Social engineering (or human hacking) is a confidence trick, designed to gather information that will allow a hacker to access a computer system in order to commit a fraud or install malicious software. It is an easier way to get information such as access to a computer than actually hacking the system.
There are many ways in which you can be conned into revealing confidential information. All of these techniques are based on 'bugs in the human hardware', i.e. cognitive biases in human decision-making or, in other words, our tendency to accept a person or scenario at face value.
Social engineering techniques
There are literally thousands of ways a hacker can socially engineer a computer user... the only limit is the hacker's imagination! Here are a few of the most prevalent of these techniques:
Email from a friend
If a malicious person manages to get someone's email password, whether by social engineering or hacking, they have access to that person's entire contact list. This enables the miscreant to send emails to everyone on that list.
In this scenario, you receive an email from a friend that contains a link or an attachment that you can download. If the email contains a link, you'll trust the link because it comes from a friend.
So you click on the link and you are infected with malware that enables the perpetrator to collect all your contacts and con them into opening a similar link. At the same time, the malware will play havoc with your machine by installing viruses, worms, key-loggers, a back door etc.
You will also trust an email that comes from a friend if it contains an attachment but, once you download it, malicious software will be embedded with much the same result as clicking on a link.
The advice is obvious... do not click links or open attachments in an email unless you are expecting to receive them. Read the message carefully. If it does not seem the sort of message your friend would write, as regards language or content, you can be sure it has been sent by a hacker.
You should call your friend to check or send the email back to your friend asking him or her whether they sent it. Also advise them not to click on the link or open the attachment if it is not their email.
There are several other types of malicious email you can receive from a friend's email address.
A fairly common one is an urgent appeal for help. The email from your friend says that he or she is stuck in a foreign country having been robbed and cannot get home without a quick loan. The email will include details of how to send the money, usually a 'care of' (c/o) address.
The obvious way to treat this kind of email is either to delete it (if it looks false) or to reply to the sender seeking confirmation by asking a question to which only your friend could know the answer.
Another common malicious email is an appeal for a donation to a charity, with instructions as to how the money can be sent. Again, seek clarification from your friend.
Phishing
Phishing is a fraudulent technique for obtaining sensitive information such as access codes, bank account numbers, and PINs. A phisher obtains a list of email addresses from somewhere and sends the entire list emails that appear to come from a legitimate bank, credit card company or other financial institution. These emails can take several forms.
The most common is an email asking you to click on a link in order to confirm or verify certain information (such as your bank or credit card account number and PIN) and threatening dire consequences (such as a suspension of your account) if the information is not provided within a very short time frame. The purpose of the threat is to get you to act before you have time to think.
The website to which you will be taken when you click on the link will look very genuine, an exact replica of the legitimate website, with all the right logos and content. It may even have a warning about phishing!
Copying the exact format and content of a web page is easy because the source code for any page on the internet can be found in your browser. For example, if you are using Firefox, click on Tools > Web Developer > Page Source or just press Control+U and you'll see the source code for the page you are on. In fact, the source code has to be accessible to your browser to enable it to present the page on your screen.
Of course, if you click on the link and provide your account number and PIN, you can be absolutely sure that your account will be cleaned out in a very short time indeed. This sort of scam relies on fear, the fear of being cut off and denied access to your account.
Another common type of phishing email is one notifying you that you are a 'winner'... because your email address won a special internet lottery or you were the millionth person to click on the site or some similar pretext. However, in order to claim your prize you will have to prove who you are by sending in your full name, address, telephone and social services or social security number, which naturally allows your identity to be stolen.
These kinds of emails succeed due to greed... people want what is offered and give away their information even if the pretext isn't really believable.
Other phishing emails include messages asking for support. These phishes ask for a donation towards whatever natural disaster, charity or political campaign is currently in the news. You can make a donation by clicking the link to the website and there filling in your credit card number and the amount you wish to donate.
However, as soon as you click OK or Submit, your money goes straight to the rogue's bank account. This kind of con preys on your natural charitable instincts.
Baiting
Baiting is another form of social engineering based on the observation that, if you dangle something people want, many will take the bait. The bait can be on the internet or it can be physical bait.
Internet baiting schemes are most often found on sites offering a movie or music file for download. They are also found on social networking sites and on websites you find using search engines. The schemes also show up on auction sites and as amazingly great deals on classified-ad sites.
In physical baiting schemes, a CD or USB flash drive is left in a place where it is bound to be found, such as a bathroom, elevator or table. If it's a disc, it may have a corporate logo and a title suggesting that it contains financial or other confidential information... all designed to pique your curiosity and/or greed, so that you insert it into your computer where the "auto-run" program will take over.
Either way, whether you take the bait on the internet or by inserting a strange disc or flash drive into your machine, you will end up being infected with malicious software that can generate any number of exploits against you and your contacts.
Answers to unasked requests
A favourite trick for a hacker is to choose a company, such as a well-known software company or a bank used by hundreds of thousands of people, and send emails to millions of people knowing that some of these people will be customers.
The email will state that the company is responding to your 'question or request for assistance'. Of course if you don't have a question or don't need help, you will ignore the email. But some recipients will respond because they do have a question or problem. If you are one of them, you will be happy to respond.
But, of course, the hacker will ask you to authenticate yourself by logging in to their system, or to give them remote access to your computer so they can fix the problem or tell you the commands to use so you can fix it yourself. Rest assured, if you follow their instructions, you'll end up with a back-door in your system through which the hacker can enter later at his leisure and do what he likes.
Telephone scam
Have you ever received a phone call from the 'Microsoft Technical Centre' telling you that your computer is running slowly because of certain problems? It seems that the sole purpose in life of this seemingly charitable organisation is to help people improve the performance of their computers... all without charge.
Having introduced himself and MS Technical Centre, the helpful technician will ask you if you have problems. If you say 'yes', he will ask you to type a few simple commands into your computer. If you say 'no', he will also ask you to type a few simple commands into your computer so that you can see for yourself the problems you have. Either way, the commands you type will create a back-door the hacker can use later. Social engineering at its most productive!
How can you protect yourself?
There are many ways you can protect yourself from social engineering. The overriding principle, as always on the internet, is CAUTION.
[1] Think carefully... social engineers want you to act first and think later, so never let their urgency prevent you from making a careful review before you take some action, such as clicking on a link or releasing information.
[2] Be suspicious of unsolicited emails... if it's from a company, search for them on the internet or use a phone directory to see if it, its website or phone number is genuine.
[3] Don't send personal information... just delete emails that ask you to confirm personal data. No reputable bank or other financial institution will ever send you an email asking you to confirm your banking details.
[4] Check website addresses... if you receive an email asking you to click on a link, check the website by using a search engine to find the company's website and then compare the website address with the address to which the link will send you. Hovering your mouse over a link will show the actual address (aka URL).
[5] Stifle your curiosity... if you are not sure, don't click a link... not before you have first checked with the sender and confirmed its authenticity.
[6] Stifle your greed... be very cautious when going for the freebies and rock-bottom bargains. Why should anyone spend time and money creating something valuable only to give it away free of charge?
[7] Never use phone numbers in an email... until you have compared them with the phone numbers found in a phone book.
[8] Don't download... unless you know someone personally AND you expect a file from them.
[9] Set your spam filters to 'high'... you'll find the spam filters in your email program under the 'Settings' option.
[10] Secure your computer... by installing anti-virus software, firewalls, email filters etc, and keep them up-to-date.
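As an added example (not part of the original article), here is a small Python script that mechanises tip [4] and the time-pressure point made in the Phishing section: it pulls every link out of an HTML email body, compares the domain shown in the link text with the domain the href actually points to, flags links that lead away from the domain you trust, and lists any urgency phrases present in the message. The email body, the bank domain and the phrase list are all constructed for the demonstration; the "registrable domain" check is a deliberately naive last-two-labels approximation rather than a Public Suffix List lookup, which real tooling should use.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML email body (not a real message).
# The visible link text shows the real bank, but the href goes elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account will be suspended within 24 hours unless you
verify your details.</p>
<p><a href="http://login.examplebank.com.verify-now.example/">https://www.examplebank.com/login</a></p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help page</a>.</p>
"""

# Constructed list of pressure phrases; a real filter would use a larger set.
URGENCY_PHRASES = ("suspended", "within 24 hours", "verify your",
                   "confirm your", "immediately")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._current_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href")
            self._current_text = []

    def handle_data(self, data):
        # Only capture text while inside an <a href=...> element.
        if self._current_href is not None:
            self._current_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append((self._current_href,
                               "".join(self._current_text).strip()))
            self._current_href = None


def host_of(text):
    """Hostname of a URL or bare domain string, or '' if it has none."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def registrable_domain(hostname):
    """Naive approximation: the last two labels of the hostname.
    Fine for examplebank.com; real code should consult the Public Suffix List."""
    if not hostname:
        return ""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_links(html, trusted_domain):
    """Return (kind, href, text) findings for every suspicious link.

    'display-mismatch': the link text looks like a URL for one domain but the
                        href points at another (what hovering would reveal).
    'untrusted-domain': the href leads outside trusted_domain.
    """
    findings = []
    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        href_dom = registrable_domain(host_of(href))
        looks_like_url = "." in text and " " not in text
        text_dom = registrable_domain(host_of(text)) if looks_like_url else ""
        if text_dom and text_dom != href_dom:
            findings.append(("display-mismatch", href, text))
        elif href_dom != trusted_domain.lower():
            findings.append(("untrusted-domain", href, text))
    return findings


def urgency_hits(html):
    """List the pressure phrases found in the message, in list order."""
    lower = html.lower()
    return [phrase for phrase in URGENCY_PHRASES if phrase in lower]


if __name__ == "__main__":
    for kind, href, text in check_links(SAMPLE_EMAIL_HTML, "examplebank.com"):
        print(f"{kind}: text={text!r} -> href={href!r}")
    print("urgency phrases:", urgency_hits(SAMPLE_EMAIL_HTML))
```

Run against the constructed sample, the first link is reported as a display mismatch (text says examplebank.com, href resolves to verify-now.example) while the genuine help link passes, and three pressure phrases are listed. The same two checks are what a careful reader does by hand: hover to read the real URL, and notice when a message is rushing you.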
Paul Kennedy is the marketing manager of Jupiter Support (Ireland). He can be contacted by email to paul@jupitersupport.ie. You can also go to jupitersupport.ie where you can use chat or Skype to talk with a technician free of charge. Alternatively you can call 0766803006 to speak to a technician and get free advice. Jupiter Support only charges a fixed fee of €19.99 to rid your computer of any and all viruses on a no-fix/no-fee basis.
Article Source: http://EzineArticles.com/?expert=Paul_D_Kennedy
Article Source: http://EzineArticles.com/8096518