Social engineering 2022: how dangerous is it? We can say that social engineering is living its golden days! Pandemic panic and despair, along with growing income and health concerns, have made it easier for criminals to target new victims.
Social engineering, simply put, means to “hack” the user rather than the computing system itself, attempting to extract information or induce the user to take an action that leads to its exposure. It is a method as old as lying itself, but it has a new name that fits the era of computing we live in today.
Information security professionals know that hackers’ methods are endless. Here are some of the tactics social engineering experts see on the rise in 2022.
Malicious QR (Quick Response) codes
Fraud via this method has surfaced over the past year.
QR codes are becoming an increasingly popular way for businesses to interact with consumers and deliver services in the midst of a pandemic. For example: many restaurants have abandoned printed menus, allowing their customers to scan a QR code with their smartphone.
But many websites that generate QR codes allow “third-party” vendors to use their services. This means that scammers can use a suspicious QR code to divert phones to a malicious destination (just like clicking on a suspicious link: the same concept, but in a contemporary style!).
Oz Alashe, CEO of UK-based security firm CybSafe, says he’s heard of some neighborhoods being flooded with leaflets containing fraudulent codes that read “Scan this QR code for a chance to win an Xbox”.
Hijacking (browser notifications)
Over the past few years, websites have asked their visitors to agree to “notifications” from the site. What used to be a useful way to interact with readers and keep them informed is now, of course, a social engineering tool.
The problem is that many users automatically click “Yes” to allow these notifications. Although many users have a certain level of caution about web browsers, these notifications look more like system messages from the device itself than from the browser.
Even for users who do not fall into this trap easily, hackers find ways to push their malware through notifications. These methods include disguising the consent prompt so that it appears legitimate, such as requiring a CAPTCHA before opting in, or switching the positions of the ‘accept’ and ‘decline’ buttons on alerts.
Once the scammer gets the (unlawful) consent of the user, they start to flood them with messages (usually phishing schemes, or scam notifications containing malware).
Fraud (collaboration requests)
With this social engineering approach, Alashe says, cybercriminals target people who work in collaborative fields, including designers, developers, and even security researchers. The bait: an invitation to collaborate on a new project.
Recent lockdowns and the expansion of working from home have made remote collaboration feel normal, so this trick is more convincing now.
Impersonation (supply chain partner)
George Gerchow, Chief Security Officer at Sumo Logic, says attacks that exploit parts of an organization’s supply chain are now a big problem.
“For example, there have been a large number of targeted emails that may appear to be from your trusted partners, but are actually hackers impersonating employees you may know within your network.”
He states that this happened to him personally:
I caught this scam when I noticed fraudulent gift card offers made to Sumo Logic employees, disguised as incentives or thanks from the company’s real business partners.
The headline attack (on SolarWinds) is a frightening example of this approach:
A specific variant of the Vendor Email Compromise (VEC) attack was used. The attacker compromised an email account and used it to access the accounts of targeted SolarWinds employees in technical roles.
Social engineers are now using deepfakes, stunningly realistic recordings that use artificial intelligence to simulate the appearance or voice of a particular person, to deceive victims.
One of the earliest successful examples emerged in 2019, when a fake CEO voice recording was used to instruct an employee to transfer money to an international bank account. The recording was left as a voicemail to the subordinate, who obeyed the fraudster’s instructions and presented him with $243,000 on a silver platter.
Many of us now prefer to communicate via text messages (through WhatsApp, etc.) rather than by phone. The problem is that we have become used to sharing highly sensitive information through these messages.
And as the grocery and food delivery sector has grown in the past year, so have delivery scams. Other common types include texts that promise information about COVID-19 tests and link victims to a government-like website that requests sensitive personal information (such as date of birth and Social Security number).
Experts have noticed scam text messages in which scammers impersonate the Ministry of Health and tell victims that they must take a “mandatory online COVID-19 test” via a suspicious link. Then, similar to other scams, victims are asked for their personal information and malware is often downloaded to their devices.
As with QR codes (the first method), victims simply have not developed the necessary level of awareness and caution.
Look-alike domain names
Scammers here imitate legitimate domain names to trick victims into thinking they are in a safe place.
They do this in a number of ways, including misspelling the domain name (e.g. Gooogle instead of Google) or using a different top-level domain (.uk instead of .co.uk).
Unlike the scam sites of the past, which were often easy to spot, these sites today may feature sophisticated designs and elaborate imitations of the real sites.
Hackers not only use these sites to spread malware, but also to collect credit card information or other sensitive data through fake login fields or other fake forms.
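The two tricks just described (a misspelt name such as Gooogle, and a swapped suffix such as .uk for .co.uk) can be caught mechanically by comparing a hostname against a short list of domains you trust. The example below is added here and is not code from the original article; the trusted list, the suffix table and the sample hostnames are constructed for illustration.

```python
"""Flag look-alike hostnames against a constructed allow-list of trusted domains."""
from __future__ import annotations

# Constructed allow-list of legitimate registrable domains (no scheme, no path).
TRUSTED = ["google.com", "example.co.uk", "sumologic.com"]

# Small constructed suffix table; a production check should use the Public Suffix List.
SUFFIXES = ("co.uk", "org.uk", "com", "net", "org", "uk", "de")


def split_domain(host: str) -> tuple[str, str]:
    """Return (registrable label, public suffix), e.g. 'mail.google.co.uk' -> ('google', 'co.uk')."""
    host = host.lower().rstrip(".")
    for suf in sorted(SUFFIXES, key=len, reverse=True):  # longest suffix wins: co.uk before uk
        if host.endswith("." + suf):
            return host[: -len(suf) - 1].split(".")[-1], suf
    parts = host.split(".")
    return (parts[-2], parts[-1]) if len(parts) > 1 else (host, "")


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition (googel/google)
    return d[-1][-1]


def classify(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    if host.lower().rstrip(".") in TRUSTED:
        return "trusted"
    label, suffix = split_domain(host)
    for trusted in TRUSTED:
        t_label, t_suffix = split_domain(trusted)
        if label == t_label and suffix == t_suffix:
            return "trusted"            # subdomain of a trusted registrable domain
        if label == t_label:
            return "lookalike"          # suffix swap: google.uk instead of google.co.uk / google.com
        if edit_distance(label, t_label) <= 1:
            return "lookalike"          # typo-squat: gooogle instead of google
    return "unknown"


if __name__ == "__main__":
    for sample in ["google.com", "gooogle.com", "google.uk", "example.uk", "wikipedia.org"]:
        print(f"{sample:16} -> {classify(sample)}")
```

Distance-1 matching deliberately errs on the side of flagging; a domain reported as lookalike should be reviewed by a person rather than blocked automatically.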