Social Engineering attacks refers to psychological manipulation of people into making security mistakes or giving away sensitive information. Most common social engineering attacks used to target users are
These attacks are the most common type of attacks leveraging social engineering techniques. Attackers use social media, emails, instant messaging and SMS to trick victims into providing sensitive information or visiting malicious URL in the attempt to compromise their systems.
Common Characteristics In Phishing Attacks :
- Phishing messages aims to gather user’s information presents a sense of urgency in the attempt to trick the victim into disclosing sensitive data to resolve a situation
- Attackers leverage embedded links or shortened URL to redirect victims to a malicious domain that could host exploit codes, or that could be a clone of legitimate websites with URLs that appear legitimate
This kind of phishing attacks are targeted towards Executive level Management (CXOs) to get access to get high valuable information (Sensitive Information). These attacks are difficult to detect than typical phishing attacks because these are targeted to High level professionals (Executives of companies).
Example: Social Media app, Snap chat was one of the victim of this Whaling attack, when high-ranking employee got a mail from cyber criminal impersonating the CEO.
The attacker guesses or observes which websites the group (organization, industry, or region) often uses and infects one or more of them with malware. Hackers observes which websites these groups often use and infects them with malware. Attackers look for specific information may attack users from a specific IP address.
Recent Watering Hole Attack: Country-level watering hole attack in China by the group Lucky Mouse, also known as Iron Tiger.
The biggest hacking threat is Social Engineering. With password cracking being a potentially hard and slow task, prone to leaving digital footprints in its rise, easily compromised corporate accounts are highly desirable. With many employees continues to reuse passwords between accounts, both at office and at home, social engineering attacks which are designed to persuade users to voluntarily give up their credentials on social media sites and other sites can often prove to a good strategy.