Social Engineering is the act of manipulating people into giving up confidential information that would not be accessible under normal circumstances. It is a technique used as part of active footprinting, where an attacker gathers information about a target before moving on to the later phases of the Cyber Kill Chain. Social Engineering relies on human interaction, which can be direct face-to-face contact, a voice call, or email with the target person. The attacker first studies the environment around the target user, gathering information about the organization online, such as its domain name, location, and employees, before performing the social engineering itself.
An attack exploits the following human vulnerabilities:
Authority – The attacker obtains information by claiming authority, for example by impersonating a senior leader, HR, or a customer and deceiving the victim into revealing information.
Intimidation – The attacker obtains information by intimidating the target person, for example by impersonating police, a government official, or an advocate and deceiving the victim into revealing information.
Consensus – People follow what others do; this is known as consensus. The attacker convinces the victim to perform an activity that reveals information by claiming that others have already done it. For example, the attacker asks for a document and says that the victim's colleagues have already provided it.
Scarcity – The attacker makes the victim feel that something is scarce so that the victim performs the intended activity. For example, the attacker claims that a certain product is going out of stock and gets the victim to click a link to buy it. The link captures the information the victim enters.
Urgency – The attacker simulates an urgent situation and pressures the victim into sharing information.
Familiarity – The attacker builds a relationship with the target. People tend to do things for others they like, and attackers use this weakness to get the victim to share information.
Trust – The attacker builds a relationship with the target and gains their trust, then uses that trust to obtain information from the victim.
Greed – The attacker exploits the greed of some people to get data, offering gifts, money, and so on in exchange for information from the target.
Phases of Social Engineering
- Research of the Target Organization.
- Select a Target Person (Victim).
- Develop a Relationship.
- Exploit the Relationship.
Types of Social Engineering
Human Social Engineering is done through direct human interaction. The attacker selects a target victim and obtains sensitive data using the following techniques:
Impersonation – The attacker pretends to be a legitimate or authorized person and gathers information. This is done directly, in person, with the victim.
Vishing – The attacker pretends to be a legitimate or authorized person and gathers information over voice calls, typically Voice over IP calls.
Eavesdropping – The attacker listens in on other people's conversations.
Shoulder Surfing – The attacker looks over the victim's shoulder while they are typing and gathers information.
Dumpster Diving – The attacker searches trash bins and gathers information.
Reverse Social Engineering – The attacker studies the processes, models, frameworks, operations, and architecture of the environment around the target, creates a problem situation around the victim, and then contacts the victim offering support or help, obtaining the information in the process.
Piggybacking – The attacker gets into a secure location with the help of an authorized person.
Tailgating – The attacker gets into a secure location by following an authorized person without their knowledge.
Diversion Theft – The attacker tricks the victim into delivering a package to a location of the attacker's choosing.
Honey Trap – The attacker uses attractiveness or flattering conversation to lure the victim and obtain their information.
Baiting – The attacker lures victims by offering something they cannot resist, such as money or gifts, and obtains information.
Quid Pro Quo – The attacker obtains information in exchange for offering something. Quid pro quo means "something for something".
Elicitation – The attacker obtains information through a normal conversation with the victim, who provides it unknowingly.
Bait and Switch – The attacker uses bait, such as an offer or a prize, to get the victim to do things that reveal information.
Computer-Based Social Engineering is done using computers and the Internet. The attacker selects a victim, uses the Internet as the communication channel, and obtains sensitive data using the following techniques:
Phishing – The attacker impersonates a legitimate person or entity and sends emails, texts, or SMS messages containing links which, when clicked, redirect to malicious sites that look genuine and capture sensitive information from the victim.
Hoax Letters – The attacker sends fake emails about malware, trojans, viruses, and worms to spread fear or disruption in a community.
Chain Letters – The attacker sends fake emails and gets recipients to forward them, for example by asking for donations for seemingly genuine causes or by raising awareness of a situation.
Instant chat messenger – The attacker chats with the victim online and obtains information.
Spam email – The attacker sends spam emails to a community or group of people, either to spread a situation or to obtain sensitive information from their responses.
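As an added example, not part of the original article, the following defensive checker looks for the phishing traits described above in a single email: a sender display name that borrows the organization's name while the address domain differs, link text that shows one domain while the real href points to another, and the urgency, scarcity, authority and greed cues from the list of human vulnerabilities earlier on this page. The cue phrase lists, the domain names, and the sample message are all constructed for this example, and the last-two-labels domain helper is a simplification of a proper public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Cue phrases for the persuasion principles listed above (constructed lists).
CUES = {
    "urgency": ("immediately", "within 24 hours", "urgent", "act now"),
    "scarcity": ("limited", "last chance", "out of stock", "only a few"),
    "authority": ("ceo", "hr department", "it security", "compliance"),
    "greed": ("prize", "reward", "gift card", "bonus"),
}
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def registered_domain(host):
    # Last two labels of a host; a crude stand-in for a public-suffix lookup.
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:])

def analyze(raw_email, trusted_domain):
    """Score one single-part RFC 822 message for the phishing traits above."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    # Impersonation: display name borrows the org's name, sending domain differs.
    org = trusted_domain.split(".")[0]
    from_dom = registered_domain(addr.rsplit("@", 1)[-1])
    impersonated = org in display.lower() and from_dom != trusted_domain
    # Link mismatch: visible link text names one domain, the real href another.
    mismatches = []
    for href, label in ANCHOR.findall(body):
        shown = HOST_IN_TEXT.search(re.sub(r"<[^>]+>", "", label))
        if shown:
            shown_dom = registered_domain(shown.group(1))
            real_dom = registered_domain(urlparse(href).hostname or "")
            if shown_dom != real_dom:
                mismatches.append((shown_dom, real_dom))
    hits = {k: [p for p in v if p in text] for k, v in CUES.items()}
    cues = {k: v for k, v in hits.items() if v}
    score = int(impersonated) + len(mismatches) + len(cues)
    return {"impersonated_sender": impersonated, "link_mismatches": mismatches,
            "cues": cues, "score": score}

# Constructed sample message (not a real one) that trips all three indicators.
SAMPLE = '''From: "Acme HR Department" <hr-notice@acme-payroll-login.com>
Subject: Urgent: confirm your payroll details within 24 hours

<p>Our CEO requires all staff to act now. Only a few accounts remain unverified.</p>
<p><a href="http://acme-payroll-login.com/verify">https://acme.example/payroll</a></p>'''
```

Calling analyze(SAMPLE, "acme.example") flags the impersonated sender, the mismatched link, and three cue categories; a plain internal reminder from the real domain with a consistent link scores zero.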
Mobile Social Engineering is done through mobile apps using the following techniques:
Publishing Malicious Apps – The attacker publishes malicious apps in a mobile app store; victims download and install them on their phones, and the apps capture and send information.
Repackaging Legitimate Apps – The attacker obtains legitimate applications, repackages them with malicious code, and uploads them to a mobile app store. Victims download and install the repackaged apps on their phones, and these apps capture and send information.
QRLJacking – The attacker publishes malicious QR codes. Victims scan these QR codes, which collect information.