
Social Engineering Attacks – Helping you from NOT being victimized (Part I)

You might have received calls many times saying, “Sir, we are calling from ‘X’ bank. This is a call to update our records in case anything has changed. Can you please verify your Date of Birth and your Birth Location?” The questions might differ, and you answer all of them. My question to you is: do you try to verify whether they are really calling from the bank, and how do you deal with such calls? You might already be a victim, because one of your enemies could have called you as an impersonator and obtained exactly the information needed to get unauthorized access to your e-mail account through “Forgot Password”, where DOB and Place of Birth are the two hurdles before the Security Question. Your enemy has now passed those 2 hurdles with ease.

In this post, I will try to educate readers on different methods of Social Engineering attacks and how you can stop yourselves from being victimized by such attacks:

  • Phishing e-mails

You might have received e-mails in the past asking you to change your password because there were suspicious logins from some IP address. Now you are tense and want to change your password immediately [especially if money transactions are tied to the account, or the e-mail account holds a lot of confidential data]. You click the hyperlink in the e-mail, it takes you to a page with the same look and feel as the genuine website, and you enter the details [let’s say the current password and a new password]. Your password is not really changed, but you have handed your current password to the attacker, and thereby you are victimized.

So, how can you stop yourself from being victimized in this case?

– Look at the URL of the landing page after you click the hyperlink from your e-mail; the link text can say anything, the address bar shows where you actually are

– No genuine service will ask for your password [so think about it: if they are asking, why are they asking? Is there any genuine reason?]

– Check the headers of the e-mail to verify whether it is a phishing e-mail or some scam

– Different e-mail providers have different ways of showing the e-mail headers; learn how your provider does it
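The two checks above (look at the real URL, look at the headers) can be automated against a raw message. The following script is an added example, not code from the original post: it parses a constructed sample e-mail, compares the From, Return-Path and Reply-To domains, lists the hosts in the Received chain, and flags hyperlinks whose visible text shows one host while the href points at another. The domains, addresses and hosts in the sample are invented for the example; the heuristics are deliberately simple prompts for a human to look closer, not proof of phishing.

```python
"""Added example: flag the phishing signs the post tells you to look for.

Heuristics only. Legitimate mail is often relayed through third parties,
so every finding is a reason to look closer, not a verdict.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (all domains/addresses are invented for this example).
PHISHING_MESSAGE = """\
From: "X Bank Security" <alerts@x-bank.example>
Return-Path: <bounce@mail-blast.example>
Reply-To: <support@x-bank-secure.example>
Received: from mail-blast.example (mail-blast.example [192.0.2.10]) by mx.recipient.example with ESMTP; Tue, 18 Jan 2011 05:43:00 +0000
Subject: Unusual sign-in detected - reset your password
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed a login from an unknown IP address.</p>
<p><a href="http://x-bank.example.login-verify.example/reset">https://www.x-bank.example/reset</a></p>
</body></html>
"""

# Constructed sample of a message that passes every check below.
CLEAN_MESSAGE = """\
From: "X Bank Security" <alerts@x-bank.example>
Return-Path: <bounce@x-bank.example>
Received: from smtp1.x-bank.example (smtp1.x-bank.example [192.0.2.20]) by mx.recipient.example with ESMTP; Tue, 18 Jan 2011 05:50:00 +0000
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.x-bank.example/login">Sign in</a> to view it.</p></body></html>
"""

_RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _domain(header_value):
    """Domain part of an address header value, lowercased ("" if absent)."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(text):
    """Hostname of a URL, or "" when the text is not a URL at all."""
    return (urlparse(text.strip()).hostname or "").lower()


def _under(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def received_hops(msg):
    """'from' host of each Received: header, newest first (origin is last)."""
    hops = []
    for value in msg.get_all("Received", []):
        match = _RECEIVED_FROM.match(str(value).strip())
        if match:
            hops.append(match.group(1).lower())
    return hops


def phishing_indicators(raw_message):
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = _domain(str(msg.get("From", "")))

    # Headers: the bounce address and reply address should belong to the sender.
    for header in ("Return-Path", "Reply-To"):
        other = _domain(str(msg.get(header, "")))
        if other and other != from_domain:
            findings.append(f"{header} domain {other!r} differs from From domain {from_domain!r}")

    # Received chain: where did the message first enter the mail system?
    hops = received_hops(msg)
    if hops and from_domain and not _under(hops[-1], from_domain):
        findings.append(f"message originated at {hops[-1]!r}, not under {from_domain!r}")

    # Links: visible text vs. real target, and look-alike hosts.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for href, text in extract_links(html):
        actual, shown = _host(href), _host(text)
        if shown and actual and shown != actual:
            findings.append(f"link text shows host {shown!r} but points at {actual!r}")
        # Crude look-alike test: sender's first label embedded in a foreign host.
        if actual and from_domain and not _under(actual, from_domain) \
                and from_domain.split(".")[0] in actual:
            findings.append(f"link host {actual!r} imitates sender domain {from_domain!r}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(PHISHING_MESSAGE):
        print("-", finding)
```

Run it on the constructed phishing sample and it reports five findings (two header mismatches, an origin host outside the sender's domain, and two link problems); the clean sample produces none. The Received check is the weakest of the three, because mailing-list and outsourced senders legitimately relay through other hosts, which is why the post's advice is to read the headers rather than to trust any single one.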

  • Seeking information

You meet a friend and he is curious to know what you are doing through your e-mails. Let’s say you use the “X” e-mail service provider. Your friend will go and look at the Forgot Password feature and what kind of security check it does. Let’s say it asks for “DOB, PIN code & Security Question”. He can get your DOB from Facebook, and your PIN code by knowing where you are staying and where you were [which place?] when you created the account, in order to know your area PIN code. So now the last hurdle is the Security Question [I see that products / applications / software need to take care while creating these security questions. Some are like “What was your first phone number?” Now, is it so difficult to recover that from a phonebook if that person is my friend? I had similarly cracked into one of my friends’ accounts where that was the security question; I just got his first phone number from the phonebook and BOOM!!!].

Now the attacker can victimize you by asking things like:

– Hey, I remember one of our friends in college had some fancy phone number. I think it was yours. What was your phone number, man? [This attack works if the security question asks for “First Phone Number”]

– This time I want to give you a cool gift; when is your birthday and how old will you be? [When “What is your DOB?” is the security question]

– Hey, I know about astrology; can you give me your complete details? [All the details, and whatever else he needs]

– And many more, depending on the context

  • Shoulder Surfing

You are typing your password and your friend or enemy is standing behind you, but you are not really conscious of how you can be victimized. Shoulder Surfing is one of the “Social Engineering” attacks that is very easy to carry out, and most of those victimized are people who do not take special care when typing their password in such a situation. Let’s say your typing speed is very slow: it is then easy to pick up the password, because you type the letters one by one with enough of an interval for the attacker to catch each one.

Want to stop being victimized in this case?

– Request the person to move away until you have typed the password [If you feel your friend or that person will feel bad, then don’t regret it after you have been victimized.]

– If it is not an emergency, refrain from logging into your account or entering any confidential data while someone is standing behind you and watching.

– Increase your typing speed [Like mine, Super Fast]

  • Dumpster Diving [define: dumpster on Google]

Attackers will find confidential information from different sources within your organization, which might include pieces of paper in your dustbin, sticky notes on your desk, etc.

How to stop being victimized by this?

– Don’t write passwords on a piece of paper [Even using your own pattern or anagram might still be crackable]

– Don’t place files containing confidential data in a shared folder, and be sure about the permissions given to files or folders

– When throwing away a paper that contains confidential data [let’s say your credit card PIN number, which came via post], make sure you use a good paper shredder or cut it yourself into very tiny pieces so that they cannot be reassembled to recover your PIN number

– Don’t send confidential notes by e-mail to the wrong recipient [If you have done so, think about how you can stop something bad from happening]

For any questions / doubts / clarifications, or just to say Thank You :) please leave a comment. Have a good time, and thanks for your time in reading this blog post. Stay tuned for Part II.

SanthoshTuppad

I have been a software tester for over 5 years. I am a hands-on tester and I've been winning bug battles & testing competitions across the world. I am a testing enthusiast who conducts free workshops on security testing across India (Covered locations: Bengaluru, Pune, Hyderabad & Chennai. Invite him to come to your location), and monthly meets for testers in Bengaluru. I am also an avid testing blogger.

My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, teams in any profession.


2 Comments

  1. Mohit Verma wrote:

    Hi Santhosh,

    Very informative and descriptive. You have reminded us that security is the individual’s responsibility.

    Thanks for guiding us.

    Regards
    Mohit

    Santhosh replied: Thanks Mohit.

    Tuesday, January 18, 2011 at 5:43 am
  2. Preeti wrote:

    Very informative. Thank u

    Monday, March 3, 2014 at 9:48 pm

One Trackback/Pingback

  1. […] This post was mentioned on Twitter by Santhosh Tuppad, Testing News. Testing News said: Social Engineering Attacks – Helping you from NOT being victimized (Part I): You might have… http://goo.gl/fb/zq6WS […]
