SHREE LEARNING ACADEMY

Social Engineering | The Science of Human Hacking

Social engineering is a method of exploitation that preys on the tendencies and actions of humans rather than on flaws in technology. The two main forms of social engineering attack are convincing individuals to disclose confidential information and persuading them to carry out an unauthorized action. For instance, social engineering is at work when the victim is deceived into trusting the authenticity of an email they receive (such as a hoax), believing that the person on the phone has authority and must be obeyed (such as fake tech support or a supposed offsite manager), or accepting the claimed identity of someone physically present (such as a false AC repair technician). In most cases, the attacker's aim is to gain access to a secure environment or to cause information leakage.

Advertising, in essence, can be perceived as a type of social engineering attack because it aims to entice individuals to buy or use a product or service. However, while advertising is motivated by profit, most social engineering attacks have more malicious objectives. In fact, with the availability of advanced technology, hackers can now employ sophisticated methods to achieve their social engineering goals.

The Social Engineering Toolkit (SET) is a tool utilized for advanced attacks targeting the human element. Its purpose, as described on the http://social-engineer.org website, is to integrate with the Metasploit framework to enable attackers to gain control of a remote computer by luring their intended target into clicking on a pop-up or similar form of bait.

To illustrate, imagine a gamer who is playing the latest popular online game. Suddenly, a pop-up appears claiming that there is temporary internet congestion and offers the user two options: "Stay Online" if the performance is deemed acceptable, or "Reconnect". Regardless of which option is chosen, the attacker's code is executed, potentially resulting in system exploitation. This type of attack is classed as social engineering because it relies on the user's interaction: the pop-up does nothing until the victim chooses to click it.

Examples

Below are a few typical examples of social engineering attacks:

  • An employee receives an email alerting them to a new virus that is rapidly spreading online. The email instructs the employee to locate a specific file on their computer and delete it, alleging that the file indicates the presence of the virus. In many cases, however, this file is critical to the system's operation.
  • A website purports to provide temporary free access to its products and services, but downloading the access software requires modifications to the web browser and/or firewall.
  • A secretary answers a phone call from an individual who identifies themselves as a client and apologizes for being late to their scheduled meeting with the CEO. The caller requests the private cell phone number of the CEO to contact them directly.
  • An external call is made to the helpdesk, where the caller identifies themselves as a department manager currently attending a sales meeting in a different city. The caller states that they have forgotten their password and require a reset to access the system remotely and download an important presentation.
  • An individual resembling an AC repair technician enters the office and asserts that a service request was made for a defective unit within the building. The individual is confident that the unit can be accessed from the office work area and requests unrestricted access to repair the AC system.
  • You get a call from an unknown number from a person claiming to be a senior manager. The caller asks for an important document to be sent urgently over WhatsApp because he or she supposedly has no access to email at the moment.
  • A sudden pop-up demands that the user make some kind of selection.

These examples are merely a handful of potential social engineering attacks. While they could be genuine, they illustrate how an attacker might conceal their intentions and objectives.

Some solutions

To safeguard against social engineering, the following measures can be taken:

  • Educating personnel on social engineering attacks and how to recognize their typical indicators.
  • Mandating authentication of the caller before personnel perform any phone-based activity.
  • Defining which confidential information is prohibited from being conveyed over the phone.
  • Verifying the credentials of maintenance personnel and confirming that a genuine service request was made by authorized individuals.
  • Not following email instructions until the information has been confirmed with a minimum of two separate and reliable sources.
  • Exercising vigilance at all times when interacting with unfamiliar or unknown individuals, whether in person, over the phone, or through the internet/network.

Conclusion

Social engineering can prove to be a real disaster for an organization. No technical product can save you if you are the one granting access to the attacker. The most effective strategy to thwart social engineering attacks is user education and awareness training. Users can heighten their ability to detect social engineering attempts by maintaining a healthy level of skepticism and suspicion. The training program should include role-playing exercises and a wide range of scenarios demonstrating the different forms a social engineering attack can take.
