Social engineering is a method attackers use to gather valuable information from susceptible individuals. Personnel such as system administrators and desk officers are the usual targets.
Attackers are able to gain information by -
Social engineering attacks succeed for a number of reasons -
There are numerous ways attackers gather information. Communicating directly with the human target is the most common, but other methods exist: mobile-based social engineering, which uses mobile applications to gather information, and computer-based social engineering, which uses computers.
Human-based social engineering relies on human interaction. The attacker impersonates someone with authority and legitimacy, then reaches out to the target using communication channels such as phone calls and e-mails.
There are several ways the impersonation can work:
Here the attacker calls help desk personnel and extracts information from them. This works because help desk staff are expected to be helpful.
Another way of claiming to be an authorised person is through a third party. Here the attacker first gathers information on an authorised member of staff, for instance a name, then calls the organisation and requests information in that person's name, on the grounds that the impersonated person authorised its release.
The attacker impersonates the target company's software vendor and calls the organisation to request employees' user IDs and passwords.
The attacker could pretend to be a communications technician, gain entry to the company premises and place a snooping device on the company's communication equipment. This is where the next type of human-based social engineering comes into play.
Here interactions between employees of the target company are intercepted and monitored through phones, e-mails or instant messaging.
As the name implies, attackers watch employees while they work, in the hope of picking up information such as PINs, passwords, account numbers and so on.
Attackers gather information through pop-up windows that request login details; hoax letters that tell users of a site to download an anti-virus because of a dangerous virus on their systems; chain letters that require the receiver to forward the message to a certain number of people for a reward; and spam mail, where the attackers send unwanted and unsolicited mail in order to acquire financial and other information.
An illegitimate e-mail impersonates a legitimate organisation to obtain information from the target. This could be anything from an e-mail from a bank claiming the target's account has been hacked and requesting a password change, to a message from the target's social media provider announcing that the account has been locked and requesting account details to reopen it.
Attackers use these messages or pop-ups to redirect the user to a fake website in order to gather information.
Computer Based Social Engineering Through Spear Phishing
This is a concentrated phishing attempt aimed at one individual or a small group of individuals, as opposed to phishing, which sends hundreds of generic e-mails in the hope of a response. This approach has a higher success rate.
Attackers create apps that mimic the features of popular apps and place them on app stores. Once downloaded, these apps become a tool for gathering information.
The attacker downloads an app from an app store, plants malware in it and uploads it to a third-party app store. The user downloads the app, and the attacker is able to gather information.
Mobile Based Social Engineering Through SMS
The attacker sends a message pretending to be from an authorised party, for instance a financial institution. The message includes a phone number and asks the target to call it. When the target calls, the attacker extracts information.
Attackers can easily gain access to a target company through social media such as Facebook, Twitter and LinkedIn. On Facebook, the attacker could create a group for employees of the target organisation, add a select few and begin interacting with them. It is important to put security policies in place to prevent employees from sharing company information on social media.
This is the process of stealing a person's identity, i.e. name, credit cards, IDs and other details, for malicious purposes and without the knowledge of the target.
Social engineering can be carried out through identity theft by gaining access to a person's company ID. This enables the attacker to gain physical access to the target company.
The first step in identity theft is locating the target, then carrying out techniques such as dumpster diving and stealing mail to obtain items like electricity bills. The next step is creating a valid driver's licence from the information gained in the aforementioned step.
Once the attacker has the driver's licence, other things such as credit cards can also be obtained. In a large company where security is lax, the attacker can also obtain a new company ID.
A successful social engineering attack can cause a great deal of damage to the target organisation, from economic losses to lawsuits, susceptibility to terrorism, loss of client trust and, most importantly, the closure of the company. The severity of successful social engineering attacks needs to be countered by preventive measures, and the methods to this madness include:
Published with the express permission of the author.