9 Surprisingly Prevalent Social Engineering Techniques

June 26, 2015 | Views: 5419


This article will illustrate 9 surprisingly prevalent techniques used by attackers to carry out social engineering offenses.

Human-Based and Computer-Based Social Engineering

1. Impersonation: “An impersonation attack is an attack in which an adversary successfully assumes the identity of one of the legitimate parties in a system or in a communications protocol” (Encyclopaedia of Cryptography and Security).

2. Dumpster Diving: The attacker goes through trash (commercial or residential) that might contain items the target has discarded; to a dumpster diver these items can be very valuable (social engineering.org, 2009). He or she sifts through the trash seeking information that could support the attack: medical records, resumes, personal photos and emails, bank statements, account details, information about installed software, or tech support logs. A target's trash can hold valuable secrets.

3. Tailgating: An attacker gains access to a restricted area without authorization by following a legitimate, authorized person through the entrance. By doing so, the attacker evades scrutiny by the guards and the restrictions imposed by the access control mechanism at the gate.

4. Shoulder Surfing: This is a classic, low-tech technique. The attacker peers over the shoulder of an individual, employee or company clerk while he or she enters valuable, secret information into a computer: a username, password or any other credentials that can facilitate an attack.

5. Pop-up Window Attack: In these attacks, a pop-up window appears on the victim's computer indicating that the network connection has been lost and that the user must re-enter their username and password to reconnect. The window is generated by a previously installed malicious program, which then sends the victim's credentials to the attacker.

6. IM/IRC: Victims are directed to a website that claims to offer support or helpful information. The attacker has set up the site to plant Trojan horse programs on the user's computer, which the attacker then uses to gain access to that computer and the network it is connected to.

7. E-mail Attachments: Email attachments are used as a means to spread Trojan horses or other malicious programs that give the attacker access. Users are tricked by attractive subject lines and further persuaded by the body of the email to open the attachments.

8. Phone Calls: This is the most common type of all. Attackers call an individual or company purporting to be a legitimate person. Adopting false identities, such as computer technicians or fellow employees, often does the trick. Many victims of these attacks are help desk staff, whose main task is to help and provide information to callers.

9. Email Scams: Email scams are becoming more and more common. They are used to obtain personal and sensitive information, such as credit card numbers, from victims. The victim might receive an email claiming to be from the IT management team of their organization, stating that their account will be deleted unless the user confirms they still use the service. To confirm, the target must reply with credentials such as their username and password. By designing a proper and convincing email, social engineers gain information about their victims in a way that raises less suspicion.

Bonus: Reverse Social Engineering

Reverse Social Engineering (RSE) is also a kind of social engineering, but it is still not widely reported.

This attack is constructed by:

  • Using baiting to stimulate the target's curiosity.
  • Getting the victim's attention and raising his/her interest level.
  • Waiting for the victim to approach the attacker and make the initial contact.

A simple example of Reverse Social Engineering is when an attacker emails a phone number to a group of targets (from a spoofed email address). The email instructs the victims to call the number if they face any problems. The attacker then sits back and waits for the phone to ring. Those who call will be ready, willing and able to share information, since they initiated the call.

Thanks and I hope this info was useful to you.
