Friday, 27 January 2017

How to handle Social Engineering and Phishing attacks


Social engineering is a form of manipulation through which an unauthorised person tries to gain access to information or an IT system under false pretences. So what does a social engineer do? They hack the humans.

Social Engineering Resource
Social engineering occurs primarily over the phone but may also happen online via social networks such as Facebook and LinkedIn, in writing, or face to face on business trips or in meetings, in public places, at home or at other external locations.

As an impersonal alternative to social engineering, "phishing" has increased in recent years. Fraudsters usually prey on those who hold valuable or confidential information and sensitive data, in the hope of selling it profitably to a competitor.

So what are the main objectives of social engineering?
- Financial benefits
- Development and optimisation of a competing product or service
- Poaching of customers or suppliers
- Acts of revenge

Social engineering is not an IT phenomenon. There is no technical solution to social engineering in the way anti-virus software is a solution to malware. It is rather a social phenomenon, and only one defence strategy works: us human beings, prepared through social awareness training.

How to recognise a social engineering attack?
All involved communication channels should be consistent. If there is a gap, a so-called incompatibility, you should doubt the stranger's stated reasons. Communicative incompatibility always manifests itself as a vague unease or gut feeling, which is your intuition or sixth sense.

See whether all the communication channels are compatible with each other. These channels include verbal communication (the spoken words) and non-verbal communication such as body language, speech behaviour and voice pitch. Clues to a social engineering attempt are always present but not easy to identify. You need to use your sixth sense to find those clues.

Phishing
Phishing is based on social engineering and is often distributed through email. The best way to mitigate the risk of phishing is to educate users to be cautious with suspicious Internet communications and not to trust them until they are verified. Users require adequate training to recognise suspicious web pages and emails.

In 2016 every tenth email worldwide was designed as a banking email, which shows that banks were the favourite targets of phishing emails worldwide. Every fourth phishing email was sent to a financial institution. In the US and UK alone, spear phishing caused an average cost of $1.6 million per incident in 2016.

Through phishing, fraudsters try to obtain information and data via deceptively tempting emails with forged senders. Phishing is not limited to email: social networks are also used to send phishing messages.

Spear phishing is a special form in which the attacker targets specific individuals or companies using personal information such as their address or the internet services they use. This requires more preparation time from the social engineer than a generic phishing mail, but the success rate is higher.

What to do when you suspect a phishing attack?
- Do not open attachments from phishing emails
- Never click on links
- Do not reveal confidential information such as user IDs and passwords

Providing security awareness training is the best method to mitigate the risk of disclosing confidential information on social networking sites. It is important to remember that users may access these services through other means such as mobile phones and home computers; therefore, awareness training is most critical.

Reputable companies such as banks and telecommunication organisations do not normally ask for confidential data via email.

Check the email address and the domain name in the email. Look for spelling mistakes in the domain name, for example john.adam@bonkofjapan.com. Did you notice that I changed the domain name to bonkofjapan.com (an 'o' instead of an 'a' in 'bank')? The same applies to bankofjapan.org if that is not a valid domain name of the Bank of Japan. This is a simple method of spoofing the sender, known as a fake domain name or fake URL.

Another phishing technique is to set a display name (first name and last name) on an email address that is actually hosted on a different domain.
These phishing emails try to create a sense of urgency with a deadline or a threat (such as fines) so that you are tempted to act immediately and fall into the trap.
Another example: when you click on the link, the look and feel of the web page is the same, but there is a minor change in the spelling of the domain name to deceive you, for example http://bonkofjapan.com (note the spelling: 'bonk' instead of 'bank').

Phishing emails usually try to tempt the victim into clicking malicious links within the email. Various methods are used:
- Hyperlink masquerading (the visible link text differs from the actual link target)
- Fake URLs
- Open redirects that automatically forward the user to a third-party website
- URL shorteners (for example https://goo.gl/, used to redirect you to a fake website)
- File hosting services (pretending that a file is too big for an email attachment and therefore linking to a file hosting service such as Dropbox or iCloud)
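As an added example (not part of the original post), the following Python script checks a constructed message for the indicators described above: a lookalike sender domain, a link whose visible text disagrees with its href, a URL shortener, and a redirect parameter. The trusted-domain allow-list, the shortener list beyond goo.gl, and the sample message are assumptions.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed sample (not a real message): lookalike sender, masqueraded link, shortener, redirect.
SAMPLE = """From: "John Adam" <john.adam@bonkofjapan.com>
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Dear customer, please <a href="http://bonkofjapan.com/login">https://www.bankofjapan.com/login</a></p>
<p><a href="https://goo.gl/abc123">Download your statement</a></p>
<p><a href="https://partner.example/go?url=http://bonkofjapan.com/x">Read more</a></p>
"""

TRUSTED_DOMAINS = {"bankofjapan.com"}       # assumed allow-list of the organisation's real domains
SHORTENERS = {"goo.gl", "bit.ly", "t.co"}    # goo.gl is named in the post; the others are assumptions
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)  # enough for this sample

def domain_of(value):
    """Host of a URL, or the domain of a mailbox address; lower-cased with a leading 'www.' removed."""
    host = (urlparse(value).hostname or "" if "://" in value else value.rsplit("@", 1)[-1]).lower()
    return host[4:] if host.startswith("www.") else host

def is_lookalike(domain):
    """True for a domain that closely resembles a trusted one without being it (bonk vs bank)."""
    return domain not in TRUSTED_DOMAINS and any(
        difflib.SequenceMatcher(None, domain, t).ratio() >= 0.85 for t in TRUSTED_DOMAINS)

def analyse(raw_message):
    """Return human-readable findings for the phishing indicators the post describes."""
    msg = message_from_string(raw_message)
    findings = []
    _display_name, addr = parseaddr(msg["From"])
    if is_lookalike(domain_of(addr)):
        findings.append(f"lookalike sender domain: {domain_of(addr)}")
    for href, text in ANCHOR.findall(msg.get_payload()):
        host, shown = domain_of(href), text.strip()
        if "://" in shown and domain_of(shown) != host:          # hyperlink masquerading
            findings.append(f"masqueraded link: shows {domain_of(shown)}, goes to {host}")
        if host in SHORTENERS:                                   # destination hidden behind a shortener
            findings.append(f"shortened URL hides destination: {href}")
        if is_lookalike(host):                                   # fake domain name in the link itself
            findings.append(f"lookalike link domain: {host}")
        for value in sum(parse_qs(urlparse(href).query).values(), []):
            if "://" in value:                                   # open-redirect style parameter
                findings.append(f"redirect parameter on {host} -> {domain_of(value)}")
    return findings
```

Running analyse(SAMPLE) reports five findings for the constructed message; an email gateway rule or a user-facing warning can be built on the same checks.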

Social Engineering Phishing