In this blog post, we look at what social engineering is, the types of social engineering attacks, and related topics, and summarize the overall picture.
Introduction
Social engineering is the art of exploiting human psychology, rather than technical
hacking methods, to gain access to confidential data, sensitive information, buildings,
secret passwords, banking details, etc.
It is one of the few types of attacks that
can generally be classified as non-technical, but it can also be
combined with technical malicious attacks such as Trojans and spyware.
With the help
of social engineering, attackers can easily manipulate people into handing over confidential data
and private information that is useful to them.
As technology spreads further
day by day, most business organizations and banks rely on
technology such as the internet and smartphones to carry out their work and
transactions.
Organizations invest huge amounts of money in
hardware and software security tools, but a naïve employee, the weakest factor in any
organization or institute, can provide all the information an attacker wants without the
attacker going to the trouble of hacking the system.
Social engineering is difficult to handle because it is an unexpected way of breaching a system: it relies heavily on trickery and psychological manipulation rather
than on technical exploitation, so technical countermeasures alone do not stop it.
Creative and clever social
engineers use many different techniques to deliver malicious software, commit fraud,
gain confidential information, and access secure systems.
Social engineering attacks
have increased rapidly, resulting in great financial losses over the past few years.
According to the U.S. Department of Justice, social engineering attacks are among the most dangerous
threats in the world.
In 2016, the cyber security analytics company Cyence
stated that the U.S.A. was the country most targeted by social engineering attacks
and had the highest attack cost, followed by Germany and Japan; the estimated cost of
these attacks in the U.S. was $121.22 billion. Equifax, a consumer credit reporting and
monitoring agency that aggregates data on individuals and business consumers to
monitor their credit history and prevent fraud, was hacked over several months, during which private
and confidential data were stolen; attackers accessed the personal information of 145.5
million American consumers in 2018.
The U.S.
Federal Bureau of Investigation (FBI) reported an increase in CEO fraud and email scams
in which attackers pretended to be the boss of employees working at a certain company
and asked the employees to transfer funds to the attacker's account; through this
impersonation, companies lost more than $2.3 billion.
The threat of social engineering has grown along with networks and social
media, and it has received increasing attention over the past few years.
Categories of Social Engineering
Social engineering attempts can be classified into two types, human-based
attempts and computer/technology-based attempts, which are described below:
Human-based
In a human-based attack, the attacker carries out the attack in person, interacting
with the target to collect the required information.
Such attempts therefore
affect a limited number of victims; they exploit the natural human inclination to be helpful and
liked.
Computer/technology-based
These attacks are carried out with the help of a mobile device or computer to obtain
information from the victim, and they can claim many victims in just a few seconds.
The Social
Engineering Toolkit is one of the tools used to perform these types of attacks.
The
approach is to deceive the victim into believing that he/she is
interacting with a real computer system that will provide the
information he/she needs.
Types of Social Engineering Attacks
There are various types of social engineering attacks, which are described briefly below:
• Phishing
Phishing is the technique of fraudulently obtaining confidential information
from intended targets through channels such as phone calls or emails.
It is the most common
attack conducted by social engineers.
To obtain confidential information, the attacker misleads people and turns them into victims.
Phishing can be done through
emails, ads, fake websites, fake PayPal websites, awards, free offers, fake calls, etc., for example a call or an email from a fake lottery department announcing a prize
of a huge sum of money and requesting private information or a click on a link
attached to the email.
The requested data can be credit card details, insurance data,
mother's/father's name, date of birth, etc., which is then used to log in to private
accounts such as online banking or other services.
• Dumpster Diving
The practice of going through the trash of private
individuals or companies to collect discarded items such as documents, papers, and hardware that contain sensitive information, which can then be used to compromise
a system or a specific user account.
• Shoulder Surfing
The technique of directly observing someone to collect personal information, typically
used to obtain authentication data, for example by looking over someone's shoulder
at their screen or keyboard.
• Baiting
Baiting is an attack in which a malware-infected storage medium is left in a location
where it is likely to be found by the targeted victims, who may naively plug it into their
system.
Current Scenario
Due to the COVID-19 pandemic, everyone has had to work from home during
the lockdown, and because everyone now relies on technology to work from home, this has made it
easier for hackers to obtain private and confidential information.
The COVID-19 pandemic has increased the cybercrime rate by up to 600%.
According
to research and surveys compiled from cyber security statistics, 98% of cyber attacks rely on social engineering, 43% of IT professionals were
targeted by social engineering in the past year, and 21% of current or former employees
use social engineering for financial gain, for revenge on their employer, out of
curiosity, or just for fun.
Breach incidents by type were recorded as follows:
• 65% identity theft
• 17% account access
• 13% financial access
• 4% nuisance
• 1% existential data
Breach incidents by source were recorded as follows:
• 56% malicious outsider
• 34% accidental loss
• 7% malicious insider
• 2% hacktivist
• 1% unknown
Lastly, the number of records breached by industry was recorded as follows:
• social media: 2.5 billion records (56%)
• government: 1.2 billion records (27%)
• other organizations and industries: 380 million records (8%)
• retail: 186 million records (4%)
• technology: 171 million records (4%)
Background
Literature Survey
The evolution of phishing began on January 2, 1996, in a Usenet
newsgroup called AOHell, where phishers turned their attention to online payment
systems.
The first phishing attack was performed against E-Gold in June 2001; it was not
successful but left an important impact.
Later, in 2003, phishers registered dozens
of domains that looked like legitimate sites such as eBay and PayPal, and used
email worm programs to deliver spoofed emails to PayPal users, who were led to spoofed
sites to update their credit card details and personal information, giving the attackers access to their
accounts.
In 2004, attackers successfully attacked banking sites and various organizations, stealing private information and confidential
data.
Attackers also used pop-up windows to obtain sensitive information from
their victims.
Between May 2004 and May 2005, around
$929 million was lost to phishing attacks by 1.2 million users in the U.S.
Organizations lose $2 billion per year to phishing attacks.
According to Intel
Security, 97% of users are unable to identify a sophisticated phishing email. In
2007, $3.2 billion was lost to phishing attacks.
In 2018, a new type
of phishing kit was discovered on the Dark Web which enables anyone who
downloads it to easily produce convincing emails and launch a phishing site that collects
the private and financial information of unsuspecting targets.
In 2019, a new type of attack emerged known as vendor email compromise,
a variety of business email compromise (BEC) attack or CEO fraud.
The attack
tricked suppliers' customers into paying fake invoices, and vendor email compromise
affected nearly 500 organizations globally in 2019.
In 2020, phishing emails
related to COVID-19 were popular, with themes including working from home, Netflix
scams, fines for leaving quarantine, and many more; these affected a number of
people, who became victims of the attacks and suffered huge losses of money and
confidential information.
Electronic Transaction Act 2063
The Electronic Transaction Act governs transactions of electronic records and data carried out by
electronic means; it covers electronic records and valid digital
media and the exchange of all types of records held in electronic form.
According to Section 44 of the ETA, any person who knowingly or with bad
intention pirates, destroys, or alters computer source code used for any
computer system, computer program, or computer network faces a
maximum of three years' imprisonment, a fine of two hundred thousand rupees, or both.
According to Section 45, it is illegal to access
computer materials without the owner's permission; Section 46 states that it is illegal to
damage or alter the information in any computer system; and Section 52 of the act makes it
illegal to commit computer fraud, such as creating a fake digital signature or altering the balance
of anyone's account, punishable by three years' imprisonment, a fine of one hundred
thousand rupees, or both, depending on the crime committed.
The above act can be seen as either a merit or a demerit depending on the situation in
ethical hacking.
On the merit side, it helps hackers stay within boundaries
and perform activities according to the rules stated by the country, and it helps
prevent them from committing any type of unethical or illegal activity.
The demerit of this act for the hacker is that, while carrying out a hacking
operation, one may have to cross the line and carry out an operation the act does not permit.
For
example, a black hat hacker does not follow any rules and regulations and
performs illegal operations.
So, in order to stop those illegal operations, white hat hackers
may need to break the rules to prevent such things from happening.
Conclusion
As technology advances rapidly, the risks and threats in cybersecurity are
increasing at the same rate.
The most commonly used cyberattacks are social engineering
techniques.
Social engineering and phishing techniques are easy to deploy because they use
human manipulation and technological deception.
Phishing can never be removed
permanently, but it can be reduced through a combination of user education, applied safeguards, and
server-side measures.
Different tips can be applied, such as not clicking on everything that
arrives by email, not opening attachments from unknown or unexpected sources,
not opening links from an unknown sender, and checking URLs
to verify their authenticity.
The most important thing is being educated about and
aware of these types of attacks, strengthening cyber security defenses, hardening the
human firewall, and conducting cyber awareness training to help decrease the
number of phishing and social engineering cases.
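As an added example that is not part of the original post, the following Python script turns the "check URLs to verify authenticity" tip into concrete heuristics, aimed at the lookalike-domain trick described in the literature survey (spoofed eBay and PayPal sites): it flags typosquats, brand names buried inside an untrusted domain, punycode labels, raw IP hosts, and credentials hidden before an @. The allowlist, the sample URLs and the helper functions are all constructed for this example.

```python
import re
from urllib.parse import urlparse
# Constructed allowlist: the genuine domains of the brands the reader actually uses.
TRUSTED_DOMAINS = {"paypal.com", "ebay.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of the host (a simplification that is fine for .com-style names)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def phishing_indicators(url: str) -> list:
    """Return the red flags found in a URL; an empty list means none of these heuristics fired."""
    reasons = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        reasons.append("not https")
    if parsed.username is not None:
        reasons.append("credentials before @ hide the real host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph domain)")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return reasons  # genuine brand domain; the flags above may still apply
    squashed = host.replace("-", "").replace(".", "")
    for brand in TRUSTED_DOMAINS:
        name = brand.split(".")[0]
        if name in squashed:
            reasons.append(f"brand name '{name}' inside untrusted domain {reg}")
        elif edit_distance(reg, brand) <= 2:
            reasons.append(f"domain {reg} is a near-match for {brand}")
    return reasons

if __name__ == "__main__":
    # Constructed sample URLs, not real indicators.
    for sample in ("https://www.paypal.com/signin", "https://paypa1.com/login",
                   "https://secure-paypal.com.evil.net/update", "http://203.0.113.5/login"):
        print(sample, "->", phishing_indicators(sample) or "no red flags")
```

These heuristics are deliberately simple and only reduce risk; a genuine link can still fail a check (e.g. a brand hosted on a regional domain), so treat a flag as a reason to verify through a known-good channel rather than as proof of fraud.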