Categories of Social Engineering Attacks [Technical and Non-technical]
In this post we will take a look at the different “Categories of Social Engineering.”
Before we dive into the post – here’s a quick mention of our cyber security courses titled: “Social Engineering Penetration Testing”. This course contains the following modules:
(The course also includes a certificate of completion which can be used to accumulate Continuing Education CEU’s/ CPD’)
Here are the modules:
Module 1 An Introduction to Social Engineering
Module 2 The Weak Link in the Business Security Chain
Module 3 The Techniques of Manipulation
Module 4 Short and Long Game Attack Strategies
Module 5 The Social Engineering Engagement
Module 6 Ensuring Value Through Effective Threat Modeling
Module 7 Creating Targeted Scenarios
Module 8 Leveraging Open-Source Intelligence
Module 9 The E-mail Attack Vector
Module 10 The Telephone Attack Vector
Module 11 The Physical Attack Vector
Module 12 Supporting an Attack with Technology
Module 13 Writing the Report
Module 14 Creating Hardened Policies and Procedures
Module 15 Staff Awareness and Training Programs
Module 16 Internal Social Engineering Assessments
Module 17 Social Engineering Assessment Cheat Sheet
We’ve previously blogged a little on Social Engineering and in this post we are going to drill down into the two main categories under which all social engineering attempts can be classified: either as computer or technology based deception, or purely human based deception.
If we take a look at the technology-based approach we note that the hacker will try to deceive the user into believing that their victim is interacting with a ‘real’ application or system and get them to provide confidential information and therefore allowing access to the organizations network.
For example, imagine the target gets a popup window, informing him that a computer application they use has a problem, and that they will need to re-authenticate in order to proceed. Once the user provides their ID and password on that pop up window, the damage will be done. The hacker who has created the popup will subsequently have access to the user’s id and password and is in a position to access the network and the computer system with credentials of that user – and therefore potentially remove classified corporate information.
Attacks based on non-technical approach on the other hand are perpetrated purely through human deception; i.e. by taking advantage of the victim’s behavior weaknesses. As ever, the human is the weakest chain in any IT/ Information Security setting.
Let’s take an example: imagine that the hacker impersonates a person having considerable authority within the organization; places a call to the help desk and says that he/ she has forgotten their password and needs to have it reset right away. The help desk employee falls for the deception and gives the new password to the person waiting at the other end of the phone. If the employee at the help desk (which will likely be staffed by a junior inexperienced member, is spoken to in an “authoritative and demanding fashion” then the likelihood will be greater that the password will be released. Once the hacker coerced the help desk employee to submitting a password renewal they will be able to perform any malicious activity with the credentials of actual user.
Common Technical Attack Vectors
Possibly the most common of all Social Engineering Scams, this term applies to an email appearing to have come from a legitimate business, a bank, individual, or credit card company requesting “verification” or “proof” of information and warning of some dire consequences if it is not done. Typically the letter contains a link to a fraudulent web page that looks completely legitimate with company logos and content and has a form that may request username, passwords, card numbers, pin details and a lot more. Hacked WordPress sites are a common nestbed for such “Phishing Kits” as they are often defined. We have a popular free phishing course titled: “Phishing User Awareness” which might be of interest (which is valid for continuing education credits).
This is the practice of leveraging Voice over Internet Protocol (VoIP) technology to impersonate private personal and financial information from the public. This Social Engineering term and concept is a combination of “voice” and “phishing” which exploits the public’s perceived trust in traditional telephone services, however, with VoIP, telephone services may now terminate in computers, which are far more susceptible to fraudulent socially engineered attacks than traditional “dumb” telephony endpoints. To read more on Vishing you can follow this link.
Emails sent via spam (increasingly through zombie networks) that offer friendships, diversion, gifts, “missing millions” and various free things and information take advantage of the anonymity of the Internet and the gullibility of users to plant malicious code. The process works by the target opening an email attachment through which Trojans, Viruses and Worms and other uninvited programs are forcibly installed onto their victims machines and subsequently networks. The victim will be motivated to open the message because it appears to offer useful info, such as security notices or verification of a purchase, delivery, or promises an entertaining diversion, such as jokes, gossip, celebrity coverups or photographs, give away something for nothing, such as music, videos or software downloads etc. The outcome of having installed malware can range in severity from nuisance to system slow-down, destruction of entire communication systems or corruption of records.
The attacker’s rogue program creates a pop up window, instructing the end-user that the application connectivity was dropped due to network problems, and now the user must re-enter their username and password to continue with the session. The unsuspecting user promptly does as requested and the attacker will therefore have gained access.
In this example the victim is persuaded to download and install a very useful program or application which might be ‘window dressed’ as a CPU performance enhancer, a great system utility or as a crack to an expensive software package. In this case a ‘Spyware’ or a ‘Malware’ (such as a key logger) is installed through a malicious program disguised as an interesting message or a legitimate program. For those interested in Malware we have a course titled: “Defeat Advanced Malware”.
Non-Technical Attack Vectors
This category of social engineering attacks typically involve creating and using an invented scenario (the pretext) to persuade a victim to release information or perform an action. Non-technical social engineering is more than a simple lie as it most often involves some prior research or organization and makes use of pieces of known information (for example personal information such as date of birth, mother’s maiden name, billing address etc) that will enable a degree of legitimacy in the mind of the target.
Possibly the ‘easiest’ and most preventable form of non technical social engineering is a technique known as “Dumpster Diving”. Even junk mail can contain personal and confidential information so it is vital that all mail is shredded including not least corporate mail.
The unsuspecting ‘trash thrower’ (later to be the ‘victim’) could give the Dumpster Diver his break. For example company phone records, organization charts and locations of employees, especially management level employees who can be impersonated to the hacker’s benefit. Unshredded procedure and policy manuals can assist the hacker to become knowledgeable about the company’s policies and procedures, and therefor be able to convince the victim about their authenticity. The hacker can use official company letterhead to initiate official looking correspondence and request information. A hacker can retrieve confidential information from the hard disk of a computer as there are numerous ways to retrieve information from disks, even if the user thinks the data has been ‘deleted’ from the disk.
Spying and Eavesdropping
A clever spy can determine the id and password by observing a user typing it in (Shoulder Surfing). All that needs to be done is for the attacker to place themselves behind their victim and then observe the pin code (for example) that is entered into the payment terminal. If company policy states that the helpdesk can communicate the password to the user via the phone, then if the hacker can eavesdrop or listen in to the conversation, the password can then be easily compromised. An infrequent computer user may even be in the habit of writing the id and password down, thereby providing the spy with one more way to get information.
Acting as a Technical Expert
This is a technique where an intruder pretends to be a support IT technician working on a network problem and requests that the user let them access the workstation and ‘fix’ the problem. The unsuspecting user, especially if not technically savvy, can often not question the IT Technicians authority.
This is more of a general technique but essentially it involves posing as a member of staff for the organization for which they want to hack. A Hacker could pose as a member of the facility support staff or dress like a member of the cleaning crew, walk into the work place and then snoop around looking for password (for example written on post it notes).
A hoax is an attempt to deceive an audience into believing something false. Unlike a fraud or con (which is usually aimed at an individual victim and are typically made for illicit gain), a hoax is often perpetrated as a practical joke, to cause embarrassment, or to provoke social change by making people aware of something. It also may lead to sudden decisions being taken due to fear of an untoward incident