Who is a social engineer?
Well, you do not need a four-year uni course to become one. The core skill a social engineer needs is impersonation: they pretend to be someone they are not in order to elicit information (or an action) from their target. (Movie flashback: Catch Me If You Can)
Some social engineering techniques
- Tailgating: As the name suggests, it's following an authorised individual into a building or restricted area without badging in yourself. This works because the attacker makes use of our desire to be polite. I know, you want those good karma points, I do too, but if you don't know the person, holding the door might not be the place to cash in on them!
- Dumpster Diving: Yup, it means exactly what you think it does: going through the bins to find valuable information. This works because we are lazy and don't bother shredding documents securely. You might think that's lame, who's gonna do that? Well, attackers have struck gold (not literally) looking at a pile of trash.
- Shoulder Surfing: As simple as it sounds. It is stealthily looking over someone's shoulder to obtain information such as a PIN or password. The best way to protect yourself is to be aware of your surroundings and use a privacy screen!
- Phishing: I did a post on this a while back, so check that out. There are a few other phishing types that you might not come across too often:
  - Whaling: Going for the big fish, aka the whales, in an organisation. This is targeted phishing aimed at high-profile targets such as executives.
  - Pharming: A more sophisticated variant because it doesn't rely on the victim clicking a bad link; instead, requests for a legitimate domain are silently redirected to a bogus website. The attacker achieves this by poisoning the DNS cache (or otherwise tampering with name resolution) so that the real domain name resolves to their server.
  - Watering Hole Attack: Taking inspiration from how a lion waits near a water hole to prey on deer, this is pretty much the same. The attacker studies the victim and the sites they visit, then looks for opportunities to compromise those sites, e.g. by exploiting an XSS vulnerability in the site that is not yet known to the site's owners or security vendors.
  - Typosquatting: Also called URL hijacking, it relies on the user mistyping a common URL and landing on a malicious website, e.g. typing www.gooogle.com instead of www.google.com. In this case Google has registered the misspelling too and redirects the user to the legitimate site. This is more of an issue for smaller businesses that can't keep buying every similar domain.
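Since a small business can't register every misspelling, the practical defence is to know which look-alikes exist and watch for them (in mail sender domains, certificate transparency logs, new registrations). The script below is an added example, not code from the original post: it generates the common single-edit typo-squat candidates for a domain (omission, repetition, transposition, adjacent-key replacement, homoglyph swaps such as `o`→`0` and `m`→`rn`, hyphenation) and flags sender domains that match. The keyboard-adjacency map, the homoglyph table, and the sample sender list are the example's own assumptions and constructed data.

```python
"""Generate typo-squat candidates for a domain and flag look-alikes.

Added example (not the original post's code). It is a small version of what
domain-monitoring tools do. The ADJACENT and HOMOGLYPHS tables and the sample
sender list below are this example's own assumptions / constructed data.
"""

# Neighbouring keys on a QWERTY layout (assumed layout, letters only).
ADJACENT = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

# Characters (or pairs) that look alike in many fonts.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "m": "rn", "w": "vv"}


def split_domain(domain):
    """'google.com' -> ('google', '.com'); the first label is what gets squatted."""
    label, _, rest = domain.lower().partition(".")
    suffix = "." + rest if rest else ""
    return label, suffix


def typo_variants(domain):
    """Return the set of single-edit look-alike domains for `domain`."""
    label, suffix = split_domain(domain)
    out = set()
    n = len(label)
    for i in range(n):
        # Omission: google -> gogle
        out.add(label[:i] + label[i + 1:])
        # Repetition: google -> gooogle
        out.add(label[:i] + label[i] * 2 + label[i + 1:])
        # Transposition of two adjacent characters: google -> gogole
        if i < n - 1:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        # Adjacent-key replacement (fat finger): google -> foogle
        for key in ADJACENT.get(label[i], ""):
            out.add(label[:i] + key + label[i + 1:])
        # Homoglyph replacement, one position at a time: google -> go0gle
        if label[i] in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    # Hyphenation: google -> goo-gle
    for i in range(1, n):
        out.add(label[:i] + "-" + label[i:])
    out.discard(label)  # never report the real name as a look-alike
    return {variant + suffix for variant in out}


def is_lookalike(candidate, legit):
    """True if `candidate` is a single-edit typo-squat of `legit`."""
    return candidate.lower() in typo_variants(legit)


def flag_senders(sender_domains, protected):
    """Map each sender domain that imitates a protected domain to that domain."""
    hits = {}
    for legit in protected:
        variants = typo_variants(legit)
        for sender in sender_domains:
            if sender.lower() in variants:
                hits[sender] = legit
    return hits


# Constructed sample data so the script runs stand-alone (not real mail logs).
SAMPLE_SENDERS = ["gooogle.com", "gogole.com", "rnicrosoft.com", "example.org"]
PROTECTED = ["google.com", "microsoft.com"]

if __name__ == "__main__":
    for sender, legit in flag_senders(SAMPLE_SENDERS, PROTECTED).items():
        print(f"{sender} looks like {legit}")
```

Running it over the constructed list flags `gooogle.com` and `gogole.com` as look-alikes of google.com and `rnicrosoft.com` as a look-alike of microsoft.com, while `example.org` passes. Real tooling adds more transforms (bit-flips, alternative TLDs, IDN homographs) and then checks which candidates are actually registered.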
What are the principles that make social engineering attacks effective?
These are the principles a social engineer plays on. Reading about them, they might seem too simple to actually work, but they work well precisely because they exploit human psychology.
- Authority: If someone dresses, carries themselves and talks like a person of authority, people will end up believing them and divulging information they probably shouldn't. E.g. A social engineer posing as an IT security administrator calls you and asks for your password to troubleshoot an issue.
- Intimidation: A social engineer uses the power of intimidation and plays on our fear of getting in trouble. E.g. Someone claiming to be from the tax office calls and says you have unpaid taxes and will be arrested if you don't comply with their demands. (Not gonna lie, I got scared the first time I got this call, but I did reach out to the legitimate tax authority to verify the legitimacy.)
- Consensus: This takes advantage of the herd. We are more likely to believe something if other people already trust it. E.g. If an attacker can show (or pretend to show) that several people have already complied with their request, it will most likely convince you to do the same.
- Scarcity and urgency: The most common use of this is in marketing; you've seen ads that hurry you into buying because the sale price lasts only a short time or stock is limited. E.g. An attacker pretending to be an IT support admin urges you to hand over your password right now, otherwise you'll be locked out of your account.
- Familiarity: A social engineer tries to build familiarity and liking by using humour and sharing common interests, then leverages that relationship later to extract information from you. E.g. A social engineer befriends you at your local cafe; you meet them every day and talk about your life, and eventually you form a liking for that person, which is what they slowly take advantage of to extract information from you.
- Trust: This forms the basis of all these principles: we trust people with authority, we trust the consensus, and we trust the people we like.
Even though it feels so simple, social engineering is the soft side of cybersecurity: it exploits human psychology rather than a technical flaw. Here are a few examples of famous social engineering attacks.
Most of the time a social engineering attack is the start of a more sophisticated attack. The main defence is user awareness and education, backed by simple verification habits (hang up and call back on a number you already know, never hand over a password to a caller), and the fact that it relies on people rather than patches is what makes combating these attacks so hard!