What is social engineering?
Broadly speaking, social engineering is the practice of manipulating people into giving up sensitive information. Social engineering attacks can happen in person, such as a burglar who dresses up as a delivery man to get buzzed into a building. This article will instead focus on social engineering cyber attacks. In most cases these attacks aim to get the victim to divulge either login credentials or sensitive financial information.
- An attacker sending an email to a victim which appears to come from someone in the victim’s contact list. This email can contain a suspicious link that will execute a malicious cross-site scripting attack, or direct the victim to a malicious site.
- An attacker baits users online with links that claim to be downloads of popular movies or software, but these downloads actually contain a malicious payload.
- An attacker contacts a victim claiming to be a wealthy foreigner who needs US bank account information to transfer their fortune, offering to reward the victim handsomely in exchange for their bank account information. In reality, the attacker is out to drain the victim’s accounts.
In addition to these types of small and personal social engineering scams, there are also more sophisticated social engineering attacks that are leveraged against entire organizations, for example thumb-drive drops. These attacks can target the networks of well-protected companies, even those that are not connected to the Internet. Attackers do this by scattering several USB drives around the parking lot of the target company. They put an enticing label such as ‘confidential’ on these drives in hopes that some curious employee will find one and stick it into their computer. These drives can contain very destructive viruses or worms that will be hard to detect, since they are entering the network from a local computer.
What are some famous examples of social engineering attacks?
The 2011 data breach of RSA created a big stir, primarily because RSA is a trusted security company. This breach disrupted RSA’s popular two-factor authentication service, SecurID. While all the details of the attack have not been publicly disclosed, it is known that it began with a social engineering attack. The attack was initiated with a basic phishing attack, where the attackers sent low-level RSA employees emails that appeared to be company emails regarding recruiting. One of these employees opened an attachment in this email which triggered the attack.
The Associated Press fell victim to a social engineering attack in 2013 that led to a $136 billion stock market plummet. Once again this was carried out by a phishing attack sent out to employees. By simply opening a link in the email, one of the employees triggered the attack which resulted in the AP’s Twitter account being compromised, and the attackers tweeted out a fake news story about an explosion in the White House. This fake news story circulated quickly and led to a 150 point nosedive of the Dow. A Syrian hacker group known as the Syrian Electronic Army claimed responsibility for the attack, but never provided any proof.
The data breach attack leveraged against Target in 2013 has become one of the most infamous cyber-attacks in history thanks to its level of sophistication. Like the others mentioned here, this attack began with social engineering, but the attackers didn’t go after anyone working for Target. Instead they sent emails to employees of a heating-and-air-conditioning vendor that had high-tech air conditioners installed in Target stores. These air conditioners were linked to Target’s in-store computer systems, and once the attackers were able to compromise the third-party vendor, they were then able to hack into Target’s networks and collect credit card information from credit card scanners in thousands of stores, exposing the financial data of around 40 million Target customers.
How to protect against social engineering attacks
While automated security features like email screening can help prevent attackers from contacting victims, the best defense against social engineering attacks is common sense combined with an up-to-date knowledge of popular social engineering attacks. The United States Computer Emergency Readiness Team (US-CERT) advises citizens to be wary of any suspicious communications, and to only submit sensitive information over the web on secure web pages (HTTPS and TLS are good indications of website security). They also recommend avoiding clicking on links sent in emails, and instead typing the urls of trusted companies directly into the browser. Website owners can do their part by using a service like the Cloudflare CDN which will alert them when attackers are using their domain in phishing attacks.