Social Engineering is a continuous and ongoing threat. Executed well against an unprepared target, it lets the perpetrator obtain a great deal of sensitive information with minimal effort. For this reason it is important to understand the schemes and tricks Social Engineers commonly use to trap people. Being able to recognise an attack type helps a person act with caution and avoid becoming a victim of this kind of scam.
A breakdown of the common tools and techniques used by Social Engineers is given below.
1- Phishing
Phishing is the archetypal form of deception. The Social Engineer tricks the target into believing they are communicating with a legitimate and trusted source, while in reality the attacker controls the channel and captures every piece of sensitive information the victim hands over.
By far the most popular phishing method is email, in which the potential victim is lured to a specially crafted webpage designed to look perfectly innocuous, for example a copy of the user’s own bank login page. In reality the page belongs to the Social Engineer and records everything the victim enters. Attackers also use other channels, such as phone calls, social media, online chat and spoofed websites promoted through malicious browser plugins, malware or other compromised websites, to lure the victim into giving up personal, financial or other sensitive information.
2- Spear Phishing
Spear phishing is a targeted form of phishing in which the attacker already holds some information about the target and uses it to make the approach look credible and gain the target’s confidence.
Because many people in the developed world use social media without making full use of the privacy settings on offer, Social Engineers often harvest specific details about their targets from it and from other online services such as 192.com.
This personalised approach raises the attacker’s chances of success: they can quickly gain the victim’s trust and persuade them to divulge sensitive information, such as business or financial data and trade secrets.
3- Quid pro quo
As the name suggests, in this type of attack the attacker tempts the target into giving up sensitive information in exchange for a favour or a gift. For example, a Social Engineer may ask an employee to share a confidential file in exchange for a brand new smartphone.
An offer like this sounds dubious and should immediately raise suspicion about the motives of the person making it. On contact, the employee should record as many details about the approach as they can and pass them to the responsible manager, so that action can be taken to deter similar attempts in the future.
4- Baiting (Road Apple)
Social Engineers conduct baiting (also known as Road Apple) by leaving malware on a USB drive or CD near the target’s location, somewhere they know the potential victim is likely to pass: right outside the office at the time staff are expected to enter or leave, or outside the target’s home.
The idea is that once the target sees the ‘bait’ they will pick it up and, out of curiosity, plug it into their computer at home or at the office, inadvertently installing the malware. Once installed, the malicious application gives the attacker access to the computer and lets them carry out tasks remotely.
CDs are now rarely used for this because the medium has declined. Instead, keystroke-injection devices such as the ‘USB Rubber Ducky’, or small USB-stick-sized computers such as the ‘USB Armory’ (a discreet, flash-drive-sized computer for developing and running a range of applications), are the attackers’ weapon of choice. They work as an injection platform by presenting themselves to the computer as a HID (human interface device) keyboard, so the operating system accepts their scripted keystrokes as if a user had typed them.
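Because a keystroke-injection device is accepted as an ordinary keyboard, the one trace it leaves is the kernel enumerating a new HID keyboard. The following Python is an added example, not code from the original article or from any of the products named above: it scans kernel log lines for USB keyboard interfaces and flags any whose vendor/product ID is not on an allowlist. The log excerpt is constructed for the example, `KNOWN_KEYBOARDS` is an assumed allowlist of the keyboard model issued at a site, and the `f000:ff02` device is made up.

```python
import re

# Constructed kernel log excerpt (not captured from a real machine). It shows
# a known keyboard, an ordinary storage stick, and a flash-drive-shaped device
# that enumerates as a keyboard, which is how a keystroke-injection device
# such as the USB Rubber Ducky gets its payload typed in.
SAMPLE_DMESG = """\
[  101.2] usb 1-1.2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  101.3] input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.2/1-1.2:1.0/0003:046D:C31C.0001/input/input5
[  101.3] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1.2/input0
[  340.7] usb 1-1.3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  340.8] usb-storage 1-1.3:1.0: USB Mass Storage device detected
[  512.1] usb 1-1.4: New USB device found, idVendor=f000, idProduct=ff02, bcdDevice= 1.00
[  512.2] input: HID Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.4/1-1.4:1.0/0003:F000:FF02.0002/input/input6
[  512.2] hid-generic 0003:F000:FF02.0002: input,hidraw1: USB HID v1.11 Keyboard [HID Keyboard] on usb-0000:00:14.0-1.4/input0
"""

# Assumption for the example: the only keyboard model issued at this site.
KNOWN_KEYBOARDS = {("046d", "c31c")}

NEW_DEVICE_RE = re.compile(
    r"usb (?P<port>\S+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
HID_KEYBOARD_RE = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: "
    r"input,hidraw\d+: USB HID v[\d.]+ Keyboard \[(?P<name>[^\]]*)\]"
)


def find_rogue_keyboards(log_text, allowlist=KNOWN_KEYBOARDS):
    """Return one alert per keyboard interface whose VID:PID is not allowlisted."""
    port_by_id = {}   # (vid, pid) -> USB port path, taken from the enumeration line
    alerts = []
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            port_by_id[(m["vid"], m["pid"])] = m["port"]
            continue
        m = HID_KEYBOARD_RE.search(line)
        if m:
            vid, pid = m["vid"].lower(), m["pid"].lower()
            if (vid, pid) not in allowlist:
                alerts.append({
                    "port": port_by_id.get((vid, pid), "unknown"),
                    "vid": vid, "pid": pid, "name": m["name"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_keyboards(SAMPLE_DMESG):
        print("unexpected keyboard on port {port}: {vid}:{pid} '{name}'".format(**alert))
```

On the constructed log this reports a single unexpected keyboard on port 1-1.4. Treat it as a tripwire rather than a control: an injection device can be programmed to present the same vendor and product ID as a genuine keyboard, so the durable defences are physical port control and a USB device policy enforced before the device is usable (USBGuard on Linux, for instance), with this kind of log check as a second opinion.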
5- Pretexting
Pretexting is the art of inventing a false scenario and posing as an authority figure so that the target feels comfortable divulging information they normally would not. For instance, after gathering sufficient information about the potential victim online (through social media and the wider Internet), the attacker may telephone the victim claiming to be calling from their bank about suspicious transactions on their account. To appear legitimate and win trust, the attacker quotes the victim’s correct date of birth and address (found online) and then asks the victim to ‘confirm’ their account details so the bank can be sure it is speaking to the account holder.
Once trust is established the victim is typically prepared to divulge anything about their account. Exploiting this, the attacker gathers as much private information as they can before calling the victim’s actual bank. Armed with up-to-date private details and impersonating the victim, the attacker can potentially reset the security on the account and carry out fraudulent transactions on the victim’s behalf without their knowledge.
6- Tailgating
Tailgating is a physical Social Engineering approach in which an unauthorised individual gains entry to a secure location by following, or ‘tailing’, an authorised worker through a controlled door. The objective is to get inside and then acquire valuable sensitive or confidential information, whether by planting malware on computers in the target area or by posing as someone in charge and extracting information from employees on site in person.
7- Pharming
Pharming, a blend of the words ‘phishing’ and ‘farming’, tricks the victim into thinking that the website they are browsing is legitimate when in fact they are on an identical but forged copy of the original. By poisoning a DNS cache or making an unauthorised change to the system’s ‘hosts’ file, the attacker causes the genuine domain name to resolve to a server they control, so the address bar shows the expected site even though the traffic is going elsewhere (a properly configured HTTPS site will still trigger a certificate warning in this situation, which is one reason never to click through such warnings).
Pharming requires little or no direct contact between victim and attacker, as most of the attack is carried out through technical manipulation. It is still classed as a Social Engineering tool because of the trickery involved in making victims believe they are browsing the intended website. Its high chance of success makes it a weapon of choice for Social Engineers.
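The hosts-file variant of pharming is simple to spot once you know what a tampered file looks like. The Python below is an added example, not code from the original article: it parses a hosts file and flags any watched hostname that has been pinned to a real address, which is what a redirect to a clone looks like. The hosts content is constructed, `examplebank.com` is a made-up domain, `SENSITIVE_DOMAINS` is an assumed watchlist, and 203.0.113.45 is from a documentation-only address range.

```python
import ipaddress
import os

# Constructed hosts file (not taken from any real system): the standard
# loopback lines, a harmless LAN alias, and two entries a pharming attacker
# might append so the genuine bank hostnames resolve to a clone server.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    printer.lan
# added by "update"
203.0.113.45    www.examplebank.com examplebank.com
203.0.113.45    login.examplebank.com
"""

# Assumption for the example: the domains whose hijacking we care about.
SENSITIVE_DOMAINS = ("examplebank.com",)


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # malformed line, not an IP
        for name in fields[1:]:
            yield lineno, addr, name.lower()


def suspicious_entries(text, sensitive=SENSITIVE_DOMAINS):
    """Flag watched hostnames pinned to a non-loopback address."""
    flagged = []
    for lineno, addr, name in parse_hosts(text):
        watched = any(name == d or name.endswith("." + d) for d in sensitive)
        # A public hostname in the hosts file bypasses DNS altogether. Mapping
        # a name to loopback or 0.0.0.0 is a common ad-blocking idiom and is
        # left alone; any other address for a watched domain is a redirect.
        if watched and not (addr.is_loopback or addr.is_unspecified):
            flagged.append({"line": lineno, "name": name, "address": str(addr)})
    return flagged


def check_system_hosts():
    """Run the same check against this machine's own hosts file."""
    path = (r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt"
            else "/etc/hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print("line {line}: {name} -> {address}".format(**hit))
```

On the constructed file this flags the three bank hostnames on lines 5 and 6 and nothing else. The hosts file is only one of the two vectors the section names: a poisoned resolver cache leaves the file untouched, so the check belongs alongside monitoring of the resolver's answers for the same domains, not in place of it.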
8- Trojan Horse – Gimme
This is another method in which the Social Engineer needs minimal physical interaction with the target. It exploits the victim’s natural curiosity and greed, tempting them into opening an email attachment that installs a malicious application.
The attacker usually sends an email with an infected attachment to a batch of recipients on a mailing list. The email offers something of apparent value, such as a free screensaver, an antivirus product or another popular piece of software. The users’ negligence and naivety work in the attacker’s favour: those who trust the sender and install the application from the attachment inadvertently install malware or a Trojan horse on their system.
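The two email-borne tricks on this page, the phishing link that reads as the bank’s address but points elsewhere (section 1) and the ‘free software’ attachment that is really an executable (this section), can both be caught by looking at the message itself. The Python below is an added example, not code from the original article, and it uses only the standard library: it parses a message, reports links whose visible text names a different domain from the one the href goes to, and reports attachments with executable or double extensions or whose bytes contradict the declared content type. The message is constructed; `examplebank.com`, `login-verify.example`, the addresses and the filename are all made up.

```python
import base64
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message (not a real capture). The body dresses a lookalike link
# up as the bank's login page; the "free screensaver" is a Windows executable
# declared as a JPEG. examplebank.com and login-verify.example are made up.
PE_STUB = b"MZ" + b"\x90" * 62          # the first bytes of any Windows PE file
SAMPLE_EML = (
    "From: Example Bank <alerts@examplebank.com>\r\n"
    "To: victim@example.org\r\n"
    "Subject: Security notice and your free screensaver\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    '<p>Confirm your details at <a href="http://examplebank.com.login-verify.example/">'
    "https://www.examplebank.com/login</a></p>\r\n"
    '<p>Or read <a href="https://www.examplebank.com/help">our help page</a>.</p>\r\n'
    '--b1\r\nContent-Type: image/jpeg; name="FreeScreensaver.jpg.exe"\r\n'
    'Content-Disposition: attachment; filename="FreeScreensaver.jpg.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(PE_STUB).decode() + "\r\n--b1--\r\n"
).encode()

RISKY_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
             "wsf", "msi", "hta", "ps1", "lnk", "jar"}
MAGIC = {b"MZ": "application/x-dosexec", b"%PDF": "application/pdf",
         b"\xff\xd8\xff": "image/jpeg", b"PK\x03\x04": "application/zip"}
# Link text that itself looks like a URL or hostname; other anchor text is ignored.
URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    # Crude registrable-domain guess (last two labels); a production filter
    # would consult the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])


def deceptive_links(html):
    """Links whose visible text names one domain while the href goes to another."""
    parser = _Links()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        m = URLISH.match(text)
        if not m:
            continue
        shown, actual = m.group(1), urlparse(href).hostname or ""
        if registrable(shown) != registrable(actual):
            out.append({"shown": shown, "actual": actual})
    return out


def sniff(data):
    """Content type implied by the leading bytes, or None if unrecognised."""
    return next((mime for magic, mime in MAGIC.items() if data.startswith(magic)), None)


def risky_attachments(msg):
    """Executable or double extensions, and content that contradicts its declared type."""
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = name.lower().split(".")[1:]
        reasons = []
        if exts and exts[-1] in RISKY_EXT:
            reasons.append("executable extension ." + exts[-1])
        if len(exts) > 1:
            reasons.append("double extension")
        actual = sniff(part.get_payload(decode=True) or b"")
        if actual and actual != part.get_content_type():
            reasons.append(f"declared {part.get_content_type()} but content is {actual}")
        if reasons:
            out.append({"filename": name, "reasons": reasons})
    return out


def analyse(raw_bytes):
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {"deceptive_links": deceptive_links(html),
            "risky_attachments": risky_attachments(msg)}


if __name__ == "__main__":
    print(analyse(SAMPLE_EML))
```

On the constructed message the link check reports `www.examplebank.com` shown against `examplebank.com.login-verify.example` actual, and the attachment is reported for all three reasons. The second link, whose text is plain English, is ignored on purpose: the mismatch heuristic only applies when the visible text itself claims to be an address, which is the deception described in section 1. The `registrable()` shortcut is the weak point of the link check and is the first thing to replace in real use.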