When we think of the people who carry out computer attacks, the first thing that comes to mind is usually a computer expert capable of cracking the strongest passwords or exploiting vulnerabilities unknown to ordinary mortals. But often, to steal your Facebook or Gmail account, an attacker does not need great computer skills at all; it is enough to wait for you to hand it over willingly.
This is what is known as social engineering, a widely used attack technique because of its high effectiveness. It starts from the premise that people are the weakest link in a security system and, whether through smooth talk or by exploiting our automatic habits, it tries to deceive us so that we end up handing over the key data needed to compromise our systems.
Many attackers decide to study computer science in order to access systems by taking advantage of software bugs, but some prefer to specialize in deceiving and manipulating the users themselves. For this they need neither vulnerabilities nor incredible hacks, only a good understanding of the human mind and of how their victim thinks, which they exploit so that you hand over the data needed to access your computer, your company's servers or, why not, your email or social networking accounts.
Imagine that, to protect an account, you set the name of your first pet as the secret question. By applying social engineering, an attacker who has already tried to access your account and knows what the question is may try to gain your trust and steer the conversation towards the answer. After all, a conversation about pets does not have to make you suspect that someone is going to break into one of your personal accounts.
Other attackers simply resort to phishing to trick you: they pretend to be a service and send you an email with a fraudulent link, trying to get you to type in your password. Imagine that I send you an email saying that I am from PayPal, that I have detected an error and that I need you to identify yourself immediately through an attached link, which leads to a fake website that stores everything you type.
The attacker can play with emotions
To dig deeper into the world of social engineering we have been talking to an expert with more than 11 years of experience in computer security: Josep Albors, director of communication and head of the laboratory at ESET Spain, who also collaborates with the Civil Guard and the Spanish Army in training new agents in the field of computer security.
Josep tells us that social engineering is a risk we should take seriously, because it targets the weakest link in most situations: the human being. "The attacker can play with the emotions of the victim," he tells us, "or even find out personal information about them from posts on social networks to try to convince them to provide information or to let the attacker bypass the established security systems."
The people most vulnerable to this type of attack, he explains, are those who handle sensitive information or can grant access to sensitive data. "You do not even need to be the CEO of a company, since many businesses do not establish barriers to accessing important data and systems, and not a few employees can access them, even without knowing it."
Talking with Josep we also learn that there are several common types of attack. On the one hand there are those that try to trick users into opening a file or clicking on a link by posing as some widely used service, while on the other there is what is known as "CEO fraud."
"In it, criminals target management, obtain private information about them from open sources or by spying on them in person, and even impersonate suppliers of that company to get them to make transfers to account numbers managed by the criminals."
In other words, if you own a company, someone could be snooping through your social networks or spying on you in person. With some of the data they gather about you, that person will try to impersonate you and give your suppliers a fraudulent bank account. With it, instead of paying you, they would be paying the impersonator directly.
Think about the information you share on social networks and whether it is safe to post your full name or your company's name. Someone can also study how you write on social networks in order to be more convincing when imitating you. All it takes is a supplier trusting enough to believe what someone claiming to be you says.
How to know when someone is trying to trick us
But of course, we live in an era in which every day we meet new people and make friends on social networks. So how do we know whether the person we have just met is trying to extract information from us through social engineering rather than simply wanting to know more about us?
"Depending on how good the person is at using social engineering, it can become quite difficult to realize that someone is trying to get information out of us," says Josep Albors. "It is best to analyze each of the answers we give and to think about whether they could be used against us or our company."
In short, what he wants to tell us is that we should be cautious when we meet new people, a classic from the days of offline life. We need to be aware of what information we share and what could be used against us. And we should not worry about hurting feelings by being cautious, because the logical thing is for anyone to understand that we do not tell our life story the first few times we speak.
Another classic method used by attackers is phishing combined with social engineering. They can send us SMS messages, emails or a URL to a seemingly real website that is just a copy of the original, designed specifically to trick us and get our data. How can we tell them apart?
Albors tells us that the first thing that should make us suspicious is that it is a message we were not expecting. If you ever find yourself thinking that it is unusual for your bank or a website to contact you in this way about a matter you have never dealt with like this, it is better to be suspicious. And beware of opening such messages out of pure curiosity, because curiosity can play tricks on us.
"Some tips we could offer are to be wary of attachments, especially if they are executable (a minority) or are compressed and use a rare extension (js, vbs, hta, etc.)," he explains, "in addition to reviewing the links they provide us, since they are often shortened or impersonate some original website (phishing)."
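As an added illustration of the checks Albors describes (unexpected attachments with unusual or executable extensions, shortened links, and links whose visible text does not match the real destination), here is a small Python triage script. It is example code written for this article, not a tool from ESET or from the interview; the extension list, the shortener list and the sample message are constructed assumptions, and the helper names are hypothetical.

```python
"""Triage an incoming e-mail for the warning signs named in the interview.

Example code added to this article (not from the interviewee or ESET).
All lists and the sample message are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Extensions singled out in the interview (js, vbs, hta), plus executables and
# archive formats commonly used to wrap them. Assumed list, extend as needed.
RISKY_EXTENSIONS = {"js", "vbs", "hta", "exe", "scr", "zip", "rar", "7z"}

# A few well-known URL shorteners. Assumed list, not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Constructed sample message: a "bank" message with a shortened link whose
# visible text pretends to be the bank's own site, plus a zipped attachment.
SAMPLE_EMAIL = """\
From: "Support" <support@example-bank.test>
To: victim@example.test
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<p>Please confirm your identity at
<a href="http://bit.ly/abc123">https://www.example-bank.test/login</a></p>
--XYZ
Content-Type: application/octet-stream; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"

(binary payload omitted)
--XYZ--
"""

# Minimal anchor-tag matcher; good enough for mail bodies, not a full HTML parser.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def attachment_findings(msg: Message) -> list[str]:
    """Flag attachments whose extension is in the risky list."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment '{name}' has risky extension .{ext}")
    return findings


def link_findings(msg: Message) -> list[str]:
    """Flag shortened links and links whose shown URL differs from the real host."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, errors="replace")
        for href, text in LINK_RE.findall(html):
            real_host = urlparse(href).hostname or ""
            if real_host in SHORTENERS:
                findings.append(f"link to shortener {real_host}: {href}")
            shown_host = urlparse(text.strip()).hostname
            if shown_host and shown_host != real_host:
                findings.append(
                    f"link text shows {shown_host} but points to {real_host}"
                )
    return findings


def triage(raw_message: str) -> list[str]:
    """Return every warning sign found in a raw RFC 822 message string."""
    msg = message_from_string(raw_message)
    return attachment_findings(msg) + link_findings(msg)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

Run against the constructed sample, the script reports the zipped attachment, the shortened link and the mismatch between the displayed bank address and the real destination host. In a real deployment the lists would be fed from policy rather than hard-coded, and a link that is merely shortened is a reason to check, not proof of an attack.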
Our hacker also explains that there are several tools, such as the Metasploit framework or SET (the Social-Engineering Toolkit), designed to automate these attacks. He also warns that another method is to leave behind USB drives with content that may interest the victim and entice them to open the file.
"For example, leaving an abandoned pendrive in an office with an Excel spreadsheet bearing the suggestive title 'Layoff list 2017'," he tells us. "I am sure many would disable the security measures that MS Office incorporates by default, which do not allow malicious macros to run, just to see its contents."
So what would be the main advice for someone who wants to protect themselves? It is the last question we ask Josep. "Always be attentive and do not trust," he replies. We never know when we may be falling victim to a social engineering attack unless we are specially trained, and that very nice person we just met in the boarding line for a plane may be trying to get information from us that we should not share.
Wait, are there social engineering tools?
Convincing a person to reveal their data, while surprisingly effective, is still tedious and time consuming. That is why many attackers prefer to cast the phishing line and wait for the unwary to bite, something for which, as we have seen for years, several tools exist.
One of the most popular is the Social-Engineering Toolkit, or SET. It is a unique collection of tools for carrying out advanced attacks against the human element. It can be useful both to crackers and to business owners who want to test the security of their company and see how their employees behave in the face of these threats.
Among other things, this tool allows you to design and create phishing attacks through emails sent to the victim. It also allows multiple web-based attacks to compromise the security of the potential victim, such as cloning sites like Facebook and hosting them on the attacker's own server to capture the data entered by whoever logs in.
In turn, the application simplifies the creation of malicious .exe files, or carrying out mass attacks by sending personalized emails to multiple victims. Among its functions, SET also offers the possibility of creating infected media with Metasploit payloads that use the autorun.inf file.
In conclusion, we can say that we are indeed the biggest weakness in our own security, and that attackers not only know it but have been taking advantage of it for years. It is therefore up to us to be aware of these dangers and to be careful, especially by trying not to reveal sensitive information to strangers and by staying alert to potential scams via email or mobile messages.