A post on social engineering for my network security students.
Social engineering is a type of attack that relies on manipulating individuals to gain access to information or systems. It does not depend on exploiting technology vulnerabilities. Instead, it targets human weaknesses to persuade victims to take actions or give up information. Social engineering can be used to gather information or to influence people.
There are two main categories of social engineering techniques: psychological approaches and physical procedures.
Psychological Approaches: These techniques manipulate a victim’s emotions or mental state. Attackers often impersonate a real person to gain trust and extract information. They may use a variety of techniques, including:
• Impersonation: Masquerading as a real or fictitious character. For example, an attacker may impersonate a help desk technician to trick a user into revealing their username and password. This is also called identity fraud. Impersonation carried out to obtain private information is also called pretexting.
• Phishing: Sending an email or displaying a web announcement that appears to be from a legitimate enterprise to trick the user into giving up private information or taking some action. For example, a user might be asked to update personal information such as passwords, credit card numbers, or Social Security numbers on a fake website. Spear phishing is a type of phishing that targets specific users.
• Vishing (Voice Phishing): Using phone calls instead of email to trick victims into revealing information. For example, an attacker might use a recorded message pretending to be from the user’s bank to trick a user into calling a fake number where they will be asked to enter personal information.
• Redirection: Directing a user to a malicious website.
• Spam: Sending unsolicited messages to a large number of recipients. SPIM (Spam over Internet Messaging) is spam that is sent via instant messaging.
• Hoaxes: Tricking users into believing false information.
• Watering hole attack: Targeting a smaller group of specific individuals by compromising a website they frequently visit.
• Prepending: Influencing a subject before an event occurs by including a desired outcome in a statement.
• Whaling: Phishing attacks that target wealthy individuals or senior executives.
• Invoice scams: Sending fictitious overdue invoices that demand immediate payment.
• Credential harvesting: Using the Internet and social media searches to perform reconnaissance in order to impersonate someone.
Social engineering attacks often rely on certain psychological principles to be effective:
• Authority: Impersonating an authority figure or falsely citing authority. For example, an attacker may pretend to be the CEO to reset a password.
• Intimidation: Frightening or coercing by threat. For example, an attacker might threaten to call a supervisor if a password is not reset.
• Consensus: Influencing by what others do. For example, an attacker might claim that a colleague reset a password last week.
• Scarcity: Creating a sense of urgency or limited availability.
• Familiarity: Giving the impression that the victim is well-known and well-received. An attacker might say, “I remember reading a good evaluation on you.”
• Trust: Inspiring confidence in the victim. An attacker may say, “You know who I am.”
• Urgency: Demanding immediate action. For example, an attacker may say “My meeting with the board starts in five minutes.”
• Providing a reason: Giving a rationalization for a request.
• Projecting Confidence: Acting as if they know what they are doing.
Physical Procedures: These techniques involve physical actions to compromise security. Common methods include:
• Dumpster Diving: Digging through trash to find useful information. Attackers may look for seemingly useless items such as calendars, phone lists, and discarded USB drives to use in an attack.
• Tailgating: Following an authorized person into a restricted area. This can involve slipping behind an authorized person as they enter a building or conspiring with an authorized person.
• Shoulder Surfing: Watching someone enter secret information, such as a security code on a keypad. This can also involve using cameras to record keypad entries.
Social engineering attacks can be carried out through various vectors such as social media or supply chains. Social media can be used by threat actors to gather information about employees that can be used in an attack. Supply chain attacks occur when malware is injected into products during manufacturing or storage.
It is important to be aware of these techniques to protect oneself and one’s organization from social engineering attacks.