Why you'll click on this article, explained!

So you did click on this article! ;)


But why is that? In this article, we will uncover the reason--it has to do with the human condition! Did you know that you can be HACKED because bad guys want to exploit that weakness? It's true! But once we become aware of this possibility, we can guard our security intelligently and win the fight against those with malicious intentions.


The laydown

The field of social engineering (used by black hats) relies on strategic tactics--such as manipulating a person's inherent curiosity--to get something the attacker might not otherwise have gotten as easily. Attackers use social engineering to gather someone's credit card numbers and passwords! Every time there is a hack, practically 80% of it is social engineering and 20% technical vulnerability in the system.

The question then arises: what are the common tactics of social engineering so we can be better equipped to deal with it, and what can we do to protect ourselves?


The techniques and how to become immune:

Pretexting

This is when hackers pretend to be someone else (they create a fake identity by posing as IT professionals or internal staff members, for instance) to obtain private information. This kind of attack relies on the hacker gaining the trust of the victim. It works like this: the attacker gleans details about the victim through artful deception--such as feeding them wrong or skewed data and facts. Typically, the excuse is that the attacker urgently needs access to the victim's accounts, such as password details; the fake identity assumed is that of a boss, a co-worker, or even a bank official who claims a connection to the victim. This pretext works as emotional blackmail: the targets are often innocent and unknowingly give away crucial information that jeopardizes their security, and the hacker then uses the password to sign in to the account and take over valuable assets.

But thankfully there is a solution!

The fix: don't give credentials away. For instance, the bank will never ask you for things like your PIN or your full Social Security number. These are all huge NO-NOs and should raise a red flag whenever someone claims to need them for "emergency" purposes, such as "repairing" your account or the like.

Quid Pro Quo attacks

This is when you are promised "something for something"--if you do something, then you'll get something in return. Here, the hacker promises a service or benefit in exchange for access or information. An example? A classic one is that the hacker calls up a victim and offers a service for free, such as installing a premium service at no cost or upgrading some software--the catch is that the victim must hand over their login details so the hacker can "set up" the service on their computer, or even uninstall their antivirus program to make sure it "downloads properly." The victim, thinking it's a great deal, agrees.

Alas, that's often a con! The moral: take every offer with a pinch of salt.


Baiting


Did curiosity kill the cat? Well, not if you read on and learn how to protect yourself from this kind of attack! Unfortunately, whenever someone falls victim to baiting, the attackers have used that person's natural curiosity to their advantage. The bait, often a prize or a discount, is used to deliberately capture the victim's attention. For instance, on peer-to-peer networks there are often claims of free downloads of the latest song from a popular music artist or even of a newly released movie, and those who click on the malicious links have their computers exposed to malware.


But don't let that be you! Now that you know about this technique and how it could lead to the compromise of your devices, share the word. The more awareness there is about cybersecurity, the better we will be able to protect against attacks!

Tailgating


AKA piggybacking, this is when an attacker wants to get into a restricted or private area, like the inside of a bank, by using social engineering to bypass the authentication. Think about the last time you went to a library or a restaurant. Imagine there is a person behind you wanting to enter the same building as you; by common courtesy, you hold the door open for them as you enter. But what happens if the place you were entering was restricted to people with the proper authentication, so that it was only supposed to be open to a select group? Because people want to be polite, they don't ask whether the person they're letting in has the credentials. Hackers then get entry they might not otherwise have gotten.


Hence, it is generally considered good practice to make sure someone is not tailgating behind you by asking for a visitor badge, secret passphrase, or some other proof to indicate they have permission.


Watering-hole attack

Think back to everything you've done today, starting from the very first activity. Brushed your teeth, had breakfast, showered... did you surf the web? Chances are you opened your bookmarked websites. But wait! Those sites that you visit regularly can be vulnerable and injected with dangerous code that turns them into an online watering hole (predators often lurk around watering holes in nature, which is where the name comes from). Hackers with the technical know-how can exploit a vulnerability known as an open redirect, which is when a link that is supposed to go to a certain website instead redirects the user to another one created by the hacker. This fake website can run scripts designed by the hacker to gather cookies (leading to cookie exploitation) or tokens (think of them as proof of your identity on the web). It can even silently cause a keylogger to be installed on your computer, which means every keystroke you type is recorded, and the hacker can thus access information (hint: your passwords) for your accounts! Essentially, hackers determine which websites a person uses and study them to understand how they can be exploited. They then infect the site with malware, which compromises your system when you visit it.


An example is when Forbes was attacked this way in 2015: the attackers made use of zero-day vulnerabilities (vulnerabilities that are new and not yet publicly known). Consequently, whenever someone visited the site, a malicious Flash widget loaded unbeknownst to them.

How can we stay safe?

* Be suspicious of deals that are too good to be true, or that ask you for something in order to give you something.

* Slow down/take a breather so you can be vigilant about what you do on the internet. For instance, don't open email attachments from people you don't know. When you are sent a link, avoid clicking on it without first hovering over it and checking the web address. This way, you can be sure the link really goes where it claims to.

* Use multi-factor authentication whenever possible.
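To make the "hover over the link and check the web address" advice (and the open-redirect pattern from the watering-hole section) concrete, here is a small Python check added for this article; it is not code from any of the sources listed below, and every hostname in it is a made-up placeholder. It flags a link whose query string hands the visitor off to a different site, and a link whose visible text names one host while its real address points at another.

```python
from urllib.parse import urlparse, parse_qs


def displayed_host(text):
    """Hostname that a link's visible text appears to name, or None if the text is not URL-like."""
    text = text.strip()
    if "://" not in text:
        text = "https://" + text          # treat bare "bank.example.com" like a URL
    host = urlparse(text).hostname
    return host if host and "." in host else None


def redirect_targets(url):
    """Hosts named inside url's query string that differ from url's own host.

    A 'go?next=https://other.site' style parameter pointing off-site is the
    open-redirect pattern: the link looks like it goes to one site but sends
    the visitor to another. Relative targets such as next=/account are not flagged.
    """
    outer = urlparse(url)
    hosts = set()
    for values in parse_qs(outer.query).values():
        for value in values:
            inner = urlparse(value)        # also catches scheme-less "//evil.example.net/x"
            if inner.hostname and inner.hostname != outer.hostname:
                hosts.add(inner.hostname)
    return sorted(hosts)


def link_looks_deceptive(text, href):
    """True when the visible text names one host but the actual href leads to another."""
    shown = displayed_host(text)
    actual = urlparse(href).hostname
    return shown is not None and actual is not None and shown != actual


if __name__ == "__main__":
    # Constructed sample links (placeholder hostnames, not real sites)
    samples = [
        ("Read more", "https://news.example.com/article/42"),
        ("https://bank.example.com", "https://bank.example.com.evil.example.net/login"),
        ("Log in", "https://news.example.com/go?next=https://evil.example.net/login"),
    ]
    for text, href in samples:
        print(text, "->", href)
        print("  text/href host mismatch:", link_looks_deceptive(text, href))
        print("  off-site redirect targets:", redirect_targets(href))
```

A real browser shows the same information in its status bar when you hover; the functions just make the comparison explicit so you can see which detail to look at.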



Author: Rajvi Khanjan Shroff


Sources:
https://www.imperva.com/learn/application-security/social-engineering-attack/
https://us.norton.com/internetsecurity-emerging-threats-what-is-social-engineering.html
https://www.lastline.com/blog/five-high-profile-watering-hole-attacks-highlight-importance-of-network-security/
https://resources.infosecinstitute.com/common-social-engineering-attacks/#gref