Social engineering is the practice of using psychological manipulation, through a variety of strategies, to get people to perform actions or divulge confidential information that they would not otherwise have done.
Principles of Social Engineering
Below are a number of key principles that are used to successfully social engineer an individual.
- Authority - This relies on the fact that most people will obey someone who appears to be in charge or knowledgeable, regardless of whether or not they actually are. It may entail a social engineer posing as a manager, government official, or other person with authority in a particular situation. The target can be made to feel that they must perform an action or face adverse consequences.
- Intimidation - This involves the use of scaring or bullying tactics to get an individual to carry out the desired action. The targeted individual feels threatened and responds by doing what the social engineer wants them to do.
- Consensus - Also called social proof, this relies on the fact that people tend to do what they see others doing. An attacker persuades the target by suggesting that colleagues or peers have already taken the requested action.
- Scarcity - This is used in scenarios to make something look more desirable because it is in short supply.
- Familiarity - Attacks that use this rely on the fact that an individual likes the social engineer, or organisation that they claim to represent.
- Trust - With this, a social engineer must build a connection with the target, so that the individual trusts them enough to carry out the desired action.
- Urgency - This relies on creating a feeling that an action must be taken quickly, for some stated reason, so that the target has no time to verify the request.
Types of Social Engineering Attack
Below are some of the different types of social engineering attack. There are both technical and non-technical attacks that utilise the principles discussed above.
- Phishing - Here, an attacker attempts to obtain sensitive information, such as usernames and passwords, from users by posing as a trusted entity in an e-mail or instant message, which is sent to a large group of often random users.
- Smishing - This is a version of phishing that is carried out via SMS message to mobile phones. Again, the message is sent to a large group of often random people.
- Vishing - Vishing is another variation of phishing, that uses voice communication technology to obtain information.
- Spam - This involves the sending of bulk unsolicited e-mails. Although these can be from companies advertising genuine products, they can also be malicious, either containing harmful attachments, or linking to malicious websites.
- Spam over instant messaging (SPIM) - SPIM is a variation on spam, that is carried out via instant messaging services.
- Spear phishing - This is another variation on phishing that targets a specific person or group of individuals. As these attacks are targeted, they often seem more plausible than an ordinary phishing attack that is sent to random people.
- Dumpster diving - This gets its name from a brand of rubbish bin in the United States of America and involves going through someone's trash in the hope of obtaining sensitive information that has been thrown away.
- Shoulder surfing - As the name might suggest, shoulder surfing is the practice of obtaining sensitive information by observing it being entered somewhere.
- Pharming - This involves misdirecting users to fake websites made to look official. The target is misdirected by, for example, modifying the local hosts file on the victim's machine, or by DNS poisoning, where an attacker corrupts the records or cache that a resolver returns, so that the legitimate domain name resolves to the attacker's server. The URL the user typed is unchanged, which is what makes the attack hard to spot.
- Tailgating - This is a physical entry attack into a room or building and involves following someone who is authorised to access the area concerned.
- Eliciting information - A social engineer can either pose as an employee calling a help desk, or someone from the help desk calling an employee. This can be used to obtain information about systems, gain other sensitive information, or even get an employee's password reset in order to obtain access.
- Whaling - High value targets within an organisation, such as a CEO or CFO, are often referred to as whales. A whaling attack is a targeted attack aimed at these people. The attack is often via e-mail but could be by other means.
- Prepending - This is the act of supplying information that the target will act upon, often before they ask for it, in order to legitimise the real request that follows. Drawing on the principle of authority, an attacker might open by stating that they were sent by the target's boss, or another authority figure, to justify a request that the target would not normally fulfil without that preamble.
- Identity fraud - This is the use of fake credentials to achieve an end, such as gain access to a secure area or building.
- Invoice scams - Here, fake invoices are used to try to get an organisation to pay for things that were never ordered.
- Credential harvesting - This involves the collection of credential information, such as usernames and passwords, for the purpose of gaining access to systems. Phishing e-mails are often used here, that direct a user to a fake website, where credentials are entered and collected by the attacker.
- Reconnaissance - Here, an attacker will examine systems they intend to attack, using a wide range of methods. Some of these methods don't require direct contact with the target, such as Google searches for information, whilst obtaining information about specific systems used may require direct access, possibly with the attacker posing as someone they are not.
- Hoax - These are intentional falsehoods that can be anything from virus hoaxes to fake news. They can be damaging where they cause users to take some sort of action that weakens security.
- Impersonation - Here, the attacker assumes a role that is recognised by the target. In assuming the role, the attacker exploits the victim's biases so that they act on the request rather than follow procedure. Impersonation can be in person, over the phone or online.
- Watering hole attack - Rather than directly attacking an organisation's network, an attacker plants malware on an external website that the organisation's users frequent. The malware can be tailored to only target certain visitors to the site in question.
- Typosquatting - This type of attack relies on the fact that some users will make typographical errors when visiting a website. An attacker registers the erroneous domain, which can be used to harvest credentials and other sensitive information, for example. URL hijacking, fake URL and brand jacking are other terms used to describe this type of attack.
- Pretexting - Here, an attacker uses a narrative, or pretext, to influence the victim into giving up some item of information. The pretext need not be true but must be believable for the attack to be successful.
- Influence campaigns - This involves the use of collected information and selective publication of material to key individuals in an attempt to alter perceptions and change people's minds on a topic. These campaigns utilise social media, e-mail and other online mediums.
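The pharming entry above describes two ways a name can be misdirected: a tampered hosts file and a poisoned resolver. The following is an added example, not code from the original page, showing the defensive checks for both: an audit of an /etc/hosts-style file that flags any watched domain pinned to a non-loopback address, and a comparison of the answer from the machine's own resolver against a reference resolver. The hosts content, the watch list and the resolver answers are constructed so the code runs offline; both resolvers are injected callables, so a real run would pass socket.gethostbyname for the local side and a lookup against a trusted resolver for the reference side.

```python
# Added example (not from the original page): audit a hosts file for pharming
# overrides and compare resolver answers for signs of DNS poisoning.
import ipaddress


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def _covered(name: str, watch: set[str]) -> bool:
    # True if name is a watched domain or a subdomain of one.
    return any(name == w or name.endswith('.' + w) for w in watch)


def audit_hosts(text: str, watch: set[str]) -> list[tuple[str, str]]:
    """Return (hostname, ip) entries that pin a watched domain to a
    non-loopback address. Any such entry needs an explanation."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed entry, ignored by the OS as well
        if _covered(name, watch) and not addr.is_loopback:
            findings.append((name, ip))
    return findings


def resolver_mismatch(name: str, local, reference) -> bool:
    """True if the local resolver's answer differs from the reference
    resolver's answer, the basic symptom of a poisoned cache."""
    return local(name) != reference(name)


# Constructed sample hosts file with one attacker-added line.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# line below was not written by the administrator
203.0.113.7 www.examplebank.com examplebank.com
10.0.0.5    intranet.local
"""

# Constructed watch list of domains that should never be overridden locally.
WATCH = {'examplebank.com', 'example.com'}

if __name__ == '__main__':
    for host, ip in audit_hosts(SAMPLE_HOSTS, WATCH):
        print(f'hosts override: {host} -> {ip}')
    # Constructed resolvers: the local one has been poisoned for one name.
    local = {'www.examplebank.com': '203.0.113.7'}.get
    reference = {'www.examplebank.com': '198.51.100.20'}.get
    print('mismatch:', resolver_mismatch('www.examplebank.com', local, reference))
```

On a managed fleet the watch list would be the organisation's own domains plus those of its bank, payroll and identity providers; a hosts entry for any of them is almost never legitimate outside a test lab.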
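The typosquatting entry above says an attacker registers the domains that users mistype. The defensive counterpart is to enumerate those variants for your own brand domain, so they can be pre-registered or monitored. The following is an added example, not code from the original page: it generates the common typo classes (omitted character, doubled character, adjacent-key substitution and transposed pair) for the first label of a domain, then reports which variants already resolve. The keyboard adjacency map is a constructed partial US-QWERTY layout, and the resolver is injected so the offline run uses a constructed answer set; pass socket.gethostbyname for a real lookup.

```python
# Added example (not from the original page): enumerate typo variants of a
# brand domain and check which ones already resolve.
import socket

# Partial US-QWERTY adjacency map (constructed); a real tool would also cover
# digits, hyphen and homoglyphs such as '1' for 'l'.
QWERTY_NEIGHBOURS = {
    'q': 'wa', 'w': 'qase', 'e': 'wsdr', 'r': 'edft', 't': 'rfgy', 'y': 'tghu',
    'u': 'yhji', 'i': 'ujko', 'o': 'iklp', 'p': 'ol', 'a': 'qwsz', 's': 'awedxz',
    'd': 'serfcx', 'f': 'drtgvc', 'g': 'ftyhbv', 'h': 'gyujnb', 'j': 'huikmn',
    'k': 'jiolm', 'l': 'kop', 'z': 'asx', 'x': 'zsdc', 'c': 'xdfv', 'v': 'cfgb',
    'b': 'vghn', 'n': 'bhjm', 'm': 'njk',
}


def typo_candidates(domain: str) -> set[str]:
    """Return typo variants of the first label of `domain`, keeping the suffix."""
    label, _, suffix = domain.lower().partition('.')
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])            # omitted character
        variants.add(label[:i] + ch + ch + label[i + 1:])   # doubled character
        for neighbour in QWERTY_NEIGHBOURS.get(ch, ''):    # fat-finger substitution
            variants.add(label[:i] + neighbour + label[i + 1:])
        if i + 1 < len(label):                              # swapped adjacent pair
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    variants.discard(label)
    return {f'{v}.{suffix}' for v in variants if v}


def find_live(candidates, resolver=socket.gethostbyname) -> dict[str, str]:
    """Map each candidate that resolves to its address. `resolver` must raise
    socket.gaierror (a subclass of OSError) for names that do not resolve."""
    live = {}
    for name in sorted(candidates):
        try:
            live[name] = resolver(name)
        except OSError:
            continue
    return live


if __name__ == '__main__':
    # Constructed answer set standing in for real DNS during an offline run.
    fake_dns = {'exmaple.com': '203.0.113.5', 'examle.com': '203.0.113.9'}

    def offline_resolver(name):
        if name in fake_dns:
            return fake_dns[name]
        raise socket.gaierror(name)

    hits = find_live(typo_candidates('example.com'), offline_resolver)
    for name, addr in hits.items():
        print(f'{name} -> {addr}')
```

A variant that resolves is not proof of an attack (legitimate parked domains resolve too), so the next step in practice is to fetch the site and compare its certificate subject and page content with the real brand's.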