A Less Known Attack on the Dark Web, Social Engineering

Cybercrime can be set by molesting somebody’s trust, depending on psychological manipulation. However, this type of digital crime is called social engineering. The success of social engineering tactics to breach networks, and data of an individual or companies is increasing the demand for data stealers on the dark web marketplaces.

Currently, everybody become very close to social engineering attacks, making them more challenging to identify. In this post, we have shared all the information about social engineering, its history, how it works, a less-known attack of social engineering on the dark web, and what types of social engineering are found on the dark web.

What is Social Engineering?

Social engineering is the term used for all techniques intended for malicious activities that target revealing specific data or specific actions for illegal determinations accomplished via human attraction. This technology uses psychological manipulation to trick a user into making security blunders or giving away sensitive data.

However, these scams are inclined to trap innocent users into spreading malware infections or giving access to constrained systems. Attacks can ensue online, in person, and other connections. The process of social engineering is built around how people think and perform. Once an attacker knows what provokes a user’s actions, then they betray and manipulate the user successfully.

Social Engineering in the Past Era

The technique to scam someone has been around for many centuries. Scammers use social engineering techniques to steal money and data from suspected victims. Furthermore, the development of technology and the blowout of the internet have transformed the scams where offenders are planning new strategies and triumphs in all corners of the world.

Here, we have shared some of the early social engineering scams.

In the 18^th century, a noble Frenchman’s valet was imprisoned just after hiding his master’s treasure. Many prisoners took benefit of this and sent letters to random receivers appealing to be the valet who had the map of the secret treasure. The prisoner assured the recipients of the map that they could be released from jail. The scam was successful, and some recipients even answered.

However, social engineering scams are constantly developing in the 20^th century and have become more cultured. One example is the Price of Nigeria scam or 419. In this scam, attackers send their targets emails and texts claiming to be affluent. But their money has been sealed in a foreign region, and they can’t access it on their own.

Moreover, the attackers even send fake documents to sustain their claims and request to get the money on their behalf, subtract a certain fraction, and send them the rest. On board, they present a difficulty requiring corrupting officials to release the assets. At that point, they request to send them money to help with the release of funds.

These kinds of scams are known as advance fee scams because they propose to convince the target to pay some fee before a bigger price. Currently, advance fee scams are very widespread because they are extremely money-making and don’t need much investment.

7 Facts that you don’t know about Social Engineering

The social engineering technique is an inexpensive and effective way of accessing sensitive data. The attack on social engineering resulted in a lot of monetary and reputation damage.

Here, we have shared some interesting facts about social engineering that you don’t know.

1. In 2020, social engineering and phishing attacks were the most common cyber incidents, and almost 75 percent of companies around the world were victims of them.
2. Almost 45 percent of phishing emails impersonate large corporations like Apple and Microsoft.
3. In 2021, Google recorded over 2 million fraudulent websites.
4. Sixteen percent of phishing targets decrease victims, and after a successful attack, 60 percent of companies report data loss.
5. Both Social engineering and phishing attacks cause more than 70 percent of data breach attacks.
6. A single data breach prices an average of almost $150.
7. Social engineering is responsible for 95 percent of cyber-attacks on the dark web.

How a Social Engineering Attack Works

Most social engineering attacks count on communication between attackers and victims. The attacker is inclined to motivate the victim to negotiate themselves rather than using physical force methods to expose the data. The attack cycle gives the criminals a reliable procedure for deceiving the victim.

Following are the steps of a social engineering attack cycle.

1. Preparation: The attacker collects the data of the victim’s background, including public domain, workplace, everyday routine, family, and others.
2. Intrusion: After gathering the data attacker makes the first contact with the victim and interacts to build trust.
3. Exploit the Victim: When trust is built between the victim and attacker, then the attacker tricks the victim into revealing sensitive data or weaknesses that are used to advance the attack.
4. Disconnection: Once the attacker accomplishes their purpose, then evacuates and stops engaging the target.

However, the procedure mentioned above can take place in a single mail or over months in a series of social media chats, or it could even be a direct interaction. But it ultimately concludes with an action a victim takes, like sharing the data or exposing themselves to malware. So, it is very important to be aware of social engineering as a means of confusion.

A Less-Known Attack of Social Engineering on the Dark Web

The dark web is an upbringing milled for social engineering attacks. The anonymous nature and illegal marketplaces and services of the dark web attract cybercriminals looking to exploit innocent individuals, companies, and even celebrities. Accessing the dark web world, hackers can access tutorials or sell hacking tools and personal data and even hire a professional special engineer to perform an attack on to target.

One attack of social engineering attack on the dark web is the sale of Fullz or full information packages. Fullz is basically a set of personal data of individuals that can be used for identity theft and sold by cybercriminals on the dark web. The information package includes a person’s name, address, date of birth, contact numbers, email addresses, and credit card data. However, this information is often obtained via data breaches or other illegal means and packaged and sold to interested buyers.

10 Common Types of Social Engineering Attacks on Dark Web

1.      Scareware Attacks

Scareware attacks use social engineering malware to trick the user into taking action. For instance, a scareware attack may warn that your account is compromised or your system has a virus, and you should click a certain tab to clear it. This technique can deceive a victim into revealing sensitive data like login credentials and credit card information.

2.      System Attacks

The system attack, also known as the watering hole attack, is one of the popular social engineering attacks on the dark web. It exploits the vulnerabilities in the busiest sites and infects them with malware. The purpose is to infect many users at once before the bug is fixed. The attack may take time to plan because the attackers must analyze the sites to discover the weaknesses to exploit. That is why many sites stick with one stable version for a long time, and an upgrade is only sanctioned if proven robust.

3.      Pretexting Attacks

Attackers are posturing as legal vendors to start communications with the victim to build trust. The attacker must convince the victims that they are legal to execute the attack successfully. Once the trust is built, the attacker can get the sensitive data or launch attacks without suspicion.

4.      Physical Breach Attacks

A physical breach attack is pretty analogous to a pretexting attack. The attackers impersonate authorized vendors to get access to constrained ranges. The attack is high risk and requires deep research and preparation. This type of attack is common in the enterprise environment and can involve an insider worker or recently fired worker.

5.      Baiting Attacks

The baiting attack is taken via a series of steps that eventually infect the victim’s system with malware. The baiting methods include;

1. Offers fake software and email attachments for free.
2. USB drives are left in public, like parking lots and libraries.

6.      Quid Pro Quo or Favor for a Favor Attacks

Quid Pro Quo is a Latin word that means a favor for a favor in which the attacker promises a reward in exchange for the personal data of the victim. This kind of social engineering is common in research studies and marketing campaigns. Victims are tricked and end up with nothing, even after offering their personal data.

7.      Honey Trap Attacks

A honey trap attack is a social engineering technique that targets an individual seeking love on online dating sites or social media. The attackers make friends with the victim by making an imaginary persona and setting up a fake online profile. Over time, the attacker takes benefits of the relationship and tricks the victim into giving them money, taking out personal data, or installing malware.

8.      Cache Poisoning and DNS Spoofing Attacks

Both of the attacks can transmit legal URLs to malicious and fraudulent sites. Cache poisoning plants routing commands in the system, which roots redirection. However, DNS spoofing exploits browser weakness and constantly sends legal URLS to dangerous sites till the routing data is cleared from the system.

9.      Piggybacking Attacks

The piggybacking attack is also known as the access tailgating attack. In This social engineering attack, an attacker gains access to a restricted area by secretly trailing an authorized staff member. An attacker may make-believe to be holding the door for the victim just to prove that they are also approved to enter.

10.  Phishing Attacks

Phishing attack is a social engineering technique that is very popular in dark web marketplaces. In a phishing attack, an attacker disguises the victim, which can be an individual or institution, to deceive into revealing sensitive data. A phishing attack has two types.

1. Spam Phishing Attacks: These phishing attacks target many users on the dark web. However, they are not personalized, and they aim to deceive any unsuspecting user.
2. Spear Phishing Attacks: This attack uses personalized data to target a victim. Whaling, an extension of spear phishing, targets influential people like top government officials, higher management companies, and popular celebrities.

8 Main Networks of Phishing Attacks

A phishing attacker uses various channels to reach their target. Irrespective, the attack’s purpose is to access sensitive data and contaminate the system with malware.

Here, we have mentioned the eight main networks of phishing attackers. 

1. URL Phishing: It traps users via extravagant malicious links delivered via online ads, social media texts, and email. The links are attractive and misleadingly created using URL-shortening tools.
2. Search Engine Phishing: These channels show fake site links at the top of the search results. The links are optimized to manipulate search engine ranks or appear as legal paid ads.
3. Angler Phishing: It is the most common attack on social media. The attacker pretends to be the customer support team of a trusted company. They trick suspecting users into revealing sensitive data via DMs, and they launch a bigger attack.
4. Email Phishing: It is the oldest technique of phishing attacks. The attacker sends emails that contain malware attachments, contact numbers, and web links and desires the victim to reply and follow up in an attempt to establish trust.
5. Messages Phishing: The attackers send DMs that contain a web link, a follow-up contact number, or a fraudulent email address.
6. Voice Phishing: The attacker sends persuasive live, recorded, or automated speech seeking to build trust or trick the victim into revealing sensitive data.
7. Fax-Based Phishing: The attacker targeted with a fake email to confirm the access code. However, instead of replying via email, the victim was instructed to print the form in the email, fill it out, and fax it to the attacker’s contact number.
8. In-session Phishing: It looks like an ordinary pause when browsing. A pop-up window that covers a legal login form is a basic example.