

The attackers have thought of everything possible to deceive you, that’s why they succeed at manipulating people to do what they want.

Scareware

Scareware is a type of application, that when installed, makes the end user experience fake malware and threats. The victim is lured into an illusion that their system is under attack or affected by malware. Furthermore, it asks the individual to download a specific software which is “supposedly” removes the malware.

The software that it asks to download does not contain any solution for your problem, it’s only made to disrupt more operations of your computer system.

A common example of scareware would be those popup websites that display threats on your browser screen like “Your computer is infected, please download this software below to remove it.” If not then it will lead you to an infected website instead which will automatically start downloading malware on your computer system.

Scareware is also spread through spam emails which does the same thing, display fake threats and encourage people to buy useless services.

Ways to prevent such attacks

There are many different ways that you can use to prevent yourself from being a victim to social engineering. You can surely, prevent yourself from falling for these traps but having a strong mind presence will surely help you identify such threats.

  • Emails regarding your personal credentials and information are never really legitimate, if you get one, make sure to investigate before rushing to write a reply. If it isn’t from a known organization, delete it immediately
  • Increase the strength of your spam filters. Each and every email service provider lets you setup spam filters according to your preference. Some come with spam filters already on the highest settings. If not you can just configure one to stop receiving all this trash in your mailbox
  • Securing all your operational devices is always a plus. There is an anti-virus program for every platform that a device uses whether it be, Android, Windows, Mac or Linux. Installing one can keep you safe from unwanted malware
  • Keeping your operating system updated is recommended. Almost every OS releases updates once in a while to patch security vulnerabilities. You do not want to miss on such crucial updates

Most importantly, the malware errors or BSOD or even popups that tell you to contact their helpline are straight up lies. Remember, if your computer is infected with malware, your whole desktop would be disrupted not just the browser screen.

Tech giants will never ever contact you to try and fix your problem individually, due to the fact it’s very expensive and will take a lot of time. Instead, they release security updates to patch the vulnerabilities.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with


Published
Back to top