What is Social Engineering? – Please close the door!

Most people are familiar with computer hacking, a concept typically paired with a sense of invasion from a distant and unknown source. Social engineering, however, introduces an element of proximity, or at least direct contact. Instead of spending time trying to crack a computer system from afar, the attacker tries to manipulate the victim into divulging sensitive information, such as a password to a company network or personal credit card details. There are several methods for doing so, some old, some newer, but nearly all rely on exploiting human trust and curiosity, which is why social engineering is often called human hacking.

Different types of methods

Social engineering is a multifaceted tool that attackers use to compromise both individuals and companies/organizations. Here is a short description of the most common kinds of social engineering, or rather of the attacks in which social engineering plays a part:

Phishing

Phishing is probably the most well-known type of social engineering. In e-mail phishing the attacker sends an e-mail that appears to come from a legitimate business, like a bank or a company whose web shop you have used before (one that requires a profile or account). The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card’s PIN. It may also deliver malware to the victim’s computer.

SmiShing is the SMS version of phishing, while vishing is the phone version; this technique uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank’s or other institution’s IVR system. The victim is prompted (typically via a phishing e-mail) to call the “bank” at a (ideally toll-free) number provided in order to “verify” information.

Dumpster diving

A bit different from the other methods, but no doubt one of the oldest ways of obtaining vital information about a company, dumpster diving simply means going through the trash of a company and its employees. This may be as straightforward as raiding a container, or as cunning as posing as an employee of the company to gain access to its trash cans. The method may yield surprisingly useful results for the perpetrator, as people don’t tend to view their trash as potentially sensitive material. Trash in this regard may be anything from documents to CDs and discarded hardware.

Pretexting

Pretexting is actually fundamental to most techniques in social engineering. The idea is to conjure an invented scenario (a pretext) in which the attacker approaches the victim in a way that leads him/her to disclose sensitive information.

Often requiring prior research and setup, it may be used to impersonate co-workers, police, a bank, tax authorities, insurance investigators — or any other individual who, in the mind of the targeted victim, could have perceived authority or a right to demand certain information. The scam works better if the attacker is prepared to answer questions the victim might ask. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one’s feet.

Diversion theft

This technique is a con exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is wanted elsewhere – near to, or away from, the consignee’s address – under the pretense that it is “going straight out” or “urgently required somewhere else”.

The diversion technique is not limited to theft in this manner however; it may be used in a myriad of ways, and the victim will rarely find out before it’s too late.

Baiting

Baiting revolves around tapping into the curiosity of the victim. This is typically done by leaving a malware-infected CD or USB key somewhere in a company building where it will look as though the item has been dropped by accident. The item might even be labeled with an interesting title so as to encourage the finder to use it on his/her computer to satisfy that curiosity, only to have the malware infect the computer and give the attacker access to sensitive information and/or the company’s internal network.

Quid pro quo

Something for something: that is what this Latin phrase means. In social engineering it involves making victims divulge sensitive information by offering something in return, without them realising that they are putting themselves or their company at risk. This is done by operating in a seemingly harmless situation, as when an attacker calls random numbers at a given company claiming to be calling back from technical support. For the most part this won’t result in anything, as the method relies entirely on chance, but eventually the attacker may reach someone with a legitimate problem; wanting to get rid of that problem, the victim may hand over his/her password, which the attacker “needs” to fix it. Thus access to the network is obtained and the attacker can launch malware.

What to do against threats

All types of hacking rely on locating a weakness in the system the attacker is trying to compromise. In social engineering, attackers try to circumvent the trouble of cracking a secured system by persuading their victims to let them in freely. Normally we don’t expect people to deceive us, and that is what attackers exploit.

A rule of thumb is to never divulge sensitive information to a source that cannot be verified. The following is a short list of pointers to help a company avoid attacks.

Companies must

  • Identify sensitive information and inform employees of their responsibilities.
  • Establish awareness amongst employees of where and when to be on guard.
  • Ensure that employees are able to politely refuse a request from a source that can’t be verified.
  • Stress-test employees by secretly simulating attacks to locate weaknesses and correct them.

About Patrick T. Rasmussen

doing Online Marketing for SPAMfighter. Follow me on Google+ (+Patrick Teglstrup Rasmussen), Twitter (Patrick Teglstrup Rasmussen on Twitter)

4 Comments

  1. Jeff says:

    Very interesting. I learned a lot from your post! Thanks!

  2. Sandra says:

    I have had a few calls recently from a company attempting the “Quid pro quo” method but being computer literate, I knew I didn’t need a technician to fix my computer problem lol.

  3. Angela says:

    I got a phone call supposedly from my credit card company, they even knew the name of the credit card company. Did they go thru my trash? And the message was to call a toll free number and verify info. But when I called my credit card company, they verified they had left no such message. So now I pay most of my bills online and shred all my other personal paper-based trash. You cannot be too vigilant against this type of social engineering!

  4. Chris says:

    @angela
    It’s always good to google the 1800 number too; you can often find who it belongs to or comments from other victims.
