Social Engineering Presentation

Social engineering is a technique that relies on human interaction and manipulation to gain unauthorized access to systems or sensitive information. It often involves deceiving people into willingly revealing confidential details. Common social engineering attacks include phishing (sending fraudulent emails), spear phishing (targeted phishing), baiting (using enticing objects to install malware), and pretexting (establishing trust to obtain information through lies). To prevent these attacks, organizations should educate employees, implement multi-factor authentication, use robust antivirus software, and properly dispose of confidential documents.

Uploaded by Ayush


Social Engineering & its Attacks

Introduction
➢ Social Engineering is the art of extracting sensitive
information from people, or of convincing them to reveal
confidential information.
➢ By taking advantage of basic human nature, such as trust
or a lack of knowledge, the attacker deceives people into
revealing sensitive information.
Introduction cont.
➢ Social Engineering is an attack vector that relies heavily on
human interaction. It often involves manipulating people into
breaking normal security procedures and best practices in order
to gain unauthorized access to systems, networks or physical
locations, or for financial gain.
➢ Social Engineering is a popular tactic among attackers because
it is often easier to exploit people than it is to find a network
or software vulnerability.
Introduction cont.
➢ The purpose of Social Engineering is to secretly install
spyware or other malicious software, or to trick people into
handing over passwords and other sensitive financial or
personal information.
➢ Social Engineering is also known as Psychological
Manipulation: trickery or deception for the purpose of
information gathering.
Social Engineering Attacks
(figure: example of a social engineering attack in which malware
is delivered through a link in the message)
Types of Social Engineering Attacks
(figure: overview of the attack types covered in the following slides)
Social Engineering Attack Life Cycle
(figure: the attack life cycle)
Baiting
As its name implies, Baiting attacks use a false promise to
attract a victim's greed or curiosity. They lure users into a
trap that steals their personal information or infects their
systems with malware.

The most notorious form of Baiting uses physical media to
disperse malware.
Baiting
For example, attackers leave the bait, typically malware-infected
flash drives, in conspicuous areas where potential victims are
certain to see them (e.g., elevators, the parking lot of a
targeted company).

Victims pick up the bait out of curiosity and insert it into a
work or home computer, resulting in malware being installed on
the system. Note that current operating systems no longer run
programs automatically from removable media, so the payload
usually relies on the victim opening a planted file, or on the
device presenting itself as a keyboard and typing commands.
Scareware
Scareware involves victims being bombarded with false alarms and
fictitious threats. Users are deceived into thinking their system
is infected with malware, prompting them to install software that
has no real benefit (other than to the perpetrator) or is malware
itself.

A common Scareware example is the legitimate-looking popup banner
that appears in your browser while surfing the web, displaying
text such as, "Your computer may be infected with harmful spyware
programs." It either offers to install the "tool" (often
malware-infected) for you, or directs you to a malicious site
where your computer becomes infected.
Phishing
"Phishing" refers to an attempt to steal sensitive information,
typically usernames, passwords, credit card numbers, bank account
information or other important data, in order to use or sell the
stolen information.

A malicious party sends a fraudulent email disguised as a
legitimate one, often purporting to be from a trusted source. The
message is meant to trick the recipient into sharing financial or
personal information or clicking on a link that installs malware.
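The signs described in this section (a display name that borrows a trusted brand, a sender or link domain that imitates that brand, a Reply-To pointing somewhere else, link text showing one site while the href points to another, and pressure to act quickly) can be checked mechanically. The scanner below is an added example written for this page, not code from the presentation. It uses only the Python standard library; the BRANDS table, the urgency phrases and the two sample messages are constructed for illustration, and the registrable-domain helper deliberately takes the last two labels instead of consulting the Public Suffix List.

```python
"""Heuristic phishing-indicator scanner for a raw e-mail message (stdlib only)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, illustrative brand inventory; a real deployment uses its own list.
BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com", "example": "example.com"}
URGENCY_CUES = ("within 24 hours", "account is limited", "suspended", "verify your", "immediately")

# Constructed sample messages (not from the slides): a lookalike-domain phish and a benign mail.
SAMPLE_PHISH = """\
From: "PayPal Support" <security@paypa1-alerts.com>
Reply-To: recover@mail-verify.ru
To: victim@example.com
Subject: Your account is limited
Content-Type: text/html

<html><body><p>We noticed unusual activity. Please confirm your identity at
<a href="http://paypa1-alerts.com/login">https://www.paypal.com/signin</a>
within 24 hours.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Billing" <billing@example.com>
To: victim@example.com
Subject: Your invoice
Content-Type: text/html

<html><body><p>Invoice: <a href="https://billing.example.com/inv/1">https://billing.example.com/inv/1</a></p></body></html>
"""


class _LinkParser(HTMLParser):
    """Collects (href, anchor text) pairs and all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes (paypa1 vs paypal)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(addr_or_url):
    """Lower-cased host of an e-mail address or URL ('' if none)."""
    if "@" in addr_or_url and "://" not in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def registrable(host):
    """Crude registrable domain (last two labels); the real thing uses the Public Suffix List."""
    return ".".join(host.strip(".").split(".")[-2:])


def lookalike_findings(host, where):
    """Flag a host whose labels equal or are one edit away from a brand, on a non-brand domain."""
    findings = []
    for brand, brand_domain in BRANDS.items():
        if registrable(host) == brand_domain:
            continue
        for label in re.split(r"[.\-]", host):
            if len(label) >= 4 and edit_distance(label, brand) <= 1:
                findings.append(f"{where} domain {host} imitates {brand_domain}")
                break
    return findings


def analyze(raw_message):
    """Return a list of human-readable phishing indicators found in the message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender_host = host_of(sender)
    for brand, brand_domain in BRANDS.items():
        if brand in display_name.lower() and registrable(sender_host) != brand_domain:
            findings.append(f"display name claims {brand} but sender domain is {sender_host}")
    findings += lookalike_findings(sender_host, "sender")

    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and registrable(host_of(reply_to)) != registrable(sender_host):
        findings.append(f"Reply-To domain {host_of(reply_to)} differs from sender domain {sender_host}")

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkParser()
    parser.feed(body.get_content() if body is not None else "")
    for href, anchor in parser.links:
        findings += lookalike_findings(host_of(href), "link")
        if anchor.startswith(("http://", "https://")) and host_of(anchor) != host_of(href):
            findings.append(f"link text shows {host_of(anchor)} but points to {host_of(href)}")

    visible = (str(msg.get("Subject", "")) + " " + "".join(parser.text)).lower()
    findings += [f"urgency cue: '{cue}'" for cue in URGENCY_CUES if cue in visible]
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

Each finding is a plain string so the list can go straight into a mail-gateway log or a user-facing banner; the sample phish trips every check, the benign invoice trips none. The same checks apply to an SMS body once the text and its URLs are extracted, which is what makes them useful against smishing too.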
Spear Phishing
Phishing campaigns don't target victims individually; they're sent
to hundreds, sometimes thousands of recipients. Spear phishing, in
contrast, is highly targeted: the attacker chooses specific
individuals or enterprises.

Attackers then tailor their messages based on characteristics, job
positions, and contacts belonging to their victims to make the
attack less conspicuous. Spear phishing requires much more effort
on behalf of the perpetrator and may take weeks or months to pull
off.

Example lures: an email from an online store about a recent
purchase, including a link to a login page where the scammer simply
harvests your credentials; an automated phone call or text message
from your bank stating that your account may have been breached.
Vishing
Vishing is short for "voice phishing," which involves defrauding
people over the phone, enticing them to divulge sensitive
information. Here, the attacker attempts to grab the victim's data
and use it for their own benefit, typically to gain a financial
advantage.
Whaling
Whaling is a highly targeted phishing attack, aimed at senior
executives, masquerading as a legitimate email. Whaling is
digitally enabled fraud through Social Engineering, designed to
encourage victims to perform a secondary action, such as initiating
a wire transfer of funds.
Smishing
Smishing is a Social Engineering attack that uses fake mobile text
messages to trick people into downloading malware, sharing sensitive
information, or sending money to cybercriminals. The term "smishing"
combines "SMS" (short message service, the technology behind text
messages) and "phishing."
Pretexting
Here an attacker obtains information through a series of cleverly
crafted lies. The scam is often initiated by a perpetrator
pretending to need sensitive information from a victim in order to
perform a critical task.

The attacker usually starts by establishing trust with the victim
by impersonating co-workers, police, bank and tax officials, or
other persons who have right-to-know authority.

Pretexting proceeds in two steps. First, the attacker establishes
trust by obtaining basic user information such as name, date of
birth, etc. Then, sensitive information such as Social Security
Number, bank details and personal address is collected through the
pretext.
Social Engineering and its Attacks
Human-Based Attacks:
Impersonation: Acting like someone else to get access to
information. The attacker may act as a legitimate user and request
information, pose as a higher authority and ask for sensitive
information, or pose as a technical support person and try to
gather sensitive and confidential details.
Social Engineering and its Attacks
Tailgating: When an authorised person enters a restricted area,
the unauthorised person follows them into the restricted area
without the employee's knowledge.

Piggybacking: Here the attacker may pose as an employee and ask the
authorised employee to let him enter along with him. He may give
fake reasons, such as having forgotten his smart badge.
Social Engineering and its Attacks
Dumpster Diving: Any confidential or sensitive document should be
properly shredded before it is disposed of. If not, an attacker may
simply look through the rubbish to obtain the confidential
information.
Eavesdropping: Unauthorised listening to conversations in order to
collect important data is called eavesdropping.
Shoulder Surfing: A direct observation technique, such as looking
over someone's shoulder to learn sensitive information like
passwords, PINs, etc.
Preventing Social Engineering Attacks
(figure slides: prevention measures, including educating employees
and properly disposing of confidential documents)

Multi-Factor Authentication: even if the attacker has stolen the
user's login credentials, the user is still protected, because the
login attempt must be authenticated by more than one means, for
example a one-time password (OTP) from an authenticator app or sent
by SMS. Note that an OTP typed into a phishing page can be relayed
to the real site within its validity window, so for high-value
accounts prefer phishing-resistant methods such as FIDO2/WebAuthn
security keys, which bind the credential to the genuine site.

As a further layer, equip your system with robust anti-malware
software such as MalwareFox and keep it updated with the latest
threat definitions.
Conclusion
Social Engineering is a serious and ongoing threat for many
organizations and individual consumers who fall victim to these
attacks.

Education is the first step in preventing your organization from
falling victim to savvy attackers employing increasingly
sophisticated Social Engineering methods to gain access to
sensitive data.