Most organisations and people have information about themselves on the Internet. Companies advertise with it and people share tonnes of personal information with their friends and families. With this wealth of information so widely available, it is little wonder that criminals can and do use it for malicious purposes.
Malicious individuals, rival companies and even foreign intelligence agencies can use the information found online to learn more about a target. This method of collecting information is known as reconnaissance and is used for social engineering and phishing attacks.
Social media profiles in particular leave us exposed to hostile or nefarious acts as they reveal both personal and professional information that can be exploited and used to plan cyber-attacks, or in some cases physical attacks.
A hacker’s job is made a lot easier if they have certain details about a network and its users. By using reconnaissance techniques on online profiles, company websites or blogs, the hacker can learn employee job roles, contact details and addresses.
Using the information gleaned from online profiles, a cybercriminal can gain access to an organisations system or target a malware campaign at an individual. Learning a target’s email address for example would allow the hacker to launch spear phishing attacks.
Do not panic
Before you rush off to close your social media accounts in a panic; stop and think.
What is the likelihood of a hacker or spy agency monitoring you? Have you done something to warrant such attention? Do you work for a company that could be an appealing target? If not, then aside from taking common sense precautions you are likely to be safe. However, if you do fall under those categories you should consider taking extra security steps.
Thanks to better education and media attention, most people will not open a random, obviously dodgy email. As a result hackers have altered their game to make Phishing attacks more targeted, hence the name spear phishing. By using the information taken from online profiles, the hacker can tailor the malicious email to better entice the target into opening it. Once on a system, the malware contained in the email will signal to IP addresses owned by the hacker, who may then task the malware to transmit sensitive information from the network, across the Internet.
Reducing the risks
If using social media, ensure that you set the security settings correctly. Never have your profile be public and never share sensitive information in your posts. Ideally, your social media profile should be set so that only your friends and family can see your posts. Posting your phone number, your address or pictures of your workplace should be avoided at all times.
For organisations using social media for marketing purposes the marketer should avoid posting any sensitive information and should keep a close eye on the profile for any sign of hostile reconnaissance taking place.
Make sure that your username does not include any personal information. For example: Rob@Liverpool is a bad choice. You should also set up a separate email account to register and receive email from the site. That way if you want to close down your account/page, you can simply stop using that email account.
Always use strong passwords that have no relation to any of the content on your online profiles and keep an eye on what others say about you online too. A friend could post some private information that could give a hacker a way in.
As well as taking these steps you need to ensure that you have up-to-date antivirus/antispyware software installed.
Social engineering is a method used by hackers to manipulate people into giving up sensitive information. The sort of information the criminal is after are often passwords or bank details.
The experts at PGI say: "Social engineering methods are effective as they take advantage of most people’s natural inclination to trust.
It is a lot easier to trick someone into giving up their password than it is to hack it. Social Engineering is the subtle art of human manipulation in order to control and change the actions of others.
It plays on common psychological vulnerabilities to alter the outcomes in your favour.
You are vulnerable if: You are helpful, you avoid confrontation, you like something for free, you try and be efficient, and you fear repercussions from management. The best defence against social engineering attempts is education."
Basic ways to counter Social engineering
Slow down - if an email conveys a sense of urgency, or uses high-pressure sales tactics, always be sceptical.
Chances are that a criminal is trying to trick you into giving up your information. On the physical side of things always be aware of your surroundings. If you don’t recognise someone do not let them into your building, scammers often rely on people being polite (holding doors open etc…)
Research the facts - You should always be wary of unsolicited messages. If an email looks like it is from a company you use (or have used), do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number, never trust such emails until you are sure that it is the real deal.
Delete any request for financial information or passwords - Any message asking for personal details is a scam. Delete it.
Don’t let a link control where you land – When receiving an email containing links, do not click on them as they may not be legitimate.
By educating people on the threats posed by social engineering, the threat can be reduced significantly. Knowing what looks suspicious, what not to click on and keeping sensitive details secure could safe an organisation a huge amount of money in the long term.
Types of Social engineering
Pretexting – This form of social engineering sees attackers create a fabricated scenario to trick their victims into giving up personal information.
Quid pro quo - A good example of this type of social engineering is a scam where someone claiming to be from a service provider (often they claim to be from an IT service provider) calls asking for details.
The fraudsters often promise a quick fix to an issue in exchange for the victim disabling their antivirus program and for installing malware on their computers that assumes the guise of software updates.
Baiting – Criminals often take advantage of people’s inherent desire for free stuff. Baiters often offer users free music or movie downloads, if they surrender their login credentials to a certain site.
Tailgating – Social engineering also employs physical tactics as well as cyber ones. The best example is tailgating. This is where someone who lacks proper security clearance follows an employee into a restricted area.