Skip to main content
Version: 1.0.2

Social engineering types

Human-based social engineering

Impersonation

  • Also known as masquerading
  • 📝 Pretending to be someone else to learn needed information
  • A form of identity theft
  • E.g. as
    • target systems end user
    • technical support working with something that requires information to quickly build trust
    • maintenance personal that'll fix vending machine in canteen to install a honeypot
    • an authoritative figure such as FBI agent

Masquerading

  • 📝 Pretending to be someone who is authorized and/or requires that access.
  • Convincing personnel to grant access to sensitive information or protected systems
  • Masquerading is more passive compared to impersonating.

Eavesdropping

  • 📝 Secretly listening other peoples communication without consent.
  • E.g. by listening a conversation or reading private messages.

Shoulder surfing

  • 📝 Observing victims when they're using devices such as ATMs, computers, kiosks...
  • Can be done long distance with vision enhancing devices such as binoculars.
  • E.g. looking at the keyboard as target types its password in an Internet café.

Dumpster diving

  • 📝 Collecting information from the target's trash bins
  • 💡 Shredded papers can sometimes indicate sensitive info
  • Passive footprinting method
  • E.g. bills, financial information, sticky notes, manuals.
  • Countermeasure: A safe waste disposal policy

Reverse social engineering

  • 📝 Initiated by the victim that's tricked into contacting the attacker herself
  • Attacker poses as an authority figure usually by creating a problem then offering a solution.
  • E.g.
    • befriending an employee
    • causing problems (e.g. DoS) at work and offer help.
    • often happens with tech support

Piggybacking

  • 📝 Convincing an authorized personal to let attacker into a secured area
  • Can be physical (e.g. a building) or electronics (e.g. a database)
  • Differs from tailgating as it includes consent of the personal.
  • E.g. "it's a delivery just hold the door" or ""I forgot my ID badge, please help"

Tailgating

  • 📝 Gaining access to restricted areas by following another person
  • 💡 Can hold a fake badge when doing it.
  • Usually caused by employee's politeness like opening or holding the door
    • 💡 Using a wheelchair usually exploits this human vulnerability
  • A countermeasure is using man traps as because they only allow single person at a time.

Vishing

  • Use of the telephone to perform the attack (voice and phishing)

Computer-based social engineering

Phishing

  • 📝 Attack where the attacker sends a link to a malicious website to collect information
  • Malicious website usually fakes a legitimate one with a similar URL.
  • E.g. someone calls, asks to fill a form, and says it's a company survey and it'll help company a lot.
  • URLs are usually sent through e-mail, but can also be sent through:
    • Spimming (SPIM=Spam over Instant Messaging)
    • Spitting (SPIT=spam over Internet telephony, VoIP spam)

Whaling

  • 📝 A very targeted attack on a high value victim called "Whale" (big fish)
  • Usually targets high-level executives

Spear Phishing

  • 📝 Using specialized phishing content for a specific person or group of people
  • Generate higher response rate as it's more personalized

Pharming

  • 📝 Redirect a website's traffic to a malicious one
  • Can be done through
    • Exploiting DNS vulnerabilities such as DNS poisoning
    • Host file modification
      • Windows location: C:\Windows\System32\drivers\etc\hosts
      • Linux location: /etc/hosts
      • MacOS X location: /private/etc/hosts

Phishing countermeasures

Detecting phishing e-mails
  • Sense of urgency or a veiled threat
  • From a bank, company, or social networking site
  • Generic greeting
  • From a person listed in your email address book
  • Malicious attachment
  • Official-looking logos
  • Offers that seem to be too good to believe
  • Links to spoofed websites
  • Grammatical/spelling mistakes
Anti-phishing tools
  • Netcraft: maintains malicious site blacklists against phishing.
  • PhishTank: website containing phishing websites

Spam mail

  • Sent by attacker with malicious links and attachments
  • Can get information such as financial information, social security numbers, and network information.

Baiting

  • Installing malware through "need and greed" impulse
  • E.g. offering something free if you click a link on a website.

Pop-up window attacks

  • To usually create urge to malicious websites or download malware
  • E.g. distribute malware links with message "your machine is infected, click here to clean up"

Instant chat messenger

  • Gathering personal information by chatting with a selected online
  • Can get information such as birth dates and maiden names

Hoax letters

  • Emails that issue warnings to the user on new malware that may harm the user's system.

Chain letters

  • Emails that instructs user to forward the mail to the said number of persons
  • Usually offer free gifts such as money and software

Mobile-based social engineering

Malicious apps

  • Created and publish to infect phones and collect data.
  • E.g.
    • a replica or similar copy of a popular application
    • ZitMo (ZeuS-in-the-Mobile), a banking malware that was ported to Android

Repackaging legitimate apps

  • Repacking legitimate apps with malware and redistributing in third-party app stores.

Fake security apps

  • Promises security but provides attacker victims data.
  • E.g. apps that "victims" victims securely log on to their bank accounts

SMS phishing

  • Also called SMShishing or smishing
  • Sending malicious links through SMS messages and urge their targets to act

Insider attacks

  • Authorized person unintentionally or intentionally compromises the security of a system.
  • E.g. spying on competitor company through a job opening to extract information from its employees.
  • See also Insider attacks | Security threats and attacks.

Insider types

  • Malicious insiders
    • Privileged users to inflict harm
    • E.g. dissatisfied or former employees that wants to take revenge
  • Careless and negligent insiders
    • Make errors and disregard policies
    • E.g. uneducated employees
  • Infiltrators
    • External actors
    • E.g. hackers
  • Compromised insiders
    • Allow external threats to act with same privileges as the insider
    • E.g. Sony breach (2014-15) where attackers took over 100 TBs of data.

Social engineering countermeasures

  • Training
    • Employee education to increase awareness
  • Separation and rotation of duties
    • Employees should sign a statement acknowledging that they understand the policies.
  • Least privilege
    • Giving a user account only those privileges which are essential to perform their intended job function
    • E.g. a user whose sole job function is to creating backups does not need the ability to install software
      • User account will only have rights to run backup and backup-related applications.
  • Monitoring, logging and auditing
  • Multi-factor authentication
    • At least for high risk network services e.g. VPNs, cloud services.
  • Strong password policies
    • Strong authentication
    • Periodic change
    • Complexity requirements
    • Blocks after failed attempts
  • Physical security policies
    • Access area restrictions
    • Identification of employees by issuing ID cards, uniforms, etc.
  • Access control
    • For data through e.g. operational guidelines.
  • Proper incidence response time
    • Proper guidelines for reacting in case of a social engineering attempt.
  • Change-management process
    • Better documented
  • Anti-virus and anti-phishing defenses
  • Background check and proper termination process
    • Insiders with a criminal background and terminated employees are easy targets for procuring information.