IL-midterm - en Sreynich - G3

Mid-term

Assignment
Taught by: Mr. Van Khema
TA: Mrs. Say Sophea
Created by: Mrs. En Sreynich
IDTB100147
Group: 03

Topic: "Design and simulate a social engineering attack scenario using two techniques like phishing and pretexting".

In today's digital landscape, technology is integral to our daily lives.
With increasing reliance on technology, safeguarding our information has
become paramount. Among the myriad threats to cybersecurity, social
engineering attacks are particularly pernicious because they exploit human
behavior rather than technical vulnerabilities. This essay explores a
detailed scenario involving a social engineering attack that employs two
sophisticated techniques: phishing and pretexting.

Social engineering exploits human psychology to gain unauthorized access
to information, systems, or physical locations. Attackers manipulate
individuals into breaching standard security protocols. Unlike traditional
cyber-attacks that rely on exploiting software or hardware weaknesses,
social engineering targets the weakest link in the security chain: humans.
Phishing and pretexting are two prevalent social engineering techniques.
Phishing involves tricking individuals into divulging sensitive information
through deceptive emails or messages. Pretexting, on the other hand,
involves fabricating a plausible scenario to obtain information or prompt
actions.

Phishing is a predominant threat among cybercriminals and highly
effective. According to IBM's Cost of a Data Breach report, phishing is the
most common data breach vector, accounting for 16% of all breaches.
Breaches caused by phishing cost organizations an average of USD 4.76
million, which is higher than the overall average breach cost of USD 4.45
million. Phishing is a significant threat because it exploits people rather
than technological vulnerabilities. Attackers don't need to breach systems
directly or outsmart cybersecurity tools. They can trick people who have
authorized access to their target—be it money, sensitive information, or
something else—into doing their dirty work.

Phishing is a major threat because it targets people instead of exploiting
flaws in technology. Attackers don't have to hack into systems or bypass
security measures directly. Instead, they deceive individuals who already
have access to the desired resources, like money or sensitive information,
and manipulate them into unwittingly carrying out the attacker's objectives.
Phishers can be lone scammers or part of organized criminal syndicates.
They can use phishing for many malicious ends, including identity theft,
credit card fraud, monetary theft, extortion, account takeovers, espionage,
and more. Phishing targets range from everyday people to major
corporations and government agencies.

In one of the most well-known phishing attacks, Russian hackers used a
fake password-reset email to steal thousands of emails from Hillary
Clinton's 2016 US presidential campaign. The word "phishing" plays on the
fact that scammers use attractive "lures" to trick their victims, much the
same way that fishers use bait to hook actual fish. In phishing, lures are
fraudulent messages that appear credible and evoke strong emotions like
fear, greed, and curiosity. The kinds of lures phishing scammers use
depend on whom and what they are after. Some common examples of
phishing attacks include bulk email phishing, spear phishing, and Business
Email Compromise (BEC).

In bulk email phishing, scammers indiscriminately send spam emails to as
many people as possible, hoping that a fraction of the targets fall for the
attack. Scammers often create emails that appear to come from large,
legitimate businesses, such as banks, online retailers, or the makers of
popular apps. By impersonating well-known brands, scammers increase
the chances that their targets are customers of those brands. If a target
regularly interacts with a brand, they are more likely to open a phishing
email that purports to come from that brand.

Cybercriminals go to great lengths to make phishing emails appear
genuine. They might use the impersonated sender's logo and branding.
They might spoof email addresses to make it seem like the message
comes from the impersonated sender's domain name. They might even
copy a genuine email from the impersonated sender and modify it for
malicious ends. Scammers write email subject lines to appeal to strong
emotions or create a sense of urgency. Savvy scammers use subjects that
the impersonated sender might actually address, such as "Problem with
your order" or "Your invoice is attached."

The body of the email instructs the recipient to take a seemingly
reasonable action that results in divulging sensitive information or
downloading malware. For example, a phishing link might read, "Click here
to update your profile." When the victim clicks that malicious link, it takes
them to a fake website that steals their login credentials. Some scammers
time their phishing campaigns to align with holidays and other events
where people are more susceptible to pressure. For example, phishing
attacks on Amazon customers often spike around Prime Day, the online
retailer's annual sales event. Scammers send emails about fake deals and
payment problems to take advantage of people's lowered guards.
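As an added illustration that is not part of the essay, the following Python heuristic scores a raw email for the lure features the two paragraphs above describe: a brand name in the display name that does not match the sending domain, urgency wording in the subject, and a "click here" link that leads away from the claimed brand. The brand-to-domain table and both sample messages are constructed for this example and are assumptions, not data from the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand -> legitimate domain. Assumed lookup table for this example, not from the essay.
BRAND_DOMAINS = {"amazon": "amazon.com"}
URGENCY = ("action required", "within 24 hours", "suspended", "problem with your order")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample lure: brand in display name, look-alike sender domain, urgent subject, off-brand link.
PHISH = """\
From: "Amazon Customer Service" <billing@amaz0n-deals.example>
Subject: Problem with your order - action required within 24 hours

<p>Please <a href="http://login.amaz0n-deals.example/update">Click here to update your profile</a>.</p>
"""

# Constructed benign counterpart: same brand, but sender and link stay on its domain.
LEGIT = """\
From: "Amazon" <no-reply@amazon.com>
Subject: Your order has shipped

<p>Track it at <a href="https://www.amazon.com/orders">amazon.com/orders</a>.</p>
"""

def same_org(host, domain):  # host is the domain itself or one of its subdomains
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw):
    # Returns human-readable indicators found in one raw RFC 822 message; empty list means none.
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    found = []
    # 1. Display name borrows a brand, but the mail does not come from that brand's domain.
    for brand in claimed:
        if not same_org(sender_host, BRAND_DOMAINS[brand]):
            found.append(f"brand '{brand}' claimed, sender domain {sender_host}")
    # 2. Subject line pushes urgency or a fake order problem.
    if any(p in msg.get("Subject", "").lower() for p in URGENCY):
        found.append("urgency phrasing in subject")
    # 3. Links: "click here" credential lure, or a host outside the claimed brand.
    for href, text in LINK_RE.findall(msg.get_payload()):
        host = (urlparse(href).hostname or "").lower()
        if "click here" in text.lower():
            found.append(f"'click here' lure to {host}")
        if claimed and not any(same_org(host, BRAND_DOMAINS[b]) for b in claimed):
            found.append(f"link host {host} outside claimed brand")
    return found
```

Running `phishing_indicators` on the constructed lure yields four indicators, while the benign message yields none; the heuristics are deliberately simple and would be one input among many in a real mail filter.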

Spear phishing is a targeted phishing attack on a specific individual. The
target is usually someone with privileged access to sensitive data or special
authority that the scammer can exploit, such as a finance manager who
can move money from company accounts. A spear phisher studies their
target to gather the information they need to pose as someone the target
trusts, such as a friend, boss, coworker, vendor, or financial institution.
Social media and professional networking sites—where people publicly
congratulate coworkers, endorse vendors, and tend to overshare—are rich
sources of information for spear phishing research.

BEC, a class of spear phishing attacks, attempts to steal money or valuable
information—for example, trade secrets, customer data, or financial
information—from a business or other organization. BEC attacks can take
several forms, including CEO fraud and Email Account Compromise (EAC).
CEO fraud is when the scammer impersonates a C-level executive, often
by hijacking the executive's email account. The scammer sends a message
to a lower-level employee instructing them to transfer funds to a fraudulent
account, make a purchase from a fraudulent vendor, or send files to an
unauthorized party.

BEC attacks can be among the costliest cyberattacks, with scammers often
stealing millions of dollars at a time. In one notable example, a group of
scammers stole more than USD 100 million from Facebook and Google by
posing as a legitimate software vendor. Some BEC scammers are shifting
away from these high-profile tactics in favor of launching small attacks
against more targets. According to the Anti-Phishing Working Group
(APWG), BEC attacks grew more frequent in 2023, but scammers asked
for less money on average with each attack.

Let's talk about pretexting, which is a technique that finds its way into many
kinds of cyberattacks. Like any other type of social engineering, the
perpetrator’s goal is to convince their victim to give them something—
generally information, access, or money—under false pretenses. They do
this by creating a believable story, often including characters and specific
details like private information, that plays on the victim’s emotions, sense of
trust, or even fears.

Take the classic “Nigerian Prince” scam as an example. Simple by today’s
standards, the pretext hinges on the promise of giving a little now for a large
return later, whether the explanation is a locked bank account, a financial
venture, or something else. A prince emailing strangers for help
might sound too far-fetched to be effective, but in 2019, electronic security
company ADT estimated Nigerian Prince schemes were still pulling in
$700,000 every year.

Sophisticated pretexting attempts often use more intimate pretexts to be
more convincing, with some involving fake websites, fabricated businesses,
leaked account numbers and credentials, names of victims’ coworkers, and
things of that nature. Because pretexting is fundamentally about
storytelling, it can take many forms and doesn’t always rely on email, the
internet, or malware. For instance, with AI-powered deepfake technology,
threat actors can manipulate voice patterns, facial expressions, and
gestures to produce highly realistic simulations that are difficult to
distinguish from authentic audio and video, and which can be powerful
tools in phishing attacks.

One of the biggest factors working in malicious actors’ favor isn’t a
technique at all but more like a vulnerability in human psychology: for many
people, it’s easier to say “yes” than to say “no.” Simply put, we want to get
along, so we’ll often agree or acquiesce to requests, even when doing so
works against our best interests. Attackers know this, and they know that
many people will let a little trust go a long way. Put those two together and,
often enough, all they need to do to get a credit card number is ask for it.

In one common scam, the perpetrator pretends to be a representative of a
company alerting the victim to a problem with their account, like lapsed
billing information or a suspicious purchase. The scammer includes a link
that takes the victim to a fake website that steals their authentication
credentials, credit card information, bank account number, or social
security number. Another example involves preying on the elderly, where
the cybercriminal poses as the victim's grandchild and pretends they are in
some kind of trouble—e.g., they were in a car accident or arrested—and
need their grandparents to send them money to pay for hospital bills or
post bail.

Phishing and pretexting are prevalent in targeted phishing attacks,
including spear phishing (a phishing attack that targets a specific individual)
and whaling (spear phishing that targets an executive or an employee with
privileged access to sensitive information or systems). Pretexting also plays
a role in non-targeted, ‘spray-and-pray’ email phishing, voice phishing
(vishing), or SMS text phishing (smishing) scams. For example, a scammer
might send a text message such as ‘[GLOBAL BANK NAME HERE]: Your
account is overdrawn’ to millions of people, expecting that some
percentage of the recipients are customers of the bank, and some
percentage of those customers will respond to the message.

Tailgating, sometimes called "piggybacking," occurs when an unauthorized
person follows an authorized person into a location that requires clearance,
like a secure office building. Scammers use pretexting to make their
tailgating attempts more successful—by, say, posing as a delivery person
and asking an unsuspecting employee to open a locked door for them.

Pretexting is the groundwork for these scams, luring people into making
security mistakes and creating the opening for the next stage of the attack.
That can lead to substantial personal or financial damage to the victims.
Thus, it’s important to be alert and skeptical of these tactics, and to
remember that when someone asks for access to your accounts or
information, it’s okay to question them and verify their identity before
complying with the request.

Baiting, a social engineering technique closely related to phishing, involves
luring victims to download and execute malicious software on their devices.
For example, a scammer might offer free software or media on an
illegitimate website, tricking visitors into downloading malware. Baiting can
involve physical media, too: in one notable example, security company IBM
left USB drives loaded with malware in the parking lots of several
businesses and found that nearly half of those drives were plugged into
employees' computers.

Quid pro quo is a form of social engineering where the attacker offers
something to their victim in exchange for information, access, or action.
The pretext might be, for example, an IT support technician offering free
assistance to employees with their computers. By pretending to help them
with their technical problems, the attacker gets access to the employees'
computers and any sensitive data on them.

Social engineering attacks, particularly those employing phishing and
pretexting, are highly effective because they exploit human vulnerabilities
rather than technical flaws. Organizations must invest in comprehensive
security training and awareness programs to mitigate these risks. Regularly
updating employees on the latest social engineering tactics, encouraging
skepticism of unsolicited requests for information, and implementing robust
security policies can help protect against these sophisticated attacks.
Ultimately, fostering a culture of security awareness is the most effective
defense against social engineering threats.

In conclusion, the pervasive threat of social engineering underscores the
critical necessity for heightened vigilance and awareness in today's digital
landscape. These attacks exploit fundamental aspects of human behavior rather
than relying solely on technical vulnerabilities, making them a universal risk
irrespective of one's technological expertise. Phishing and pretexting, as prominent
techniques within social engineering, vividly illustrate how easily individuals and
organizations can be deceived through the manipulation of trust, emotions, and
contextual factors.

Phishing capitalizes on our inclination to trust familiar sources and react swiftly
under pressure, often by impersonating reputable entities or fabricating urgent
situations. This approach not only jeopardizes personal security but also poses
significant financial and data integrity risks to businesses annually. Conversely,
pretexting relies on creating convincing scenarios to extract sensitive information
or influence actions, leveraging personal details and emotional appeals to achieve
its objectives.

Recognizing human susceptibility to these tactics is crucial. Age, cognitive factors,
emotional states, and social dynamics all contribute significantly to vulnerability,
with certain demographics—such as the elderly or individuals experiencing major
life transitions—being particularly at risk. Moreover, emerging technologies like
AI-driven deepfakes add complexity by enhancing the realism of deceptive
communications, challenging traditional detection methods.

Effectively combating social engineering demands interdisciplinary strategies.
Insights from the social sciences illuminate behavioral patterns and vulnerabilities,
while perspectives from the arts and humanities provide cultural context and
ethical considerations essential for understanding and countering manipulation
tactics. By integrating these perspectives into cybersecurity frameworks, we can
better educate and safeguard individuals and organizations against evolving
threats.

Ultimately, fostering awareness, promoting education, and implementing proactive
security measures are paramount in mitigating the multifaceted risks posed by
social engineering. Empowering individuals with knowledge and critical thinking
skills remains our most potent defense in navigating the complexities of our
digitally interconnected world.

This conclusion reinforces the urgency of addressing social engineering through a
multifaceted approach while emphasizing the importance of education and
awareness in protecting against these sophisticated threats.
