{"id":282744,"date":"2021-06-24T15:00:56","date_gmt":"2021-06-24T12:00:56","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/the-many-faces-of-social-engineering-cloudsavvy-it\/"},"modified":"2021-06-24T15:00:56","modified_gmt":"2021-06-24T12:00:56","slug":"the-many-faces-of-social-engineering-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/the-many-faces-of-social-engineering-cloudsavvy-it\/","title":{"rendered":"#The Many Faces of Social Engineering \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#The Many Faces of Social Engineering \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div 
id=\"article-content-area\">\n<figure style=\"width: 5000px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage wp-image-12170 size-full\" data-pagespeed-lazy-src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/f755a258.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"mystery man holding masks\" width=\"5000\" height=\"3338\" src=\"https:\/\/www.shutterstock.com\/image-photo\/mystery-man-holding-black-white-mask-691628098\" data-credittext=\"Zephyr_p\/Shutterstock.com\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/mystery-man-holding-black-white-mask-691628098\">Zephyr_p\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>Social engineers know which buttons to press to make you do what they want. Their time-honored techniques really work, so it was inevitable that cybercriminals would apply those techniques to cybercrime.<\/p>\n<h2 id=\"how-social-engineering-works\"><span class=\"ez-toc-section\" id=\"How_Social_Engineering_Works\"><\/span>How Social Engineering Works<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>From birth, we\u2019re programmed to be helpful and polite. If someone asks you a question, it takes a conscious effort not to answer it\u2014especially if it seems innocuous. This is one of the behaviors that social engineers manipulate to achieve what they want. They do it subtly and slowly, winkling information out of their victim piece by piece. 
They\u2019ll intersperse harmless questions with the ones that nudge you closer to revealing what they want to know.<\/p>\n<p>Social engineering works by manipulating people using techniques that play on basic human traits. Skilled social engineers can make you feel sympathetic to them or their\u2014fabricated\u2014situation. They can make you want to bend the rules, just this once, either because you empathize with them and want to assist or because they\u2019re a pain and you really want to get them off the phone. They can make you feel worried or panicked, hopeful or excited. They then leverage these emotional responses to make you act in haste, often to avert a supposed disaster or to take advantage of a special offer.<\/p>\n<p>Social engineering attacks can happen in a single phone call. They may play out over a period of time, as they slowly foster a false rapport. But social engineering isn\u2019t limited to the spoken word. The most common social engineering attacks are delivered by email.<\/p>\n<p>The one thing all social engineering attacks have in common is their objective. They want to get through your security measures, with you as their unwitting accomplice.<\/p>\n<h2 id=\"hacking-human-nature\"><span class=\"ez-toc-section\" id=\"Hacking_Human_Nature\"><\/span>Hacking Human Nature<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>People have been using social engineering techniques for as long as there have been con men. The \u201cSpanish Prisoner\u201d scam dates back to the 1580s. A wealthy individual receives a letter from someone claiming to represent a titled landowner who is unlawfully held captive in Spain under a false identity. His true identity cannot be revealed because doing so would place him and his beautiful daughter in even more peril.<\/p>\n<p>Their only hope of escape is to bribe their guards. 
Anyone who contributes to the bribe fund will be rewarded many times over when the captive is freed and has access to his considerable financial assets. Anyone who agrees to donate meets the middleman who collects the donation.<\/p>\n<p>The victim is soon approached again. More difficulties have arisen\u2014the captive and his daughter are to be executed, we only have two weeks!\u2014and of course more money is required. This is repeated until the victim is bled dry or refuses to hand over more money.<\/p>\n<p>Scams like these operate on different people in different ways. Some victims become ensnared because the scam appeals to their noble qualities like kindness, compassion, and a sense of justice. Others would have been incited to act by the increasing hostility between Great Britain and Spain. Others would jump at the chance to make an easy profit.<\/p>\n<p>The Spanish Prisoner scam is the Elizabethan equivalent of\u2014and direct ancestor of\u2014the \u201cNigerian Prince\u201d and other bait-and-hook scam emails that are still making cybercriminals money in 2021.<\/p>\n<p>Most people today can recognize these as scams. But most modern social engineering attacks are much more subtle. And the range of human reactions to emotive events hasn\u2019t changed. We\u2019re still programmed the same way, so we\u2019re still susceptible to these attacks.<\/p>\n<h2 id=\"types-of-attacks\"><span class=\"ez-toc-section\" id=\"Types_of_Attacks\"><\/span>Types of Attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The threat actor wants you to do something that is to their benefit. Their objective might be gathering account credentials or credit card details. They may want you to inadvertently install malware like ransomware, keyloggers, or back doors. They may even want to gain physical access to your building.<\/p>\n<p>A common trait of all social engineering attacks is that they try to generate a sense of urgency. In one way or another, a deadline is approaching. 
The subliminal message to the recipient is \u201cact now, don\u2019t stop to think.\u201d The victim is compelled not to let the disaster happen, not to miss the special offer, or not to let someone else get into trouble.<\/p>\n<h3 id=\"phishing-emails\"><span class=\"ez-toc-section\" id=\"Phishing_Emails\"><\/span>Phishing Emails<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The most common social engineering attack uses phishing emails. These appear to be from a reputable source but are actually fakes dressed up in the livery of the genuine company. Some present an opportunity such as a special offer. Others present a problem that will need addressing, such as an account lock-out issue.<\/p>\n<p>Phishing emails are very easily reskinned to match whatever is in the news.\u00a0The COVID-19 pandemic of 2020 gave cybercriminals the perfect cover to send phishing emails with new subject lines. News about the pandemic, access to test kits, and supplies of hand sanitizer were all used as hooks to snare the unwary. Phishing emails either have a link to a tainted website or an attachment that contains a malware installer.<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>Why Do They Spell Phishing With &#8216;ph?&#8217; An Unlikely Homage<\/em><\/strong><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Phone_Calls\"><\/span>Phone Calls<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Phishing emails are sent out by the millions, with a generic body text. Social engineering by phone call is usually tailored to a particular organization, so the threat actors must do reconnaissance on the company. 
They\u2019ll look at the\u00a0<em>Meet the Team<\/em>\u00a0page on the website and check the LinkedIn and Twitter profiles of the team members.<\/p>\n<p>Information such as who is out of the office on leave, attending a conference, managing a new team, or being promoted can all be dropped into telephone conversations by the threat actors so that the recipient doesn\u2019t question whether the caller really is from tech support, or from the hotel the sales team are staying in, and so on.<\/p>\n<p>Calling employees and posing as tech support is a common ploy. New employees are good targets. They\u2019re trying hard to please and don\u2019t want to get into any kind of trouble. If tech support calls them and asks if they\u2019ve tried to do something they shouldn\u2019t have\u2014trying to access privileged network shares, for example\u2014the employee can over-compensate and become too willing to be cooperative to clear their name.<\/p>\n<p>A social engineer can work that situation to their advantage, and over the course of a conversation they can tease enough information out of the employee to be able to compromise their account.<\/p>\n<p>Tech support can also be the target. Posing as a senior staff member, the attacker rings tech support and complains that they\u2019re in a hotel and can\u2019t send an important email from their corporate account. A huge deal is at stake and the clock is ticking. They say they\u2019ll\u00a0send a screenshot of the error message, using their personal email.\u00a0The support engineer wants this resolved as soon as possible. When the email arrives, they immediately open the attachment, which installs malware.<\/p>\n<p>Anybody can be the recipient of a social engineering phone call. Tech support doesn\u2019t have a monopoly. 
There are hundreds of variations the attackers can choose from.<\/p>\n<h3 id=\"entering-your-premises\"><span class=\"ez-toc-section\" id=\"Entering_Your_Premises\"><\/span>Entering Your Premises<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Threat actors will pose as almost anyone to gain access to your building. Couriers, caterers, florists, fire inspectors, elevator service engineers, and printer engineers have all been used. They may arrive unexpectedly or they may ring in advance and book an appointment. Booking an appointment helps establish that the threat actor is who they claim to be. On the day of the appointment, you\u2019re expecting a printer engineer to arrive and one arrives.<\/p>\n<p>Rather than say they\u2019re going to service the printer, they\u2019re likely to say they\u2019re updating its firmware or doing another task that doesn\u2019t require\u00a0tools or spare parts. They\u2019ll be very reassuring. All they need is a network connection or to jump onto one of your computers for a few moments. The printer won\u2019t even go offline. Once they\u2019re on your premises and on your network they can install any kind of malware. Typically it\u2019ll be a backdoor that allows them to remotely access your network.<\/p>\n<p>Another attack type requires hiding a small device somewhere. Behind the printer is a popular place. It\u2019s out of sight and there are usually spare mains and network sockets behind there. The device makes an encrypted connection called <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/428413\/what-is-reverse-ssh-tunneling-and-how-to-use-it\/\">an SSH reverse tunnel<\/a> to the threat actors\u2019 server. The threat actors now have easy access to your network whenever they want it. 
These devices can be built using a Raspberry Pi or other cheap single board computers and disguised as power supplies or similar harmless devices.<\/p>\n<p><strong>RELATED:<\/strong> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/428413\/what-is-reverse-ssh-tunneling-and-how-to-use-it\/\"><strong><em>What Is Reverse SSH Tunneling? (and How to Use It)<\/em><\/strong><\/a><\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Protecting_Against_Social_Engineering\"><\/span>Protecting Against Social Engineering<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Social engineering operates on people, so the primary defense is staff awareness training, and clear policies and procedures.\u00a0Staff must feel secure that they will not be penalized for sticking to protocol. Some cybersecurity companies offer training and role-playing sessions with their in-house social engineers. Seeing the techniques in action is a powerful way to show that no one is immune.<\/p>\n<p>Establish procedures that give staff clear guidance on what to do if they are being asked to break protocol\u2014no matter who is asking them. For example, they should never tell tech support their password.<\/p>\n<p>Regular network scans should be employed to find new devices that have been connected to the network. Anything that is unexplained needs to be identified and examined.<\/p>\n<p>Visitors should never be left unattended, and their credentials should be checked when they arrive on site.\n<\/p><\/div>\n
<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/12106\/the-many-faces-of-social-engineering\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#The Many Faces of Social Engineering \u2013 CloudSavvy IT&#8221; Zephyr_p\/Shutterstock.com Social engineers know which buttons to press to make you do what they want. Their time-honored techniques really work, so it was inevitable that cybercriminals would apply those techniques to cybercrime. How Social Engineering Works From birth, we\u2019re programmed to be helpful and polite. 
If&#8230;<\/p>\n","protected":false},"author":1,"featured_media":282745,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/f755a258.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-282744","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/282744","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=282744"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/282744\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/282745"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=282744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=282744"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=282744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}