Social engineering can be thought of as the act of engaging with an entity socially with the intent of extracting some withheld information or executing some tasks on the attacker’s behalf. The compromised entity is not aware of the malicious intentions of the attacker, and would most of the time divulge information unknowingly. This information can be as simple as the date of birth or a favorite sports car which may be the answer to a security question or a detailed design of an information system that the compromised entity is or was a part of.
Social Engineering Techniques
Social engineering attacks are the most unique forms of hacking as they involve maximum creativity and can be carried out at almost all points of human interaction.
Let us list down some of the most common techniques used:
Phishing is perhaps the most famous of the social engineering attacks. Simply put, phishing is the act of impersonating a legitimate source for a target user and obtaining private information on the pretext of a legitimate transaction. Phishing ultimately aims for the target to perform some action such as clicking some web links that would capture the authentication/financial data of the target who enters the same under the impression of performing a legitimate action. It may also involve a user sharing information with the attacker via call or another communication medium.
Over time, phishing has been further classified primarily on the basis of the mode of communication. Some common ones include:
- Voice Phishing or “Vishing” is generally used by attackers to gain information like card information, one-time passwords, organizational intelligence, and so on. The attackers pose as representatives of institutions and ask the target user to perform some actions on the pretext of rewards, service, account verification or legal proceedings, and so on.
- Smishing is based on targets being provided malicious links via genuine-looking SMSes or similar messaging services. A text message of service expiry and a link to recharge the same can contain the link to a page that would steal the payment information.
- Web Phishing is executed by creating genuine-looking web pages for some actual services or businesses, and getting the target user to perform actions on these pages. A very crude example of this is a recent spree of attacks where the attackers managed to put out fake customer care numbers on the internet resulting in the actual users of the service calling the hackers under the impression of talking to the actual customer care. Another common example is pages that redirect target users to the login pages of social or mailing sites on the pretext of authentication and presenting the user with similar-looking pages to capture their login information.
- Spear Phishing is a more specialized and directed phishing attack. The primary difference is that spear phishing is directed towards a specific target rather than trying out some luck on a large group of users. The communications are hence customized as per the target user after thorough research. This makes it a more tedious job but may offer a higher success rate.
Scareware: This involves bombarding the target with false alarms and warnings and providing software solutions for the same. These software are most of the time malware and do more harm than good. Scareware is mainly encountered as pop-ups on websites and contains a link to either malware downloads or a related website.
Water Holing: This is another category of a targeted attack. The attacker studies the browsing habits of the target and devices malware delivery through one of the trusted sources. This technique has a higher success rate as the target lets their guard down on familiar websites and hence, making them click on links or tricking them into downloading malware is relatively easy.
Water holing involves finding vulnerabilities in the websites being visited by the target. Once the vulnerabilities are found, the attacker injects malicious code into the website ready for delivery to the target. Another variant is where the attacker sets up a fake website and brings in the target to operate on it.
Pretexting: Pretexting involves the impersonation of either a legitimate authority or some scenario to engage the target and obtain information. The extent of pretexting depends upon the scenario and the information needed. This can again be limited to the online virtual world or an impersonation in the physical world.
For example, an attacker may create a fake social account to engage with the target online. Or the attacker may pretend to be a candidate for an interview to gain physical access to an organizational facility. The core principle of building and maintaining trust is of utmost importance in pretexting since the target cannot be allowed to get suspicious at any time during the hack phase.
Baiting: Baiting involves employing the greed and curiosity quotient of the target users. Baiting attacks are usually not very targeted because they are more of a chance-based scenario where all the onus is on the target taking the bait. Thus, attackers tend to spread out the bait over a large group or area to get the maximum result. The attack can also be carried out in the virtual or the physical world.
Identity Theft: This is very similar to pretexting. The only difference is that identity theft involves impersonating a real person. This is majorly done via forged identity documents. The attacker usually starts with forging or getting hold of a basic document of the target, such as a utility bill. This is followed by a chain of document creation and update iterations till the desired document like a credit card is created. These forged documents can then be used for financial frauds or simply discredit a person or an organization.
Eavesdropping and Shoulder Surfing: Eavesdropping refers to the act of listening to a conversation one is not part of. This could be achieved by either being physically present in the audible distance of the conversation or intercepting the conversation through means such as recorders, network interceptors, keyloggers, and so on.
Shoulder surfing refers to physically looking over the inputs a person is making on the system while performing some private or confidential activity, like logging in to a service. This is achieved by the attacker being in the line of sight of the input medium, such as a keyboard. An advanced method for this could be using high-resolution cameras in a cybercafé directed towards keyboards.
Application Repackaging: This refers to the act of modifying the original source code by adding custom malicious code and distributing the repackaged application to unsuspecting end users. These applications are usually redistributed on peer-sharing websites or cracked software versions.
Social engineering is one of the most interesting and rewarding methodologies in hacking. Requiring almost zero technical and IT skills, social engineering is all about soft skills like convincing and effective communication. A staggering 97% of malware targets victims through social engineering, leaving just 3% of them exploiting an exclusively technical vulnerability. With such a huge impact and vast applications, this is perhaps the jack of all trades when it comes to hacking.
Hope this was helpful.