Social engineering is an expression used to describe persuasion techniques aimed at accessing personal data without exploiting technical vulnerabilities. The typical social engineering attack is definitely phishing, which uses both technical and persuasion to steal the personal information and credentials of a user. Attackers generally attempt to access the victim’s financial and bank credits by exploiting a trademark that distinguishes a specific product or a known service, inviting them to act as soon as possible due to an urgent need. There are different techniques used by cyber criminals. The most widespread are the phishing Spam / Email (mass sending of messages on e-mail addresses retrieved on the web through automatic search systems), Spear Phishing (attack attempt based on the victim in which the attacker knows some sensitive information ), Session Hijacking (sending emails containing an exploit using Session Hijacking vulnerabilities), Content Injection (exploiting web site vulnerabilities such as SQL Injection attacks), Smishing (SMS Phishing, where the information are collected via SMS), Vishing (Voice Phishing, where information is collected through a telephone call).

The Anti-Phishing Working Group (APWG) periodically publishes a report on phishing attacks: the last report dating back to the third quarter of last year can be downloaded here. This group is responsible for collecting and reporting computer abuses.

Another useful tool is the Google Safe Browser, used to report deceptive websites and protect browsers Chrome, Firefox, Gmail webclient and Android devices.

 

CRC CS-Aware Team