social engineering

In previous part we saw that, what is social engineering and it’s types. Now in part 2 we shall be seeing some examples of social engineering. The most basic example of social engineering is phishing, vishing and smishing. 

 We all receive messages that we won a price of certain amount kindly withdraw it by providing your details and your bank credentials through the link below. This is called smishing or sms-phishing.

Sometimes we do receive calls saying congratulations you won a lottery or trip to goa and try to get some information about us and our bank credentials or our otp. This is called vishing.

Having a website that’s similar to repudiate  company but being fake and stealing your credentials is know as phishing.

Phishing can be very dangerous and is one of the oldest but working techniques of social engineering. In phishing generally the attacker creates a fake webpage or fake login page which looks exactly same as the original page. Now, once the page is made the attacker targets a user and manipulates user to login on that.

Once user logins, their credentials are recorded into the attacker’s database. Nowadays, phishing has been extended. Phishing can be done by making fake pages, by fake e-mail or fake applications which resemble to the original one. Phishing can be easily identified by checking the URL. The phishing link will contain the url which will not resemble to the original URL. Although users generally don’t pay much attention to this and easily gets victimised of it.

First the attacker creates the replica of original website and check whether there is anything which can be easily detected. After the successful creation, sometimes for the sureity attacker runs the phishing site on local host using the software like “xampp”. Once the phishing site runs with zero error on the local host, then the attacker register for a fake domain and fake hosting provided fake information

Attacker tries to keep the domain look similar to the original one. For ex: original domain – xoxox.ZXV .Now attacker tries to keep fake domain like : x0x0x.zxv etc. which is not easily noticed by the user.
Once the phishing site is live, now attacker targets the users and send phishing link via mail or over the chats in such a way that user gets manipulated and opens the link. Once user logins to the link, their credentials  are recorded.

1. Man in the middle attack(MITM)
2. Cross site scripting(XSS)
3. URL Redirection
4. Site cloning
5. Keylogger or Malware

Example of on going phishing attacks:
Looking at the URL people won’t find it fishy or fake as a well known company lifestyle is displayed in URL. Which let people believe that its real even if it’s not. If you check the URL properly it has myshoppify which is mostly used in creating fake websites and is modified to look more real.
The website PBlifestyle and lifestyle mostly have a same interface, so if you search for the company location or office using Google it would show some results that have pb and lifestyle but the attacker here is smart enough to mix the name of two Companies PB that is PLAYBOY and LIFESTYLE Google would show the location and office of PLAYBOY company or LIFESTYLE and it will also show some sites with the same url as it is a fake registered url so be aware and alert with it and verify the location properly

All the companies provide an option of COD(Cash on delivery) for shopping and delivery at any place if it’s not there then it might be a phishing attack.

 If you go ahead and pay then the next step that you should do to secure yourself and the capital in your account is by blocking your card and apply for a new one and register a police complaint and in your bank too. There are high chances that your capital you lost in the attack would be recovered.

Smishing, vishing and phishing all have a role of links in the process. Here are some tips that can be used for staying safe from this attacks.

1. Check the URL link.
2. Beware with links you opening and where you are being redirected.
3. While doing any transactions always record the process till the transactions are successful.

As this would be a solid prove for you to file a complaint or if there’s any court case it would help you to prove your transactions as true and will serve as a solid prove in your part.
4. Always remember nothing is free and no one would give huge discounts if they do there might be something fishy.
5. If you have been a victim of phishing attack report it in you bank and block your credit card and apply for a new one.