The Attack That Can Fool Anyone. Don’t Ignore Social Engineering

When contemplating cybersecurity, companies often overlook the risks posed by social engineering and focus only on infrastructure and technology. But with humans still forming the weakest part of the security chain, the very real threat of social engineering should definitely not be ignored.

Social engineering is a term that encompasses a wide range of malicious activity, but it’s broadly defined as the use of deception to manipulate individuals into revealing confidential or personal information that may then be used for fraudulent purposes or to gain unauthorized access to a computer network.

Common cyber-attacks that use social engineering techniques to dupe victims into divulging their data include pretexting, tailgating, Business Email Compromise (BEC), quid pro quo, baiting, phishing and spear phishing.

In 2019 alone, 88% of organizations around the world experienced spear phishing attempts, while 86% were targeted by BEC scammers.

In this episode of CQ Hacks, Paula Januszkiewicz demonstrates some of the ways in which users can be tricked into turning their data over to threat actors.

Paula shows how a seemingly innocent Microsoft Teams notification can actually be a cunning trap laid by a hacker. Using the tool Evilginx, a threat actor can create and deliver their own phishing campaign that allows them to capture a victim’s login credentials.

To the victim, the phishing attack will appear as a legitimate email that has been sent from an address that looks genuine, such as noreply@microsoft.online.com. However, contained within the email is a malicious link that will take the victim to a spoofed website, cleverly built to mimic the real Microsoft Teams login page.

When the victim enters their credentials to log in, the attacker is able to steal their username and password and use them for nefarious purposes, such as logging onto another user’s portal.
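The sender address quoted above, noreply@microsoft.online.com, looks genuine because the brand name appears in the domain, yet the registrable domain is online.com rather than microsoft.com. The following is an added example, not code from CQURE or from the episode, of a mail-gateway check that flags such senders; the brand allowlist, the public-suffix set and the sample addresses are constructed for illustration.

```python
"""Flag sender addresses that place a protected brand name outside the
brand's own registrable domain (e.g. noreply@microsoft.online.com)."""
import re
from typing import Dict, List, Optional

# Brand -> domains the brand actually owns (illustrative allowlist, assumed).
PROTECTED_BRANDS: Dict[str, List[str]] = {
    "microsoft": ["microsoft.com", "microsoftonline.com", "office.com"],
}

# Minimal set of multi-label public suffixes so "example.co.uk" is handled.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Digit-for-letter substitutions commonly used to imitate a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Return the eTLD+1, e.g. 'online.com' for 'microsoft.online.com'."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def flag_lookalike_sender(address: str) -> Optional[str]:
    """Return the impersonated brand when the sender domain contains a
    protected brand but is not one of the brand's own domains; else None."""
    match = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", address.strip())
    if not match:
        return None  # malformed address: leave to other controls
    host = match.group(1).lower()
    reg = registrable_domain(host)
    normalized = host.translate(HOMOGLYPHS).replace("-", "")
    for brand, owned in PROTECTED_BRANDS.items():
        if brand in normalized and reg not in owned:
            return brand
    return None


# Constructed sample senders, including the address quoted in the article.
SAMPLE_SENDERS = [
    "noreply@microsoft.online.com",   # brand in a subdomain of online.com
    "noreply@email.microsoft.com",    # legitimate subdomain of microsoft.com
    "alerts@micros0ft-teams.com",     # digit-for-letter lookalike
    "hr@example.com",                 # unrelated sender
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:32} -> {flag_lookalike_sender(sender) or 'ok'}")
```

A production deployment would load the allowlist and public-suffix data from maintained sources rather than the short inline sets used here.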

Take a closer look at social engineering and sign up for the CQURE webinar, where we will show 5 effective phishing techniques every Red Teamer (or any type of cybersecurity specialist) should know. Go phishing with us – book your seat now for this live and free event with Paula Januszkiewicz and Mike Jankowski-Lorek.
