Please develop a scenario where you are a hacker. What method of social engineering would you use and what information or value would you seek? This initial statement should be based in research and be at least 1000 words of significant writing. Remember, I remove all superfluous words prior to reviewing word-count.
Then, respond to at least one of your classmates scenario with at least 200 significant words of critic. I have the same criteria for your statements.
APA format must be followed.
Running head: SOCIAL ENGINEERING 1
SOCIAL ENGINEERING 6
As a hacker, the most successful use case is to target human error as a potential link to data breaches. Social engineering threats target psychological manipulation and human error and manipulate them to identify sensitive data (Krombholz et al., 2015). It can convince users to breach security measures that an attacker can access. Poor cyber security culture is one of the best ways to launch an attack. Social engineering can be implemented in a variety of ways, including whaling, spearfishing, sight checking, and traditional fishing (Hartfield & Loukas, 2015). The reason I use phishing is that I can successfully use social networks, SMS, email and other forms of phishing to get information for personal purposes.
The best way to do business is with microfinance. Although security systems are complex, social engineering can guarantee successful fraud. The first thing to do is to manage employee phishing which could affect access to large amounts of data. A new employee is a good goal with a few safety precautions. For example, it checks the name and contact number of their name tags. After that, the next step is to develop an email equivalent to the main business email. Sending a computer email wherever you need to install a newly needed patch update is an appropriate way to launch an attack (Krombholz et al., 2015). This email is called “Security Update for Windows 7 / 8.1, 8, and 10”. The employee replied to a false e-mail indicating his real e-mail address. To get the data successfully, you need a cloned website.
Another way is to search the names of employees working in the company’s marketing department and access the latest project accounts. Duplicate stolen invoices can be emailed to employees, requiring them to enter a password to unlock the document. Credentials will help you access your corporate network before you know it. This fishing method is effective because the higher the probability of obtaining information, the higher the number of targets. All details are recorded and stored on the cloning site.
After a while, I sent an email to sign up for work services to improve my account security. Look for reliable sources, like the new email management center. If they agree, they can submit login information to my database. The most important information is your username, password, personal identification number (PIN), personal details, credit card details and most recent transaction details.
Targets can be listed through the antivirus you are using. It is important to use DNS spyware to ensure the success of e-phishing campaigns (Fernan et al., 2019). This process helps determine the protection of the malware involved. The next step is to install antivirus software on the virtual machine. This is done before sending an email. Although it has the same version as the antivirus software used, it is not reliable. Common free antivirus software does not run VM antivirus software. Therefore, the possibility should be checked before reaching the email recipient. In the process, I can buy real certificates for binary-dependent targets.
After accessing the employee’s credentials, it is possible to log in as support staff. Changing the IP address to match the location of the micro-finance would be necessary to hinder digital forensics from tracking the remote computer. The next stage is to collect useful customer data, such as bank account details: emails, account numbers, names, residence, and contact details. The hacking tries to minimize the capabilities of the real bank account owner to give commands.
The website can be made to look legitimate and ask for more information regarding the credit card “authenticity check” (Heartfield & Loukas, 2015). Moreover, it should have a tricky link requesting them to download antivirus for their devices. The download of the actual virus will enable the stealing of more data from their computers. Phishing takes advantage of all weaknesses in both security and software. However, it involves convincing, which must be included in drafting the emails. The email should have a deadline for clicking the links to the malicious website. They should also state the consequences of not taking the recommended action – this will lure them into logging in and revealing details.
The stolen emails, credit card details, and account numbers can be useful for account takeover. For instance, an email address would help me act as the owner and gain access to the deposited cash. It also facilitates changing of communication such as alerts, which helps to keep the victim unaware of account activities. Moreover, social engineering can help in making the account owners transfer the money themselves (Krombholz et al., 2015). I can pretend to be a senior bank officer with knowledge of the account information to gain trust. Telephone phishing can trick them into making security changes or authorizing a pending payment.
Wire transfer is an interbank fund transfer that I can use to steal money from the users. The authorization key can be sent by the customer to the fake website as they confuse it with password reset codes. Prior research of countries with lax banking regulations will be made, then connect with a trusted person in the country. The person should ensure that they target new tellers or non-experienced bank workers through social engineering. Such a person can be the weakest point to authorize a withdrawal since wire transfer takes several days to mature (Peng et al., 2016). Another way of making huge withdrawals include bribing some corrupt officers. If the victims realize they can cancel the transaction, and the micro-finance will incur losses.
To conclude, social engineering is conducted by tricking individuals into sharing details willingly. This data can be used to commit social engineering fraud, wire transfer, account take over, and other fraudulent activities. Targeting micro-finance employees provides the most vulnerable point of achieving information. Moreover, phishing through sending malicious emails impersonating corporate leaders can trick employees into sharing their login data. The access of accounts can help to steal bank details, credit card information, PINs, passwords, and other information. More social engineering through phone phishing can be used to convince clients and workers.
References
Farnan, O., Wright, J., & Darer, A. (2019, May). Analysing Censorship Circumvention with VPNs via DNS Cache Snooping. In 2019 IEEE Security and Privacy Workshops (SPW) (pp. 205-211). IEEE.
Heartfield, R., & Loukas, G. (2015). A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks. ACM Computing Surveys (CSUR), 48(3), 1-39.
Krombholz, K., Hobel, H., Huber, M., & Weippl, E. (2015). Advanced social engineering attacks. Journal of Information Security and applications, 22, 113-122.
Peng, W., Jiguo, S., Shiqing, Z., & Gang, W. (2016). Control of wire transfer behaviors in hot wire laser welding. The International Journal of Advanced Manufacturing Technology, 83(9-12), 2091-2100.