Objectives Research and identify social engineering attacks Background / Scenario Social engineering is an attack with...

a) Three methods used in social engineering to gain access to information :

1. Phising :

Phising is a very common way of social engeenering attacks. In this attacker tries to obtain personal information such as names, addresses and social security numbers. Attacker sends shortened or misleading links and when target clicks on it, that redirects target to phising webpages.

2. Pretexting :

Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they use to try and steal their victims’ personal information.

3. Baiting :

Here attackers make promise of an item or good that malicious actors use to entice victims. Baiters may leverage the offer of free music or movie downloads, for example, to trick users into handing their login credentials.

b) Examples

1. Phising :

Attacker A duplicates target T's bank login page design and send an email to T that he has a problem in his bank account and he needs to click on the link to view his account.

Now T clicks on the link and gets fooled by the duplicated web page and types his id and password which then A gets all the information and gets access to the T's bank account.

2. Pretexting :

An attacker might impersonate an external IT services auditor so that they can talk a target company’s physical security team into letting them into the building.

c) Social networking is a threat of social engineering as social networking allows people to connect with each other and communicate and share stuffs. So, using social networking attackers can pretend as someone else and contact anyone and gain access to their personal information and cause threat to them.

Social media being social means no information shared there is private and one smart attacker can collect much infomration about his target from the social networking sites like his photo, address, number, hobby, likes, dislikes, interests, type of posts, mindset, political views and much more. These information can be used against the target hence making social networking a threat.

d) Organization can defend itself from social engineering attacks by,

• Educating employees about the the types of attacks and how to tackle such problems if faced. Making them aware about pretexters also.
• Limiting the organisation's important infomration's access and making levels of access as in what people can access what level information
• Never release important comapany information publicly and try to be as private as possible.
• Be cautious and aware if anyone offers a deal for free or make an unexpected deal.
• Invest in an identification system that not only limits access to offices but also tracks an employee’s time in and out.
• Install automatic locks on computers so that whenever there is no activity on them, they automatically enter sleep mode and cannot be accessed again without a password.