
Social Engineering Phishing Attack & Techniques

 

Social Engineering


Social engineering is the art of manipulating human behavior to bring about a security breach. The victim, who is being used as the means of the breach, does not realize that he or she is being used. Users are widely considered the weakest link in the security chain and the easiest to exploit. The attacker can use many methods to obtain sensitive and confidential information, such as sending an E-mail or redirecting the user to a malicious web page. Whatever the method, the aim is the same: to obtain information that enables a security breach.

In social engineering, the attacker psychologically manipulates and misdirects the victim to obtain the desired information.


Social engineering can be performed in various ways:

  • Over the telephone
  • In person
  • By getting the user to perform a task on a system, for example opening an E-mail or visiting a web page

Social engineering underpins many information-gathering techniques, and its outcomes can be devastating. With a single user in an organization as the target, the attacker can compromise the entire network: once that user has handed over credentials or other access information, getting inside is only a matter of using it.

There can be various types of users who can be the target of social engineering. Some of the common targets are:

  • Receptionist
  • IT Helpdesk
  • HR department
  • Top management

Phishing

Phishing is a type of attack built on social engineering. It uses technical deception to convince a user to provide personal information such as passwords, social security numbers, credit card numbers and bank account details. The attacker creates a replica of a legitimate Website or web page that tricks the user into entering personal information. The copy resembles the original closely enough that users are fooled, and its URL is close to the original, which most users do not bother to check. One of the key motives for phishing is financial gain.

Phishing can also be used to obtain personal and confidential information from a specific target. The attacker does not reveal his or her own identity but borrows a legitimate one, such as that of a bank or a colleague, and requests information in that name. A target who accepts the identity as genuine provides the requested information to the attacker, who then uses it for harmful activities. Phishing generally takes place over E-mail: the attacker poses as an authorized entity and demands information in reply to the mail.

Phishing can be conducted through various methods:

  • In-person
  • Through a malicious Website
  • Through malicious E-mail attachments

Phishing and its Types

There are different types of phishing. Some of the common ones are:

Smishing

Smishing is phishing carried out over SMS text messages. The attacker sends a text containing a link or a call-back number to obtain sensitive information such as account details. Because a text message shows no sender domain and its links are often shortened, the usual cues for spotting a fake are missing.

Vishing

Vishing is phishing conducted over the telephone, today usually over Voice over IP (VoIP) lines, which make it cheap to place large numbers of calls and to spoof the caller ID. The attacker pretends to be a legitimate caller from a bank or financial institution and attempts to obtain personal information such as a bank account number or credit card details.
Watering Hole

A Watering Hole is a more complex, multi-phased attack. The attacker first profiles the target group, typically the employees of an organization or a government agency, and learns which websites they visit frequently. The attacker then compromises one of those websites and plants malware on it, usually as a drive-by download that exploits the visitor's browser or a plugin. When the targeted users visit the site as they normally would, their systems are infected without any link having to be sent to them.

The majority of phishing attacks are performed by E-mail, mostly in the form of SPAM. Phishers build databases of millions of E-mail addresses, often harvested from social networking Websites, and send mail to all of them. Over the years SPAM E-mails have become better written and better designed, and therefore more convincing. More recently, SPAM SMS has picked up pace on mobile phones alongside messaging.

Whaling

Whaling is spear phishing with a highly focused target. It is aimed at high-profile individuals such as the CEO or CIO of an organization, or a well-known public figure such as a film star. High-profile people have high-profile secrets to keep, personal or business-related, which can be used against them. Remember, phishing is just another form of social engineering, and the attacker's convincing power plays a major role: a typical whaling E-mail creates a sense of urgency that pressures the person into clicking an embedded URL.

Consider what a successful whaling attack yields. An attacker who obtains an executive's official E-mail and official bank account credentials can not only approve monetary transactions but also initiate them.

Preventing whaling requires sufficient technical and detection controls around executives, not only in the office but also at home and on their mobile phones.

Pharming

In pharming, the user types the correct URL into the Web browser and is nonetheless sent to a real look-alike Website. Nothing the user did was wrong, yet the attack still occurs, because the name-to-address mapping itself has been tampered with: either the local hosts file has been edited, or a DNS cache has been poisoned, so that the legitimate name resolves to an attacker-controlled IP address hosting the replica. The user has no reason to be suspicious, because the URL in the address bar is correct. The one remaining signal is the TLS certificate: the replica cannot present a valid certificate for the real name unless a CA or the victim's trust store has also been compromised, so an HTTPS site will produce a browser warning. Treat a certificate warning on a site you have used before as a red flag rather than an inconvenience.
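As an added example (not code from the original post), the following Python script audits a hosts file for the overrides that hosts-file pharming relies on. The hosts file content, the bank domain and the attacker address (203.0.113.45, a documentation address) are constructed sample data, and the watch list of high-value domains is an assumption an organization would fill in for itself.

```python
"""Audit a hosts file for the overrides used in hosts-file pharming.

Added example with constructed data; not code from the original post.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample: a hosts file after a pharming attack. The first block is
# normal; the remaining entries were planted by malware. 203.0.113.45 is a
# documentation address standing in for the attacker's server (assumption).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.10    nas.lan printer.lan   # home devices

# Planted entries
127.0.0.1       updates.av-vendor.example            # blackholes AV updates
203.0.113.45    onlinebank.example www.onlinebank.example
"""

# Names that legitimately appear in a default hosts file.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "ip6-allnodes",
               "ip6-allrouters", "ip6-localnet", "ip6-mcastprefix", "broadcasthost"}
# Top-level labels used for private networks; entries under them are expected.
PRIVATE_TLDS = {"lan", "local", "localhost", "home", "internal", "test"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def is_public_name(name: str) -> bool:
    """A multi-label name outside the private TLDs is one DNS should answer, not the hosts file."""
    if name in LOCAL_NAMES:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and labels[-1] not in PRIVATE_TLDS


def find_overrides(text: str, watchlist: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Flag public names (and any watch-listed name) that the hosts file overrides.

    Returns (name, ip, kind): kind is 'redirect' for a non-loopback address
    (classic pharming) or 'blackhole' for a loopback address (used to cut
    a machine off from update or security-vendor servers).
    """
    watched = {w.lower() for w in watchlist}
    findings = []
    for ip, name in parse_hosts(text):
        if name not in watched and not is_public_name(name):
            continue
        kind = "blackhole" if ipaddress.ip_address(ip).is_loopback else "redirect"
        findings.append((name, ip, kind))
    return findings


if __name__ == "__main__":
    for name, ip, kind in find_overrides(SAMPLE_HOSTS, watchlist={"onlinebank.example"}):
        print(f"{kind:9} {name} -> {ip}")
```

The script takes the file content as a string, so it can be pointed at /etc/hosts on Linux and macOS or at %SystemRoot%\System32\drivers\etc\hosts on Windows. It does not cover DNS cache poisoning, which leaves the hosts file untouched; for that, compare the address the local resolver returns for the name against one obtained from an independent resolver.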

Spear Phishing

Spear phishing, unlike general phishing, targets specific individuals or companies rather than the public at large. An attacker may target a top executive of an organization to steal information, or use spear phishing to install malware on that person's system and from there get into the network. Spear-phishing E-mails are usually designed to look as if they originate from a well-known company or Website. For example, as a firm's top executive you may receive an E-mail that appears to come from eBay, stating that there have been unauthorized login attempts on your account and that you must reset your password through the included URL, or the account will be locked. The E-mail is designed to create a sense of urgency so that you act before you check.

Prepending is an automated form of spear phishing aimed at social media accounts such as Twitter. A machine-learning model reads the target's posts, notes the words the target uses most, and then generates tweets that prepend that familiar vocabulary to a malicious link; the link is chosen based on the posts the target has engaged with most. The result is a lure that reads like something the target would write or follow.

Phishing Methods

Three key methods can be used in phishing:

  • Mass mailing: A large audience is targeted, and it is likely that some recipients will fall for the lure. This method is usually performed using SPAM.
  • Instant messaging: In the last few years, instant messaging has become one of the key media for phishing. Malicious URLs are sent with attractive messages to lure users into clicking them.
  • Malicious Websites: Phishing can also be initiated from malicious Websites, for example ones that users reach through search-engine results.

Phishing Process

Phishing is a four-stage process. These stages are as follows:

  • Initiation - The attacker prepares for an attack.
  • Execution - The attacker sends out mass mail or instant messages to hundreds or thousands of users.
  • User Action - The user performs two tasks - first, clicks on the URL and then enters the personal information on the web page that is loaded.
  • Completion - The information that is entered by the user is received by the attacker and saved at his end. It is now up to the attacker to use this information.

By the end of the fourth stage, the phishing attack is complete. Within this process the attacker can use various attack methods, including:

  • Man-In-The-Middle
  • Session hijacking
  • Phishing through search engines
  • Link Manipulation
  • URL Obfuscation Attacks
  • Client-side vulnerabilities
  • Cross-site scripting
  • Malware / Keyloggers / Screen loggers / Trojans
  • E-mails (Deceptive Phishing)
  • Hosts file poisoning
  • DNS-based Phishing
  • Content-Injection

Reasons for Successful Phishing Attacks

There are various reasons for a phishing attack to become successful. Some of the common reasons are as follows:

Lack of knowledge: Users are not trained enough, or are completely unaware of the dangers of phishing. Attackers use this method on hundreds or thousands of users at once, and several of them fall prey to the attack.

Visual deception: Attackers register a similar URL or domain name and host a replica of the Website there. Users are deceived by the replica and enter their credentials without realizing it; the attacker captures the credentials and replays them on the real Website.

Visual indicators: Users mostly do not pay attention to the URL or domain name shown in the browser, or to the browser's security indicators, and therefore end up as victims of the phishing attack.
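As an added example, not from the original post, the following Python script checks the links in a message for the visual-deception and link-manipulation tricks described above: visible text that differs from the real target, a userinfo@ prefix that hides the host, a raw IP address, a look-alike or punycode domain, and a brand name buried in an unrelated domain. The sample links and the brand list are constructed, and the last-two-labels heuristic for the registrable domain is a simplification; a real deployment would use the Public Suffix List.

```python
"""Triage links from a suspected phishing message.

Added example with constructed data; not code from the original post.
"""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Brands this organisation cares about (assumption: site-specific list).
BRANDS = {"paypal.com", "ebay.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). A production tool should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_link(text: str, href: str) -> List[str]:
    """Return warnings for one anchor, given its visible text and its real href."""
    warnings: List[str] = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if not host:
        return ["href has no host"]
    if parts.scheme != "https":
        warnings.append("link is not https")
    if parts.username is not None:
        # http://trusted.example@evil.example/ : everything before '@' is userinfo
        warnings.append(f"userinfo before '@' hides the real host {host}")
    is_ip = True
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address used as host")
    except ValueError:
        is_ip = False
    decoded = host
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            decoded = host.encode("ascii").decode("idna")  # reveal the Unicode form
        except UnicodeError:
            pass
        warnings.append(f"punycode/IDN host, displays as {decoded}")
    reg = host if is_ip else registrable(host)
    candidates = {reg} if is_ip else {reg, registrable(decoded)}
    for brand in BRANDS:
        name = brand.split(".")[0]
        if reg == brand:
            continue  # genuinely on the brand's own domain
        if name in host:
            warnings.append(f"brand word '{name}' used outside its real domain ({reg})")
        elif any(0 < edit_distance(c, brand) <= 2 for c in candidates):
            warnings.append(f"look-alike of {brand}: {reg}")
    # Visible text that looks like a URL or host but does not match the real target.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != reg:
        warnings.append(f"visible text says {m.group(1)} but link goes to {host}")
    return warnings


# Constructed sample anchors (visible text, href) as they might appear in a phishing E-mail.
SAMPLE_LINKS: List[Tuple[str, str]] = [
    ("https://www.paypal.com/account", "https://www.paypal.com/account"),
    ("https://www.paypal.com/reset", "http://www.paypal.com@203.0.113.7/reset"),
    ("Reset your eBay password", "https://ebay.com.account-verify.example/login"),
    ("Sign in", "https://www.paypa1.com/signin"),
    ("Secure login", "https://xn--pypal-4ve.com/"),  # 'paypal' with a Cyrillic 'a'
]


def triage(links: List[Tuple[str, str]] = SAMPLE_LINKS) -> dict:
    """Map each href to its warnings; an empty list means nothing suspicious was found."""
    return {href: analyze_link(text, href) for text, href in links}


if __name__ == "__main__":
    for href, warns in triage().items():
        print(href, "->", warns or "OK")
```

The first sample link is the genuine one and produces no warnings; each of the others trips at least one check. The display-text check is the one that catches the classic "URL as link text" trick, where the anchor reads https://www.paypal.com/reset but the href points somewhere else entirely.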

