The Classic Tricks of Social Engineering and How Not to Fall for Them
April 12, 2013
In our earlier post, “The Weakest Link: How Malicious Hackers Break into the Most Secure Organizations,” we discussed how even organizations with the budget for the best malware protection and monitoring are still breached, and at a surprising rate. That post pointed to the recent attacks on Apple, Facebook, Microsoft, LinkedIn and other well-known companies that had fallen victim to the psychological tactics of social engineering.
Social engineering has only recently become associated with computing, where it describes a way of gaining access to secured networks or systems, either physically or remotely. Before that the term belonged to the social sciences, but the underlying idea is the same: social engineering is any of a number of tactics that manipulate people into divulging confidential information, whether personal or corporate, or into taking an action they otherwise would not.
Here are a few of the common ways social engineering exploits human decision-making as the opening move of a network attack:
Pretexting is the creation of a believable scenario that engages the target, usually emotionally, in order to draw out confidential information the person would not give up under normal circumstances. Common examples include advance-fee (“419”) scams, phishing messages claiming you need to confirm your PayPal account details, and the Facebook and Twitter scams claiming either that something has been said about you or that a friend travelling abroad has had a wallet stolen and needs cash. These work because the messages look legitimate and bear directly on a personal reputation or relationship.
Tailgating, also known as piggybacking, is gaining entry to a secured area by walking in behind someone who has the access key or badge. Out of common courtesy that person holds the door and rarely asks for identification proving you are allowed in the building. The countermeasure is a simple habit: one badge per person, and the door closes behind you.
Phishing and phone phishing (also called vishing): the social engineer sends a spoofed email or makes a fake phone call, respectively. If something looks right, people tend to assume it is right. If the email appears legitimate, users click through its links; if a caller claims to be from the IT department and says something was detected on their computer, they assume it is true and hand over identifying and sometimes confidential information so the issue can be fixed. The check is the same in both cases: do not use the contact details the message or the caller supplies. Close the email or hang up, and reach the supposed sender through a number or address you already know.
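Several of the cues in that description can be checked mechanically before anyone clicks. The script below is an added example and not code from the original post: it runs a few simple heuristics over two constructed sample messages (a lure and a legitimate notice, with made-up domains) and flags a Reply-To that goes to a different domain than the From address, link text that displays one domain while the href points at another, and the pressure phrases that pretexting relies on. The domain comparison is deliberately crude (last two labels, no public-suffix list, no DNS) so the logic stays readable.

```python
"""Heuristic checks for the tell-tale signs of a spoofed email.

Added example, not code from the original post. Sample messages, sender
addresses and domains are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that create the time pressure a pretext depends on.
PRESSURE_PHRASES = ("action required", "within 24 hours",
                    "account is limited", "verify your account")

# Constructed lure: look-alike sender domain, a Reply-To that goes elsewhere,
# and link text showing the real bank's address while the href does not.
PHISH_EMAIL = """\
From: "Bank Customer Service" <service@bank-secure-login.example>
Reply-To: verify@mail-collect.example
To: victim@example.org
Subject: Action required: confirm your account
Content-Type: text/html

<html><body>
<p>Your account is limited. Please confirm your details at
<a href="http://bank-secure-login.example/login">https://www.bank.example/confirm</a>
within 24 hours.</p>
</body></html>
"""

# Constructed legitimate notice for comparison: consistent domains, no pressure.
CLEAN_EMAIL = """\
From: "Bank Statements" <notice@bank.example>
To: victim@example.org
Subject: Your monthly statement is available
Content-Type: text/html

<html><body>
<p>Your statement is ready at
<a href="https://www.bank.example/statements">https://www.bank.example/statements</a>.</p>
</body></html>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    return address.rpartition("@")[2].lower()


def registrable(host):
    """Crude 'registrable domain': the last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def host_in_text(text):
    """Return a hostname if the visible link text looks like a URL or domain."""
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else None


def body_text(msg):
    """Decode every text part (handles both single-part and multipart mail)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message):
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")
    body = body_text(msg)
    parser = _LinkParser()
    parser.feed(body)
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown_host = host_in_text(text)
        if shown_host and href_host and registrable(shown_host) != registrable(href_host):
            findings.append(f"link text shows {shown_host} but points at {href_host}")
    visible = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    findings += [f"pressure language: '{p}'" for p in PRESSURE_PHRASES if p in visible]
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyze(raw) or "no findings")
```

Running it prints five findings for the lure and none for the clean notice. None of these checks proves an email is hostile on its own (a legitimate newsletter may use a different Reply-To, and a support page may genuinely say “action required”), which is why the point of the post stands: the mechanical cues are a prompt to verify through a channel you already trust, not a substitute for doing so.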
Baiting appeals to human curiosity. It usually involves leaving a malware-infected USB drive, or another device, in a common area where a company’s employees will find it. More often than not an employee picks the device up and plugs it into a workstation without a second thought, which gives the malware a foothold on the corporate network. Disabling autorun helps, but a document stored on the drive can carry the payload just as well, so the real defense is a policy that unknown media is never plugged in and is handed to the security team instead.
These are only a few of the many ways a social engineer can play on human habits to get into a secured building, a login page or a computer. Because it is natural to follow social convention and not ask why someone left a USB drive on the bathroom floor or why IT called out of the blue, this kind of breach succeeds with very little effort. Social engineering targets human behavior, and the only way to combat it is to stop taking every request at face value and to think twice about the motive behind it.
To learn more about social engineering and other tactics used by malicious hackers, view our listing of cyber security training courses.