"Social
engineering can also be used to launch other types of attacks as well. Some are
web-based, others are more low-tech, but they are still quite effective because
they take advantage of human nature.
Drive-by attacks exploit
vulnerabilities in web browsers or plug-ins. Often they use a popular topic,
such as celebrity gossip, and optimize a malicious website to rank highly in
search engines for that news. When the user finds the site and clicks on it,
their machine gets compromised. This is an untargeted attack, but when it
compromises employees, it can still put company data at risk.
USB drives can be used by attackers to gain access into a
network. The same file format exploit or executable exploit that is put into an
email by an attacker can also be put on a USB thumb drive or a CD-ROM. A tactic
would be to give the file an enticing name, such as “management salaries” or
“layoff list” and then perhaps attach the USB drive to a couple of keys and
drop it in the parking lot outside the company that the attackers want to
intrude. Then, if an employee walks by and sees it, they would naturally pick
this up. People want to be good citizens, return the key and the USB drive. To
find the owner’s identity, they may plug the USB drive into their computer.
When they see the enticing content, they double click on it, infecting their
machine and opening up the corporate network to attackers.
Physical or in-person
attacks rely on someone
walking into a building, under a false pretense such as a package delivery, to
get access to the building. They can also use a “tailgating” strategy to follow
an authorized person into an off-limits area. Once they have physical access,
they can plug a little device into the network to compromise it by phoning home
to an attacker’s server.
Phone calls are
another way that an attacker may trick users into handing over their
credentials. They may use a ruse such as: “I’m Bob from the IT department; I’m
seeing on our systems that your computer has been a little slow lately. Do you
have time to sort that out right now?” They then walk you through a few steps,
maybe they’ll send you to a malicious website, or maybe they will ask you to
give them your credentials. Since the user believes it’s a helpful person from
the IT department, many fall for this scam.
QR codes,
the square 2D barcodes, are being used in marketing campaigns and could also be
used as an attack vector as well. When scanned with a smartphone, the QR code
sends the user to a website which could be malicious.
Social media, including Facebook, LinkedIn, Twitter and other social
media sites, can be used to send posts, updates, tweets or direct messages with
URLs. When the link is clicked on, again victims are sent to malicious sites
and their computers are compromised. With Facebook, users’ accounts can be attacked
and then configured to send messages to their friends, which may entice people
to click on something they normally wouldn’t.
Typical Steps of a Phishing Attack
In
most phishing attacks, the user opens an email, and then clicks on a link in
that email. This results in the user’s browser getting exploited. Maybe there
is also a form on the web page that captures the user’s credentials as they are
typed in. Alternately, the user could open an email attachment and their
machine gets compromised that way."
By Rapid7
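Most of the vectors described above (drive-by sites reached through search results, links in social-media posts and direct messages, QR-code destinations, and the link in a phishing email) hinge on a user following a URL to a site the attacker controls. As an added example, not part of the Rapid7 text or of this post, here is a small Python screen that a mail or chat gateway could run over message text to flag URLs showing common phishing-lure indicators before anyone clicks. The trusted-domain allow-list, the shortener list, the sample message and the thresholds are constructed assumptions for the demonstration, not values from the page.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of the organisation's own domains (assumption for the demo).
TRUSTED_DOMAINS = {"example.com"}
# Constructed list of URL shorteners that hide the real destination from the user.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host):
    """Last two labels of a hostname (good enough for this demo; no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_of(host, trusted):
    """Return the trusted domain whose brand name appears inside a host that is NOT
    actually under it, e.g. example.com.login-verify.test mimics example.com."""
    for domain in trusted:
        brand = domain.split(".")[0]
        under_trusted = host == domain or host.endswith("." + domain)
        if brand in host and not under_trusted:
            return domain
    return None


def screen_url(url):
    """Return human-readable reasons a URL looks like a phishing lure (empty list = no flags)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        reasons.append("not https")
    if parsed.username is not None:
        # http://trusted.com@evil.test/ displays a trusted name but connects to evil.test
        reasons.append("credentials in URL")
    if IPV4_RE.match(host):
        reasons.append("raw IP host")
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("IDN/punycode host")
    if registrable_domain(host) in SHORTENERS:
        reasons.append("link shortener")
    if host.count(".") >= 4:
        reasons.append("deep subdomain")
    mimicked = lookalike_of(host, TRUSTED_DOMAINS)
    if mimicked:
        reasons.append(f"lookalike of {mimicked}")
    return reasons


def screen_message(text):
    """Map every URL found in free text to its list of reasons (insertion order kept)."""
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(text)]
    return {u: screen_url(u) for u in urls}


def flagged_urls(text):
    """URLs from the message that raised at least one flag, in order of appearance."""
    return [u for u, reasons in screen_message(text).items() if reasons]


# Constructed sample message in the style of the "Bob from IT" ruse, delivered as email.
SAMPLE_MESSAGE = """\
Hi, this is Bob from IT. Your machine has been slow, so please re-verify your
account at https://example.com.login-verify.test/auth today.
Patch download: http://198.51.100.7/update (or the short link https://bit.ly/3xyzABC).
Intranet portal: https://example.com/portal
"""

if __name__ == "__main__":
    for url, reasons in screen_message(SAMPLE_MESSAGE).items():
        print(f"{'FLAG' if reasons else 'ok  '} {url}  {', '.join(reasons)}")
```

The checks are deliberately cheap heuristics a gateway can apply inline; they complement, rather than replace, reputation lookups and user awareness, and the lookalike test only catches hosts that embed a trusted brand name verbatim.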