By Glen E. Clarke, Edward Tetz, Timothy Warner

You will be tested on security topics on the A+ Exams when seeking your CompTIA A+ Certification. A social engineering attack occurs when a hacker tries to obtain information or gain access to a system through social contact with a user. Typically, the hacker poses as someone else and tries to trick a user into divulging personal or corporate information that allows the hacker access to a system or network.

For example, a hacker calls your company’s phone number, listed in the phone book, and poses as a technical support person for your company. He tells the user who answers the phone that a new application has been deployed on the network, and for the application to work, the user’s password must be reset. Once the password has been reset to a value the hacker chooses, he might even “verify” the user’s other credentials as a final step. A user who has not been educated about social engineering might divulge important information without a second thought.

A social engineering attack is an attack where a hacker tries to trick a user or administrator into divulging sensitive information through social contact. After the sensitive information is obtained, the hacker can then use that information to compromise the system or network.

This example might sound unrealistic, but it happens all the time. In a small company, where everyone knows the IT staff by voice, an impersonation call like this is easier to spot. In a large corporate environment, though, a social engineering attack is very likely to succeed if the company does not educate its users. A large company usually has its IT staff or management located at the head office, while most branch employees have never spoken to IT management and would not recognize their voices. A hacker could impersonate someone from the head office, and the user at the branch office would never know the difference.

There are a number of popular social engineering attack scenarios, and network administrators are just as likely to be social engineering victims as “regular” employees, so they need to be aware as well. Here are some popular social engineering scenarios:

  • Hacker impersonates IT administrator. The hacker calls or emails an employee and pretends to be the network administrator. The hacker tricks the employee into divulging a password or even resetting the password.
  • Hacker impersonates user. The hacker calls or emails the network administrator and pretends to be a user who forgot her password, asking the administrator to reset her password for her.
  • Hacker emails program. The hacker typically emails all the users on a network, telling them about a security bug in the OS and that they need to run the update.exe file attached to the email. In this example, the update.exe file is the attack: it is malware that opens the computer up so that the hacker can access it.

Educate your users never to run a program that has been emailed to them. Most software vendors, such as Microsoft, state that they will never email a program to a person: Instead, they will email the URL to an update, but it is up to the person to go to the URL and download it.

Phishing

Phishing is a type of social engineering in which the hacker sends you an email that appears to come from a site such as your bank or an online site like eBay. The email message typically tells you that a pressing matter exists, such as a security compromise of your account, and that you need to log on to your account to verify your transactions. The email message gives you a link to navigate to the site, but instead of leading you to the real site, the link leads you to a fake site that the hacker has created. This fake site looks like the real site, but when you type in your username and password, the hacker captures that information and then uses it to access your account on the real site!

One form of phishing is known as spear phishing. Spear phishing is a phishing attack that is targeted toward a specific individual or company. While phishing is a general email sent out to anyone, spear phishing is targeting a specific person or company in hopes of tricking that person into compromising security.

It is important to educate employees about phishing attacks and to make sure they know not to click the link in the email message. Instead, they should navigate to the site manually by typing the URL into the browser themselves.

Shoulder surfing

Shoulder surfing is another type of social engineering attack where someone hangs out behind you and watches what you type on the keyboard. The person is hoping to discover sensitive information such as a password. The key to protect against shoulder surfing is to educate employees and inform them that they should never type sensitive information while someone is looking over their shoulder or at their screen.