Beware the Phishermen: Navigating the Waters of Web-Based Social Engineering


As our lives become increasingly intertwined with the digital realm, website-based social engineering attacks continue to rise. Cybercriminals exploit the trust we place in web applications, using deceptive tactics to manipulate our behavior, extract sensitive information, or compromise our digital security. Understanding how these attacks work and how to defend against them is essential to safeguarding our online presence. This post therefore delves into website-based social engineering attacks, shedding light on their tactics and the measures we can take to protect ourselves. By examining real-world examples and dissecting the mechanisms behind these attacks, we aim to equip you with the knowledge and awareness needed to navigate the online landscape with confidence.

Throughout this post, we highlight the common types of website-based social engineering attacks, such as scareware and drive-by downloads, and the red flags to watch for. We also provide actionable tips and best practices to bolster your online security so that your personal information and digital assets remain protected. So, let us dive into eight common web-based social engineering attacks, exploring their techniques and defenses, to stay one step ahead of cybercriminals.

Drive-by Download

A drive-by download delivers malware onto a victim's computer or device without their knowledge or consent. Simply visiting a website, or clicking a seemingly harmless link, triggers an automatic download or installation of malicious software; no further interaction from the user is required. To bring victims to the compromised website, attackers exploit common human weaknesses such as curiosity, fear, or the desire for a reward. For instance, they send emails with urgent notifications or attractive offers, or impersonate legitimate organizations, and the links in those emails lead to infected pages. Negligence also plays a part: the exploit hosted on the compromised website typically targets known vulnerabilities in outdated browsers and browser plugins, so victims who have not applied updates are the ones most easily infected.

Scareware

Scareware is a social engineering tactic, usually delivered through a web page, that tricks users into believing their computer is infected with viruses or facing other security threats. The page displays alarming pop-up messages or fake security alerts claiming that the computer is infected with viruses, malware, or other threats. These messages use language and tactics that create a sense of urgency, such as claiming that immediate action is required to prevent data loss, system damage, or other severe consequences, and they may employ countdown timers or warnings that imply dire consequences if the user does not act quickly. They frequently impersonate well-known security companies, or use logos and branding that resemble legitimate antivirus software, to gain the user's trust. The goal is to create a perception of authority and legitimacy so that the user complies with the attacker's demand, typically to download a "cleaner" that is itself malware, to pay for a bogus product, or to call a fraudulent support line.

Malvertising

Malvertising, short for malicious advertising, is the practice of delivering malware through online advertisements. Cybercriminals buy placements on legitimate ad networks, or exploit weaknesses in the ad-serving process, to distribute malicious code, so a malicious ad can appear on an otherwise trustworthy website. The aim is to exploit users' trust in legitimate websites and advertisements, enticing them to click on malicious ads or take actions that lead to malware infection; in the worst case the ad's code exploits the browser as soon as the ad is rendered, so no click is needed at all. Attackers may create malvertisements that mimic legitimate advertisements or imitate well-known brands, deceiving users into believing the ad comes from a trusted source and increasing the likelihood of interaction. Malvertisements also often employ compelling or enticing content, such as offers for free software, prizes, discounts, or adult content, making false promises or using sensational language to capture users' attention and encourage engagement.

Typosquatting

Typosquatting, also known as URL hijacking or brandjacking, is a technique where malicious actors register domain names that closely resemble legitimate websites or popular brands. The objective is to catch users who are careless or who make typographical errors when entering a website's URL, leading them to malicious websites that may distribute malware, steal sensitive information, or engage in other malicious activities. Swapping the domain extension (for example .co for .com) is a related trick. Below are common ways cybercriminals construct typosquatted domains.

Strategy              Fake Domain              Real Domain
Misspelled words      lindaikerjisblog.com     lindaikejisblog.com
Transposed letters    neswnow.com              newsnow.com
Omitted characters    wikpedia.org             wikipedia.org
Added characters      bettking.com             betking.com
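The four strategies in the table can be turned into a simple detector: generate every one-edit lookalike of each domain you care about and check whether a suspect host is among them. The following Python is an added example, not code from the original post. BRANDS is a constructed watchlist built from the table's real domains, the QWERTY neighbour map is an assumption about which single-key slips count as "misspelled words", and the first row of the table (an inserted letter) would be reported by this classifier as "added characters" rather than "misspelled words".

```python
"""Generate typosquat candidates for a brand domain and classify suspect hosts.

Added illustration, not code from the original post. BRANDS is a constructed
watchlist; the four strategies follow the table above.
"""
from urllib.parse import urlsplit

ALPHABET = "abcdefghijklmnopqrstuvwxyz-"
# Keys adjacent on a QWERTY layout: the likeliest single-key "misspelled word" slips
# (an assumption of this example, not something the post specifies).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}

# Constructed watchlist of legitimate domains to protect (the table's real domains).
BRANDS = ["newsnow.com", "wikipedia.org", "betking.com"]


def candidates(domain):
    """Return {candidate_domain: strategy} for every one-edit typosquat of domain.

    Only the first label is mutated; the suffix (.com, .org, ...) is kept so the
    output is directly comparable with hostnames seen in logs or URLs.
    """
    label, _, suffix = domain.lower().partition(".")
    out = {}

    def add(strategy, new_label):
        if new_label != label:
            out.setdefault(f"{new_label}.{suffix}", strategy)

    for i in range(len(label)):                       # wikpedia.org
        add("omitted characters", label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                   # neswnow.com
        add("transposed letters", label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label) + 1):                   # bettking.com
        for ch in ALPHABET:
            add("added characters", label[:i] + ch + label[i:])
    for i, c in enumerate(label):                     # adjacent-key slip, e.g. newsnpw.com
        for ch in QWERTY_NEIGHBOURS.get(c, ""):
            add("misspelled words", label[:i] + ch + label[i + 1:])
    return out


def host_of(url_or_host):
    """Extract the host a browser would actually contact.

    urlsplit() handles the userinfo trick ('https://newsnow.com@evil.example/'),
    where the familiar name appears before '@' but the request goes elsewhere.
    """
    if "://" not in url_or_host:
        url_or_host = "//" + url_or_host
    return (urlsplit(url_or_host).hostname or "").lower()


def classify(url_or_host, brands=BRANDS):
    """Return (brand, strategy) when the host is a one-edit lookalike of a brand,
    (brand, "exact match") for the genuine domain, or None otherwise."""
    host = host_of(url_or_host)
    for brand in brands:
        if host == brand.lower():
            return brand, "exact match"
        strategy = candidates(brand).get(host)
        if strategy:
            return brand, strategy
    return None


if __name__ == "__main__":
    for suspect in ["neswnow.com", "wikpedia.org", "bettking.com",
                    "https://newsnow.com@newsnpw.com/login", "example.com"]:
        print(f"{suspect:45} -> {classify(suspect)}")
```

Run against a proxy log or a list of newly registered domains, `classify` flags the lookalikes and names the strategy used, which is handy for takedown requests; the candidate set for one brand is only a few hundred entries, so it is cheap to precompute.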

Click-baiting

This occurs when attackers use an enticing headline or image to make their victims click on a link. It plays on human psychology, exploiting our natural curiosity and desire for instant gratification. Attackers create a curiosity gap by providing incomplete information or teasing intriguing content without revealing the full details, prompting users to click the link to fill the gap. They often use sensational language, exaggerations, or provocative statements, and lean on emotions such as fear, shock, excitement, or empathy, to capture users' attention and encourage a click. An example is a message on a website reading "Octogenarian marathon winner reveals secret to living long".

Spamdexing

Spamdexing, also known as search engine spamming, web spamming or SEO poisoning, is a technique used to manipulate search engine rankings by creating web pages designed to deceive search engines and drive traffic to specific websites. It relies on unethical tactics to artificially boost a website's visibility in search engine results pages (SERPs). The promoted pages are laced with malware or redirect to other websites that contain it. Attackers use this technique because users implicitly trust the top results in a search engine and view them as legitimate. A variant is for attackers to pay for search engine ads so that their malicious websites appear beside or above the top organic results.

Pharming

Pharming redirects users from legitimate websites to fraudulent ones without their knowledge or consent. It works by manipulating the Domain Name System (DNS) or the hosts file on a victim's computer or network so that their web traffic goes to malicious websites. Attackers achieve this by injecting false records into the DNS cache of a vulnerable resolver (DNS cache poisoning) or by editing the hosts file on a victim's computer. For example, attackers may poison the DNS records for a bank's website so that when users type the bank's address they land on a look-alike site, or, having installed a remote access trojan on an infected computer, they add a hosts-file entry so that the bank's hostname resolves to the attacker's server. Once the user enters their credentials on the fake site, the attackers collect them. Throughout, attackers exploit users' trust in well-known brands, leading them to believe they are accessing legitimate online services. One useful check: a pharmed site cannot present a valid TLS certificate for the real domain, so a certificate warning on a site that normally loads without one is a strong sign of pharming, unless the attacker who already controls the machine has also installed a rogue root certificate.
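The hosts-file variant is the easiest to check for yourself, because a public website you log in to should never need a hosts-file entry at all. The following Python is an added example, not code from the original post: it parses hosts-file text and flags any entry that pins a watchlisted hostname to an address. SAMPLE_HOSTS is a constructed, deliberately tampered hosts file and WATCHLIST a constructed list of domains the user cares about; on a real machine read /etc/hosts (Linux, macOS) or C:\Windows\System32\drivers\etc\hosts (Windows) instead.

```python
"""Audit a hosts file for entries that override sensitive domains (pharming check).

Added example, not from the original post. SAMPLE_HOSTS and WATCHLIST are
constructed inputs so the script runs offline.
"""
import ipaddress

# Constructed sample of a tampered hosts file; the 198.51.100.7 line is the planted one.
SAMPLE_HOSTS = """\
# constructed sample of a tampered hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
198.51.100.7   www.examplebank.com examplebank.com   # planted by a RAT
0.0.0.0     ads.tracker.example   # legitimate ad-blocking entry
10.0.0.5    intranet.corp.example
garbage line that is not a mapping
"""

# Constructed watchlist: public hostnames the user logs in to.
WATCHLIST = {"examplebank.com", "www.examplebank.com", "mail.example.com"}


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping, ignoring comments.

    A hosts line is '<ip> <name> [<name> ...]'; anything after '#' is a comment
    and lines whose first field is not an IP address are skipped as malformed.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in parts[1:]:
            yield ip, name.lower(), lineno


def audit_hosts(text, watchlist):
    """Return a finding for every watchlisted hostname that the hosts file pins.

    'redirected' means traffic goes to a real address (classic pharming);
    'sinkholed' means it is pointed at loopback/0.0.0.0, which blocks the site
    rather than impersonating it but is still worth a look.
    """
    watch = {w.lower() for w in watchlist}
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if name not in watch:
            continue
        kind = "sinkholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append({"line": lineno, "host": name, "ip": str(ip), "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

The DNS side of pharming needs a network check rather than file parsing: resolve the same name through your configured resolver and through a second, independent resolver and compare the answers, bearing in mind that large sites legitimately return different addresses from different vantage points.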

Water Holing

Water holing (also called a watering hole attack) targets a specific group of individuals by infecting websites that group is likely to visit. It involves compromising legitimate websites frequented by the target audience, exploiting vulnerabilities on those websites, and injecting malicious code. The attacker first researches the target audience to identify the websites they are likely to visit, for example by understanding their interests, industry affiliations, or the online communities they participate in. The attacker then chooses websites that are popular among the target audience and have exploitable vulnerabilities. These compromised websites become the "watering hole" where the targeted individuals are expected to turn up. Because the sites are trusted and familiar, users perceive them as safe and legitimate, which makes the attack far more likely to succeed than luring the same people to an unknown site.

Protective Measures

Below are general protective measures applicable to all the listed attacks as well as specific actions for each attack.

General Protective Measures

  • Install and regularly update reputable antivirus and anti-malware software on your devices. These tools can detect and block malicious downloads or warn you about potentially dangerous websites.
  • Keep all your software and operating systems up to date. Apply security patches and updates to protect against known vulnerabilities that attackers might exploit.
  • Configure your web browser to block pop-ups, disable automatic downloads, block ads, and warn about potentially malicious websites. Take advantage of built-in security settings for enhanced protection or extensions that offer phishing and URL protection.
  • Stay informed about the latest social engineering techniques and common phishing attacks.

Specific Protective Measures

  • For Drive-by Download – Be vigilant while browsing and avoid clicking suspicious links or visiting untrusted websites. Be wary of unsolicited emails, especially those with attachments or links, and verify the authenticity of messages before acting on them. Because drive-by exploits target outdated browser components, keep the browser patched and uninstall plugins you no longer use.
  • For Scareware – Be skeptical of unexpected pop-up messages, especially those warning about virus infections or security threats. Avoid clicking on any suspicious links or downloading software from unknown sources.
  • For Malvertising – Be cautious when clicking on online advertisements, especially those from unfamiliar or suspicious sources. Avoid interacting with ads that appear too good to be true or exhibit unusual behavior.
  • For Typosquatting – Always verify the URL before entering sensitive information or interacting with a website. Pay close attention to the spelling, structure, and domain extension, and be cautious of URLs that deviate slightly from the expected domain or brand name. For sites you log in to, bookmark the correct address and use the bookmark rather than typing the name each time.
  • For Click-baiting – Read headlines critically and evaluate their credibility and accuracy. Be skeptical of sensational claims or exaggerated language. Consider the source and reputation of the website or publication before clicking.
  • For Spamdexing – When scanning search engine results, be cautious of titles and descriptions that seem exaggerated, misleading, or too good to be true. Verify the credibility of the website before clicking on the link.
  • For Pharming – Configure your devices to use DNS servers from reputable and trusted providers, preferably over DNS-over-HTTPS or DNS-over-TLS so that responses cannot be tampered with in transit; this mitigates the risk of reaching a fraudulent site through a poisoned resolver cache. Treat a TLS certificate warning on a familiar site as a red flag, and periodically inspect your hosts file for entries naming sites you log in to.
  • For Water Holing – Employ web filtering solutions that can block access to known malicious or compromised websites. This helps mitigate the risk of visiting water-holed sites.

Conclusion

As our lives become increasingly connected to the digital world, we must be aware of the growing prevalence of website-based social engineering attacks. Cybercriminals exploit our trust in web applications to manipulate our behavior, extract sensitive information, and compromise our digital security. It is crucial for us to understand the nature of these attacks and how to defend against them to safeguard our online presence.

Throughout this blog post, we have explored several types of website-based social engineering attacks. To defend against these attacks, we have provided actionable tips and best practices. It is important to install and regularly update reputable antivirus and anti-malware software, keep all software and operating systems up to date, and configure web browsers to block pop-ups, disable automatic downloads, and warn about potentially malicious websites. Staying informed about the latest social engineering techniques and common phishing attacks is also crucial.

By implementing these protective measures and staying informed, we can bolster our online security, ensuring that our personal information and digital assets remain protected. With the knowledge and awareness gained from understanding website-based social engineering attacks, we can confidently navigate the online landscape and stay one step ahead of cybercriminals.


One Response

  1. Please can you check for the company or platform called barrikgold.com, that operates like multi-level marketing and rewarding people.
