
Information Security

Final Project

Submitted To

Ms. Mukhtiyar Bano

Submitted By

Insia Sharafat_010

Barira Akbar_021

BSE_VI_A

Session (2019 – 2023)

Date: May 13, 2022


Introduction
The term social engineering refers to a wide range of malicious activities accomplished through human interaction. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. Social engineering attacks are carried out in a series of steps. To carry out the attack, a perpetrator first investigates the intended victim to gather the necessary background information, such as possible points of entry and weak security controls. The attacker then tries to gain the victim's trust and provide a stimulus for subsequent actions that break security practice, such as revealing information or granting access to critical resources.
Social engineering is not a type of cyberattack at its core. Rather, it is about the psychology of influence. The goal is to earn the target's trust so that they lower their guard, and then to persuade them to take risky actions such as disclosing personal information, clicking on harmful web links, or opening malicious attachments.
Protecting an organization against social engineering
Although psychological attacks put even the most advanced security systems to the test, firms can reduce the risk of social manipulation by implementing awareness training. Training helps employees protect the organization against such attacks and understand why their own involvement in information security matters so much to the company.
In addition, companies should have a clear set of security policies to help employees make the right decision, especially when they are confronted with a social engineering attack. The following are examples of important processes to include:
1) Password management
Guidelines such as the minimum length and the types of characters that must appear in a password, how often a password must be changed, and the basic rule that employees must never reveal a password to anyone, regardless of that person's position, all contribute to protecting information assets. Note that current guidance (NIST SP 800-63B) favors length and screening against lists of known-breached passwords over complex composition rules and forced periodic rotation, because those older rules push users toward predictable passwords.
2) Multi-factor authentication
Multi-factor authentication should be used instead of fixed passwords for high-value remote-access services such as modem pools and VPNs, so that a password obtained through social engineering is not sufficient on its own to gain access.
3) Email security with anti-phishing defenses
Phishing and other social engineering attempts delivered by email can be mitigated by using several layers of email security. Anti-phishing features (for example, sender authentication checks and link and attachment scanning) are built into many email security products.
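The kind of checks an anti-phishing layer performs can be illustrated with a small scanner. This is an added example and not code from the original report or from any email security product; the two sample messages, the trusted domains (example-bank.com, example.com), the urgency phrases and the scoring threshold are all constructed for illustration. It flags a display name that claims a trusted brand while the address is elsewhere, a Reply-To pointing at a different domain, link text that shows one site while the href goes to another, lookalike domains, a 1x1 remote tracking image, and urgency language.

```python
"""Heuristic phishing-signal scanner over constructed sample e-mails.

Added example, not part of the original report. The messages, domains and
rules below are constructed for illustration and describe no real campaign or
product. A production gateway would combine such heuristics with
SPF/DKIM/DMARC results and URL reputation rather than rely on them alone.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Domains the (hypothetical) organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours",
                   "account will be suspended", "verify now")


class _HtmlScan(HTMLParser):
    """Collect (href, anchor text) pairs and remote <img> tags from HTML."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self._href, self._text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src", "").lower().startswith(("http://", "https://")):
            self.images.append((a["src"], a.get("width"), a.get("height")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Mailbox domain of an RFC 5322 address, lower-cased ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def _host(s):
    """Host part of a URL or bare domain found in text ('' if none)."""
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", s.lower())
    return m.group(1) if m else ""


def _same_site(h1, h2):
    return h1 == h2 or h1.endswith("." + h2) or h2.endswith("." + h1)


def _is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def _lookalike(host):
    """Trusted name buried inside another registrable domain, or a homoglyph swap."""
    if _is_trusted(host):
        return False
    deglyph = host.replace("1", "l").replace("0", "o").replace("rn", "m")
    return any(t in host or deglyph == t for t in TRUSTED_DOMAINS)


def phishing_signals(raw_message):
    """Return {signal_name: evidence} for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    signals = {}
    from_dom = _domain(msg["From"])
    display = re.sub(r"[^a-z0-9]", "", parseaddr(msg["From"] or "")[0].lower())
    reply_dom = _domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom

    if reply_dom != from_dom:                       # replies routed elsewhere
        signals["reply_to_mismatch"] = f"{from_dom} -> {reply_dom}"
    brands = [re.sub(r"[^a-z0-9]", "", t.split(".")[0]) for t in TRUSTED_DOMAINS]
    if any(b in display for b in brands) and not _is_trusted(from_dom):
        signals["display_name_spoof"] = str(msg["From"])   # brand name, foreign address

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        scan = _HtmlScan()
        scan.feed(content)
        for href, text in scan.links:
            href_host, text_host = _host(href), _host(text)
            if text_host and not _same_site(href_host, text_host):
                signals["link_text_mismatch"] = f"{text_host} -> {href_host}"
            if _lookalike(href_host):
                signals["lookalike_domain"] = href_host
        for src, w, h in scan.images:               # 1x1 remote image = open beacon
            if w in ("0", "1") and h in ("0", "1"):
                signals["tracking_pixel"] = src

    haystack = (str(msg["Subject"] or "") + " " + content).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        signals["urgency"] = hits
    return signals


def is_suspicious(raw_message, threshold=2):
    """Quarantine-worthy when at least `threshold` independent signals fire."""
    return len(phishing_signals(raw_message)) >= threshold


# Constructed sample messages (not real mail).
PHISH = """\
From: "Example Bank Security" <alerts@example-bank-secure.net>
Reply-To: support@mailer-relay.example.org
To: employee@example.com
Subject: Action required: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Please verify now.</p>
<p><a href="http://example-bank.com.login-secure.net/verify">https://example-bank.com/verify</a></p>
<img src="https://mailer-relay.example.org/open?id=8831" width="1" height="1">
</body></html>
"""

LEGIT = """\
From: "Example Bank" <statements@example-bank.com>
To: employee@example.com
Subject: Your March statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is ready. Sign in at <a href="https://www.example-bank.com/statements">www.example-bank.com</a>.</p>
<img src="https://www.example-bank.com/logo.png" width="120" height="40">
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, is_suspicious(raw), phishing_signals(raw))
```

Each signal is weak on its own (legitimate marketing mail also uses Reply-To and remote images), which is why the decision counts independent signals rather than acting on any single one; tune the threshold and the phrase list to the organisation's own mail.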
Social Engineering Attack Techniques
There are several common types of social engineering attack that a company should educate its employees about. Although technical controls such as mail filters, firewalls, and network or data monitoring tools help prevent social engineering, the best protection is a workforce that can recognize and avoid the common techniques. Here is a rundown of some of the most frequent social engineering tactics:
Baiting
Baiting attacks are carried out by attackers who leave a malware-infected device, such as a USB flash drive or CD, in a location where it is likely to be found.
The success of a baiting attack depends on the person who finds the device plugging it into their computer and unknowingly running the malware. Once installed, the malware gives the attacker a foothold from which to move further into the victim's systems.
Phishing
Phishing occurs when an attacker sends the victim a fraudulent message disguised as a legitimate one, usually claiming or appearing to come from a trusted source. A phishing attack tricks the recipient into installing malware on their device or disclosing personal, financial, or business information. Phishing most commonly uses email, but it can also use chat applications, phone calls, social media, or spoofed websites made to look authentic. Some of the most cynical phishing campaigns make charity appeals after natural disasters or tragedies, exploiting people's generosity to persuade them to donate to a cause by entering personal or financial information.
Pretexting
When an attacker fabricates a scenario in order to convince a victim to provide access to sensitive information or protected systems, this is known as pretexting. A pretexting attack might involve a fraudster claiming to need financial information in order to confirm the recipient's identity, or impersonating a trusted party, such as a member of the company's IT department, in order to trick the victim into disclosing login credentials or granting access to a computer.
Quid pro quo
When attackers request personal data from someone in exchange for something of value or some kind of reward, this is known as a quid pro quo attack. For example, an attacker may ask for login credentials in return for a free gift.
Spear phishing
Spear phishing is a highly targeted form of phishing aimed at a single individual or organization. The message uses personal details relevant to the recipient to build trust and appear more credible. This information is often collected from the victim's social media profiles or other online activity. By tailoring the lure, spear phishers have a much higher success rate at deceiving victims into granting access or exposing sensitive material such as banking data or trade secrets.
Tailgating
Tailgating is a physical social engineering technique in which an unauthorized person follows an authorized person into an otherwise secure site. Tailgating is done to obtain valuable items or confidential information. It occurs when someone asks you to hold the door open because they "forgot" their access card, or when someone borrows your computer or phone for a simple task and instead installs malware or steals data.
Social Engineering and Psychology
Exploiting human emotions is considerably easier than attacking a network or searching for software flaws. Skilled cyber criminals understand that social engineering works best when it targets human emotions and the perception of risk. The following examples show how each emotion is exploited to carry out an attack:
Greed
Imagine sending $10 to someone and watching it grow to $10,000 with no effort on your part. Cyber criminals exploit basic human feelings such as trust and greed to persuade victims that they really can get something for nothing. A well-crafted baiting email tells victims that if they provide their bank account details, the payment will be sent the same day.

Fear
We receive a message informing us that we are under investigation for financial crimes and must call immediately to avoid arrest and prosecution. This social engineering attack peaks around tax season, when people are already stressed about filing their taxes. Attackers capitalize on the tension and worry associated with tax preparation and use that dread to pressure individuals into responding to the message.
Curiosity
Attackers pay close attention to events that receive a lot of media coverage and then use human curiosity to trick social engineering targets into acting. Following the second Boeing 737 MAX 8 crash, for example, criminals sent emails with attachments that claimed to contain leaked information about the crash. Opening the attachment installed a variant of the H-Worm remote access trojan (RAT) on the victim's computer.
Helpfulness
People want to be helpful and to believe what they are told. Consider an employee who receives an email that appears to come from their boss. The email asks them to send the password for the payroll database to the boss, stressing that management needs it to make sure everyone is paid on time. The tone of the message is urgent, leading the victim to believe that by acting immediately they are helping their manager.
Urgency
We receive an email from "customer service" at a popular online shopping site informing us that they need to verify our credit card details in order to protect our account. The wording urges us to respond immediately to stop hackers from stealing our card details. Because we trust the online store, we hand over our credit card number, email address, and phone number without hesitation. A few days later, our card issuer calls to tell us the card has been compromised and used for hundreds of dollars in fraudulent transactions.

Examples of Real Social Engineering Attacks


1) $100 Million Google and Facebook Spear Phishing Scam

Evaldas Rimasauskas, a Lithuanian national, carried out one of the largest known social engineering attacks, against two of the biggest technology companies, Google and Facebook. Rimasauskas and his associates registered a fictitious company posing as a computer hardware manufacturer that actually did business with Google and Facebook, and opened bank accounts in the company's name.

The scammers then sent phishing emails with forged invoices to employees at Google and Facebook, billing them for products and services the real manufacturer had legitimately supplied, but directing payment into the fraudulent accounts. Rimasauskas and his associates defrauded the two companies of approximately $100 million between 2013 and 2015.

2) Russian hacking group targets Ukraine with spear phishing

In February 2022 Microsoft warned of a new spear phishing campaign by a Russian hacking group targeting Ukrainian government departments and NGOs, while world leaders debated how to respond to the growing tension between Ukraine and Russia.

Since October 2021, the group known as Gamaredon has reportedly been targeting "organizations critical to emergency response and ensuring the security of Ukrainian territory," according to Microsoft. Gamaredon's initial access relies on spear phishing emails carrying malware. The messages also include a remote tracking image (a "web bug") that tells the attackers when a message has been opened.

The example serves as a powerful reminder of how cybersecurity is becoming increasingly crucial in global conflicts, and of how all enterprises should strengthen their overall security and guard against social engineering attacks.
THE END
