Social Engineering: Difference between revisions

From Expertiza_Wiki
Jump to navigation Jump to search
No edit summary
Line 2: Line 2:


This form of forcing users to disclose information must be done through some human means.  The point of social engineering is to utilize the fallacies of human logic and biases to trick the target into revealing confidential information through various methods and tactics.
This form of forcing users to disclose information must be done through some human means.  The point of social engineering is to utilize the fallacies of human logic and biases to trick the target into revealing confidential information through various methods and tactics.
The precautions necessary against social engineering are required to be very proactive.  For example, you can put an anti virus program that will passively scan your computer for viruses automatically. However, the human must be actively on the defense for social engineering tricks and tactics that may be used against them.  Over the years, general guidelines for companies and employees have been developed to give the knowledge necessary to be vigilant and alert for social engineering fraud attempts.


==Tactics and Methods==
==Tactics and Methods==
Line 9: Line 11:


===Phishing===
===Phishing===
The main way of retrieving electronic information from victim voluntarily is through phishing.  Phishing, like social engineering, can be performed over various electronic and physical mediums.  In a general term, phishing is pretending to be something legitimate, when you are not.  When you fool the victim into thinking you are the legitimate source that is being faked, they will reveal all the information that would normally be required to use that source.  This may include account numbers, usernames, passwords, or even Social Security Numbers.
A major medium of phishing is through e-mail.  The example of a bank and customer is extremely common.  The attacker will send the victim an e-mail notifying them of some required account information to be updated.  This e-mail will look exactly like the standard e-mail the victim may have received from the bank before.  The victim will be required to login and update their information as soon as possible.  However, the link will not be sent to the bank website, but to a separate server that was setup by the attacker to retrieve the information.  This website, like the e-mail, will look exactly like the actual bank website.  Once the person types their login information, the attacker then has all the information they needed from the victim. 
Although uncommon, phishing may also be performed over the phone by pretending to be a representative of some company that is requesting some kind of account information.  The attacker may even know some basic information about the victim to prove that they are legitimate.  Usually, a victim will not question the call and will provide the necessary information.  The attacker can then use this information to take advantage of the victim by means of identity or property theft.


===Pretexting===
===Pretexting===


===Trojan Horse===
===Trojan Horse===

Revision as of 15:16, 23 July 2008

Social engineering a method of fraud and hacking that utilizes the humanity and nature of people to retrieve information from them voluntarily. By playing into the nature of the person, hacking through technological means is sometimes not necessary. If one can fool a person into giving away information voluntarily, then creating a program or hack to retrieve that information involuntarily is no required. Furthermore, it can be much simpler and efficient to get information from someone through social engineering than it would ever be to steal that information via a computer program or password cracker.

This form of forcing users to disclose information must be done through some human means. The point of social engineering is to utilize the fallacies of human logic and biases to trick the target into revealing confidential information through various methods and tactics.

The precautions necessary against social engineering are required to be very proactive. For example, you can put an anti virus program that will passively scan your computer for viruses automatically. However, the human must be actively on the defense for social engineering tricks and tactics that may be used against them. Over the years, general guidelines for companies and employees have been developed to give the knowledge necessary to be vigilant and alert for social engineering fraud attempts.

Tactics and Methods

There are various means of utilizing social engineering to obtain confidential and secret information such as passwords and private data. All of these methods work through some medium in which the attacker has to actually converse with the victim in some way, whether directly or indirectly. In all methods, feedback from the victim is required. This feedback is usually the necessary information the attacker was looking for.

Although social engineering tactics are heavily performed through electronic and computer mediums. There are many methods in which social engineering can be done through the physical realm. As long as there can be some form of communication between the attacker and the victim any medium may be used. Social engineering is so successful because it takes advantage of the fallacies of the human being. Whether by means of flattery, impersonation, and greed; social engineering is considered to some an art form of psychology.

Phishing

The main way of retrieving electronic information from victim voluntarily is through phishing. Phishing, like social engineering, can be performed over various electronic and physical mediums. In a general term, phishing is pretending to be something legitimate, when you are not. When you fool the victim into thinking you are the legitimate source that is being faked, they will reveal all the information that would normally be required to use that source. This may include account numbers, usernames, passwords, or even Social Security Numbers.

A major medium of phishing is through e-mail. The example of a bank and customer is extremely common. The attacker will send the victim an e-mail notifying them of some required account information to be updated. This e-mail will look exactly like the standard e-mail the victim may have received from the bank before. The victim will be required to login and update their information as soon as possible. However, the link will not be sent to the bank website, but to a separate server that was setup by the attacker to retrieve the information. This website, like the e-mail, will look exactly like the actual bank website. Once the person types their login information, the attacker then has all the information they needed from the victim.

Although uncommon, phishing may also be performed over the phone by pretending to be a representative of some company that is requesting some kind of account information. The attacker may even know some basic information about the victim to prove that they are legitimate. Usually, a victim will not question the call and will provide the necessary information. The attacker can then use this information to take advantage of the victim by means of identity or property theft.

Pretexting

Trojan Horse

Dumpster Diving

Phone Impersonation

Security, Precautions, and Defenses

Ethical and Legal Concerns

Study Guide

References

External Links