Questions about this topic? Sign up to ask in the talk tab.

Category:Social Engineering

From NetSec
Jump to: navigation, search

Just like computers, people can be hacked as well. Social engineering is a term applied to the art of human manipulation as a means to have a person divulge information or perform an action of the manipulator's choosing.


Methods

Email

Until the release of StormWorm social engineering by means of email was a less commonly used method. The process involved an email being crafted with the intent to trick the recipient into downloading something, executing something or disclosing information, arbitrary or not. Emails may be forged, hijacked, rewritten and/or simply full of lies, anything to get the sender's desired reaction.

See email spoofing for more information on this topic.

Telephone

There are a variety of approaches a social engineer can use over the telephone. Impersonations of figures of authority or people closely associated with loved ones are common roles assumed. Usually excessive flattery is one of the more successful approaches used when interacting with the target as a person is more open with people they do not perceive as a threat. If niceness is not successful the manipulator will then resort to an intimidation or fear-based attacks which can involve anything from the welfare security threats on a network to harm of the target. Though the latter is much less common as a engineer often prefers to keep their intentions less obvious.

Examples

An example of using both email and telephone would be an email sent creating a weakness in a network. Then followed by informing an administrator of a security hole in which his configuration is vulnerable and providing a website or link providing a malicious piece of software that the engineer will call the "patch" to the vulnerability.

Average employees are often vulnerable to social engineering attacking. For example if the engineer has a lot of information on the employee (such as name, date of birth, the last four digits of his social security number, and so on) they may call the employee during off hours impersonating the employee's workplace, verify the last four social security digits and current password to "verify identity". This is followed by a story of a problem and that the employee's password is being reset, followed by giving the employee a new password. At the same time the attacker may have called in to the employer requesting a password reset to begin with- making both sides of the corporation believe there was an issue. The advantage of this is not only the password was reset but eventual discovery of the compromised account by the corporation has been delayed.

Other easily phoned social engineering attacks include knowing enough about a corporation to gain information from an employee. Calling employees on off-hours impersonating tech support or even a solicitor is often a successful method. If the engineer knows the employee's bank, they may pass themself off as a bank representative, informing the employee that they have won a prize and requesting a piece of personal information (social security number, date of birth, or even bank account number) for verification of identity. With this newfound information the social engineer can then call the employee's company with enough information to pose as and "prove" the employee's identity in order to gain the routing and accounting information from the employee's paycheck or direct deposition. The engineer could then call the accounting department again assuming the role of a bank employee, give the routing and account number to validate identity, and then ask for the Federal Tax ID or Employer Identification Number for the targeted individual from the accounting department. By then the social engineer has enough information on their target to be able to hijack wire transfers and perhaps even successfully commit wire fraud with target corporate assets.

The examples listed are but minor ideas of social engineering over the mediums of electronic communication. Organized crime on the other hand won't always rely on such techniques. In a targeted social engineering attack the target corporation may fall prey to other variables such as malicious employees, sales agents of other corporations and furthermore may fall victim to malicious clientele.

Pages in category "Social Engineering"

This category contains only the following page.