Hacking humans: Devious tricks attackers use to infiltrate via employees

/in


When we hear the word “hacking” we typically imagine a hooded bad guy coding in a dark room, using cyber skills to breach technical systems and networks.

But what if we told you that 80-95% of all computer attacks begin with the hacking of a human being? That’s right, hacking human beings (a.k.a. social engineering) is usually “phase one” of any cyberattack. This doesn’t require so many technical skills but rather a clever understanding of how human nature responds to phishing lures.

What is Social Engineering? 

Social engineering is a technique used by threat actors to trick online users into revealing sensitive information (such as passwords) or convince them to perform an action (such as clicking a link) that ends up compromising an identity, a system or network.

While email phishing is probably the most popular form of social engineering, other forms are also on the rise such as smishing (SMS text phishing), quishing (QR code phishing), BEC (business email compromise), and vishing (voice phishing).

How Do Social Engineering Attacks Work?

Regardless of medium or method (email, voice, text) social engineering attacks are typically executed using the following steps:

1. Conducting Reconnaissance

Just like an investigator that surveys, monitors or observes a potential target — who they meet, where they spend time, where they live, etc., attackers too will often do background research on their targets.

This includes combing through social media profiles (checking their social media interactions, mentions and connections), learning about their colleagues, friends and family members; obtaining their contact information and finally using tools like open source intelligence (OSINT) to uncover vulnerable and exploitable assets that they can target or operationalize. 

2. Designing a Pretext

Just like in the old movie “The Talented Mr. Ripley” where a con-artist crafts a fake story to convince everyone that he’s the son of a shipping tycoon, attackers too will create situations or stories to dupe their targets. It can be anything from a discount code to an investment opportunity, from a “verify your email” notification to a notification highlighting…

Source…