8.2 Social Engineering Techniques

Types of Social Engineering

  • Human-based Social Engineering: Gathers sensitive information through direct human interaction.
  • Computer-based Social Engineering: Social engineering carried out with the help of computers.
  • Mobile-based Social Engineering: Social engineering carried out with the help of mobile applications.

Human-based Social Engineering: Impersonation

  • It is the most common human-based social engineering technique: the attacker pretends to be a legitimate or authorized person.
  • Attackers may impersonate a legitimate or authorized person either in person or over a communication medium such as phone, email, etc.
  • Impersonation helps attackers trick a target into revealing sensitive information.
  • Posing as a legitimate end user: Gives an identity and asks for the sensitive information.
  • Posing as an important user: Poses as a VIP of the target company, a valuable customer, etc.
  • Posing as technical support: Calls as technical support staff and requests IDs and passwords in order to "retrieve data".

Impersonation Scenario: Over-Helpfulness of Help Desk

  • Help desks are especially vulnerable to social engineering because they exist explicitly to help.
  • The attacker calls a company's help desk, pretends to be someone in a position of authority or relevance, and tries to extract sensitive information from the help desk.

Impersonation Scenario: Third-party Authorization

  • The attacker obtains the name of an authorized employee of the target organization who has access to the information he/she wants.
  • The attacker then calls the part of the target organization where the information is stored and claims that this employee has requested that the information be provided.

Impersonation Scenario: Tech Support

  • The attacker pretends to be technical support staff of one of the target organization's software vendors or contractors.
  • He/she may then ask for a user ID and password in order to troubleshoot a problem in the organization.

Impersonation Scenario: Internal Employee/Client/Vendor

  • The attacker, dressed in business attire or an appropriate uniform, enters the target building claiming to be a contractor, client, or service personnel.
  • He/she may then look for passwords stuck on terminals, search for information or documents on desks, or eavesdrop on confidential conversations.

Impersonation Scenario: Repairman

  • The attacker may pretend to be a telephone repairman or computer technician and enter the target organization.
  • He/she may then plant a snooping device or obtain passwords during activities associated with those duties.

Impersonation Scenario: Trusted Authority Figure

Human-based Social Engineering: Eavesdropping and Shoulder Surfing (important)

  • Eavesdropping:
    • Eavesdropping is the unauthorized listening to conversations or reading of messages.
    • It is the interception of audio, video, or written communication.
    • It can be done over communication channels such as telephone lines, email, instant messaging, etc.
  • Shoulder Surfing:
    • Shoulder surfing uses direct observation techniques such as looking over someone's shoulder to get information such as passwords, PINs, account numbers, etc.
    • Shoulder surfing can also be done from a longer distance with the aid of vision enhancing devices such as binoculars to obtain sensitive information.

Human-based Social Engineering: Dumpster Diving

  • Dumpster Diving: Dumpster diving is looking for treasure in someone else's trash.

Human-based Social Engineering: Reverse Social Engineering, Piggybacking, and Tailgating

  • Reverse Social Engineering:
    • A situation in which the attacker presents himself as an authority and the target seeks his advice, offering the information that he needs.
    • A reverse social engineering attack involves sabotage, marketing, and tech support.
  • Piggybacking:
    • "I forgot my ID badge at home. Please help me."
    • An authorized person allows (intentionally or unintentionally) an unauthorized person to pass through a secure door.
  • Tailgating:
    • An unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door requiring key access.

Computer-based Social Engineering

  • Pop-up Windows: Windows that suddenly pop up while the user is surfing the Internet and ask for the user's information to log in or sign in.
  • Hoax Letters: Hoax letters are emails that issue warnings to the user about new viruses, Trojans, or worms that may harm the user's system.
  • Chain Letters: Chain letters are emails that offer free gifts such as money and software on the condition that the user forwards the mail to a stated number of people.
  • Instant Chat Messenger: Gathering personal information by chatting with a selected online user to obtain details such as birth dates and maiden names.
  • Spam Email: Irrelevant, unwanted, and unsolicited email sent to collect financial information, social security numbers, and network information.

Computer-based Social Engineering: Phishing

  • An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user's personal or account information.
  • Phishing emails or pop-ups redirect users to fake webpages that mimic trustworthy sites and ask them to submit their personal information.
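The "fake webpage mimicking a trustworthy site" pattern above leaves a detectable trace in the message itself: the link text shows one domain while the href points at another, or the genuine brand name appears inside a host the organization does not own. The following is an added example (not from the original notes) of a defender-side check for both signs; the trusted domain "ximbank.com", the sample message and the link hosts are all constructed for the example, and the registrable-domain reduction is deliberately crude (last two labels, no public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation really owns; "ximbank.com" is constructed for this example.
TRUSTED = {"ximbank.com"}
BRAND_LABELS = {d.split(".")[0] for d in TRUSTED}  # brand words to watch for, e.g. "ximbank"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain reduction (last two labels); no public-suffix list here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html):
    """Return (href, reason) for links whose real destination contradicts what the reader sees."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        dest = registered_domain(host)
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())  # a domain visible in the link text
        if shown and registered_domain(shown.group(0)) != dest:
            findings.append((href, f"text shows {registered_domain(shown.group(0))} but goes to {dest}"))
        if dest not in TRUSTED and any(b in host for b in BRAND_LABELS):
            findings.append((href, f"brand name used in untrusted host {host}"))
    return findings


# Constructed sample message: one look-alike link, one genuine link.
SAMPLE_EMAIL = """<p>Your account has been locked. Verify now:</p>
<a href="http://ximbank.com.verify-login.net/x">https://www.ximbank.com/login</a>
<a href="https://www.ximbank.com/help">Help centre</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags only the first link, once for the text/destination mismatch and once for the brand name inside an untrusted host; the genuine help-centre link produces no finding.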

Computer-based Social Engineering: Spear Phishing

  • Spear phishing is a direct, targeted phishing attack aimed at specific individuals within an organization.
  • In contrast to a normal phishing attack, where attackers send out hundreds of generic messages to random email addresses, spear phishing sends a message with specialized social engineering content directed at a specific person or a small group of people.
  • Spear phishing generates a higher response rate than a normal phishing attack.

Mobile-based Social Engineering: Publishing Malicious Apps

  • Attackers create malicious apps with attractive features and names similar to those of popular apps, and publish them on major app stores.
  • Unaware users download these apps and are infected by malware that sends their credentials to the attackers.

Mobile-based Social Engineering: Repackaging Legitimate Apps

Mobile-based Social Engineering: Fake Security Applications

  1. The attacker infects the victim's PC.
  2. The victim logs on to his/her bank account.
  3. The malware on the PC pops up a message telling the victim to download an application onto his/her phone in order to receive security messages.
  4. The victim downloads the malicious application onto his/her phone.
  5. The attacker can now read the second authentication factor that the bank sends to the victim via SMS.

Mobile-based Social Engineering: Using SMS

  1. Tracy received an SMS text message, ostensibly from the security department at XIM Bank.
  2. It claimed to be urgent and said that Tracy should call the phone number in the SMS immediately. Worried, she called to check on her account.
  3. She called thinking it was an XIM Bank customer service number, and reached a recording asking her to provide her credit card or debit card number.
  4. Predictably, Tracy revealed the sensitive information because of the fraudulent text.

Insider Attack

  • Spying:
    • If a competitor wants to damage your organization, steal critical secrets, or put you out of business, they only have to find a job opening, prepare someone to pass the interview, and have that person hired; that person is then inside the organization.
  • Revenge:
    • It takes only one disgruntled person seeking revenge for your company to be compromised.
  • Insider Attack:
    • An inside attack is easy to launch.
    • Prevention is difficult.
    • The inside attacker can easily succeed.

Disgruntled Employee

  • An employee may become disgruntled towards the company when he/she is disrespected, frustrated with the job, in conflict with management, dissatisfied with employment benefits, issued an employment termination notice, transferred, demoted, etc.
  • Disgruntled employees may pass company secrets and intellectual property to competitors for monetary gain.

Preventing Insider Threats

  • Separation and rotation of duties
  • Least privilege
  • Controlled access
  • Logging and auditing
  • Legal policies
  • Archive critical data

Common Social Engineering Targets and Defense Strategies

  • Front office and help desk:
    • Attack techniques: eavesdropping, shoulder surfing, impersonation, persuasion, and intimidation.
    • Defense strategies: train employees/help desk to never reveal passwords or other information by phone.
  • Perimeter security:
    • Attack techniques: impersonation, fake IDs, piggybacking, etc.
    • Defense strategies: implement strict badge, token, or biometric authentication; employee training; security guards.
  • Office:
    • Attack techniques: shoulder surfing, eavesdropping, ingratiation, etc.
    • Defense strategies: employee training; best practices and checklists for using passwords; escort all guests.
  • Phone (help desk):
    • Attack techniques: impersonation, intimidation, and persuasion on help desk calls.
    • Defense strategies: employee training; enforce policies for the help desk.
  • Mail room:
    • Attack techniques: theft, damage, or forging of mail.
    • Defense strategies: lock and monitor the mail room; employee training.
  • Machine room/Phone closet:
    • Attack techniques: attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data.
    • Defense strategies: keep phone closets, server rooms, etc. locked at all times and keep an updated inventory of equipment.
