Security Threats Part (2)
In today’s article I continue with Part 2 of Security Threats. If you want to know about the threats that most often infect end users, refer to Security Threats Part (1).
Of the six security threats I would like to discuss today, five are web-based attacks: Social Engineering, Drive-by-Downloads, Watering Hole Attacks and Clickjacking. The last one is about Mobile Application Threats.
➡ Social Engineering Attack
A Social Engineering attack is the technique of tricking users into giving sensitive information to a malicious person. Since social networks became popular, most people share personal information on Facebook, Twitter, LinkedIn and Google+. This gives attackers a starting point for spear phishing, which targets specific people or a specific organization rather than the public at large. Other techniques included in Social Engineering attacks are:
▪ Pretexting: the attacker first establishes trust with the victim, then impersonates a co-worker, police officer, bank or tax office to obtain sensitive information.
▪ Baiting is based on the human emotions of curiosity and greed, for example a USB drive labelled with something tempting, left where an employee will find it and plug it in.
▪ Scareware bombards victims with false alarms and fictitious threats. Users are deceived into thinking their system is infected with malware and are prompted to install software that has no real benefit; in fact this software may be deception software, a rogue scanner or fraudware. The nature of scareware is similar to malvertising, described in Security Threats Part 1.
➡ Drive-by-Downloads
A Drive-by-Download means that a malware file is downloaded onto the user’s PC without clicking any button while the user is visiting a compromised website. Attackers often use something called an exploit kit: a package of exploits hosted on a server the attacker controls, which fingerprints the visiting browser and its plugins and fires the exploit that matches an unpatched vulnerability. To feed visitors to the kit, attackers compromise legitimate websites and inject code (typically a hidden iframe or script) that silently redirects the browser to the kit’s landing page. There is no user action in a Drive-by-Download attack. Just by visiting the compromised site, the malware file is automatically downloaded to the user’s PC or mobile device. Because the kit only succeeds against unpatched software, keeping the browser and its plugins up to date removes most of the vulnerabilities these kits rely on.
➡ Watering Hole Attacks
The idea is that, just as a lion waits patiently by a watering hole visited by the prey it wants to eat, an attacker exploits vulnerabilities in legitimate websites his targets are likely to visit and waits patiently at those sites. When a target visits the compromised site, whether by clicking a planted link or simply by loading a page with injected code, the browser is redirected to the attacker’s site, and a Drive-by-Download attack is the likely consequence.
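Both the Drive-by-Download and the Watering Hole sections above hinge on the same artifact: a hidden iframe or script injected into a legitimate page that redirects visitors to the exploit kit. The following scanner is an added example, not code from the original article, that flags the typical signs of such an injected frame in page HTML (zero size, hidden by CSS, positioned off-screen, or pointing at a raw IP address). The sample HTML and all hosts in it are constructed for this demo.

```javascript
// Added example (not from the original article). Scans page HTML for the
// hidden, injected <iframe> that compromised sites use to pull visitors
// into an exploit-kit landing page. The HTML and hosts below are constructed
// for this demo; none refer to a real incident.

// Constructed sample: one legitimate ad frame plus two injected ones.
const SAMPLE_COMPROMISED_HTML = `
<html><body>
<h1>Welcome to our news site</h1>
<iframe src="https://cdn.example/widget" width="300" height="250"></iframe>
<iframe src="http://203.0.113.7/gate.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="https://ek.example/land" style="position:absolute; left:-9999px"></iframe>
</body></html>`;

// Parse the attributes of a single HTML start tag into a lowercase-keyed map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    // m[2]: double-quoted value, m[3]: single-quoted, m[4]: unquoted
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return every <iframe> that shows signs of being an injected redirect.
// Each finding carries the frame's src and the list of reasons it was flagged.
function findSuspiciousIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    const reasons = [];

    // 0x0 or 1x1 frames are invisible to the visitor but still load their src.
    const w = parseInt(a.width ?? "", 10);
    const h = parseInt(a.height ?? "", 10);
    if ((!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1)) {
      reasons.push("zero-size frame");
    }

    // Inline CSS that hides the frame or pushes it far off the visible page.
    const style = (a.style || "").toLowerCase().replace(/\s+/g, "");
    if (/display:none|visibility:hidden|opacity:0(?![.\d])/.test(style)) {
      reasons.push("hidden by CSS");
    }
    if (/(left|top):-\d{3,}px/.test(style)) {
      reasons.push("positioned off-screen");
    }

    // Exploit-kit gates are often reached by bare IP rather than a hostname.
    if (/^https?:\/\/\d{1,3}(\.\d{1,3}){3}(:\d+)?(\/|$)/i.test(a.src || "")) {
      reasons.push("src is a raw IP address");
    }

    if (reasons.length > 0) findings.push({ src: a.src || "", reasons });
  }
  return findings;
}

// Stand-alone run: report what the scanner flags in the sample page.
for (const f of findSuspiciousIframes(SAMPLE_COMPROMISED_HTML)) {
  console.log(`${f.src}: ${f.reasons.join(", ")}`);
}
```

The checks are heuristics: a legitimate tracking pixel can also be a 1x1 frame, so in practice the output is a triage list to compare against the site's known-good template, not a verdict on its own.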
➡ Clickjacking
Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. Unlike a Drive-by-Download, clickjacking needs user interaction. One example:
▪ The attacker creates an attractive page that promises users a free trip to the US.
▪ In the background the attacker checks whether the user is logged in to their banking site and, if so, loads the bank’s transfer form with the transaction parameters (the attacker’s account and the amount) already filled in via the URL query string.
▪ This form runs in an invisible frame, an iframe, laid over the attacker’s page so that the bank’s confirmation button sits exactly under the bait button.
▪ The attacker then asks the user to confirm.
▪ When the user clicks “Book My Free Trip”, the click actually lands on the bank’s confirmation button and the funds are transferred to the attacker.
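To make the steps above concrete, here is an added example, not code from the original article, in two parts: the attacker’s overlay page that turns a click on “Book My Free Trip” into a click on the bank’s transfer confirmation, and a checker for the response headers (X-Frame-Options and CSP frame-ancestors) that decide whether a page can be framed at all. bank.example, evil.example, the transfer URL and the button coordinates are hypothetical.

```javascript
// Added example (not from the original article). Demonstrates the clickjacking
// overlay described above and the header check that defends against it.
// All hosts, URLs, coordinates and header sets are constructed/hypothetical.

// Hypothetical bank transfer page, with the attacker's parameters pre-filled
// via the query string (this only works if the bank reads them from the URL).
const TRANSFER_URL =
  "https://bank.example/transfer?to=ATTACKER-ACCOUNT&amount=5000";

// Build the attacker's page: the bank page is loaded in a fully transparent
// iframe stacked above the bait button, shifted so that the bank's "Confirm"
// button (at confirmX/confirmY inside the bank page) lands exactly on the bait.
function buildClickjackPage(targetUrl, confirmX, confirmY) {
  const baitX = 200, baitY = 200;
  return `<!doctype html>
<html><body>
<style>
  #bait { position:absolute; top:${baitY}px; left:${baitX}px; z-index:1; }
  #victim { position:absolute; top:${baitY - confirmY}px; left:${baitX - confirmX}px;
            width:1000px; height:800px; opacity:0; border:0; z-index:2; }
</style>
<button id="bait">Book My Free Trip</button>
<iframe id="victim" src="${targetUrl}"></iframe>
</body></html>`;
}

// Decide whether HTTP response headers let the bank's page be framed from
// attackerOrigin. CSP frame-ancestors takes precedence over X-Frame-Options
// when both are present, as browsers do. Host wildcards such as
// *.bank.example are not matched here (assumption: they do not cover the
// attacker's origin).
function framingAllowed(headers, attackerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const origin = attackerOrigin.toLowerCase();

  const csp = h["content-security-policy"] || "";
  const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (m) {
    const sources = m[1].trim().split(/\s+/)
      .map(s => s.replace(/^'|'$/g, "").toLowerCase());
    if (sources.includes("none")) return { framable: false, reason: "CSP frame-ancestors 'none'" };
    if (sources.includes("*")) return { framable: true, reason: "CSP frame-ancestors *" };
    if (sources.includes(origin)) return { framable: true, reason: "CSP frame-ancestors lists the origin" };
    if (sources.some(s => s.endsWith(":") && origin.startsWith(s))) {
      return { framable: true, reason: "CSP frame-ancestors allows the whole scheme" };
    }
    return { framable: false, reason: "CSP frame-ancestors excludes the origin" };
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return { framable: false, reason: `X-Frame-Options ${xfo}` };
  if (xfo.startsWith("ALLOW-FROM")) {
    // Obsolete directive: modern browsers ignore it, so the page is framable.
    return { framable: true, reason: "X-Frame-Options ALLOW-FROM is ignored by modern browsers" };
  }
  return { framable: true, reason: "no framing protection" };
}

// Constructed header sets: a vulnerable bank and a hardened one.
const VULNERABLE_HEADERS = { "Content-Type": "text/html" };
const HARDENED_HEADERS = {
  "Content-Type": "text/html",
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
};

// Stand-alone run: show both verdicts and the size of the generated attack page.
console.log(framingAllowed(VULNERABLE_HEADERS, "https://evil.example"));
console.log(framingAllowed(HARDENED_HEADERS, "https://evil.example"));
console.log(buildClickjackPage(TRANSFER_URL, 420, 310).length, "bytes of attacker HTML");
```

The hardened header set is the fix for the bank in the example: with `frame-ancestors 'none'` (and `X-Frame-Options: DENY` for older browsers) the transfer page never renders inside the attacker’s iframe, so there is nothing for the bait click to land on. Pre-filling the transfer parameters from the query string is a second, separate weakness the scenario relies on.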
After discussing web-based attacks, I would like to continue with Mobile Application Threats.
➡ Mobile Application Threats
Some applications that users download every day also have security issues. Recently a vulnerability was found in the WhatsApp application that allowed attackers to remotely install spyware. WhatsApp provided a patch for this vulnerability and released an updated version. As a countermeasure, users should update installed applications as soon as the vendor provides the updates. In addition, Android users can enable Google Play Protect, which checks whether an installed or downloaded application is malicious, before they install or upgrade apps.
The following suggestions are aimed at the web-based attacks above. To protect against them, users should update their antivirus software and browsers regularly. Organizations should check that their current security solution can detect and block the download of malicious files and rootkits, and should educate users not to click pop-ups on the websites they are most likely to visit.
Attackers mostly trick users by exploiting human emotions and insufficient security awareness education. Therefore, training users in security awareness also helps organizations stay safe from data breaches.
NEX4 provides Security Awareness Training, delivered by NEX4’s security consultants, so that users and admins are well educated in security awareness.