8.2 Social Engineering Techniques
Types of Social Engineering
- Human-based Social Engineering: gathers sensitive information through person-to-person interaction.
- Computer-based Social Engineering: carried out with the help of computers (email, web pages, pop-ups, chat).
- Mobile-based Social Engineering: carried out with the help of mobile applications and SMS.
Human-based Social Engineering: Impersonation
- It is the most common human-based social engineering technique: the attacker pretends to be a legitimate or authorized person.
- Attackers may impersonate a legitimate or authorized person either in person or over a communication medium such as the phone or email.
- Impersonation helps attackers trick a target into revealing sensitive information.
- Posing as a legitimate end user: gives an identity and asks for the sensitive information.
- Posing as an important user: posing as a VIP of the target company, a valuable customer, etc.
- Posing as technical support: calls as technical support staff and requests IDs and passwords "to retrieve data".
Impersonation Scenario: Over-Helpfulness of Help Desk
- Help desks are especially vulnerable to social engineering because they exist explicitly to help.
- The attacker calls a company's help desk, pretends to be someone in a position of authority or relevance, and tries to extract sensitive information from the help desk.
Impersonation Scenario: Third-party Authorization
- The attacker obtains the name of an authorized employee of the target organization who has access to the information he/she wants.
- The attacker then calls the part of the target organization where the information is stored and claims that this employee has requested that the information be provided.
Impersonation Scenario: Tech Support
- The attacker pretends to be technical support staff from one of the target organization's software vendors or contractors.
- He/she may then ask for a user ID and password in order to troubleshoot a problem in the organization.
Impersonation Scenario: Internal Employee/Client/Vendor
- The attacker, dressed in business attire or an appropriate uniform, enters the target building claiming to be a contractor, client, or service personnel.
- He/she may then look for passwords stuck on terminals, search for information or documents on desks, or eavesdrop on confidential conversations.
Impersonation Scenario: Repairman
- The attacker may pretend to be a telephone repairman or computer technician and enter the target organization.
- He/she may then plant a snooping device or obtain hidden passwords during activities associated with those duties.
Impersonation Scenario: Trusted Authority Figure
Human-based Social Engineering: Eavesdropping and Shoulder Surfing (important)
- Eavesdropping is the unauthorized listening to conversations or reading of messages.
- Interception of audio, video, or written communication.
- It can be done over communication channels such as telephone lines, email, instant messaging, etc.
- Shoulder Surfing:
- Shoulder surfing uses direct observation techniques, such as looking over someone's shoulder, to obtain information such as passwords, PINs, and account numbers.
- Shoulder surfing can also be done from a longer distance with the aid of vision-enhancing devices such as binoculars.
Human-based Social Engineering: Dumpster Diving
- Dumpster Diving: looking for treasure in someone else's trash, i.e. discarded documents, printouts, sticky notes, and media that can reveal passwords, account data, or organizational details.
Human-based Social Engineering: Reverse Social Engineering, Piggybacking, and Tailgating
- Reverse Social Engineering:
- A situation in which the attacker presents himself as an authority, and the target seeks his advice, offering the information he needs.
- A reverse social engineering attack involves three stages: sabotage, marketing (advertising the attacker as the one who can fix the problem), and tech support.
- Piggybacking:
- "I forgot my ID badge at home. Please help me."
- An authorized person allows (intentionally or unintentionally) an unauthorized person to pass through a secure door.
- Tailgating:
- An unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door requiring key access.
Computer-based Social Engineering
- Pop-up Windows: windows that suddenly pop up while surfing the Internet and ask for the user's information to log in or sign in.
- Hoax Letters: emails that issue warnings to the user about new viruses, Trojans, or worms that may harm the user's system.
- Chain Letters: emails that offer free gifts such as money or software on the condition that the user forwards the mail to a stated number of people.
- Instant Chat Messenger: gathering personal information by chatting with a selected online user to obtain details such as birth dates and maiden names (common password-reset answers).
- Spam Email: irrelevant, unwanted, and unsolicited email sent to collect financial information, social security numbers, and network information.
Computer-based Social Engineering: Phishing
- An illegitimate email, falsely claiming to be from a legitimate site, attempts to acquire the user's personal or account information.
- Phishing emails or pop-ups redirect users to fake web pages that mimic trustworthy sites and ask them to submit their personal information.
Computer-based Social Engineering: Spear Phishing
- Spear phishing is a direct, targeted phishing attack aimed at specific individuals within an organization.
- In contrast to a normal phishing attack, where attackers send out hundreds of generic messages to random email addresses, spear phishing sends a message with specialized social-engineering content directed at a specific person or a small group of people.
- Spear phishing generates a higher response rate than a normal phishing attack.
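Both phishing and spear phishing depend on a link that reads as the trusted site while pointing somewhere else. The following Python checker is an added example for this page, not code from the original notes or any vendor: it parses the anchors of an HTML email and reports three indicators a practitioner looks for, i.e. visible text naming a different domain than the href, punycode (IDN homograph) hosts, and lookalikes of a trusted brand domain. The bank name XIM Bank, the domains, and the sample message are all constructed; the `registrable()` helper assumes single-label public suffixes (no `co.uk`).

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a hostname inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registrable(host):
    """Last two labels of a host. Assumption: no multi-part public suffixes (co.uk, com.au)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def fold_to_ascii(host):
    """Decode punycode and strip diacritics so 'xímbank.com' compares equal to 'ximbank.com'."""
    try:
        decoded = host.encode("ascii").decode("idna")
    except UnicodeError:
        decoded = host
    nfkd = unicodedata.normalize("NFKD", decoded)
    return "".join(c for c in nfkd if not unicodedata.combining(c))


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(html, trusted):
    """Return (indicator, href) pairs for anchors in `html`, checked against trusted brand domains."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = urlparse(href).hostname or ""
        if not host:
            continue
        target = registrable(host)
        shown = DOMAIN_IN_TEXT.search(text)
        # 1. The text the user reads names one domain; the link goes somewhere else.
        if shown and registrable(shown.group(0)) != target:
            findings.append(("display text names a different domain", href))
        # 2. Punycode labels: the browser may render a homograph of a familiar name.
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(("punycode (IDN) host", href))
        # 3. Lookalikes: brand name buried in an unrelated domain, a homograph, or a typosquat.
        folded = registrable(fold_to_ascii(host))
        for brand in trusted:
            if target == brand:
                continue
            if (brand.split(".")[0] in host.replace("-", "")
                    or folded == brand
                    or edit_distance(folded, brand) <= 2):
                findings.append((f"lookalike of {brand}", href))
                break
    return findings


# Constructed sample message (not a real email). The homograph host is produced with
# Python's idna codec so that its punycode form is correct.
HOMOGRAPH_HOST = "xímbank.com".encode("idna").decode("ascii")
SAMPLE_EMAIL = f"""
<p>Dear customer, unusual activity was detected. Verify your account now:</p>
<a href="http://ximbank.com.account-verify.net/login">https://www.ximbank.com/login</a>
<a href="http://{HOMOGRAPH_HOST}/">XIM Bank secure login</a>
<a href="https://www.ximbank.com/help">Help centre</a>
"""
TRUSTED_DOMAINS = ["ximbank.com"]

if __name__ == "__main__":
    for indicator, href in phishing_indicators(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f"{indicator}: {href}")
```

The first two anchors are flagged (the legitimate help link is not). The subdomain trick `ximbank.com.account-verify.net` is why the check compares registrable domains rather than looking for the brand name anywhere in the host; a mail gateway would additionally resolve redirectors and check the final landing page.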
Mobile-based Social Engineering: Publishing Malicious Apps
- Attackers create malicious apps with attractive features and names similar to those of popular apps, and publish them on major app stores.
- Unaware users download these apps and are infected by malware that sends their credentials to the attackers.
Mobile-based Social Engineering: Repackaging Legitimate Apps
Mobile-based Social Engineering: Fake Security Applications
- The attacker infects the victim's PC.
- The victim logs on to his/her bank account.
- Malware on the PC pops up a message telling the victim to download an application onto his/her phone in order to receive security messages.
- The victim downloads the malicious application onto his/her phone.
- The attacker can now read the second authentication factor that the bank sends the victim via SMS. This works because the factor transits a channel (SMS) the rogue app can read; authenticator apps or hardware tokens that never put the code in an SMS are not captured this way.
Mobile-based Social Engineering: Using SMS
- Tracy received an SMS text message, ostensibly from the security department at XIM Bank.
- It claimed to be urgent and that Tracy should call the phone number in the SMS immediately. Worried, she called to check on her account.
- She called thinking it was an XIM Bank customer service number; instead, a recording asked her to provide her credit or debit card number.
- Predictably, Tracy revealed the sensitive information because of the fraudulent text.
- If a competitor wants to damage your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, get that person hired, and they are inside the organization.
- It takes only one disgruntled person taking revenge for your company to be compromised.
- Insider Attack:
- An inside attack is easy to launch.
- Prevention is difficult.
- The inside attacker can easily succeed.
- An employee may become disgruntled toward the company when he/she is disrespected, frustrated with the job, in conflict with management, dissatisfied with employment benefits, issued a termination notice, transferred, demoted, etc.
- Disgruntled employees may pass company secrets and intellectual property to competitors for monetary benefit.
Preventing Insider Threats
- Separation and rotation of duties
- Least privilege
- Controlled access
- Logging and auditing
- Legal policies
- Archive critical data
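Three of the controls above (least privilege, separation of duties, logging and auditing) are enforceable in code rather than by policy alone. The following Python is an added example written for this page, not code from the original notes: a small authorization gate in which every permission is an explicit role grant, the submitter of a deployment can never be its approver even when their roles would allow it, and every decision is appended to an audit trail that a reviewer can query. The role names, users, and deployment workflow are hypothetical.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Hypothetical role model for the example (assumed, not from the page).
# Least privilege: a permission exists only if a role explicitly grants it.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "engineer": {"repo:read", "repo:push", "deploy:request"},
    "release_manager": {"repo:read", "deploy:approve"},
    "auditor": {"audit:read"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"engineer"},
    "bob": {"release_manager"},
    "carol": {"engineer", "release_manager"},
    "dave": {"auditor"},
}


class DeployRequest:
    def __init__(self, request_id: str, submitted_by: str):
        self.request_id = request_id
        self.submitted_by = submitted_by
        self.approved_by: Optional[str] = None


class AuthzGate:
    """Makes allow/deny decisions and keeps an append-only audit trail of each one."""

    def __init__(self):
        self.audit_log: List[dict] = []

    def permissions(self, user: str) -> Set[str]:
        roles = USER_ROLES.get(user, set())
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

    def _record(self, user: str, action: str, allowed: bool, reason: str, target: str) -> bool:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "target": target,
            "decision": "allow" if allowed else "deny",
            "reason": reason,
        })
        return allowed

    def request_deploy(self, user: str, request_id: str) -> Optional[DeployRequest]:
        if "deploy:request" not in self.permissions(user):
            self._record(user, "deploy:request", False, "missing permission", request_id)
            return None
        self._record(user, "deploy:request", True, "role grants deploy:request", request_id)
        return DeployRequest(request_id, user)

    def approve_deploy(self, user: str, req: DeployRequest) -> bool:
        if "deploy:approve" not in self.permissions(user):
            return self._record(user, "deploy:approve", False, "missing permission", req.request_id)
        # Separation of duties: whoever submitted the change can never be its approver,
        # even when their roles would otherwise allow it.
        if user == req.submitted_by:
            return self._record(user, "deploy:approve", False,
                                "separation of duties: self-approval", req.request_id)
        req.approved_by = user
        return self._record(user, "deploy:approve", True,
                            "distinct approver with deploy:approve", req.request_id)

    def denials_per_user(self) -> Dict[str, int]:
        """Audit review: repeated denials for one account deserve an analyst's attention."""
        counts: Dict[str, int] = {}
        for entry in self.audit_log:
            if entry["decision"] == "deny":
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return counts


def run_scenario(gate: AuthzGate) -> dict:
    """Constructed walkthrough; returns the decisions so they can be checked."""
    r1 = gate.request_deploy("alice", "REQ-1")       # engineer may request a deploy
    alice_self = gate.approve_deploy("alice", r1)     # deny: no deploy:approve permission
    bob = gate.approve_deploy("bob", r1)              # allow: distinct approver
    r2 = gate.request_deploy("carol", "REQ-2")        # carol holds both roles...
    carol_self = gate.approve_deploy("carol", r2)     # ...but separation of duties blocks her
    dave = gate.request_deploy("dave", "REQ-3")       # auditor cannot request deploys
    return {
        "alice_self": alice_self,
        "bob": bob,
        "carol_self": carol_self,
        "dave_denied": dave is None,
        "r1_approved_by": r1.approved_by,
    }


if __name__ == "__main__":
    gate = AuthzGate()
    print(run_scenario(gate))
    for entry in gate.audit_log:
        print(entry["decision"], entry["user"], entry["action"], entry["target"], "-", entry["reason"])
```

The point of the carol case is that separation of duties is a constraint on the transaction, not on the role: an account that legitimately holds both roles is still refused self-approval. Denials are logged with a reason so that `denials_per_user()` can surface an account probing for access it was never granted.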
Common Social Engineering Targets and Defense Strategies
| Social Engineering Targets | Attack Techniques | Defense Strategies |
|---|---|---|
| Front office and help desk | Eavesdropping, shoulder surfing, impersonation, persuasion, and intimidation | Train employees/help desk never to reveal passwords or other information by phone |
| Perimeter security | Impersonation, fake IDs, piggybacking, etc. | Implement strict badge, token, or biometric authentication; employee training; security guards |
| Office | Shoulder surfing, eavesdropping, ingratiation, etc. | Employee training; best practices and checklists for using passwords; escort all guests |
| Phone (help desk) | Impersonation, intimidation, and persuasion on help desk calls | Employee training; enforce policies for the help desk |
| Mail room | Theft, damage, or forging of mail | Lock and monitor the mail room; employee training |
| Machine room/phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to capture confidential data | Keep phone closets, server rooms, etc. locked at all times and keep an updated inventory of equipment |