Social Engineering Part 1: What is social engineering?
What is social engineering?
Social Engineering is a form of security fraud that relies on psychological manipulation techniques to trick people into revealing sensitive information.
This is often carried out online using a variety of social engineering techniques; the most commonly cited social engineering attack is phishing (including vishing, smishing, spear phishing and whale phishing). Unlike most forms of online fraud, which exploit software vulnerabilities, social engineering exploits a human element, which makes these attacks harder to identify than typical technology-based intrusions.
Relying on human error
The reliance on human error is what makes social engineering attacks particularly dangerous. Humans are social beings and are therefore evolutionarily inclined to seek acceptance within their social group. For this reason, most people have a natural tendency to want to be liked, to be helpful to other members of their group, and to follow the lead of those they perceive as authority figures. Social engineering techniques take advantage of these natural traits, which is why they work so effectively.
The Social Engineering Lifecycle
Attackers usually follow a series of steps before an act of social engineering fraud takes place. This is usually referred to as ‘The Social Engineering Lifecycle’ – and consists of the following steps:
The first step in a social engineering attack is to gather background information on the intended victim or victims. Usually this includes the victim(s)' place of work, the names of their colleagues, the company's management hierarchy and who they report to. The attacker then uses this information to select a method of attack – for example, a spear phishing attack.
The next step involves deceiving the chosen victim(s) and putting the attack in motion. Continuing with the spear phishing example, this might involve spoofing the email address of the victim(s)' boss, CEO or a member of the HR team and asking for sensitive company information, personal credentials or a transfer of funds, with an element of urgency or immediacy. Because of the extensive research carried out in the first step, attackers can create extremely accurate, legitimate-looking emails – and can even make a message appear to come directly from the impersonated member of staff.
Human social nature comes into play during this phase of the lifecycle. Wanting to stay in the ‘good books’ of the company, the victim(s) are usually quick to respond to a request from someone they perceive to be an authority figure in the company. Once the victim(s) comply with the attacker’s request, the attacker gains access to the sensitive information they were after.
Once the attacker has the information they need, they usually begin covering their tracks so they can disappear with it before the company or the victim(s) realise anything is amiss.
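As an added example (not Netacea's code and not part of the original post), the Python script below shows how a defender might triage the spoofed-authority email described in the lifecycle above. It scores one raw message for the signals a pretexting or spear phishing email typically carries: a display name that matches a real colleague but an address outside the organisation, a lookalike sender domain, a Reply-To that silently redirects replies, urgency language, and a request for credentials or funds. The internal domain, the staff directory, the keyword lists and the three messages are all constructed for illustration; only the standard library is used.

```python
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed internal domain (constructed)

# Constructed staff directory: people whose names an attacker might impersonate.
DIRECTORY = {
    "alice chen": "alice.chen@example.com",
    "bob singh": "bob.singh@example.com",
}

# Constructed keyword lists for the "urgency" and "sensitive request" cues.
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.IGNORECASE)
SENSITIVE = re.compile(
    r"\b(wire|transfer|bank details|gift cards?|password|credentials|login|payroll)\b",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value flags a lookalike domain (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message: str) -> dict:
    """Parse one RFC 5322 message and return its signals, score and verdict."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    payload = msg.get_payload(decode=True)  # bytes for a single-part message
    text = msg.get("Subject", "") + "\n" + (payload.decode(errors="replace") if payload else "")

    signals = []
    known = DIRECTORY.get(display_name.strip().lower())
    if known and address.lower() != known:
        signals.append("display_name_spoof")  # a real colleague's name, a foreign address
    sender_domain = _domain(address)
    if sender_domain and sender_domain != INTERNAL_DOMAIN and edit_distance(sender_domain, INTERNAL_DOMAIN) <= 2:
        signals.append("lookalike_domain")
    if reply_to and _domain(reply_to) != sender_domain:
        signals.append("reply_to_mismatch")  # replies go somewhere other than the sender
    if URGENCY.search(text):
        signals.append("urgency")
    if SENSITIVE.search(text):
        signals.append("sensitive_request")

    score = len(signals)
    verdict = "likely_phish" if score >= 3 else ("review" if score >= 1 else "clean")
    return {"from": address, "signals": signals, "score": score, "verdict": verdict}


# Constructed sample messages (not real traffic).
SPOOFED_MESSAGE = """\
From: Alice Chen <alice.chen@examp1e.com>
Reply-To: alice.chen@mailbox.invalid
To: dana@example.com
Subject: URGENT wire transfer needed today

Dana, I'm in a board meeting and can't talk. Please transfer the supplier
payment immediately and send me confirmation.
"""

VENDOR_MESSAGE = """\
From: Accounts <billing@vendor-example.net>
To: dana@example.com
Subject: Invoice due today

Please find this month's invoice attached.
"""

LEGIT_MESSAGE = """\
From: Alice Chen <alice.chen@example.com>
To: dana@example.com
Subject: Lunch on Thursday?

Are you free for lunch on Thursday to go over the roadmap?
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED_MESSAGE), ("vendor", VENDOR_MESSAGE), ("legit", LEGIT_MESSAGE)]:
        print(name, triage(raw))
```

The point of scoring several independent cues rather than matching on urgency alone is that the pretexting pattern above combines them: a single cue (a vendor invoice that says "today") only earns a "review" verdict, whereas the spoofed message trips every signal. In a real deployment the directory would come from the identity provider and the domain check would sit alongside SPF, DKIM and DMARC results rather than replace them.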
How does social engineering enable bot attacks?
While social engineering techniques are often thought to be more time-consuming than those that exploit software vulnerabilities, the evolution of sophisticated bots allows attackers to carry out social engineering attacks much faster. Attackers can now easily automate phishing campaigns, sending hundreds of phishing emails to many addresses far quicker than a human could, and bots are now sophisticated enough to pose as human beings. In addition, more bots are being developed to assist with the investigation and reconnaissance phase of the Social Engineering Lifecycle: scraper bots search social media platforms – such as Facebook or LinkedIn – and collect personal information from profiles associated with particular organizations. As bots continue to evolve, less human time and fewer resources are required to carry out social engineering attacks – which is why these attacks continue to grow in scale and popularity.
A short introduction to the more common social engineering techniques
| Social Engineering Technique | Description |
|---|---|
| Baiting | This technique usually works by appealing to the victim's interest or curiosity. For example, the victim could receive an email stating that they have won a competition or have been randomly selected to trial a new product; they are then baited into clicking through to a link where they are invited to fill in their details (i.e. credentials, credit card numbers, date of birth etc.), which are then harvested by the attacker. Alternatively, by simply clicking the link they may have unintentionally given the attacker access to their computer or installed malware onto the system. |
|  | This is a common social engineering technique which scares people into thinking their computer is infected with malicious software. The attackers invite you to click on a link to ‘fix’ your computer or ‘run antivirus software’ which, upon clicking the link, will do the opposite. |
| Pretexting | The example outlined above in the Social Engineering Lifecycle is an example of pretexting. In this situation, the attacker is usually able to gain the victim’s trust by impersonating a trusted colleague or senior member of the company. They then exploit this relationship to gather sensitive information about either the company or the individual. |
| Phishing and more | There are many forms of phishing attack; again, referring to the example in the Social Engineering Lifecycle above – this is known as a spear phishing attack. Spear phishing is a phishing method that targets specific individuals or departments within a company. There is also a phishing method known as whale phishing, which specifically targets the more senior members of a company, such as the CEO or the Chief Financial Officer. Other forms of phishing include vishing – phishing through phone calls – and smishing, a form of phishing carried out through text messages. |
Keep an eye out for the next blog in this series, where we will delve deeper into the more sophisticated social engineering methods that combine several of the techniques above.