All You Need To Know About Social Engineering Attacks:
As we knew Social engineering it’s one of the must powerful attacks that many Hackers use.
It is somehow shocking the first time one hears about “social engineering“. At least it was shocking for me. Hacking is thought of as an activity pursued solely, nocturnally, relentlessly, for hour after midnight hour, by some dazed and nerdish character banging away at a computer keyboard in feverish pursuit of that single golden word which will grant access to the technological secrets of the universe.
That is how it was at some point in the past, until it became impractical. Those brute force methods are certainly valid, and they are the bread and butter of any well-stocked hacker’s arsenal. But there are other ways to learn pass-words; social engineering is one of them.
Not only computers have fails Humans too and Hackers know that:
“Computer crimes deal with people to a far greater degree than they deal with technology.”Donn B. Parker
Understanding Social Engineering Attacks:
Social Engineering comes from two words, social and engineering, where social refers to our day-to-day lives which includes both personal and professional lives; while engineering means a defined way of performing a task by following certain steps to achieving the target.
“Social engineering” is the attempt to talk a lawful user of the system into revealing all that is necessary to break through the security barri-ers. The alternate term for this is “bullshitting the operator.”
Social engineering is a term that describes a nontechnical intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.
The Oak Ridge National Laboratory was forced to terminate the Internet connection for their workers after the federal facility was hacked. According to Thomas Zacharia, Deputy Director of the lab, this attack was sophisticated and he compared it with the advanced persistent threat that hit the security firm RSA and Google last year. The attacker used Internet Explorer to perform zero-day vulnerability to breach the lab’s network. Microsoft later patched this vulnerability in April, 2012. The vulnerability, described as a critical remote-code execution vulnerability, allows an attacker to install malware on a user’s machine if he or she visits a malicious website.
A zero-day vulnerability is a kind of vulnerability present in an application for which the patch has not been released or isn’t available.
According to Zacharia, the employees of the HR department received an e-mail that discussed employee benefits and included a link to a malicious website. This mail was sent to 530 employees, out of which 57 people clicked on the link and only two machines got infected with the malware. So as we can see, it’s not very difficult to get inside a secured network. Many such attacks are covered in the following chapters.
Different Phases in a social engineering attack :
A social engineering attack is a continuous process that starts with initial research, which is the starting phase, until its completion, when the social engineer ends the conversation. The conversation is a brief coverage of the four phases that the social engineer follows to perform an attack.
In the research phase, the attacker tries to gather information about the target company. The information about the target can be collected from various resources and means, such as dumpster diving, the company’s website, public documents, physical interactions, and so on. Research is necessary when targeting a single user.
In this phase the attacker makes the initial move by trying to start a conversation with the selected target after the completion of the research phase.
The main purpose of this step is to make the relationship stronger and continue the dialog to exploit the relationship and get the desired information for which the communication was initiated.
This is the last phase of the social engineering attack, in which the social engineer walks out of the attack scene or stops the communication with the target without creating a scene or doing anything that will make the target suspicious.
In the Next Article we will share with you The Different Types of Social Engineering Attacks.