Two common categories of social engineering:
- Human-Based: Achieved through direct, person-to-person interaction between the attacker and the victim. An example is calling a bank's help desk to obtain an account holder's account details.
- Computer-based (also known as phishing): Attacks carried out with computer software that attempts to retrieve information. For example, an attacker sends the victim an email asking him/her to change a password "for security purposes". The mail contains a link to a cloned Facebook login page; the victim unknowingly enters his/her genuine credentials, which the cloned page captures and exposes to the attacker.
For more information about social engineering, refer to What Do You Know About Social Engineering?
Human-based Social Engineering
Not all social engineering attacks are carried out through technical means. A social engineer can also gather information through conversation, impersonation, and dumpster diving. Such attacks are known as human-based social engineering.
Some of the techniques used for human-based social engineering are:
a. Impersonating an Employee or Valid User
In this type of attack, the hacker pretends to be an employee of the target organization or a valid user on a system. The intention is to gain physical access to the organization's information systems.
For example, the attacker might pretend to be a sweeper, since sweepers are given access to all the rooms and cubicles of the organization in order to clean them.
b. Posing as an Important Person
The hacker pretends to be an important user, such as an executive or high-level manager, who needs immediate assistance to gain access to a computer system.
This technique takes advantage of the fact that lower-level employees, such as assistants, are expected to help high-level employees. In this manner, the social engineer gains access to the targeted system.
c. Using a Third Person
Here, the social engineer pretends to have permission from an authorized source to use the targeted system.
For example, if the attacker targets a college's library system, he/she would claim to have the ICT officer's permission to perform maintenance on the system. Unaware of the deception, the librarians would give them access to the system.
d. Calling Technical Support
Calling a help desk for support is a classic social engineering technique. It remains effective because help desks have no way to visually verify the callers.
Because help desk staff are trained to help the users of the targeted system, they make easy prey. For example, if the attacker wants the bank account number of a target individual, he/she would impersonate the target and call the help desk for assistance in remembering the account number.
e. Shoulder Surfing
The social engineer gets the targeted information by watching over the shoulder of the target.
For example, the attacker wants to log into a social networking site. The attacker watches a valid user log in and then uses the observed password to gain access.
f. Dumpster Diving
Paper printouts and scraps of paper that an organization throws away can contain useful information about the organization. Dumpster diving involves searching through the discarded printouts and paper to collect that information.
This kind of information gathering takes time, but hackers can often find passwords, filenames, or other pieces of confidential information.
g. Reverse Social Engineering
In the help desk calling method of social engineering, the attacker asks for information. Reverse social engineering is the reverse of this: the attacker pretends to be someone working at the help desk.
For example, the attacker would call a target bank account holder, impersonating an official working at the bank's help desk.
The attacker would ask for the account holder's confidential credentials, claiming that the bank lost the target's information while updating its system.
Computer-Based Social Engineering
Computer-based social engineering attacks usually involve sending email attachments containing malicious code, and collecting data through fake websites and pop-up windows.
Pop-up windows are windows that appear suddenly when the computer user clicks the mouse or presses certain function keys, often large enough to cover the whole screen and demanding that the user click on some menu within it.
a. Phishing Attacks
Phishing attacks involve sending emails in which the attacker impersonates banks, credit-card companies, or other organizations. If the sender impersonates a bank, the mail would ask the target to reset information such as account numbers or PINs.
The emails the attacker sends contain links that redirect to fake websites that appear genuine. If the victim unknowingly submits his/her information through such a fake website, the attacker can easily capture it.
Another example of such attacks is one in which the attacker claims to be from another country and to have a lot of money; the victim is asked to help the attacker get out of the country. These attacks target ordinary people, often preying on bank account access codes or other credentials.
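A defender-side check for the link trick described above, as an added example that is not part of the original article: it collects the anchors in an HTML mail body and flags links whose visible text names one host while the href points at another, or whose host merely embeds a trusted brand name inside an unrelated domain. The trusted-domain list, the sample mail and all hostnames are constructed for illustration.

```python
# Added example (not from the original article): flag phishing-style links in
# an HTML email body. A link is flagged when the text the reader sees names one
# host but the href goes to another, or when the href host merely embeds a
# trusted brand name (e.g. "bank.example.com.evil-host.test"). TRUSTED_DOMAINS
# and the sample mail are constructed for illustration.
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"bank.example.com", "facebook.com"}  # hypothetical allow-list

# Simple anchor matcher; adequate for mail bodies, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host: str) -> str:
    """Last two labels of a hostname: 'a.b.c' -> 'b.c'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def visible_host(text: str):
    """Hostname named in a link's visible text, or None if the text is not a URL."""
    text = re.sub(r"<[^>]+>", "", text).strip()          # drop nested tags
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def suspicious_links(html_body: str):
    """Return (href, reason) for each link that looks like a phishing lure."""
    findings = []
    for href, text in ANCHOR_RE.findall(html_body):
        host = urlparse(href).hostname or ""
        shown = visible_host(text)
        # Case 1: the visible text is a URL on a different host than the target.
        if shown and registrable(shown) != registrable(host):
            findings.append((href, f"shows {shown} but goes to {host}"))
            continue
        # Case 2: the host contains a trusted name but is registered elsewhere.
        for trusted in TRUSTED_DOMAINS:
            if trusted in host and registrable(host) != registrable(trusted):
                findings.append((href, f"lookalike of {trusted}"))
                break
    return findings


# Constructed sample: the fake "reset your password" mail the article describes.
SAMPLE_MAIL = """<p>Please reset your password for security purposes.</p>
<a href="http://bank.example.com.evil-host.test/reset">https://bank.example.com/reset</a>
<a href="https://facebook.com/login">Log in to Facebook</a>"""
```

Running `suspicious_links(SAMPLE_MAIL)` flags only the first link, because its visible text names bank.example.com while the href lands on evil-host.test; the genuine Facebook link passes both checks.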
b. Online Scams
Online scams lure the target with free offers, impressive coupons, and other deals into entering a username and password. When the victim is lured this way, there is a high probability that s/he enters the correct credentials. The attacker then uses the captured information to gain access to the victim's account at the organization associated with it.
Attackers also send malicious programs through email. These programs execute automatically to capture information from the target's device. The attacker crafts these emails so that victims are easily enticed to open them or click on the items in them.
Email attachments may contain viruses, worms, and Trojans, which execute when the victim opens the attachment or clicks on some item in it.
Viruses and worms are both malicious software that executes without the target's knowledge, but they are not the same. Viruses use carrier programs to spread: a virus attaches to a host program, such as a macro, game, email attachment, or animation, and becomes active when that host program runs.
Worms, on the other hand, do not need a carrier program because they self-replicate and move from one host to another on their own, whereas viruses require another program in order to spread.
All these methods an attacker can use against individuals and organizations are termed attack vectors.