Social Engineering
A con man is a person who swindles or misleads victims through a confidence game, knowing that it is human nature to want to trust others. Humans, not computers, are usually the weakest link, and the most versatile tool in an attacker's arsenal is the technique called social engineering.
What is a social engineering attack?
Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. In cybercrime, these “human hacking” scams tend to lure unsuspecting workers into exposing data, spreading malware infections, or giving access to restricted systems.
An attacker may seem unassuming and respectable, perhaps claiming to be a new employee, technical support, or a researcher, and may even offer credentials to support that identity. By asking seemingly innocent questions, the attacker can piece together enough information to infiltrate an organization's network. If one source does not yield enough, the attacker contacts another source within the same organization and uses what was learned from the first to add credibility.
Scams based on social engineering are built around how people think and act. As such, social engineering attacks are especially useful for manipulating a worker’s behavior. Once an attacker understands what motivates a worker’s actions, they can deceive and manipulate the employee effectively.
Ransomware
Social engineering will remain one of the easiest ways for a cybercriminal to gain the access to an information system needed to deploy a ransomware attack. A mix of technical techniques and human manipulation will continue to be used to obtain the credentials and footholds that such an attack requires.
Ransomware and Social Networking
Higher education institutions are prime targets for ransomware attacks. Universities and colleges handle large amounts of sensitive personal data, operate campus-wide networks, and manage student records. These factors combine to make the higher education sector a potentially lucrative target for threat actors; the more sensitive the data, the more valuable it becomes in the wrong hands. While cyber-attacks are generally thought of as technical exercises, successful ransomware operations rely on social engineering tactics, above all phishing, to gain the initial access they need. Ransomware is malicious software that blocks access to networks, systems, and/or files in order to extort a ransom payment from its victims. Typically the attacker encrypts the victim's files and displays a message promising to restore access once the ransom is paid.
Recent Ransomware Attacks on Higher Education
University of Colorado, the University of Miami, and the University of California had sensitive data stolen when Clop ransomware compromised a third-party file transfer service. The stolen data included grades and other personal information. This incident highlighted the cyber risks that can come from third-party software vendors.
Clop ransomware commonly enters networks through phishing emails with malicious attachments, then uses lateral movement to spread quickly and evasion techniques to avoid detection by security tools. In the incident above, however, initial access came through the compromised third-party file transfer service rather than through phishing, which is why vendor risk matters as much as user awareness. Data exfiltration is a standard feature of Clop operations: the ransom demand comes with a threat to publish the stolen data on the dark web if payment is not made.
- Ransomware attacks against universities during 2020 (zdnet) increased by 100 percent compared to 2019.
- 41% of higher education cybersecurity incidents and breaches start with social engineering techniques.
- Education is the 6th most targeted sector for cyber crime out of 20 different sectors.
The Number One Delivery Method for Ransomware
PHISHING
The main purpose of most phishing emails today is to deliver, directly or indirectly, some form of ransomware.
Cybercriminals take advantage of the information users share about themselves through social media to create tailored and more authentic-looking email templates.
Phishing, as part of a social engineering scheme, lures victims into taking actions without realizing the malicious intent behind them. The less aware the targeted user, the more fruitful the attack. In targeted attacks, phishing emails are crafted to look like they come from a trustworthy sender but link to or contain malicious content that executes as soon as the user clicks it, encrypting data and demanding a ransom. Sophisticated phishing attacks are by nature harder to detect, and even careful users sometimes fall into the trap.
The human factor is the weakest link in the security chain. Attackers persuade and deceive employees in many ways to gain critical access, but one method stands out in its scale: email. Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), or to deliver and propagate malicious content, by posing as a trustworthy entity in electronic communication.
The Main Phishing Types
Spear Phishing
Spear phishing is a more sophisticated and elaborate version of phishing. Threat actors gather information on key people in a targeted institution to craft a personalized and believable email that encourages specific employees to provide confidential information or open malicious content. Because spear phishing emails are so personalized and are sent in small volumes, traditional spam and reputation filters often fail to detect the malicious content within.
Business email compromise
Business email compromise, also known as CEO fraud or whaling, is part of the same threat landscape. In these attacks, the threat actors impersonate or take over an email account belonging to a high-profile executive and use it to email employees with financial authority, asking them to transfer money into bank accounts controlled by the attackers. CEOs, directors, and executive-level, payroll, or human resources staff are the institution's big fish.
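As an added example, not code from the article or from any vendor it mentions, the following Python script applies a few of the sender checks a mail gateway or SOC analyst would run against the phishing and CEO-fraud patterns described above: a display name that matches a known executive while the address does not, a Reply-To header that diverts replies to another domain, a typosquatted institution domain, and payment-urgency wording. The institution domain, executive roster, keyword list and the three sample messages are all constructed for illustration.

```python
"""Heuristic sender checks for phishing and business email compromise.

Added example for this article, not code from any product named on the page.
The institution domain, executive roster, keyword list and sample messages
are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical institution data (assumed, not from the article).
ORG_DOMAIN = "example-university.edu"
EXECUTIVES = {
    "jane doe": "jane.doe@example-university.edu",   # CFO in this scenario
    "john smith": "john.smith@example-university.edu",
}
# Words that recur in payment-diversion lures; tune these to the institution.
FINANCE_KEYWORDS = ("wire", "transfer", "invoice", "gift card", "payroll", "urgent")


def edit_distance(a, b):
    """Levenshtein distance; a small value between two domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name matches a known executive but the address is not theirs.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append(f"display-name impersonation of {from_name} via {from_addr}")

    # 2. Reply-To steers replies to a different domain than the visible From.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"reply-to domain {domain_of(reply_addr)} differs from {from_domain}")

    # 3. Sender domain is a near-miss of the institution's own domain.
    if from_domain and from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike domain {from_domain}")

    # 4. Payment-related urgency in subject or body, typical of CEO fraud.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [k for k in FINANCE_KEYWORDS if k in text]
    if hits:
        findings.append("financial lure keywords: " + ", ".join(hits))

    return findings


# Constructed sample messages (not real mail).
LEGIT = """From: Jane Doe <jane.doe@example-university.edu>
To: payroll@example-university.edu
Subject: Agenda for Thursday

Attached is the agenda for the budget review.
"""

BEC = """From: Jane Doe <jane.doe.cfo@webmail.example>
Reply-To: jane.doe.cfo@other-mail.example
To: payroll@example-university.edu
Subject: Urgent wire transfer needed today

I am in meetings all day. Please process the attached invoice by wire transfer.
"""

LOOKALIKE = """From: IT Help Desk <helpdesk@example-univeristy.edu>
To: staff@example-university.edu
Subject: Password expiry

Your password expires today. Sign in at the link below to keep access.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("bec", BEC), ("lookalike", LOOKALIKE)):
        print(label, analyze(sample) or "no findings")
```

Running the script shows the legitimate message passing and the two lures flagged. Heuristics like these complement rather than replace SPF, DKIM and DMARC: those protocols authenticate the sending domain, but they cannot tell that a free-mail account carrying an executive's display name, or a validly configured lookalike domain, is an impostor.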
Through participating and completing cybersecurity training, users can be empowered to act as both “human sensors” for spotting phishing attacks and partners in thwarting threat actors from gaining a foothold in the institution.
Vishing
Vishing is short for "voice phishing," which involves defrauding people over the phone, enticing them to divulge sensitive information.
Vishing, or voice phishing, takes place over the phone. In this form of social engineering attack, fraudsters pose as legitimate representatives of a bank or other organization to trick users into handing over confidential information. These attacks require little technical capability: social engineers rely on elaborate, well-rehearsed scripts to gain people's confidence so that they willingly disclose confidential information. Vishing in particular exploits human fear and the basic desire to help. Advanced vishing campaigns can be run entirely over voice communications by exploiting Voice over Internet Protocol (VoIP) services and automated dialing platforms. VoIP makes caller ID trivial to spoof, which takes advantage of the public's misplaced trust in the security of phone services, especially landlines.
Smishing
Smishing, or SMS phishing, is the act of committing text message fraud to try to lure victims into revealing account information or installing malware.
Smishing, or SMS phishing, is a growing form of social engineering attack that cyber criminals use to target victims on their smartphones. In smishing, fraudsters use text messages to trick users into giving out confidential information or installing malware on their phone. Fraudsters also use smishing to bypass two-factor authentication, typically by asking the victim to read back the one-time code that was just sent to them. Text messages can contain links to webpages, email addresses or phone numbers that, when tapped, open a browser window or email message or place a call. This integration of email, voice, text message, and web browser functionality on one device increases the likelihood that users will fall victim to engineered malicious activity.