
Best Way To Get Your Password: Social Engineering

In 2003, eBay users received an email saying that their accounts were about to be suspended unless they updated their credit card information. The attacker had set up a similar-looking website to trick users into believing they were accessing the legitimate one. A number of people had their credit card information compromised. The information was obtained without the hacker even trying to crack eBay's servers.

Hello there buddy. I just need your credit card information.

In 2012, a hacker at a devcon event tried to hack a Wal-Mart executive in just 20 minutes. He obtained detailed information about the executive within that time span using only his social engineering skills and a few technical tools of the trade. The executive was compromised when he took a phone call and gave out all the information the hacker needed: the computer's OS version, web browser version and antivirus software. Finally, he was asked to fill out an online survey form, which completed the exploit. This was done at devcon with hundreds of people watching the attack as it happened.


Yes Sir, please click that link. Thank you very much. We're done.

These attacks were carried out by hackers who had no direct access to the system's servers. This method is by far easier and more practical because it gives the hacker broader access to the victim's profile, which may directly relate to how he or she secures an online identity. Cracking a system with hacking tools may take time and, at worst, may not even succeed.

One of the greatest hackers of all time, Kevin Mitnick (who later became a security consultant), was at one time the most wanted man in America. He gained unauthorized access to various networks and systems by using his social engineering skills. He believed that the weakest link in computer security is the human element.

In order to protect yourself from such attacks, you must first know thy enemy.


Commonly Used Social Engineering Techniques

Phishing
A method of acquiring usernames, passwords, credit card information, etc. by sending fraudulent emails to users and redirecting them to an illegitimate website that collects personal information from them.

Quid Pro Quo
It means "something for something."

  • An attacker calls random numbers at a company, claiming to be calling back from technical support. Eventually this person will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and, in the process, have the user type commands that give the attacker access or launch malware.
  • In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen. Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.

Baiting
This is also known as the physical or real-world Trojan horse. It uses physical media such as USB drives, CDs and other removable drives as an attack vector. This kind of attack relies heavily on malware and other malicious code to carry out its goal. It may also trigger a wave of infection, affecting a large number of victims in a short span of time.

Now that we know the enemy, we can protect ourselves from the threat.


Yes we can put him out of work.

How To Protect Yourself From Social Engineering Attacks

Password
  • Create a strong and unique password by using combinations of upper and lowercase letters, characters and numbers. 
  • Do not use easy-to-guess passwords such as your dog's name or your mother's maiden name.
  • Do not use the same password for multiple sites.
Browser Security
  • Always log out of devices which you do not own.
  • Regularly update your web browsers. Vendors release updates regularly to patch flaws that malicious exploits rely on.
  • Always look for HTTPS when logging in to websites that require personal information.
  • Do not click on unfamiliar links.
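
The phishing description and the HTTPS and unfamiliar-link advice above can be turned into an automated check on the links inside an email. The following is an added example, not code from the original post; the trusted-domain list, the warning names and the sample email are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"ebay.com"}  # assumption: sites the recipient really has accounts with
SAMPLE_EMAIL = (  # constructed sample modelled on the "account suspended" lure
    "<p>Your account will be suspended unless you update your card.</p>"
    '<a href="http://signin.ebay-accounts.example/update">https://signin.ebay.com</a> '
    '<a href="https://www.ebay.com/help">Help</a>'
)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def site(host):
    # Simplification: last two labels. Production code needs the Public Suffix List.
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])

def check_link(href, text):
    """Return warnings for one link; an empty list means nothing was flagged."""
    url = urlsplit(href)
    host, warnings = url.hostname or "", []
    if url.scheme != "https":
        warnings.append("not-https")
    if site(host) not in TRUSTED:
        warnings.append("unfamiliar-domain")
        if any(t.split(".")[0] in host for t in TRUSTED):
            warnings.append("brand-in-untrusted-host")
    # Visible text that looks like a URL but names a different site than the href.
    if text and " " not in text and "." in text:
        shown = urlsplit(text if "://" in text else "//" + text).hostname
        if shown and site(shown) != site(host):
            warnings.append("text-href-mismatch")
    return warnings

def scan_email(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

Calling `scan_email(SAMPLE_EMAIL)` flags the first link on all four checks and leaves the genuine help link clean. HTTPS alone proves nothing about who runs a site, which is why the domain checks run regardless of the scheme.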
Computer Security
  • Regularly scan your computer for viruses.
  • Do not install unfamiliar applications, which may execute malicious code on your operating system.
  • Unless you know what you are doing, steer away from pirated software.
  • Do not entrust the security of your computer to strangers.
  • Trust only certified technicians when it comes to your PC's maintenance or repair.
Remember, with a little bit of common sense and technical know-how, you can protect yourself from malicious hackers who exploit the human weakness in order to get personal information for their own gains.

Copyright © 2011. Trivia Mania - All Rights Reserved