
4 Jul 2018

UK Computer Emergency Response Team (CERT) Introduction to Social Engineering

The following guide to social engineering was released by the UK Computer Emergency Response Team (CERT):
An introduction to social engineering
10 pages
January 2015

Social engineering is one of the most prolific and effective means of gaining access to secure systems and obtaining sensitive information, yet it requires minimal technical knowledge. Attacks vary from bulk phishing emails with little sophistication through to highly targeted, multi-layered attacks which use a range of social engineering techniques. Social engineering works by manipulating normal human behavioural traits, and as such there are only limited technical solutions to guard against it. As a result, the best defence is to educate users on the techniques used by social engineers and to raise awareness of how both humans and computer systems can be manipulated to create a false level of trust. This can be complemented by an organisational attitude towards security that promotes the sharing of concerns, enforces information security rules and supports users in adhering to them. Even so, a determined attacker with sufficient skill, resources and, ultimately, luck will be able to retrieve the information they are seeking. For this reason, organisations and individuals should have measures in place to respond to, and recover from, a successful attack.

Phishing

The most prolific form of social engineering is phishing, accounting for an estimated 77% of all social-based attacks with over 37 million users reporting phishing attacks in 2013. Phishing is the fraudulent attempt to steal personal or sensitive information by masquerading as a well-known or trusted contact. Whilst email phishing is the most common, phishing attacks can also be conducted via phone calls, text messages and fax, as well as other methods of communication, including social media.

A large number of wide-scale email phishing attacks remain unsophisticated and will be recognised by most (although not all) computer users as illegitimate. However, email phishing is becoming increasingly sophisticated, and attackers use a variety of techniques either to make the email appear legitimate or to lure the victim into acting before thinking. Attackers may disguise the address the email is sent from so that it appears to come from a well-known organisation; commonly imitated ones include banks, utility companies, couriers, recruitment agencies and government. Better-designed phishing emails will appear very similar to legitimate emails from these organisations (see example 1). Another common technique is to exploit major news events, either by posing as having new information on the event or by asking the recipient to take action (donate money, sign a petition, etc.) in relation to it.

Despite increasing competency in wide-scale campaigns, there are still indicators that frequently appear in phishing emails:
- Messages are unsolicited (i.e. the victim did nothing to initiate the action)
- Messages are vague, are not addressed to the target by name and, beyond purporting to be from a known organisation, contain little other specific or accurate information to build trust
- Messages may be from an organisation with which the target has no dealings
- Messages contain poor spelling and grammar, typos or odd phrases; whilst this is becoming less common as attackers become more proficient, mistakes are still made
- Messages are too good to be true or make unrealistic threats, often with a sense of urgency
- Messages are sent from an email address that, whilst perhaps similar, does not match ones used officially by the organisation
- Messages contain incorrect or poor versions of an organisation's logo, and may contain web links to sites that, whilst perhaps similar, are not ones used by that organisation

Phishing emails often ask the user to follow a link to a website or open an attachment. Some may ask the user to reply to the email, after which they will be engaged in an exchange of messages to elicit confidential information. When asked to click on a link, it may be designed so that the text the victim clicks on appears to be for a known website, but the link takes them to a completely different website (a technique known as obfuscation). At the website, the victim will then be asked to enter confidential information or may unknowingly download a file which will subsequently infect their machine with malware. Likewise, any attachment on a phishing email is likely to contain malware.
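Two of the indicators above, a sender address whose domain does not belong to the organisation the message claims to be from, and a link whose visible text names one site while its href points to another (the obfuscation described in this paragraph), can be checked mechanically on incoming mail. The following Python script is an added example and is not part of the UK CERT guide: the email, the claimed organisation "examplebank.example" and its table of official domains are constructed sample data, and the function names are the example's own.

```python
"""Check a constructed sample email for two phishing indicators: a sender domain
not used by the claimed organisation, and an anchor whose text names one host
while its href points to another. Added example, not from the UK CERT guide;
every domain and the email itself are constructed sample data."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the domains the claimed organisation really sends from and links to.
OFFICIAL_DOMAINS = {
    "examplebank.example": {"examplebank.example", "secure.examplebank.example"},
}

# Constructed sample message (not a real phishing email).
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@examplebank-verify.example>
To: customer@example.org
Subject: Urgent: confirm your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Unusual activity was detected. Verify now at
<a href="http://login.examplebank-verify.example/confirm">https://secure.examplebank.example/login</a>
or your account will be suspended.</p>
</body></html>
"""


def registrable(host):
    """Crude reduction to the last two labels (mail.examplebank.example -> examplebank.example).
    A production check would consult the public suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text):
    """Return a hostname if the anchor's visible text looks like a URL or bare domain."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


def html_body(msg):
    """Return the first text/html part of the message, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_email, claimed_org):
    """Return human-readable findings; an empty list means neither indicator fired."""
    msg = message_from_string(raw_email)
    official = {registrable(d) for d in OFFICIAL_DOMAINS.get(claimed_org, set())}
    findings = []

    # Indicator: the sender's domain is not one the claimed organisation uses.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain and registrable(sender_domain) not in official:
        findings.append(f"sender domain {sender_domain} is not an official {claimed_org} domain")

    # Indicator: link text names one site but the href goes elsewhere, or to a non-official site.
    collector = LinkCollector()
    collector.feed(html_body(msg))
    collector.close()
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        text_host = host_in_text(text)
        if text_host and registrable(text_host) != registrable(href_host):
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if href_host and registrable(href_host) not in official:
            findings.append(f"link target {href_host} is not an official {claimed_org} domain")
    return findings
```

Run against the constructed message, `phishing_indicators(SAMPLE_EMAIL, "examplebank.example")` reports three findings: the look-alike sender domain, the mismatch between the displayed and actual link, and the non-official link target. The domain comparison is deliberately simple; a real gateway would use the public suffix list and a maintained allowlist per organisation.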

Watering hole attacks

Watering hole attacks, similar to baiting, use trusted websites to infect victims' computers. They are typically more sophisticated than most other social engineering techniques as they also require some technical knowledge. A watering hole attack works by compromising a trusted third-party website to deliver malicious code to the intended victim's computer. As with other targeted social engineering attacks, the attacker will research their intended victim(s) and identify one or more trusted websites that they are likely to access. This may be a supplier's website, an industry journal, a think tank or some other website that the attacker has identified as of interest to the intended victim. Having identified a suitable website (or websites), the attacker will seek out vulnerabilities within the server that hosts the website and, having found one, insert code that will enable malware to be downloaded, sometimes with little or no interaction from the victim (known as a 'drive-by' attack).
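Because a watering hole attack depends on inserting script into a page the site owner did not put there, a site owner can catch it by recording which scripts each page legitimately carries and re-checking fetched copies against that baseline. The following Python integrity check is an added example, not part of the UK CERT guide: the two HTML snapshots are constructed sample data, the hostnames are placeholders, and the function names are the example's own.

```python
"""Page-integrity check a site owner can run on their own pages to spot the
script injection a watering-hole compromise relies on. Added example, not from
the UK CERT guide; the HTML snapshots and hostnames are constructed sample data."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Record external script sources and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline_hashes = set()
        self._inline = None  # text buffer while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._inline = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data in CDATA mode.
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            code = "".join(self._inline).strip().encode("utf-8")
            self.inline_hashes.add(hashlib.sha256(code).hexdigest())
            self._inline = None


def script_fingerprint(html):
    """Return {'external': set of src values, 'inline': set of sha256 hex digests}."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {"external": parser.external, "inline": parser.inline_hashes}


def compare_to_baseline(baseline, current):
    """Report scripts present in the current page that the baseline did not contain."""
    findings = []
    for src in sorted(current["external"] - baseline["external"]):
        findings.append(f"new external script source: {src}")
    for digest in sorted(current["inline"] - baseline["inline"]):
        findings.append(f"new or modified inline script (sha256 {digest[:16]}...)")
    return findings


def check_page(baseline_html, current_html):
    """Convenience wrapper: fingerprint both snapshots and diff them."""
    return compare_to_baseline(script_fingerprint(baseline_html), script_fingerprint(current_html))


# Constructed snapshot recorded when the page was known to be clean.
BASELINE_HTML = """<html><head>
<script src="https://static.supplier-portal.example/app.js"></script>
<script>window.siteConfig = {version: "1.0"};</script>
</head><body><h1>Supplier portal</h1></body></html>"""

# Constructed later snapshot: one added external script and one altered inline script.
TAMPERED_HTML = """<html><head>
<script src="https://static.supplier-portal.example/app.js"></script>
<script>window.siteConfig = {version: "1.0"}; new Image().src = "https://stats.unrelated-host.example/p";</script>
<script src="https://cdn.unrelated-host.example/loader.js"></script>
</head><body><h1>Supplier portal</h1></body></html>"""

if __name__ == "__main__":
    for finding in check_page(BASELINE_HTML, TAMPERED_HTML):
        print("ALERT:", finding)
```

`check_page(BASELINE_HTML, TAMPERED_HTML)` returns two findings (the unexpected external source and the changed inline script), while comparing the baseline with itself returns nothing. The baseline should be stored somewhere the web server cannot write to, and the current snapshot should be fetched the way a visitor would see it, so that injection at the server, at a CDN or in a compromised template is all caught the same way.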

Attacking on multiple fronts

A determined attacker may adopt a multi-layered approach along with additional techniques to increase their target's trust, or confusion, in order to maximise the chance of success. Whilst somewhat indiscriminate, an attacker could begin dialling random numbers within an organisation claiming to be IT support (potentially using a real name from the IT support department gleaned from social media) until they eventually find a victim who does have an IT issue. In their attempt to solve the problem, they will trick the user into giving them login names, passwords or other information that will be useful in compromising their computer. Alternatively, the attacker may pretend to be an executive, urgently demanding that an important (and sensitive) document be sent to their personal email address because they cannot access their work account. In both cases, the victim is put under pressure to do something they should know they should not do: they do not want to question someone who knows more than them (IT support) or who is senior to them (the executive), and refusal to comply could get them in trouble. Some attackers may be even more creative (see example 4).
