top of page

Information Security series─Social Engineering

What is Social Engineering?

Social engineering is simply fraud, where hackers exploit human weaknesses to achieve their goals. Social engineering often arouses target interest through recent hot topics, whether it is politics, sports, entertainment, celebrity gossip and other events, and even financial management, investment and online shopping, etc., may all be themes used by hackers. Using the target's fear, greed, curiosity, etc., to induce users to click on relevant content, so as to steal the user's account, password, or spread malicious programs. In order to expand the results of the attack, the hackers will use the accounts obtained by the attack to attack their friends, bosses, colleagues and other targets again. Through their familiar relationships, it is easier for the victim to obtain the relevant content, and this step will be repeated to achieve the ultimate goal. the goal of.

What are the common methods?

Nowadays, the technology of network protection equipment is changing with each passing day, and the protection power is also increasing year by year. In order to break through the defense equipment, social engineering is often the easiest attack method to use human nature to break through the protection of the equipment. Before hackers launch hacking operations, they will conduct in-depth investigations on the target, understand their relevant information, and conduct a series of targeted social engineering attacks. The media used are quite diverse and the methods are very extensive. The purpose is to induce users to click on relevant URLs or open files to achieve the purpose of attack. Here are some common methods of social engineering: 1. Social engineering emails: Compiling email content that the target is interested in based on the target's recent shopping, frequently concerned topics, business cooperation cases, etc. When the account is reported or stolen (as shown in the figure below), the user is tricked to operate the computer according to the hacker's instructions, such as clicking on links, installing programs, etc., in order to gain control of the target account. Social engineering emails may also contain malicious attachments. Some malicious programs will disguise themselves as office files, pdf files or image files, and let users click on the file with content that the target is interested in, such as current affairs issues, business contracts, or pornographic images., infecting the computer with malicious programs.

2. Using phishing webpages to deceive private information: Phishing webpages are often paired with the above social engineering emails. With fake URLs that are very close to the correct URLs and almost exactly the same as normal websites, users are asked to enter personal information and account passwords. Privacy information leaked. The URL of the phishing page may be faked by using similar characters, such as changing the number 0 to the English O, or changing the English lowercase l to the number 1, so as to confuse the target judgment, such as faceb00k, g00g1e, etc. Another type of fake URL is to add strings such as gov or edu to the URL, so that the target is misidentified as a government or education website. This is a fake Ministry of Health and Welfare website.

3. Pop-up advertisements: When browsing the web, use pop-up pages to pop up advertisements such as "Your computer/mobile phone is poisoned", "Congratulations on getting an iPhone", and sometimes even make the phone vibrate continuously, or make the target unable to Go back to the previous page to increase the tension of the target, so that you can install malicious patches or fill in the winner information to steal the user's personal information.

The above is just a simple list of common methods. In actual targeted attacks, hackers will use more targeted content and methods. Recently, some Youtuber's Youtube channels with hundreds of thousands of fans have been hacked one after another, and their channel names have been modified to live stream fraud. content. The method is to send fake business cooperation invitations through social engineering emails, inviting the other party to try software and games. Once the channel owner installs the software and games, the computer will be implanted with a Trojan virus and steal the Google login credentials in the device. to bypass Google's secondary verification. After gaining control of the account, the hacker will completely change the password, bound mobile phone number and backup mailbox, making it impossible for the original account owner to restore the account and causing huge losses to the channel.

New Countermeasures for ISO27001:2022 For social engineering, the old version of ISO27001:2013 requires organizations to properly control network services and network access policies through A.13 communication security; Security protection (Web filtering)”, which specifically requires managing access to external websites to reduce exposure to malicious content. Specifically, it is recommended to block websites with information uploading functions, block known or suspected malicious websites, and prohibit access. Servers with command-and-control capabilities, websites that share illegal information are strictly prohibited, etc. If these requirements can be implemented, the aforementioned social engineering methods such as using phishing webpages to deceive private information and pop-up advertisements should be effectively restrained.

The establishment of information security awareness is still the top priority Finally, a reminder that in hacking operations, hackers will do everything they can to get through the negligence of employees, bypass defense equipment, and infiltrate the interior of the enterprise. The information security protection energy of an enterprise is like a wooden barrel. The amount of water that a wooden barrel can hold does not depend on the length of the longest wooden board but depends on how short the shortest wooden board is, and how strong the protection capability of information security equipment is, as long as there is one. Employees who lack information security awareness can make other protections fall short. To prevent social engineering, the most important thing is to develop a good awareness of information security:

1. Do not click on unknown links casually. Even if it is a link shared by an acquaintance, double-check whether it is the correct URL.

2. Whenever you enter the account password, you must double-check whether the URL is correct.

3. Do not execute applications from unknown sources. Before installing and executing, you must double check whether the files are trustworthy.

4. The downloaded files need to be scanned by anti-virus software before opening.

5. There is no free lunch in the world. Don't lose your judgment because of the small profit in front of you.

-ASF Lead Auditor Dan Lin


bottom of page