At least once we have surely heard of malware , Trojan horses, ransomware : all names that refer to malicious programs capable of entering and replicating themselves in our systems, exploiting incorrect computer configurations or errors in the applications we use. In recent years, however, we have increasingly refined the weapons at our disposal to protect ourselves from enemies: antivirus systems are extremely more effective, operating systems themselves receive frequent updates that correct any errors or vulnerabilities detected by developers. For this reason , hackers have found new ways to bypass us and equally gain access to private data and personal systems : one of these is Social Engineering.
Social engineering is a set of techniques that exploit interaction with users to access the systems to be attacked. In other words, it is as if a thief comes knocking on your door and you are the one to let him in.
Phishing: beware of the bait
To better understand Social Engineering and this subtle attack method, let's analyze together a case that has affected many Poste Italiane customers . The user receives an SMS which, at first glance, appears authentic. In fact, the sender is PosteInfo, like that of many SMS messages sent by the postal services group. The content, for an average user, seems almost alarming: there is a risk that we will be blocked from accessing the account and payment services. The trap is just around the corner! In fact, following the link at the bottom of the message we will be directed to a site not of the Italian Post Office but similar .
Once the requested data has been entered, we will be the ones to authorize the attackers to access sensitive information but above all to our reserves of money. This type of attack is called phishing (translated “to fish”). Just as in fishing lures are used to catch prey, so attackers use these messages (lures) to catch less attentive users .
Social engineering: pay attention to the operator
There are countless other types of attacks that, as we said at the beginning, fall under the category of social engineering. At this point it should begin to be clearer why this name is given : a relevant part of the attack is given by the social component , that is us! If you are still not convinced, let's try to analyze another pharaonic attack: this time against two Italian telephone operators .
The social attack is just the overture to a far more complex plan that exploits many vulnerabilities to inject a program capable of retrieving sensitive information ( spyware ) into the recipient's phone. The user is somehow directed to bogus sites, made to be credible (same logos, style, language, colors). Here the "let it pass" is behind "Download now": that button, in fact, downloads an application that once installed will have a lot of work to do to recover our personal information. It is clear how important prudence is when we move in the digital world but, above all, a certain amount of attention is needed to find those details that could prevent us from running into unpleasant situations.
How to defend ourselves from Social Engineering
Many will say "we are not all computer engineers": this is certainly true but the bad guys always leave some traces that can be found before falling into their tricks. For example, in the first case, a slightly more attentive eye would have noticed the sentences slightly ungrammatical and with punctuation errors (several commas are missing). A simple Google search would have given us no information regarding Decree 286/336, making it sound strange. Finally, the link shown at the end of the message is not at all among the domains of Poste Italiane (typically poste.it). But above all, they would never have asked you to enter your personal data directly on a site , without asking you to authenticate and therefore without any form of protection.
If you are unsure of what you received or you weren't expecting that "strange" communication, inquire! A simple call to the post office could have avoided worse damage, as the employee probably wouldn't have confirmed the lawfulness of the message received.
The details to check
In suspicious circumstances there are details we can check to avoid running into unpleasant situations:
- pay attention to grammar, spelling errors, punctuation (usually these are obvious errors);
- pay attention to the tone of the communication: often the attackers focus on haste and emergency . In these situations we tend to be more vulnerable as our judgment capacity is impaired by the emergency nature of the moment;
- in e-mails, pay attention to the sender (or in text messages, pay attention to the number if present): do not trust the name you see displayed but look for the real address in the details (for example, it may happen that you receive an e-mail from Amazon.it address amz0nItalya@d0minioAm0n.it, anything but reliable);
- as well as for e-mails, in messages you must be careful in following links to other destinations and, in this case, you must always check the domain (ie the part of the address before the .it, .com …), it could, in fact, not be linked to the sender;
- as a last piece of advice, be careful never to enter extremely personal data (such as credit card number, access codes to the bank via internet, passwords for restricted areas, pins, etc …) in sites of dubious origin!
Living in a connected world increases our exposure to potential bad guys from all angles. For our home life these were some ideas to raise awareness of digital. Of course, these tips are also useful in your workplace. An increasing number of companies are moving to raise awareness among their employees with ad-hoc phishing campaigns. In conclusion, let's not be fooled by false messages and watch out for… don't take the hook of Social Engineering!
Article by Nicola Fioranelli
The article Social Engineering: what it is and how to protect us from social engineering comes from Tech CuE .