Social Engineering is the act of manipulating
people into performing actions or divulging confidential information,
rather than by breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud,
the term typically applies to trickery or deception for the purpose of
information gathering, fraud, or computer system access; in most cases
the attacker never comes face-to-face with the victim.
All Social Engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called "bugs in the human hardware," are
exploited in various combinations to create attack techniques, some of
which are listed here:
Diversion theft, also known as the "Corner Game" or "Round the Corner Game", is a "con" exercised by professional
thieves, normally against a transport or courier company. The objective
is to persuade the persons responsible for a legitimate delivery that
the consignment is requested elsewhere — hence, "round the corner". The Social Engineering
skills of these thieves are well rehearsed, and are extremely
effective. Most companies do not prepare their staff for this type of attack.
Phishing is a technique of fraudulently obtaining private information. Typically,
the phisher sends an e-mail that appears to come from a legitimate
business — a bank, or credit card company — requesting "verification" of
information and warning of some dire consequence
if it is not provided. The e-mail usually contains a link to a
fraudulent web page that seems legitimate — with company logos and
content — and has a form requesting everything from a home address to an ATM card's PIN.
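The phishing e-mail described above typically hides its real destination behind link text that names the legitimate company. As an added example that is not part of the original article, the following Python check parses an HTML message and flags any anchor whose visible text names one domain while its href points at another; the sample message and the host names in it are constructed for the demonstration, and the domain comparison is a deliberately crude last-two-labels approximation rather than a public-suffix-list lookup.

```python
# Added example (not from the original article): flag anchors whose visible
# text claims one domain while the href points somewhere else, the hallmark
# of the phishing mail described in the text. All hosts below are constructed
# placeholders, not real sites.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first link's text says examplebank.com, its href does not.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://examplebank.com.verify-login.example/x">
verify your account at https://www.examplebank.com/secure</a> within 24 hours.</p>
<p>Help: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation of the registrable domain: keep the last two labels.
    A real deployment would consult the public suffix list instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# A bare or URL-prefixed host name appearing inside the anchor text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def find_mismatched_links(html):
    """Return the anchors whose text names a domain different from the href's."""
    parser = _LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        m = _DOMAIN_IN_TEXT.search(text)
        if not m:
            continue  # anchor text names no domain, so there is nothing to compare
        if registrable_domain(m.group(1)) != registrable_domain(href_host):
            suspicious.append({"href": href, "text": text,
                               "text_domain": m.group(1), "href_domain": href_host})
    return suspicious


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL):
        print(f"link text claims {hit['text_domain']!r} but points to {hit['href_domain']!r}")
```

Run against the sample, the check reports the first link (text claims `www.examplebank.com`, href host is `examplebank.com.verify-login.example`) and leaves the genuine help link alone; the same function can be fed the HTML part of any captured message. Mismatched link text is only one signal, and a mail gateway would combine it with sender authentication results and URL reputation rather than act on it alone.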
Phone phishing uses a rogue interactive voice response
(IVR) system to recreate a legitimate-sounding copy of a bank or other
institution's IVR system. The victim is prompted (typically via a
phishing e-mail) to call in to the "bank" via a (ideally toll free)
number provided in order to "verify" information. A typical system will
reject log-ins continually, ensuring the victim enters PINs or passwords
multiple times, often disclosing several different passwords. More
advanced systems transfer the victim to the attacker posing as a
customer service agent for further questioning.
One could even record the typical commands ("Press one to change your
password, press two to speak to customer service" ...) and play back
the direction manually in real time, giving the appearance of being an
IVR without the expense.
Phone phishing is also called vishing.
Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim.
In this attack, the attacker leaves a malware infected floppy disk, CD ROM, or USB flash drive
in a location sure to be found (bathroom, elevator, sidewalk, parking
lot), gives it a legitimate looking and curiosity-piquing label, and
simply waits for the victim to use the device.
For example, an attacker might create a disk featuring a corporate logo,
readily available from the target's web site, and write "Executive
Salary Summary Q2 2010" on the front. The attacker would then leave the
disk on the floor of an elevator or somewhere in the lobby of the
targeted company. An unknowing employee might find it and subsequently
insert the disk into a computer to satisfy their curiosity, or a Good Samaritan might find it and turn it in to the company.
In either case, as a consequence of merely inserting the disk into a
computer to see its contents, the user would unknowingly install malware on it, likely giving an attacker unfettered access to the victim's PC and perhaps the targeted company's internal computer network.
Unless computer controls block the infection, PCs set to "auto-run"
inserted media may be compromised as soon as a rogue disk is inserted.
Quid pro quo means something for something:
- In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen. Similar surveys in later years obtained similar results using
chocolates and other cheap lures, although they made no attempt to
validate the passwords.
- An attacker calls random numbers at a company claiming to be calling
back from technical support. Eventually they will hit someone with a
legitimate problem, grateful that someone is calling back to help them.
The attacker will "help" solve the problem and in the process have the
user type commands that give the attacker access or launch malware.