AbleToTrain by Willing & Able

Baiting explained

This text discusses baiting, a common social engineering attack method. Others include phishing, pretexting, watering holes, quid pro quo and tailgating.

1. What is baiting?

Baiting is a cunning cousin of phishing. As the name suggests, baiting entices unsuspecting victims with very attractive offers, using fear, greed and temptation to separate them from sensitive personal data (such as login details). Through fraud and forgery, the attackers try to capture sensitive personal data such as passwords or bank information (PINs, for example) so that they can access the victim's networks and business systems and install malware, including ransomware.

2. Baiting Psychology

Like all forms of social engineering, baiting relies heavily on psychological manipulation to provoke specific behaviours that may be harmful. It is a trust-based information security tactic whose malicious purpose is to get victims to disclose highly confidential personal information. That information is then used as the basis for various cybercrime methods and to gain access to the networks of individuals and organisations.

3. Baiting technology

The technique is simple but highly harmful and malicious. Baiting is calculated: at its core it exploits human weaknesses such as fear, anxiety, curiosity, trust and greed. After infecting a USB drive with malware, cybercriminals go to open public areas, such as the reception hall of the target organisation or (if they can get into the office) break rooms and shared spaces, and leave the devices there. The drives often carry the company logo or a reassuring trust label such as "Human Resources" or "Finance". Then they wait for a curious employee to pick the drive up, carry it into the building and plug it into their computer.

Once the drive is plugged in, the victim sees a list of files and folders with business terms relevant to their organisation or industry, for example a file called "Third Quarter Profit and Loss Forecast" or a folder called "HR Information - Confidential" or "Internal Bank Information". Each file and folder is designed to provoke the response the hackers want: opening the malicious attachment (the "bait"), which delivers Trojan horse software to the computer. From there it spreads to the internal network and lets the cybercriminals move on to the next stage of the attack, such as spear phishing, watering holes or other social engineering methods.
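As an added defender-side example (not part of the original article), the following Python script parses Linux kernel log lines for USB mass-storage attachments of the kind a dropped drive would produce and flags devices that are not on an allow-list of company-issued drives. The log lines, host name and vendor/product IDs are constructed for the example, and the allow-list is hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample syslog lines (Linux kernel messages); host name,
# timestamps and vendor/product IDs are made up for this example.
SAMPLE_LOG = """\
Mar 12 09:14:01 ws-17 kernel: usb 1-2: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 1.00
Mar 12 09:14:01 ws-17 kernel: usb 1-2: Product: Flash Drive
Mar 12 09:14:01 ws-17 kernel: usb 1-2: Manufacturer: Generic
Mar 12 09:14:01 ws-17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar 12 09:15:30 ws-17 kernel: usb 1-3: New USB device found, idVendor=0b0b, idProduct=0001, bcdDevice=64.00
Mar 12 09:15:30 ws-17 kernel: usb 1-3: Product: USB Keyboard
Mar 12 10:02:45 ws-17 kernel: usb 2-1: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 2.10
Mar 12 10:02:45 ws-17 kernel: usb 2-1: Product: Corporate Secure Drive
Mar 12 10:02:45 ws-17 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""
# Hypothetical allow-list of company-issued drives, keyed by idVendor:idProduct.
ALLOWED_STORAGE = {"1111:2222"}

TIMESTAMP = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ")
NEW_DEV = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
DESC = re.compile(r"usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer): (?P<val>.+)$")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")

def find_storage_insertions(log_text: str, allowed=ALLOWED_STORAGE) -> List[dict]:
    """One record per device the usb-storage driver claimed, in log order.
    Descriptions span several lines, so records accumulate per USB port."""
    pending: Dict[str, dict] = {}
    found: List[dict] = []
    for line in log_text.splitlines():
        if m := NEW_DEV.search(line):
            ts = TIMESTAMP.match(line)
            pending[m["port"]] = {"port": m["port"], "id": f"{m['vid']}:{m['pid']}",
                                  "time": ts["ts"] if ts else None,
                                  "host": ts["host"] if ts else None}
        elif (m := DESC.search(line)) and m["port"] in pending:
            pending[m["port"]][m["key"].lower()] = m["val"].strip()
        elif (m := STORAGE.search(line)) and m["port"] in pending:
            dev = pending.pop(m["port"])          # keyboards etc. never reach here
            dev["allowed"] = dev["id"] in allowed
            found.append(dev)
    return found

def unapproved_insertions(log_text: str) -> List[dict]:
    """Only mass-storage devices not on the allow-list: the ones worth an alert."""
    return [d for d in find_storage_insertions(log_text) if not d["allowed"]]
```

Running `unapproved_insertions(SAMPLE_LOG)` on the constructed log yields only the unknown "Generic Flash Drive" on port 1-2, with its timestamp and host; the keyboard never produces a record because the usb-storage driver never claims it.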

In the online world, the same methods of exploiting our curiosity, greed and confidence are at the centre of bait attacks. When a vital, memorable Champions League match is being played by Liverpool, Paris Saint-Germain or Besiktas, or Anthony Joshua, Gennady Golovkin or Canelo Álvarez are fighting their latest bout, cybercriminals know which events we all want to see and that we will do everything possible to find a live stream. Now that the hugely popular "Mad Men" no longer appears on Netflix, enthusiastic fans will look everywhere for series and episodes that are no longer available. A malicious site with a tempting download link will be lurking somewhere in cyberspace, such as a peer-to-peer network, waiting for unsuspecting Don Draper fans to download it without a second thought, putting their own security and their company's at risk.

4. Baiting: Case Study

A study was conducted in 2016 to understand people's reactions to decoy attacks. On the Urbana-Champaign campus of the University of Illinois, the researchers dropped approximately 300 USB drives. 48% of these devices were found, picked up and plugged into computers within minutes of discovery.

For the purposes of the study, no malicious payload was executed. The files on the USB drives were HTML files containing img tags, which allowed the researchers to monitor and track where and when the drives were used.

Only 16% of the people who picked up and plugged in a drive scanned it with an antivirus tool first. Although most said they simply picked up and plugged in the drive to find out who owned it and return it, a considerable number admitted that they wanted to keep it. This amounts to a small but very concerning potential data breach and exposes a highly vulnerable point on the attack surface, increasing network and information security risk.

This confirms the suspicion of many in the security community, who have reported that unsuspecting users can be induced, by curiosity or greed, to pick up unknown devices and become victims of social engineering. This leaves your organisation vulnerable to cyber attacks, data breaches and ransomware activity that can cause millions of dollars in damage and immeasurable, irreparable damage to its reputation.

5. Techniques to prevent baiting

Fraudsters who use baiting techniques know how to take advantage of our fears and emotions. When you receive an email that plays on emotions such as fear or greed, be careful: think calmly, think slowly and don't act rashly.

Vigilance and awareness will serve you well and prevent baiting and other social engineering attacks. So when you encounter a very attractive and enticing pop-up ad or offer, think twice and be cautious before clicking. Think twice before entering any personal information, especially anything related to banking and payments such as credit card and account details. Keep your anti-virus and anti-malware software up to date so it can detect potentially harmful and malicious threats. Can that URL really be trusted? Is it safe? Does it have a valid, up-to-date security certificate? In Google Chrome, for example, check the padlock icon in the browser address bar; it shows whether your connection is secure and whether the site has a valid certificate. Scan your computer regularly to further protect yourself from these cyber threats and help maintain your cyber health and safety.
