Social Engineering - The Art Of Exploiting Human
Hello guys, pytools here, back again with another article. In this article we are going to see how attackers hack people with some social engineering.
First, let us understand:
What is Social Engineering?
For those less familiar with this term, social engineering—also known as “human hacking”—uses cunning ways of tricking people to disclose confidential information, such as login credentials, to gain access to networks and accounts (Conteh & Schmick, 2015).
What are these ways you ask? This is the dangerous part—it can be any kind of manipulating technique that gets the targeted person talking. Think flattery, praise, excitement, fear, blackmail, etc. And with technology constantly getting more sophisticated and complex, it is the human element in organisations that is seen as the easiest target to go after. So rather than trying to disable all security cameras and open the heavily guarded safe door using the most innovative and expensive gear, the hacker will use psychological methods to get the teller to practically hand over the gold bars.
Social engineering techniques
Social engineering has proven to be a very successful way for a criminal to "get inside" your organization. Once a social engineer has a trusted employee's password, he can simply log in and snoop around for sensitive data. With an access card or code in order to physically get inside a facility, the criminal can access data, steal assets or even harm people.
In the article Anatomy of a Hack a penetration tester walks through how he used current events, public information available on social network sites, and a $4 Cisco shirt he purchased at a thrift store to prepare for his illegal entry. The shirt helped him convince building reception and other employees that he was a Cisco employee on a technical support visit. Once inside, he was able to give his other team members illegal entry as well. He also managed to drop several malware-laden USBs and hack into the company's network, all within sight of other employees.
You don't need to go thrift store shopping to pull off a social engineering attack, though. They work just as well over e-mail, the phone, or social media. What all of the attacks have in common is that they use human nature to their advantage, preying on our greed, fear, curiosity, and even our desire to help others.
Famous social engineering attacks
A good way to get a sense of what social engineering tactics you should look out for is to know about what's been used in the past. We've got all the details in an extensive article on the subject, but for the moment let's focus on three social engineering techniques — independent of technological platforms — that have been successful for scammers in a big way.
Offer something sweet. As any con artist will tell you, the easiest way to scam a mark is to exploit their own greed. This is the foundation of the classic Nigerian 419 scam, in which the scammer tries to convince the victim to help get supposedly ill-gotten cash out of their own country into a safe bank, offering a portion of the funds in exchange. These "Nigerian prince" emails have been a running joke for decades, but they're still an effective social engineering technique that people fall for: in 2007 the treasurer of a sparsely populated Michigan county gave $1.2 million in public funds to such a scammer in the hopes of personally cashing in. Another common lure is the prospect of a new, better job, which apparently is something far too many of us want: in a hugely embarrassing 2011 breach, the security company RSA was compromised when at least two low-level employees opened a malware file attached to a phishing email with the file name "2011 recruitment plan.xls."
Fake it till you make it. One of the simplest — and surprisingly most successful — social engineering techniques is to simply pretend to be your victim. In one of Kevin Mitnick's legendary early scams, he got access to Digital Equipment Corporation's OS development servers simply by calling the company, claiming to be one of their lead developers, and saying he was having trouble logging in; he was immediately rewarded with a new login and password. This all happened in 1979, and you'd think things would've improved since then, but you'd be wrong: in 2016, a hacker got control of a U.S. Department of Justice email address and used it to impersonate an employee, coaxing a help desk into handing over an access token for the DoJ intranet by saying it was his first week on the job and he didn't know how anything worked.
Many organizations do have barriers meant to prevent these kinds of brazen impersonations, but they can often be circumvented fairly easily. When Hewlett-Packard hired private investigators in 2005 to find out which HP board members were leaking info to the press, they were able to supply the PIs with the last four digits of their targets' Social Security numbers — which AT&T's tech support accepted as proof of ID before handing over detailed call logs.
Act like you're in charge. Most of us are primed to respect authority — or, as it turns out, to respect people who act like they have the authority to do what they're doing. You can exploit varying degrees of knowledge of a company's internal processes to convince people that you have the right to be places or see things that you shouldn't, or that a communication coming from you is really coming from someone they respect. For instance, in 2015 finance employees at Ubiquiti Networks wired millions of dollars in company money to scam artists who were impersonating company executives, probably using a lookalike URL in their email address. On the lower tech side, investigators working for British tabloids in the late '00s and early '10s often found ways to get access to victims' voicemail accounts by pretending to be other employees of the phone company via sheer bluffing; for instance, one PI convinced Vodafone to reset actress Sienna Miller's voicemail PIN by calling and claiming to be "John from credit control."
Sometimes it's external authorities whose demands we comply with without giving it much thought. Hillary Clinton campaign honcho John Podesta had his email hacked by Russian spies in 2016 when they sent him a phishing email disguised as a note from Google asking him to reset his password. By taking action that he thought would secure his account, he actually gave his login credentials away.
Social engineering attacks in 2021
ISACA’s latest report State of Security 2021, Part 2 (a survey of almost 3,700 global cybersecurity professionals) discovered that social engineering is the leading cause of compromises experienced by organizations, while PhishLabs’ Quarterly Threat Trends and Intelligence Report revealed a 22% increase in the volume of phishing attacks in the first half of this year compared to the same period in 2020. Likewise, findings from Verizon’s 2021 Data Breach Investigations Report highlighted social engineering as the most common data breach attack method, observing that 85% of attacks prey upon the human element of cybersecurity in some way. Recent research by Gemini has also illustrated how cyber-criminals use social engineering techniques to bypass specific security protocols such as 3D Secure to commit payment fraud.
Social engineering attack trends
Social engineering attack trends are often cyclical, typically coming and going with regularity. For Nader Henein, research vice president at Gartner, a significant trend is that social engineering has become a standard element of larger attack toolboxes, being deployed in combination with other tools against organizations and individuals in a professional and repeatable approach. “Much of these capabilities, be it phishing or the use of deepfakes to convince or coerce targets, are being delivered in combination as-a-service, with service level agreements and support.” As a result, social engineering awareness and subsequent testing is increasingly required and present within security training at most organizations, he adds.
Jack Chapman, vice president of threat intelligence at Egress, points to a recent rise in “missed messaging” social engineering attacks. “This involves spoofing the account of a senior employee; the attacker will send a more junior colleague an email requesting that they send over a piece of completed work, such as a report,” he tells CSO.
To create additional pressure, the attacker will mention that the report was first requested in a fictional previous email, leading the recipient to believe that they’ve missed an email and haven’t completed an important task. “This is a highly effective way of generating urgency to respond, particularly in a remote work environment,” says Chapman. Furthermore, attackers are increasingly exploiting flattery to encourage recipients to click their malicious links. “A surprising trend we’ve seen is hackers sending birthday cards. Attackers can use OSINT to find out when their victim’s birthday is and send a link to ‘view a birthday e-card’ that is actually a weaponized phishing link. Often, the recipient doesn’t suspect a phishing attack because they’re too busy being flattered to have received a card on their birthday.”
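Both the lookalike-address executive impersonation from the earlier section and the "missed messaging" lure described here share a detectable shape: a trusted name, a sender domain that is not the real one, and wording that manufactures urgency. The following is an added example (not code from the original article or from any vendor quoted in it) of a small defender-side triage check over constructed sample messages; the corporate domain, executive names, confusable-character table and pressure phrases are all assumed placeholders that a real deployment would replace with its own.

```python
"""
Added example (not from the original article): a defender-side triage check for
executive-impersonation and "missed messaging" emails. It flags a message when
the display name matches a known executive but the sender domain is only a
lookalike of the real corporate domain, and when the body carries the pressure
phrasing those lures rely on. Every domain, name and message here is a
constructed placeholder.
"""
from email.utils import parseaddr

# Constructed placeholders: the organisation's real domain and the people
# whose names are most likely to be spoofed.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "john smith"}

# Typical character tricks used to build lookalike domains. Multi-character
# substitutions are applied first so "rn" becomes "m" before "1" becomes "l".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Wording that manufactures urgency or a "you missed my earlier mail" story.
PRESSURE_PHRASES = ("previous email", "earlier email", "as requested", "urgent",
                    "before end of day", "asap")

LOOKALIKE_DISTANCE = 2  # heuristic: at most two edits away from the real label


def fold_confusables(label):
    """Map common lookalike characters back to the letters they imitate."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """'examp1e-corp.com' -> 'examp1e-corp' (everything before the last dot)."""
    return domain.rsplit(".", 1)[0]


def is_lookalike_domain(domain):
    """True when the domain imitates CORPORATE_DOMAIN without being it."""
    if domain == CORPORATE_DOMAIN or not domain:
        return False
    real = registrable_label(CORPORATE_DOMAIN)
    seen = fold_confusables(registrable_label(domain))
    return seen == real or edit_distance(seen, real) <= LOOKALIKE_DISTANCE


def triage_message(from_header, body):
    """Return the list of findings for one inbound message (empty = nothing odd)."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if domain == CORPORATE_DOMAIN:
        return findings  # genuinely internal sender; nothing to flag here
    if not domain.isascii():
        findings.append("non-ascii-domain")  # possible IDN homograph
    if is_lookalike_domain(domain):
        findings.append("lookalike-domain")
    if display_name.strip().lower() in EXECUTIVES:
        findings.append("executive-display-name")  # exec name from an outside domain
    lowered = body.lower()
    if any(phrase in lowered for phrase in PRESSURE_PHRASES):
        findings.append("pressure-language")
    return findings


# Constructed sample messages, not real traffic.
SAMPLES = [
    ("Jane Doe <jane.doe@example-corp.com>", "Please send the Q3 report when ready."),
    ("Jane Doe <jane.doe@examp1e-corp.com>",
     "As requested in my previous email, I need the report before end of day."),
    ("Jane Doe <janedoe@freemail-example.net>", "Quick favour, are you at your desk?"),
    ("Vendor News <news@vendor-example.org>", "Our monthly newsletter is out."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(f"{sender:45} -> {triage_message(sender, body)}")
```

The check deliberately stays out of the way for genuinely internal mail and only scores outside senders, so a hit on "executive-display-name" plus "lookalike-domain" is the combination worth routing to a human reviewer; "pressure-language" on its own is a weak signal and is better used to raise priority than to block.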
According to Neosec CISO Renan Feldman, most social engineering attacks today leverage exposed APIs. “Most attackers are seeking access to those APIs rather than access to a device or a network, because in today’s world the business runs on application platforms. Moreover, breaching an API is much easier than penetrating an enterprise network and moving laterally to take over most or all key assets in it. Thus, over the next couple of years, it’s likely we will see a rise in single extortion via APIs. With more and more business data moving to APIs, organizations are tightening their anti-ransomware controls.”
Social engineering prevention
Security awareness training is the number one way to prevent social engineering. Employees should be aware that social engineering exists and be familiar with the most commonly used tactics.
Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws. Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is who they say they are.
But it isn't just the average employee who needs to be aware of social engineering. Senior leadership and executives are primary enterprise targets.
That's all for today, guys. Hope you are enjoying our content. Please don't forget to follow us on Instagram and GitHub, and like our content on Instagram.
https://instagram.com/__pytools__