Really how dangerous is social engineering?

“Many of the most damaging security penetrations are, and will continue to be, due to Social Engineering, not electronic hacking or cracking. Social Engineering is the single greatest security risk in the decade ahead” – Gartner, 2010

Social Engineering:

Alright, so who are these people? It could be a hacker in another country who is out to do damage or disrupt. It could be a member of a North African cybercrime mafia that is trying to penetrate your network and steal cash from your online bank account. Or it could be a Chinese hacker trying to get onto your organization’s network for corporate spying.

Social Engineering Techniques

Understanding the different attack vectors for this type of crime is key when it comes to prevention. This is how the bad guys do it:

  1. Pretexting:
    • A form of social engineering in which an individual lies to obtain privileged data. A pretext is a false motive.
    • It often involves a scam in which the liar pretends to need the information to confirm the identity of the person they are talking to.
    • An invented scenario is used to engage a potential victim and increase the chance that the victim will bite. The false motive usually draws on some real knowledge of the victim (e.g. date of birth, ID number) to extract even more information.
  2. Phishing:
    • The process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity, using bulk email designed to dodge spam filters.
    • Emails claiming to be from popular social web sites, banks, auction sites or IT administrators are commonly used to lure the unsuspecting public.
    • It is a form of criminally fraudulent social engineering. See also Spear Phishing.
  3. Spear Phishing:
    • A small, focused, targeted attack via email on a specific person or organization, with the goal of penetrating their defenses.
    • Spear phishing is done after researching the target and includes a personalized component designed to make the target act against their own interest.
  4. Diversion Theft:
    • A ‘con’ exercised by professional thieves, usually targeted at a transport or courier company.
    • The objective is to trick the company into making the delivery somewhere other than the intended location.
  5. Baiting:
    • Baiting means dangling something in front of a victim so that they act.
    • It can be done through a peer-to-peer or social networking site in the form of a (porn) movie download, or with a USB drive labeled “Q3_Employee_Appraisal_Plan” left in a public place for the victim to find.
    • Once the device is used or the malicious file is downloaded, the victim’s computer is infected, allowing the criminal to take over the network.
  6. Quid Pro Quo:
    • Latin for ‘something for something’: here the attacker offers the victim a benefit in exchange for information. A good example is hackers pretending to be IT support.
    • They will call everyone they can find at a company to say they have a quick fix and “you just need to disable your AntiVirus”.
    • Anyone who falls for it gets malware such as ransomware installed on their machine.
  7. Water-Holing:
    • This technique takes advantage of websites people regularly visit and trust.
    • The attacker gathers information about the targeted group of individuals to find out what those websites are, then tests those websites for vulnerabilities.
    • Over time, one or more members of the targeted group will get infected and the attacker can gain access to the secure system.
  8. Tailgating:
    • A method used by social engineers to gain access to a building or other protected area.
    • A tailgater waits for an authorized user to open and pass through a secure entry and then follows right behind.
  9. Honeytrap:
    • A trick that lures men into interacting with a fictitious attractive woman online, adapted from old spy tactics in which a real woman was used.
  10. Rogue:
    • Also called rogue scanner, rogue anti-spyware, rogue anti-malware or rogue security software: a form of computer malware that deceives users into paying for the fake or simulated removal of malware.
    • Rogue security software has become a growing and serious security threat in desktop computing in recent years.
    • It is widespread; there are literally dozens of these programs.

About LanDynamix