Social Engineering: the evolution of “Baiting”

Over time, social engineering attacks have evolved in method, form, and platform, but always with the same objective: exploiting human traits such as curiosity or trust. They effectively manipulate people into falling victim to scams or sophisticated attacks, often without the victims realizing they have been targeted.

Within this category of attacks, one stands out above the rest: the bait (or “Baiting”), first identified in the 1990s through the use of CDs. It basically consisted of leaving a “harmless” CD containing a computer virus within reach of the victim (at random or not). When the victim inserted it into their PC, the computer became infected.

In the late ’90s, in 1998, the “Melissa” virus became popular. It spread through email and was one of the first cases of “Phishing” via email, reaching approximately 25 thousand computers around the world. Years later, using the same technique, the most famous worm in history would appear: “I love you”, with an estimated 50 million devices affected and economic losses exceeding 10 million dollars.

With the turn of the decade and the millennium, CDs were pushed aside to make way for removable USB drives or pendrives. Attackers adapted to this technological progress as well, giving rise to USB flash drive “Baiting”: exactly the same method of attack and infection as with CDs.

Over the years, phishing techniques have evolved and taken on new forms, such as redirect links and obfuscated files, among others.

“Baiting” also changed, particularly in the platform used to attract the victim’s attention: CD, DVD, pendrive, QR code, Wi-Fi, among others.

While email is still the medium most commonly used by those seeking to exploit deception, social networks have currently become another “niche” of great interest for “retail” attackers. They do not target companies, but rather ordinary users, stealing their identities on Instagram, Facebook, or WhatsApp in order to pose as the account owner and ask family and friends for money in their name, and even in virtual wallets such as MercadoPago, emptying accounts and applying for loans.

Along these lines, a tactic as “parabolic” as it is effective is in use today. It is nothing more than a “Baiting from 2024”: it consists of leaving keys on the street with a keychain carrying a telephone number “in case of loss”.

The person who finds the keys, with the good intention of returning them to their owner, contacts the number on the keychain. On the other end, using social engineering tricks, the attackers manage to move the call to a WhatsApp video call. Once there, they guide the person to tap a button that shares the screen of their cell phone with the attacker.

That is when phase 2 of the attack begins: since the attackers now know the victim’s phone number from the call, they start registering WhatsApp with that number on another mobile device. For security, the platform sends a message with a PIN code that reaches only the owner of the line, but because the attackers can see every message that appears on the screen of the victim’s device, they obtain that PIN, along with the multi-factor code if it is tied to the same device (whether SMS, token, or email), and thereby achieve the identity theft of that person.

While there are multiple corporate solutions to mitigate these risks, such as anti-malware tools, anti-phishing tools, USB port or reader configuration (almost obsolete), updates to vulnerable systems, multi-factor authentication, robust and periodically rotated password policies, firewalls, among a few others, the human factor has always been, is, and will be the main target for attackers.

It is essential that people are aware of these situations, understand that they occur on a daily basis, and know that anyone can fall victim to a scam through multiple means. When faced with a suspicious situation, it is important to stop for a moment to analyze it and consult someone who knows about the subject, in order to prevent a cyber attack.

Cyberdefense Team at BTR Consulting

Source: Ambito
