Introduction to Social Engineering Attacks

Social engineering is the name given to the various forms of manipulation and techniques that cyber criminals use to gain access to confidential information. It involves luring targets into opening links to infected websites, inducing them to download malware onto their computers, or simply taking control of users’ private data by posing as a representative of a company whose services they use. These attacks on people are possible primarily because of their lack of knowledge and the evolution of technology. Hackers these days use the internet to perform such attacks on a larger scale. The worst hit are those who are not well informed about the current world scenario.

Social engineering is the art of compelling users to share their private information simply by confusing them, even when that data is held securely by the company whose products and services they use, in the cloud or in data centers. It can affect not only individual users but companies as well. For example, if an employee falls into a social engineer’s trap and provides access to company credentials, it is only a matter of time before everything can be destroyed. Social engineering attacks can be performed in person or through emails, phone calls or even social media. This article discusses the different ways in which cyber criminals gain access to your personal information using social engineering attacks.

Social Engineering Techniques

Phishing

Phishing is one of the most common ways of getting access to the confidential information of individual users and large organizations. Phishing attacks are usually performed by email: hackers send messages from cloned email addresses to the users of a particular website or organization about supposedly urgent issues that need to be addressed. Users tend to be curious, scared, anxious and worried when it comes to matters related to money. They usually give in to such emails, and this is where all the trouble begins. The links in a phishing email direct users to cloned websites that look similar to the legitimate website they use. Once users enter their login credentials, hackers get access to the original accounts and funds are lost within seconds.

Phishing can also be carried out through SMS.

Read our article on the DCX Learn platform to learn more about phishing.
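The cloned sender addresses and cloned websites described above can often be caught by comparing domains instead of trusting how a message looks. The following Python check is an added example, not code from CoinDCX; the trusted domain exchange.example and the sample message are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder for the domain of the service you really use.
TRUSTED = {"exchange.example"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return 'trusted', 'lookalike', 'idn-review' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if any(host == good or host.endswith("." + good) for good in TRUSTED):
        return "trusted"
    labels = host.split(".")
    # Punycode or non-ASCII labels can hide look-alike characters: review by hand.
    if any(l.startswith("xn--") or not l.isascii() for l in labels):
        return "idn-review"
    for good in TRUSTED:
        brand = good.split(".")[0]
        # Brand name inside an unrelated domain, or a near-miss spelling of it.
        if any(brand in l for l in labels) or edit_distance(host, good) <= 2:
            return "lookalike"
    return "unknown"

def review_email(sender, body):
    """List (kind, host, verdict) for every sender or link host that is not trusted."""
    hosts = [("sender", sender.rsplit("@", 1)[-1])]
    hosts += [("link", urlparse(u).hostname or "") for u in URL_RE.findall(body)]
    return [(k, h, classify(h)) for k, h in hosts if classify(h) != "trusted"]

# Constructed sample message, not taken from a real campaign.
SAMPLE_SENDER = "support@exchnage.example"
SAMPLE_BODY = ("Your account is locked. Verify now: "
               "https://exchange.example.login-verify.test/reset "
               "or read https://www.exchange.example/help")

if __name__ == "__main__":
    for finding in review_email(SAMPLE_SENDER, SAMPLE_BODY):
        print(finding)
```

A link whose host merely starts with the trusted name, as in the sample, is still flagged because only an exact match or a true subdomain of the trusted domain counts as legitimate.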

Virus Attacks

As mentioned earlier, people usually get confused when it comes to matters of safety and protection of funds. When users open illegitimate websites or emails, there is often a pop-up or a message suggesting that the system is infected with a virus and needs to be cleaned. Clicking on those links leads to the download of software that contains viruses. These viruses have many functions. While some copy everything that gets copied to the clipboard, others gain access to bank account details and passwords. Bank account funds vanish soon after this information reaches the hackers.

Virus attacks occur not only through unknown software that we download out of fear but also through mobile applications that steal our data once installed. A recent news article claimed that more than 50 mobile applications on the app stores were probably snooping on Bitcoin addresses and other clipboard data on our cellphones.

Sometimes getting access to others’ private information can be as easy as intentionally leaving infected hard drives and USB sticks in public places. Before long, many people have plugged these drives into their computers to check the contents, which ultimately leads to viruses attacking their systems.

Baiting

If you are given an option to get access to all the new movies that have been released this year or books by famous authors by signing up on a website for free, would you hesitate to do so?

Many people don’t. Often these websites do not offer anything in return. They might instead send links or other material by email, which might contain viruses. So why would they go to the effort of creating a website just to collect your information?

Sometimes even a little information can lead these hackers to a jackpot. Signing up on the website means providing information like name, date of birth, mobile number and email address. A hacker can then impersonate you to a legitimate company you use and gain access to your account without knowing the password, simply by contacting customer support. For example, someone with all your information might call CoinDCX’s customer support to ask for help changing the password of your account. Even when all personal information is provided and changes are made, CoinDCX bars users from withdrawing funds for the next 24 hours after the change of password. This measure has been put in place to protect our users from losing all their hard-earned money.

Recent news

Not many people understand how cryptocurrencies work, and that makes people even more vulnerable to scams. We have compiled a list of scams that everyone should be aware of to prevent the loss of funds. Some of these are fake ICOs, Ponzi schemes, fake airdrops and a lot more.

A social engineering attack on Twitter took place on 15 July, 2020. It was a well-coordinated and planned hack of various top Twitter accounts belonging to people like Elon Musk and Bill Gates, companies like Apple and Uber, and crypto exchanges like Binance and Coinbase. The hacked accounts all posted the same giveaway message, promising that people would receive double the amount of cryptocurrency they sent to a wallet address mentioned in the tweets.

This hack was possible because individual employees at Twitter had high levels of access to information and control over the platform. A tweet from the Twitter Support account even suggested that Twitter’s own employee tools contributed to the unprecedented hack, which provided the hackers with “access to internal systems and tools.”

After gaining access to the accounts, the hackers possibly changed the passwords too.

This hack also showed the dark side of such centralized platforms. Vice’s Motherboard posted an image which revealed that Twitter’s internal panel had access to user accounts, with information that included the number of strikes logged against each account, when the account was last accessed, which phone numbers were tied to it, and which email addresses were used for verification. The image below is a screenshot of the Twitter internal employee panel, which has access to the Binance account.

Source: Motherboard

Conclusion

Protection against social engineering can only start with education, so that people stop opening emails from unknown and suspicious sources and delete them from their inbox the moment they are spotted. Log-in credentials must always be kept personal and changed at regular intervals to keep accounts secure. Many online accounts these days allow for 2-factor authentication (2FA). CoinDCX has repeatedly published blog posts to encourage people to enable 2-factor authentication.

For companies that are responsible for storing the data and money of their customers, it is important to train employees to prevent fraudulent activities related to social engineering. Employees must be taught about phishing, suspicious links and attachments in emails, and software available online.

We might not be able to completely stop social engineering attacks, but what is important is that we all stay vigilant when such attacks take place. Red flags must be raised when suspicious activity is seen happening around you. This was seen during the Twitter hack that took place on 15th July, 2020, where the hackers were unable to scam people out of even 13 Bitcoins despite this being one of the largest hacks in recent times. This was because of the prompt action taken by Twitter, which removed all the tweets. People who realised it was a hack started spreading the word to prevent others from getting duped, all hacked accounts eventually got reported, and many other potential target accounts were barred from tweeting until security was back in place.