Sometimes, a technical attack such as brute-forcing passwords, introducing malware into systems or remotely exploiting software/hardware vulnerabilities is not the easiest way to gain access to an IT infrastructure or to a person’s accounts. Rather, it is manipulating the weakest link in the cyber security chain, i.e., humans (wetware), through various means of social interaction.
Definition: What Is Social Engineering?
Social engineering is a type of cyber security threat that takes advantage of the weakest link in the cyber security chain, i.e., humans, either by deceiving them into revealing secrets that they would not normally reveal or by causing them to make security mistakes, in order to gain unauthorized access to personal accounts or corporate information systems.
“The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.”
Ref: NIST SP 800-63-3 Digital Identity Guidelines
It may surprise many of our readers that more experienced hackers often avoid technical attack means altogether and use social engineering as their attack method instead. As a result of social engineering attacks, people are either tricked into handing over their credentials to the criminals or into taking an insecure action that allows the attackers to bypass the implemented security controls.
“Amateurs hack systems, professionals hack people.”
Bruce Schneier
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
In one of its simplest forms, hackers pose as technical support representatives or a similar authority and ask for users’ passwords in order to solve a technical issue that supposedly needs immediate attention. This type of social engineering exploits the social conventions of a workplace to fool users. In another common social engineering technique, attackers send phishing emails that prompt users to log into a fake site after clicking a link in the email. Once users type their credentials into the fake site, the attackers simply capture the usernames and passwords and log into the actual sites or accounts themselves.
Read more educational and inspirational cyber quotes at our page Social Engineering Quotes & Sayings.
The most common social engineering techniques, including the ones outlined here, are discussed in more detail in the following sections.
Social engineering generally occurs in three stages outlined below:
- Research: Initially, attackers conduct reconnaissance on the targets to collect information (such as names, roles, products in use, security mechanisms implemented, social or business rules and conduct in the environment, etc.) that can aid in planning the attacks. Such information can be collected passively, by searching social media profiles, company websites, etc., or actively, by making in-person visits or phone calls.
- Planning: Upon collecting enough information on the targets, attackers choose the most appropriate attack technique, the attack strategy and the attack channel (email, voice, in-person) according to the reconnaissance information at hand.
- Execution: At the final stage, hackers execute the planned attacks over the selected attack channel.
Social Engineering Techniques
In this section, we describe the most frequently used social engineering techniques that are conducted via email, SMS, on social media, over the phone or in person.
Phishing is probably the most well-known attack technique. It attempts to obtain sensitive information from users by tricking them into clicking a link or opening an attachment in an email, SMS or social media message.
Phishing emails/messages are usually sent as spam without targeting specific individuals, in the hope that someone will fall victim to the cunning scenarios in the emails. The trickery in the emails involves either urging users to take some immediate action regarding a bogus problem or arousing curiosity by informing them about an award or prize they are eligible for. Note that the From fields of such phishing emails are spoofed to look legitimate and are different from the Reply-To addresses, which are controlled by the attackers.
In its simplest form, a phishing email tries to trick users into responding to the email with sensitive information, such as user credentials or credit card details. More sophisticated attacks involve directing users to bogus websites that look legitimate. Upon entering usernames and passwords on the bogus website, users’ credentials are captured by the attackers and users are either redirected to the original website as if nothing happened or shown an error message asking them to come back later and log in again. In a third type of phishing attack, malware is installed on users’ machines either when they open malicious attachments in emails or when they click links that direct them to infected or malicious websites (Drive-by-Download).
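As an added example (not code from the original article), the following Python script checks a raw email for the two indicators described above: a Reply-To domain that differs from the From domain, and a link whose visible text names a different host than its real target. The sample message, domain names and the simplistic anchor regex are constructed for illustration only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from the article): the From header is spoofed
# to look like a bank, Reply-To points at an attacker-controlled mailbox, and the
# visible link text does not match the real link target.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examplebank.example>
Reply-To: refunds@mail-recovery.example
To: user@corp.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Your account will be locked. Click
<a href="http://login.examplebank-secure.example/verify">https://examplebank.example/login</a>
to verify now.</p>
"""

# Deliberately simple anchor matcher for a text/html body (assumption: double-quoted hrefs).
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(header_value):
    # Lower-case domain part of the address in a From/Reply-To header ('' if none).
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def phishing_indicators(raw):
    # Return indicator strings found in a raw RFC 5322 message.
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{from_dom}!={reply_dom}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in ANCHOR_RE.findall(body):
        shown = urlparse(text.strip()).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(f"link-mismatch:{shown}!={real}")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print(finding)
```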
A Drive-by-Download is an attack type that takes advantage of security flaws on an application, web browser or operating system to install malware on users’ machines upon visiting a malicious website, without the user’s knowledge or interaction.
Spear phishing is a form of phishing attack that targets specific individuals rather than the general public with phishing spam. Spear phishing requires a significant amount of research and planning before executing an attack that can potentially fool the targeted individuals.
Victims of such attacks are usually tricked with emails that appear to originate from a colleague or a friend and carry content that is relevant to and expected by the targets. More sophisticated attacks may even direct users to spoofed websites that have been prepared according to the victims’ needs and interests.
Whaling is a form of spear phishing attack that specifically targets high-profile individuals such as senior employees, high-level executives or individuals with privileged access to systems, such as system/network administrators.
Vishing is a term that combines “voice” and “phishing” to describe a social engineering technique that involves using phone calls or voice messages to steal or capture sensitive information from the victims. In vishing attacks, attackers usually impersonate other individuals such as superiors, help desk personnel etc. or spoof institutions such as banks or financial institutions.
Watering hole is a social engineering technique in which a legitimate and commonly visited website is infected by attackers in order to install malware on visitors’ machines automatically or to trick the targeted users into downloading and launching malicious code from the compromised website. Watering hole attacks are usually performed by skilled attackers, as they require finding vulnerabilities (often zero-day vulnerabilities) on legitimate websites and exploiting them successfully.
Pretexting is another social engineering technique that involves creating a fake identity and a story, i.e., a pretext, to manipulate victims into providing sensitive information or making security mistakes. The key part of pretexting is inventing a scenario that is convincing enough to lead the victims to divulge the information the attackers need. Pretexting is usually conducted over the phone and takes advantage of the weaknesses of identification and authentication in voice communications.
Baiting is a social engineering technique that lures unsuspecting individuals with attractive offers into giving away highly confidential or personal information to the attackers. In baiting attacks, it is critical to offer victims something they might believe to be useful. A classic example is an infected USB token deliberately left in a public place, either labelled as containing valuable information or looking like an expensive model.
Tailgating is a social engineering technique that allows attackers to gain access to facilities that require access permissions, either by following individuals who have access authorization or by tricking authorized personnel into helping the attackers get into the facilities.
Sometimes a social engineering attack is as simple as looking over an individual’s shoulder (shoulder surfing) to read sensitive information from the computer screen or to watch the keyboard as the user types in order to capture the user’s access credentials.
How to Prevent
In order to mitigate threats originating from social engineering attacks, the following administrative and technical controls can be employed.
Security Awareness and Training
Educating employees continually on common social engineering techniques can reduce social engineering attack occurrences and potential effects.
- Always request proof of identity and verify identities before providing access to the systems or facilities.
- Be suspicious of unexpected emails/messages and do not click links or open attachments on such emails/messages.
- Never share sensitive information via email, on messages or over phone calls.
- Never give out user credentials to anyone, including system administrators or superiors.
- Require callback authorization on suspicious calls or calls that request sensitive information.
- Never use found USB drives on personal or corporate devices.
Technical Control Measures
- Use firewalls with threat intelligence capabilities that can block access to malicious (blacklisted) websites.
- Use spam filtering at the gateways and endpoint devices.
- Use antivirus and endpoint security tools to detect installed malware and prevent it from spreading to other resources.
- Implement password masking and use screen filters to mitigate shoulder surfing threats.
There are numerous creative ways attackers can use in social engineering attacks. Penetration testing is crucial for identifying such attack methods and strategies, as well as potential weaknesses in the implemented physical, administrative and technical controls.
John McAfee is quoted as saying: “Social engineering has become about 75% of an average hacker’s toolkit, and for the most successful hackers, it reaches 90% or more.” Hackers prefer it as an attack method mostly because it is easier to execute than technical attacks and because of its high success rate.
Social engineering attacks are usually successful because technical control measures are largely ineffective in defending against them and because users often fall victim to such attacks, no matter how much security training they are given.
As a related topic, you could also read our article Password Attack Methods.