Presentation Slides

Phishing demo is here. File to obtain the entered passwords is here.

Social Engineering

Social engineering is an attempt to obtain sensitive information from users through means other than technical hacking. That is, it does not depend on software vulnerabilities or on the other weaknesses usually considered in information security, which makes it hard to defend against: the main defence is educating the users. It is extremely effective because tricking a person is often far easier and cheaper than finding and exploiting a vulnerability. The term is best understood through the specific types of social engineering described below.

Types of Social Engineering

Pretexting

Pretexting is less a specific attack than a general technique used in targeted attacks, and it is typically one component of a much larger attack. The attacker first finds out specific information about the target, then uses it to build a believable story (the pretext). When the attacker can cite details that the target believes only a small set of people know, the target gains a false sense of security and is far more likely to cooperate.

Phishing

Phishing is one of the most common social engineering attacks. The attacker lies to the target about who they are, hoping the target will divulge the information the attacker is after. It is typically done by e-mail, with the attacker pretending to be a bank or some other well-known website. Often the attacker scares the target by claiming their account may have been hacked and supplies a link to "log in" and fix the problem; the link leads to a page the attacker controls, which records whatever credentials are entered.

Directed phishing attacks aimed at a specific person or organization are known as spearphishing; these require pretexting first. Targets may also receive phishing e-mails from friends. This usually means an acquaintance's system or account has been compromised and is being leveraged to borrow their trust. Such e-mails may contain links that try to compromise the recipient's system in the same way, so the attack spreads itself automatically.
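
The following is an added example (not part of the original notes or of the linked demo) showing how the indicators described above can be checked mechanically: a sender whose name or domain borrows the bank's brand, scare wording, and a link whose visible text names one site while its real target is another. The message, the trusted-domain list and every domain that appears in them are constructed for illustration and do not refer to any real organization.

```python
"""Flag common phishing indicators in a raw e-mail message.

Added example: the sample message, the trusted-domain list and all domains
in them are constructed for illustration (no real organization is meant).
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a mail claiming to come from a bank, with a scary
# pretext and a link whose visible text does not match its real target.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank-support.com>
To: victim@example.org
Subject: Urgent: suspicious login detected on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected a suspicious login. Your account will be suspended unless
you verify your identity immediately.</p>
<p>Sign in here: <a href="http://example-bank.verify-login.example.net/x">
https://www.example-bank.com/login</a></p>
</body></html>
"""

# Domains the impersonated organization really sends from (assumed here).
TRUSTED_DOMAINS = {"example-bank.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspend", "verify your", "suspicious")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<]+", re.I)


def registered_domain(host):
    """Crude registrable-domain extraction: the last two labels of a host.
    Good enough for this example; a real filter would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender: display name or domain borrows a trusted brand while the
    #    actual sending domain is not one of the trusted domains.
    display_name, addr = email.utils.parseaddr(str(msg["From"] or ""))
    sender_domain = registered_domain(addr.rpartition("@")[2])
    if sender_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]  # e.g. "example-bank"
            if brand in sender_domain or brand.replace("-", " ") in display_name.lower():
                findings.append(f"sender {addr} impersonates {trusted}")
                break

    # 2. Scare tactics: several urgency phrases across subject and body.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    stripped = re.sub(r"<[^>]+>", " ", body)
    text = (str(msg["Subject"] or "") + " " + stripped).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        findings.append("urgency language: " + ", ".join(hits))

    # 3. Links: visible text naming one domain while the href goes elsewhere,
    #    and any link that leaves the trusted domains at all.
    for href, anchor_text in LINK_RE.findall(body):
        target = registered_domain(urlparse(href).hostname or "")
        shown = URL_RE.search(anchor_text)
        if shown:
            shown_domain = registered_domain(urlparse(shown.group()).hostname or "")
            if shown_domain != target:
                findings.append(f"link text shows {shown_domain} but points to {target}")
        if target and target not in TRUSTED_DOMAINS:
            findings.append(f"link target {target} is not a trusted domain")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run on the constructed message, the four findings correspond one-to-one to the tricks the text describes: a lookalike sending domain, scare wording, a link whose text and target disagree, and a link leaving the trusted domain. A mail that really comes from the trusted domain and contains no such link produces no findings. The domain check is deliberately crude (last two labels); for country-code domains such as .co.uk a real filter needs the public suffix list.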

419 Scam

The 419 scam, otherwise known as the Nigerian Prince scam, is a popular phishing attack. The attacker sends an e-mail claiming to be in some unfortunate situation: they hold a large sum of money but cannot keep it, and they ask you to hold the money in your bank account for a while until it is safe for them to take it back. In exchange for your cooperation they promise you a considerable portion of the money. In this form the attack typically aims to obtain your bank account information.

In some variations they instead ask you for money up front, supposedly to cover fees or help with the transfer. In this variation the attacker never needs to use your bank account details or take money from your account: the victim sends the money voluntarily, and it is simply never repaid.

Baiting

Baiting is a social engineering attack that relies on the curiosity of the target. The attacker leaves something lying around that a target may perceive as valuable, often a labelled disc or USB drive. The label may suggest that it contains insider information the victim could use to make a profit. Of course it contains no such thing, only a malicious program that infects the machine it is opened on. The goal is to make the victim curious enough to look at it, tricking them into opening something they really should not.

Quid Pro Quo

A quid pro quo is an exchange of sorts: the attacker "offers" something to the victim in return for something else. Typically the offer is not what it appears to be, which makes this very similar to phishing; the 419 scam is a typical example. Another example is calling someone and claiming to be IT support returning their call about a "tech problem". A victim who has recently reported any IT problem at all will be strongly inclined to believe the call is legitimate and to follow the caller's instructions.

Tailgating

This attack involves gaining access to a restricted area simply by following an authorized person in. It seems difficult, but it preys on common courtesy: nobody wants to be the person who closes the door on the person behind them, even when they know they should. It is preventable with an entrance that physically admits only one person at a time, such as a turnstile or mantrap, which moves only enough to let a single person through and then locks again. Tailgating is common in apartment buildings, where people usually hold the door for anyone entering, regardless of whether that person is a resident.

Shoulder Surfing

This attack preys on victims who do sensitive things in public places. As the name suggests, it is simply looking over someone's shoulder while they use their computer. The goal is to gather information about the victim: ideally something private or confidential, such as a password as it is typed or the contents of their e-mail. Any information gathered can help in a later attack on the victim.

Legality of Social Engineering

Social engineering by itself is often not illegal. Most of what an attacker does is simply probe for information, and merely asking someone for information is not in itself a crime, even if the intent behind it is malicious. Using the information obtained in a malicious way, however, is illegal. Pretexting to obtain someone's phone records or bank account details is illegal in itself: in the US it can bring federal felony charges with fines of up to $250,000 and up to 10 years in prison.

Rogers Communication Social Engineering Hack

In this hack, the attacker called Rogers support requesting information. By the end of the call they had not only an employee's ID but also the answers to that employee's security questions. This allowed the attackers to reach the company's internal network. They then demanded a ransom of 70 bitcoins from Rogers, threatening to dump the private data they had collected online. When Rogers declined to pay, the information was made publicly available.

Twitter Hijacking of @N

Naoki Hiroshima owned the Twitter account @N. As a single-character account name it was very desirable, and an attacker wanted it. The attacker first called PayPal, posing as an employee who needed information from Hiroshima's account, and talked the PayPal employee into giving up the last four digits of his credit card. The attacker then called GoDaddy, claiming to have lost the credit card on file and to remember neither the card number nor the account details, only the last four digits. The GoDaddy employee agreed to grant access to the account if the caller could correctly guess the first two digits of the card. Since the leading digits of a credit card number identify the card network and issuer rather than the customer (every Visa card, for example, begins with a 4), there are only a handful of plausible values, and the attacker guessed them on the first try. With control of the GoDaddy account, and therefore of Hiroshima's domains, the attacker held the domains hostage and demanded the Twitter account in exchange. Hiroshima gave up @N because he did not want to lose his website.

Chase Bank Bad Advice

Chase Bank sent e-mails to its customers explaining how to avoid being hacked or social engineered. However, the e-mails themselves gave bad advice: they told customers to call the number on their credit card for more information, or to click a link in the e-mail for more details. Telling people to click a link in an e-mail is exactly what such advice should warn against; had these e-mails come from an attacker, they would have succeeded. Moreover, the e-mails were unsolicited, which is also characteristic of attacks, and you should generally avoid opening unsolicited e-mails at all.

Prevention of Social Engineering

The primary form of prevention for social engineering attacks is education. Educate yourself about what is out there, what kinds of social engineering attacks exist and how to recognize them. For a company or organization, it is about making sure employees are properly educated: proper training, and testing that training, is crucial. Companies may send simulated attacks to their employees as a test; this is a good approach because any weakness found can be addressed before a real attacker exploits it. Some of the key things to look for:

Discard sensitive information properly. If you have medical records or bills, shred them before throwing them out; shredders are cheap, and protecting your private information is important. For more extensive information: http://www.esecurityplanet.com/views/article.php/3908881/9-Best-Defenses-Against-Social-Engineering-Attacks.htm

What if I am a victim?

As a victim, the first thing to do is to change every password that may have been compromised. Watch for signs that anything else was taken, and think about what kinds of things the attacker may have learned about you. Report the incident to any relevant companies or authorities; if you think your bank records have been compromised, report it to your bank. Even if you do not think your information was compromised, reporting the incident to the company is still important so they can fix the weakness that was exploited. Watch for signs of identity theft: when attackers obtain personal information, identity theft is a real possibility, and if you suspect it, reporting it to the police can help.