Definition:
The process by which intruders gain access to facilities, networks, systems, data and even employees by exploiting the generally trusting nature of people.
The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Reference: Chris Hadnagy, The Art of Human Hacking (Wiley, 2010)
Social Engineering Attack Types
- Online
  - Phishing; Vishing; Whaling; Spear Phishing
  - Spoofing
- Offline / Physical
  - Tailgating
  - Impersonation
  - Dumpster diving
  - Shoulder surfing
- Either
Communications Spoofing / Fraud – Online
Phishing: sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.
Spear Phishing: sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.
Whaling: a phishing attack that is specifically aimed at wealthy, powerful, or prominent individuals.
Vishing: making phone calls or leaving voice messages purporting to be from reputable companies.
Pharming: redirecting traffic to a spoofed web site.
Variants – SMiShing (phishing delivered over SMS)
Hoax: Malicious actors issuing false warnings to alarm users
Swatting: Fraudulent calls to the police
Watering Hole Attack: A security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit.
Physical Social Engineering Attacks
Tailgating: gaining entry to an electronically locked area by following someone through the door they have just unlocked.
Dumpster Diving: The practice of foraging in garbage that has been put out on the street in dumpsters, garbage cans, etc., for discarded items that may still be valuable, useful, or used to commit fraud.
Shoulder Surfing: watching someone “over their shoulder” when they enter sensitive data such as a password or credit card information.
Social Engineering – Principles
Reasons for effectiveness
- Authority
- Familiarity / Liking – ‘You like people who like you’
- Intimidation – ‘Uniformed officer’
- Trust
- Consensus / Social Proof
- Urgency – ‘Quick train is leaving’
- Scarcity – ‘Only two tickets available’
- Reciprocity – ‘If I give you something you have to give me something’
Reference: Cialdini, Influence: Science and Practice, 5th ed., 2009
Social Engineering – Prevention
Continuous Education – Adversaries constantly invent new social engineering methods, so people must be educated regularly to recognize and avoid them.
“Trust, But Verify” – When you see something, verify it. It may sound true, but always verify.
“If you see something, say something” – When you receive a suspicious email claiming to be from your bank, call the bank directly and confirm.