Blog

5 social engineering schemes: be aware and beware

According to statistics, 55% of losses related to violation of information security are caused by employees...
10 July 2018
Cybersecurity testing
Article by a1qa
a1qa

Today information security is one of the greatest concerns of all developers, testers and common users. QA engineers perform testing in order to reveal security flaws and vulnerabilities. Nevertheless, even a high security system can be hacked as it is operated by a human being. For this purpose a special technique is used – social engineering. The article by Anna Andreeva, security testing engineer.

In information security and its offshoot of security testing, the term “social engineering” is used to describe the science and art of psychological manipulation. Social engineering is used to collect data, get confidential information, access systems, etc. According to statistics, 55% of losses related to violation of information security are caused by employees. This number is large enough to pay our attention to the attacks on the human factor.

The psychological manipulation has a number of peculiarities:

  • No considerable expenses
  • No special knowledge
  • Long duration
  • Difficult to monitor (no logging)

A human’s mind sometimes is much more vulnerable, that a complicated system. That is why social engineering is aimed at obtaining information with the help of a person, especially in the cases when a system can’t be accessed (e.g. a computer with vital data is disconnected from the network).

A common approach to attacks includes the following steps:

  • Gathering facts (often using social networks)
  • Developing a relationship of trust
  • Exploitation
  • Suppression of traces

The general principle of an attack is a misrepresentation. To fish for information social engineers use a variety of tactics and schemes aimed at the emotions, weakness, or other personal characteristics, such as:

  • Love
  • Empathy and compassion
  • Greed and a desire for quick results
  • The fear of the authorities
  • Inexperience
  • Laziness

The most widely used social engineering schemes

Phishing scams

Phishing scams are the most common attacks. They aim to gain access to sensitive user data – login and password. Some phishing emails are poorly crafted as their messages often contain mistakes. Nevertheless, these emails are focused on directing victims to a false website where they need to enter login credentials and other personal information.

To harm their victims, phishers make use of email addresses that they collect from open sources alongside with the names of the company’s employees. Once the email addresses are collected, hackers start to prepare emails with a malicious payload.

In the context of a cyber-attack, a payload is a component of the email that will cause harm to the victim. A malicious payload can be of two types:

  1. Link to the fake page of the company’s corporate portal that will steal passwords of all corporate network users.
  2. Malicious email attachment.

To make a fake page, the hackers will copy HTML and JavaScript of the original page and change it in a way to get passwords and login data that will be input by the users.

As for the attachments, malicious code fragments are inserted into the document code. The code is executed when the file is opened. To embed the code, standard Microsoft Office macros  – series of commands that can be run automatically to perform a task – are used. Once a malicious document is opened only one click is required for the macro code to run.

Several minutes after, the document will infect the computer and provide hackers with the access to the information required.

Baiting

This technique exploits the curiosity or greed of the potential victim. The attacker sends an email with an important anti-virus update or a free movie attached. This technique remains effective until users blindly click any hyperlink.

Besides the attachment, the attacker may use any USB or other peripheral device.

The target of the attack is the curiosity of the user who has found a flash disk in the parking area or got it was a precent at the corporate party.

Once such a device is connected, the computer will detect it as a keyboard. After that the flash disk will instruct the computer to install malicious software or steal confidential data. As for the user, it will seem to them like someone is inserting commands from the keyboard.

Here are the examples of the commands that can be performed to attack users with the help of USB devices https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads.

Quid pro quo

These attacks promise a benefit in exchange for facts. For example an attacker can call a company and under the pretext of technical support propose to install the “necessary” software. Once the victim agrees to install the software the attacker gains an access to the confidential data.

Tailgating

Tailgating (also called “piggybacking”) is a method to enter a restricted area simply walking behind a person who has legitimate access. Tailgating can’t be applied in companies where employees have to swipe a card to open the door.

It is evident that social engineering results in the number of such grave problems as financial and reputational losses and information leak. For this reason it is vital to take all the measures to resist it.

Pretexting

Pretexting attacks are used to develop a sense of trust using a made-up scenario. As a result, a person gives certain information, or performs a specific action. This type of attack is usually carried out on the phone. This technique often requires no prior research.

If you don’t want to become the next victim of social engineers remember the following rules of protection:

  • Don’t use the same password for authorization in external systems and the company’s account.
  • Do not open emails from untrusted sources.
  • Lock your computer anytime you leave your workplace.
  • Install anti-virus software.
  • Know your company’s privacy. All employees should be instructed on how to behave with visitors. If you meet a stranger wandering through the building alone, you should have the necessary instructions.
  • Disclose over the phone and in person conversation only the really necessary data.
  • All documents on the projects should be removed from the portable devices.

If you still believe that social engineering doesn’t worth attention read about Victor Lustig (the man who sold the Eiffel Tower twice) or Robin Sage (the fictional femme fatale that gained access to secret information using social networks).

More Posts

2 December 2024,
by a1qa
6 min read
Addressing 4 security issues for digital transformation programs
Find out the top 4 safety challenges of digital transformation and a QA playbook to address them and contribute to a higher level of cybersecurity.
Cybersecurity testing
black-friday
5 November 2024,
by a1qa
4 min read
Get ready for Black-Friday-to-Cyber-Monday shopping: 5 testing types to include in your QA strategy
What’s your nightmare during Black Friday and Cyber Monday shopping? If it’s a loss of sales, read about the ways to prevent this in the article.
Cybersecurity testing
Functional testing
Localization testing
Performance testing
Usability testing
QA for retail software
29 August 2024,
by a1qa
4 min read
QA to address key pain points in retail 
Explore how QA helps address the main challenges that retailers face when developing software.
Cybersecurity testing
Functional testing
Performance testing
Usability testing
QA for fintech
7 May 2024,
by a1qa
5 min read
Navigating the fintech frontier in 2024: QA’s role in delivering high-quality financial software 
Unveil the future of fintech innovations and learn to refine their quality with the help of software testing.
Blockchain app testing
Cybersecurity testing
Quality assurance
Telecom trends 2024
15 April 2024,
by a1qa
5 min read
QA’s role in adopting telecom trends for 2024 
Let’s dive into the transformative trends set to redefine the telco industry in 2024 and discover QA strategies to adopt them with precision.
Cloud-based testing
Cybersecurity testing
Functional testing
General
Migration testing
Performance testing
QA trends
Quality assurance
Test automation
On the pulse of 2024: optimizing the adoption of eHealth trends with QA
15 February 2024,
by a1qa
4 min read
On the pulse of 2024: optimizing the adoption of eHealth trends with QA
Generative AI, cybersecurity, AR/VR — come and explore how these trends are reshaping the future of healthcare and how QA helps implement them with confidence.
Cybersecurity testing
Functional testing
Performance testing
QA trends
Navigating the future: QA trends that will define 2024. Part 2
30 January 2024,
by a1qa
4 min read
Navigating the future: QA trends that will define 2024. Part 2
We continue exploring QA trends, helping businesses remain competitive in 2024.
Cloud-based testing
Cybersecurity testing
QA trends
Quality assurance
The year in valuable conversations: recapping 2023 a1qa’s roundtables for IT executives 
8 December 2023,
by a1qa
3 min read
The year in valuable conversations: recapping 2023 a1qa’s roundtables for IT executives 
From dissecting novel industry trends to navigating effective ways of enhancing software quality — let’s recall all a1qa’s roundtables. Join us!
Big data testing
Cybersecurity testing
Functional testing
General
Interviews
Performance testing
QA trends
Quality assurance
Test automation
Usability testing
Web app testing
6 top reasons why business should invest in software quality
9 November 2023,
by a1qa
4 min read
6 top reasons why business should invest in software quality
We congratulate you on the World Quality Day with the article by Alina Karachun, Account director at a1qa, having 10+ years of QA expertise. Delve into it to explore the reasons why businesses should prioritize software quality.
Cybersecurity testing
Functional testing
General
Interviews
Performance testing
Quality assurance

Get in touch

Please fill in the required field.
Email address seems invalid.
Please fill in the required field.
We use cookies on our website to improve its functionality and to enhance your user experience. We also use cookies for analytics. If you continue to browse this website, we will assume you agree that we can place cookies on your device. For more details, please read our Privacy and Cookies Policy.