Social Engineering is the act of "manipulating a person into gaining access or sensitive data by preying on basic human psychology." This is very dangerous because the social engineer is attacking the victim's psyche. The main difference between a social engineer and a hacker is the tools used: while the latter attacks your system or computer directly, for example by sending malware or a virus, the former uses social techniques such as coercion and sometimes even blackmail.
Recently a huge increase in online social engineering has been witnessed, and more and more victims are falling for it. This is mainly due to our dependence on the Internet and the lack of awareness on the part of most users. As educators we need to make sure we understand this phenomenon first, and then make sure we teach our students about it.
Social Engineering has several tactics, as we will see below, but the basic rule is no physical contact with the victim: the attacker relies only on tools such as email, IM and telephone calls to carry out the attack. There is a wide variety of techniques that give shape to this crime; the most important of them are the following:
1- Phishing
This is one of the traditional and best-known techniques of a social engineer. It is, most of the time, conducted via email. The victim would normally get an email that appears to carry a legitimate request for some sensitive information, such as verifying bank account or PayPal details to avoid suspension. The phisher would use a domain name that resembles your bank's URL, and only discrepancies in the wording of the URL give them away. Always check the veracity of URLs and make sure they are exact: just one letter could make the difference. Most email providers such as Google, Yahoo and AOL have now integrated anti-phishing filtering systems, but no matter what, never divulge your financial information or any other sensitive information via email, simply because no legitimate organization will ever ask for that.
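Added example (not from this post or the MakeUseOf article it is based on): a small Python check that compares the host in a URL against a constructed allow-list of trusted domains and flags the one-letter-off lookalikes and buried-name tricks described above. The trusted-domain list and the two-label domain split are assumptions, not anything the post specifies.

```python
from urllib.parse import urlparse

# Constructed allow-list of domains the user legitimately deals with (assumption;
# a real deployment would load this from the organization's own list).
TRUSTED_DOMAINS = ("paypal.com", "example-bank.com")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: no public suffix list)."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, trusted_domain) for the host inside url.

    Verdicts: 'trusted', 'lookalike' (a letter or two off), 'impersonation'
    (a trusted name buried inside someone else's domain) or 'unrelated'.
    """
    if "://" not in url:            # bare 'bank.com/verify' as seen in emails
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    for t in trusted:
        # Exact host or a genuine subdomain of it: www.paypal.com is fine.
        if host == t or host.endswith("." + t):
            return "trusted", t
    reg = registrable_domain(host)
    for t in trusted:
        # paypa1.com, paypal.co, paypall.com: one or two letters away.
        if 0 < levenshtein(reg, t) <= max_distance:
            return "lookalike", t
        # paypal.com.evil.net or paypal.com-secure.info: the trusted name
        # appears, but the registrable domain belongs to someone else.
        if t in host:
            return "impersonation", t
    return "unrelated", None
```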
2- Vishing / Telephone Techniques
Vishing (Voice Phishing) or Interactive Voice Response (IVR) is another technique the social engineer uses to get to his victim. It is mainly conducted via a phone call or a VoIP interface. Here are some examples of vishing:
- Calling the victim directly, urging him to take immediate action for which he will have to divulge his information, such as bank account details.
- Sending an email to the victim urging him to call a certain number to take a certain action, such as verifying an account.
- Using direct human interaction or automated voice prompts such as 'press 1...' or 'enter your credit card number after the beep' to get information.
- Calling the victim and convincing them of a security threat on their computer, then offering help by telling them to buy or install software to fix the problem. This is a technique that is used so much here in Canada. I have personally received dozens of such calls from people speaking broken English telling me my computer system has been crushed and all that crap; I just hang up on them.
3- Baiting
As its name suggests, Baiting entails the use of a bait to fish for your victim. The bait can be anything, such as physical media like a CD or a USB stick. The phisher deliberately leaves it in a place where it will be easily discovered by others, and then simply waits for the victim to plug it into their computer and get the whole machine infected.
4- Pretexting
This one looks like blackmail, although it is not necessarily blackmail. The phisher creates a scenario for the victim in which he provides some information pertaining to the victim, such as his birth date, his home address, or a recent bank account transaction, in order to convince the victim that the scammer is an authoritative or official figure.
5- Tailgating
This is one of the rare techniques of social engineering where there is physical involvement. It is the act of gaining access to a restricted area without being authorized, by simply following a legitimate employee into the area.
These are, in brief, some of the most popular techniques a social engineer uses to get his victims. Keep in mind that new scams and techniques are devised all the time, and the best shield against such attacks is knowledge. Inform your students and colleagues, and always stay on guard.
This post is based on Tim Brookes' article in MakeUseOf.