By: TRANSLTR
June 26, 2015

9 Surprisingly Prevalent Social Engineering Techniques

This article illustrates 9 surprisingly prevalent techniques used by attackers to carry out social engineering attacks.

Human-Based and Computer-Based Social Engineering

1. Impersonation: “An impersonation attack is an attack in which an adversary successfully assumes the identity of one of the legitimate parties in a system or in a communications protocol” (Encyclopaedia of Cryptography and Security).

2. Dumpster Diving: Divers go through trash (either commercial or residential) that might contain items a target has discarded. The items look very valuable to a dumpster diver (social engineering.org, 2009). He/she sifts through the trash seeking information that might help leverage the attack: medical records, resumes, personal photos and emails, bank statements, account details, or information about software and tech support logs. The target's trash could hold the target's valuable secrets.

3. Tailgating: An attacker gains access to a restricted area without authorization by following a legitimate or authorized person upon entry. By doing so, the attacker can evade scrutiny by the guards or the restrictions imposed by the access control mechanism at the gate.

4. Shoulder Surfing: This is a classic, non-technical technique. The attacker peers over the shoulder of an individual, employee or company clerk while he/she enters valuable, secret information into a computer: a username, password or any other credentials that can facilitate an attack.

5. Pop-up Window Attack: In these attacks, a pop-up window appears on the victim’s computer indicating that the network connection has been lost. The user is told to re-enter their username and password to reconnect. The window is generated by a previously installed malicious program, which sends the victim's credentials to the attacker.

6. IM/IRC: Victims are directed to a website that claims to give support or helpful information. The attacker has set up the site to plant Trojan horse programs on the user’s computer. These are used by the attacker to gain access to that computer and the connected network.

7. E-mail Attachments: Email attachments are used as a means to spread Trojan horses or other malicious programs that give access to the attacker. Users are tricked by attractive titles and are further persuaded by the body of the email to open them.

8. Phone Calls: This is the most common type of all. Attackers call an individual or company purporting to be a legitimate person. Assuming false identities, such as a computer technician or a fellow employee, often does the trick. Many victims of these attacks are help desk staff, whose main task is to help and provide information to callers.

9. Email Scams: Email scams are becoming more and more common. They are used to get personal and sensitive information, such as credit card numbers, from victims. The victim might receive an email that claims to be from the IT management team of their organization. It states that their account might be deleted unless the user confirms that they still use the service. For confirmation, the target must reply with credentials such as the username and password. Social engineers use these methods to gain information about their victims in a less suspicious way, by crafting a proper and convincing email.

Bonus: Reverse Social Engineering

Reverse Social Engineering (RSE) is also a kind of social engineering, but it is still not widely reported. This attack is constructed by:
  • Using baiting to stimulate the target’s curiosity
  • Getting the victim’s attention and raising his/her interest level
  • Waiting for the victim to approach the attacker and make the initial contact
A simple example of Reverse Social Engineering is when an attacker emails a phone number to a group of targets (through a spoofed email address). The email instructs the victims to call the number in case they face any problems. The attacker then sits back and waits for the phone to ring. Those who call will be ready, willing and able to share information, since they initiated the call.

Thanks and I hope this info was useful to you.