Study On Social Engineering Cyber Attacks


This study attempts to understand the importance of cybersecurity and how social engineering attacks affect the security of data and information systems. Social engineering attacks are the most prevalent cyber attacks in the present digital world. They affect the confidence of nations, investors, conglomerates and, above all, the common man.

In today’s era of digitization and automation, every business function invests in transformation and upgrades. Technical and technological innovations have changed the economy in many ways, and productivity has increased manifold. Different sectors of the economy have achieved rapid growth through digitization and economies of scale. The pandemic and today’s remote working have further accelerated the pace of this revolution. From remote auditing to performing compliance work remotely, professional firms have also gone reasonably digital. But it is equally important to understand the cyber security risks associated with this evolution. No doubt these technologies have made our everyday life easier, but they come coupled with several risks.

WHAT IS INFORMATION SECURITY?

ISACA, the international body concerned with information systems, defines information security as that which “ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and non-access when required (availability)”. Thus, information security is the set of systems, processes and mechanisms that protect information and systems from unauthorized access, modification and destruction.

Cybersecurity and information technology solutions have become increasingly important in our culture, business and economy as a whole. The enormous rise of digital connectivity has resulted in a significant increase in cyberattacks as we adopt new digital technology on an ongoing basis. The growing network complexity resulting from digital innovation typically creates new loopholes for cyber attackers, and successful attacks leave long-lasting economic and reputational damage to companies. To close these gaps, companies need strong cybersecurity programs.

CYBER ATTACKS

Cyber attacks are malicious and deliberate attempts by individuals or organizations to breach an information system. The attacker tries to gain some benefit from disrupting the victim’s network. Every attacker works with a different malicious intention and exploits the weaknesses of the system. Cyber threats resulting in an attack may aim to gain unauthorized access to, damage, disrupt or steal IT assets, or to gain privileged access to a computer network, intellectual property or any other form of sensitive data. Common cyber attacks include phishing attacks, password theft, virus or malware attacks, DoS, corporate espionage, social engineering etc. These threats may be natural or man-made (accidental or deliberate). Cyber crimes have increased several fold in recent times, and most of them are launched with ulterior motives.

SOCIAL ENGINEERING ATTACKS

What is social engineering?

Social engineering is an attack where the attacker relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices to gain unauthorized access to systems, networks or physical locations or for financial gain.

Threat actors use social engineering techniques to conceal their true identities and motives, presenting themselves as trusted individuals or information sources. The objective is to influence, manipulate or trick users into releasing sensitive information or access within an organization. Many social engineering exploits rely on people’s willingness to be helpful or fear of punishment. For example, the attacker might pretend to be a co-worker who has some kind of urgent problem that requires access to additional network resources. Social engineering is a popular tactic among attackers because it is often easier to exploit people than it is to find a network or software vulnerability. Hackers will often use social engineering tactics as a first step in a larger campaign to infiltrate a system or network and steal sensitive data or disperse malware.

How does social engineering work?

Social engineers use a variety of tactics to perform attacks. Following are the common attack points in social engineering:

  1. Malicious employees
  2. Weak passwords
  3. Compromised credentials
  4. Software vulnerabilities
  5. Poor encryption
  6. Ransomware
  7. Phishing
  8. Misconfigured devices
  9. Trust relationships
  10. Denial of Service attacks

STEPS IN SOCIAL ENGINEERING

Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim to gather the background information needed to proceed with the attack, such as potential points of entry and weak security protocols. One common tactic of social engineers is to focus on the behaviors and patterns of employees who have low-level but initial access, such as a security guard or a receptionist; attackers can scan social media profiles for personal information and study their behavior online and in person. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources. If the target is an enterprise, for instance, the hacker may gather intelligence on the organizational structure, internal operations, common lingo used within the industry and possible business partners, among other information. From there, the social engineer can design an attack based on the information collected and exploit the weaknesses uncovered during the reconnaissance phase.

If the attack is successful, the attacker gains access to confidential information, such as Social Security numbers and credit card or bank account information; makes money off the targets; or gains access to the organization’s protected systems or networks.

Social Engineering Attack Lifecycle

What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.

DIFFERENT SOCIAL ENGINEERING ATTACK TECHNIQUES

Social engineering attacks come in many different forms and can be performed anywhere human interaction is involved. The following are the most common forms of digital social engineering attacks.

Baiting

As the very name indicates, baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or infects their systems with malware.

The most important form of baiting uses physical media to disperse malware. For example, attackers leave the bait, typically malware-infected flash drives, in conspicuous areas where potential victims are certain to see them (e.g., washrooms, elevators, the parking lot of a targeted company, eateries etc.). The bait has an authentic look, such as a label presenting it as genuine. Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic malware installation on the system.

Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of baiting consist of enticing ads that lead to malicious sites or that encourage users to download a malware-infected application.

Scareware

Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived into thinking their system is infected with malware, prompting them to install software that has no real benefit (other than to the perpetrator) or is malware itself. Scareware is also referred to as deception software, rogue scanner software and fraudware.

A common scareware example is the legitimate-looking popup banner that appears in your browser while surfing the web, displaying text such as “Your computer may be infected with harmful spyware programs.” It either offers to install the tool (often malware-infected) for you, or directs you to a malicious site where your computer becomes infected. Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for users to buy worthless or harmful services.

Pretexting

Here an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform a critical task. The attacker usually starts by establishing trust with their victim by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority. The fraudster asks questions that are ostensibly required to confirm the victim’s identity, through which they gather important personal data.

All sorts of pertinent information and records are gathered using this scam, such as social security numbers, personal addresses and phone numbers, phone records, staff vacation dates, bank records and even security information related to a physical office or manufacturing plant.

Phishing

Phishing scams, one of the most popular social engineering attack types, are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. They then prod victims into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.

An example is an email sent to users of an online service that alerts them of a policy violation requiring immediate action on their part, such as a required password change. It includes a link to an illegitimate website, nearly identical in appearance to the legitimate one, prompting the unsuspecting user to enter their current credentials and a new password. On submission the information is sent to the attacker. A common local variant asks a bank customer to update the KYC details for bank accounts, credit cards etc. through fake links enclosed in the message. Given that identical or near-identical messages are sent to all users in a phishing campaign, detecting and blocking them is much easier for mail servers with access to threat sharing platforms.

Spear phishing

This is a more targeted version of the phishing scam, whereby an attacker chooses specific individuals or enterprises. They then tailor their messages based on characteristics, job positions and contacts belonging to their victims to make the attack less conspicuous. Spear phishing requires much more effort on behalf of the perpetrator and may take weeks or months to pull off. Such attacks are much harder to detect and have better success rates if done skillfully.

A spear phishing scenario might involve an attacker who, impersonating an organization’s IT consultant, sends an email to one or more employees. It is worded and signed exactly as the consultant normally does, thereby deceiving recipients into thinking it is an authentic message. The message prompts recipients to change their password and provides a link that redirects them to a malicious page where the attacker captures their credentials.

Whaling

A specific type of phishing attack, a whaling attack targets high-profile employees, such as the chief financial officer or chief executive officer, to trick the targeted employee into disclosing sensitive information.

Vishing

Also known as voice phishing, vishing involves the use of social engineering over the phone to gather financial or personal information from the target.

Watering hole

The attacker attempts to compromise a specific group of people by infecting websites they are known to visit and trust, with the goal of gaining network access.

Diversion theft

In this type of attack, social engineers trick a delivery or courier company into going to the wrong pickup or drop-off location, thus intercepting the transaction.

Quid pro quo

This is an attack in which the social engineer pretends to provide something in exchange for the target’s information or assistance. For instance, a hacker calls a selection of random numbers within an organization and pretends to be a technical support specialist responding to a ticket. Eventually, the hacker will find someone with a legitimate tech issue whom they will then pretend to help. Through this interaction, the hacker can have the target type in the commands to launch malware or can collect password information.

Honey trap

In this attack, the social engineer pretends to be an attractive person to interact with a person online, fake an online relationship and gather sensitive information through that relationship.

Tailgating

Sometimes called piggybacking, tailgating is when a hacker walks into a secured building by following someone with an authorized access card. This attack presumes the person with legitimate access to the building is courteous enough to hold the door open for the person behind them, assuming they are allowed to be there.

Rogue security software

This is a type of malware that tricks targets into paying for the fake removal of malware.

Ransomware

This is malicious software designed to block access to a computer or database until a sum of money is paid.

Dumpster diving

This is a social engineering attack whereby a person searches a company’s trash to find information, such as passwords or access codes written on sticky notes or scraps of paper, that could be used to infiltrate the organization’s network.

Pharming

With this type of online fraud, a cyber criminal installs malicious code on a computer or server that automatically directs the user to a fake website, where the user may be tricked into providing personal information.

Famous social engineering attacks which happened around us in the recent past

Perhaps the most famous example of a social engineering attack comes from the legendary Trojan War in which the Greeks were able to sneak into the city of Troy and win the war by hiding inside a giant wooden horse that was presented to the Trojan army as a symbol of peace.

In more modern times, Frank Abagnale is considered one of the foremost experts in social engineering techniques. In the 1960s, he used various tactics to impersonate at least eight people, including an airline pilot, a doctor and a lawyer. Abagnale was also a check forger during this time. After his incarceration, he became a security consultant for the Federal Bureau of Investigation and started his own financial fraud consultancy. His experiences as a young con-man were made famous in his best-selling book Catch Me If You Can and the movie adaptation from Oscar-winning director Steven Spielberg.

Once known as “the world’s most wanted hacker”, Kevin Mitnick persuaded a Motorola worker to give him the source code for the MicroTAC Ultra Lite, the company’s new flip phone. It was in 1992, and Mitnick, who was on the run from police, was living in Denver under an assumed name. At the time, he was concerned about being tracked by the federal government. To conceal his location from authorities, Mitnick used the source code to hack the Motorola MicroTAC Ultra Lite and then sought to change the phone’s identifying data or turn off the ability for cell phone towers to connect to the phone.

To obtain the source code for the device, Mitnick called Motorola and was connected to the department working on it. He then convinced a Motorola employee that he was a colleague and persuaded that worker to send him the source code. Mitnick was ultimately arrested and served five years for hacking. Today, he is a multimillionaire and the author of a number of books on hacking and security. A sought-after speaker, Mitnick also runs cybersecurity company Mitnick Security.

A more recent example of a successful social engineering attack was the 2011 data breach of security company RSA. An attacker sent two different phishing emails over two days to small groups of RSA employees. The emails had the subject line “2011 Recruitment Plan” and contained an Excel file attachment. The spreadsheet contained malicious code that, once the file was opened, installed a backdoor through an Adobe Flash vulnerability. While it was never made clear exactly what information was stolen, if any, RSA’s SecurID two-factor authentication (2FA) system was compromised, and the company spent approximately $66 million recovering from the attack.

In 2013, the Syrian Electronic Army was able to access the Associated Press’ (AP) Twitter account by including a malicious link in a phishing email. The email was sent to AP employees under the guise of being from a fellow employee. The hackers then tweeted a fake news story from AP’s account that said two explosions had gone off in the White House and then-President Barack Obama had been injured. This garnered such a significant reaction that the Dow Jones Industrial Average dropped 150 points in 5 minutes.

Also in 2013, a phishing scam led to the massive data breach of Target. A phishing email was sent to a heating, ventilation and air conditioning subcontractor that was one of Target’s business partners. The email contained the Citadel Trojan, which enabled attackers to penetrate Target’s point-of-sale systems and steal the information of 40 million customer credit and debit cards. That same year, the U.S. Department of Labor was targeted by a watering hole attack, and its websites were infected with malware through a vulnerability in Internet Explorer that installed a remote access Trojan called Poison Ivy.

In 2015, cyber criminals gained access to the personal AOL email account of John Brennan, then the director of the Central Intelligence Agency. One of the hackers explained to media outlets how he used social engineering techniques to pose as a Verizon technician and requested information about Brennan’s account with Verizon. Once the hackers obtained Brennan’s Verizon account details, they contacted AOL and used the information to correctly answer security questions for Brennan’s email account.

CYBER CRIMES IN INDIA

The advent of Digital India and Smart City initiatives has brought about a paradigm shift in terms of connectivity, services and threats for both urban and rural ecosystems. While greater connectivity promises wider deliverables, it also paves the way for more vulnerabilities. Leading companies in various sectors are targeted by new-age cyber criminals. According to National Crime Records Bureau data, there was a huge increase of 63.5% in cyber crime cases in India in 2019 as against 2018. According to a recent study conducted by technology major IBM, India was the second most targeted country in the Asia-Pacific region for cyber crimes, with a 7% share of such incidents globally. As per the report, ransomware attacks that block access to one’s personal files or data were the most rampant cyber crime, accounting for 40% of all attacks.

Some of the major cyber attacks that took place in recent times:

  • May 2017: the personal data of 17 million Zomato users was stolen by a hacker.
  • June 2017: the container handling functions at J Nehru Port Trust at Mumbai, operated by a Danish firm, were hit by ransomware.
  • January 2018: personal information of 1.1 billion citizens was stolen through the UIDAI data breach.
  • July 2018: fraudsters used skimming devices on Canara Bank ATMs to steal debit-card holders’ information and swindled Rs. 20 lacs from different banks.
  • August 2018: personal data of 17 million Cosmos Bank users was stolen.

IMPACT OF CYBER ATTACKS

Cyber threats, cyberattacks and cyber risks are interrelated. A cyber threat is the possibility of a particular attack; a cyberattack is the offensive action itself; and the cyber risk associated with a threat estimates the probability of the potential losses that may result, such as reputation loss, financial loss, business closure, litigation etc.

SOCIAL ENGINEERING PREVENTION

Social engineers manipulate human feelings, such as curiosity or fear, to carry out schemes and draw victims into their traps. Therefore, be wary whenever you feel alarmed by an email, attracted to an offer displayed on a website, or when you come across stray digital media lying about. Being alert can help you protect yourself against most social engineering attacks taking place in the digital realm.

The following tips can help improve your vigilance in relation to social engineering hacks.

  • Don’t open emails and attachments from suspicious sources – If you don’t know the sender in question, you don’t need to answer the email. Even if you do know them and are suspicious about their message, cross-check and confirm the news from other sources, such as by telephone or directly from the service provider’s site. Implement secure email and web gateways to scan emails for malicious links and filter them out, reducing the likelihood that a staff member will click on one. Remember that email addresses can be spoofed, so even an email purportedly coming from a trusted source may actually have been initiated by an attacker. Implement spam filters to determine which emails are likely to be spam. A spam filter might keep a blacklist of suspicious Internet Protocol addresses or sender IDs, detect suspicious files or links, and analyze the content of emails to determine which may be fake.
  • Use multi-factor authentication – One of the most valuable pieces of information attackers seek is user credentials. Using multi-factor authentication helps protect your account in the event of a compromise.
  • Be wary of tempting offers – If an offer sounds too tempting, think twice before accepting it as fact. Googling the topic can help you quickly determine whether you’re dealing with a legitimate offer or a trap.
  • Keep your antivirus/anti-malware software updated – Make sure automatic updates are enabled, or make it a habit to download the latest signatures first thing each day. Periodically check that the updates have been applied, and scan the system for possible infections.
  • Make sure information technology departments regularly carry out penetration testing that uses social engineering techniques. This helps administrators learn which types of users pose the most risk for specific types of attacks, while also identifying which employees require additional training.
  • Start a security awareness training program, which can go a long way toward preventing social engineering attacks. If users know what social engineering attacks look like, they will be less likely to become victims. Phishing, social engineering, password hygiene and secure remote work practices are essential cybersecurity training topics.
  • Keep track of staff members who handle sensitive information, and enable advanced authentication measures for them. Implement two-factor authentication (2FA) for access to key accounts, e.g., a confirmation code via text message or voice recognition.
  • Ensure employees don’t reuse the same passwords for personal and work accounts. If a hacker perpetrating a social engineering attack obtains the password for an employee’s social media account, they could also gain access to the employee’s work accounts.
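As an added illustration of the checks described in the phishing section above and in the spam-filter bullet (example code written for this page, not part of the original study), the following Python scores a raw email with a few of those heuristics: a sender domain that is a lookalike of a trusted one, a Reply-To that differs from the sender, urgency wording, and link text that shows one domain while the href points to another. The trusted domains, phrases, score weights and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list of sender domains the organisation trusts (assumption).
TRUSTED_DOMAINS = {"example-bank.com", "corp.example"}
# Urgency and fear phrases of the kind the page says phishing relies on.
URGENCY_PHRASES = ("immediate action", "account suspended", "verify your",
                   "update your kyc", "within 24 hours")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a, b):
    """Levenshtein distance; catches lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain: last two labels (no public-suffix list)."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(domain):
    """Untrusted domain within two edits of a trusted one."""
    return domain not in TRUSTED_DOMAINS and any(
        edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def header_domain(msg, name):
    """Registrable domain of the address in the given header (or '')."""
    return registrable(parseaddr(msg.get(name, ""))[1].split("@")[-1])


def score_email(raw):
    """Score a raw RFC 822 message: higher means more phishing-like."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    sender = header_domain(msg, "From")
    reply = header_domain(msg, "Reply-To") if msg.get("Reply-To") else sender
    if is_lookalike(sender):
        score += 3
        reasons.append(f"sender domain {sender} resembles a trusted domain")
    if reply != sender:
        score += 2
        reasons.append(f"Reply-To domain {reply} differs from sender domain")
    # Collect the subject plus every text/plain and text/html MIME part.
    text = msg.get("Subject", "") + "\n"
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text += part.get_payload(decode=True).decode("utf-8", "replace")
    hits = [p for p in URGENCY_PHRASES if p in text.lower()]
    if hits:
        score += len(hits)
        reasons.append("urgency language: " + ", ".join(hits))
    # Anchor text showing one domain while the href points somewhere else.
    for href, anchor in LINK_RE.findall(text):
        target = registrable(urlparse(href).hostname or "")
        shown = re.sub(r"<[^>]+>", "", anchor).strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if "." in shown_host and registrable(shown_host) != target:
            score += 3
            reasons.append(f"link text shows {shown_host} but href goes to {target}")
        elif is_lookalike(target):
            score += 3
            reasons.append(f"link to lookalike domain {target}")
    return score, reasons


# Constructed sample messages, not real mail.
PHISHING_EMAIL = """\
From: Example Bank <alerts@examp1e-bank.com>
Reply-To: support@mail-verify.test
Subject: Immediate action required
Content-Type: text/html; charset=utf-8

<p>Your account suspended until you update your KYC within 24 hours.</p>
<a href="http://login.examp1e-bank.com/kyc">https://www.example-bank.com/kyc</a>
"""

LEGIT_EMAIL = """\
From: HR <hr@corp.example>
Subject: Monthly newsletter
Content-Type: text/plain; charset=utf-8

The canteen menu for next month is on the intranet page.
"""
```

A gateway would combine such signals with sender reputation feeds and attachment sandboxing; the score here only ranks messages for review.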

HOW TO PROTECT DATA IN OFFICES?

To summarize, the following simple practices are effective for safeguarding from cyberattacks and associated risks.

  1. Password management – ensure that passwords are strong and secure; use multi-factor authentication wherever possible.
  2. Change passwords regularly and do not share them.
  3. Secure Wi-Fi devices and be careful while using public wireless networks.
  4. Avoid online transactions while using public or complimentary Wi-Fi.
  5. Never leave your personal information physically unattended.
  6. Restrict guest access to the internet only, not to the entire IT infrastructure of your office. A separate Wi-Fi profile can be created for this.
  7. Provide system access only on a need-to-know, need-to-do basis.
  8. Review access privileges from time to time.
  9. Download and install programs only from trusted sources.
  10. Use only licensed versions of software, as free software can lead to other complications.
  11. Make sure that all mobile devices, operating systems and software are at the latest updated versions.
  12. Use only legitimate and genuine antivirus licenses, with the auto-update option enabled.
  13. Don’t use USB or external hardware devices from unknown sources; block USB usage generally and allow it only on dedicated machines, for digital signature purposes and encrypted USB drives.
  14. Prefer sharing data only over encrypted channels such as secure file transfer protocols or secure cloud applications.
  15. Be careful while sharing personal data on social media – keep personal information private and confidential, and know the people you interact with online.
  16. Disable location sharing and third-party access to profiles, and regularly verify privacy controls.
  17. Use a spam filter for your email and use email carefully – be careful while downloading attachments or opening links received in emails, as they might be phishing attempts.
  18. Prefer automated backups in addition to external hard disks for backups.
  19. Where employees are permitted to use their own devices, it is highly recommended to perform a thorough check before giving them access, to ensure that the laptop is genuine and antivirus software is installed.
  20. A declaration may be taken from employees regarding the careful usage of data and adherence to office policies.

CONCLUSION – NEED FOR INTELLIGENCE IN SECURITY & CYBER THREAT INTELLIGENCE

Gathering discrete bits of information from various sources and putting them together into a coherent picture of potential threats to data, systems or applications enables organizations to prevent or mitigate cyber attacks, and is therefore very important. The information collected should point to the tools and techniques a malicious attacker might have deployed during exploitation. Analysis of this information should help identify known vulnerabilities and produce a dynamic plan to prevent or mitigate attacks, using tools and techniques similar to a perpetrator’s. Cyber threat intelligence is the proactive process of gathering information, from various sources, about an organization’s systems and processes that may be at risk due to weaknesses in internal controls, and about the likelihood of those vulnerabilities being exploited. This data is then analyzed to gain better insight into potential threats, and it can help build effective defensive mechanisms to mitigate risks that could damage or compromise systems. For most organizations, a few of the trending threats may be uncontrollable or impossible to identify during the initial assessment. Strong pre-existing defense mechanisms can overcome many of these attacks. Organizations must also be informed of the risks of targeted attacks and advanced persistent threats, and of how to deploy countermeasures to protect against them.

There are many proactive approaches that can be put in place, such as:

  1. Awareness programmes for cyber security team members, through blogs, professional associations, conferences etc., about current trends in cyber security, so that they can swiftly adopt the tools and techniques needed to counter each of them.
  2. Threat assessments performed at regular intervals to assess the existing environment and the impact on systems if compromised, and to choose the best approach to protect the system against each specific threat.
  3. Wearing the hat of a hacker while conducting penetration testing, modelling real-world threats to discover vulnerabilities.

These approaches not only prevent incoming threats but also help mitigate the vulnerabilities present in the existing environment. This exercise must be dynamic in nature, scaled to the size of the organization. The significance of cyber security is undeniable across all domains of our everyday life, considering the pace of digitization. Cyber security risk management is important for professionals, industries and the economy as a whole. The administration of cybersecurity audits is a crucial component of a good cybersecurity mechanism. Organizations should detect the gaps in their cyber security infrastructure by conducting frequent cybersecurity audits, to ensure protection of information and data. However, challenges such as lack of top management support, lack of a comprehensive cyber law framework, lack of specialists to tackle cyber attacks, a weak reporting culture, poor infrastructure, delay in examination of reported cases, data wiping and poor recovery mechanisms are the bottlenecks we face while countering cyber attacks.


BIBLIOGRAPHY & REFERENCES

  1. https://www.ISACA.org
  2. https://www.newindianexpress.com
  3. Abomhara M & Køien G M (2015), “Vulnerabilities, Threats, Intruders and Attacks”, Journal of Cyber Security.
  4. Manoj K S (2021), “Holistic Approach to Cyber Security: Tools to Mitigate Cyber Risk”, International Journal of Advanced Research in Engineering and Technology.
  5. “A Study on Cybercrime and Cyber Criminals – A Global Problem”, International Journal of Web Technology (June 2015).
  6. Specops (2020), “The countries experiencing the most ‘significant’ cyberattacks”, https://www.specopssoft.com
  7. https://www.bankinfosecurity.com
  8. https://portswigger.net/recent cyberattacks
