Social Engineering

From Expertiza_Wiki

Social engineering is a method of fraud and hacking that exploits human nature to get people to hand over information voluntarily. By playing on the target's nature, an attacker can often skip technical hacking altogether: if a person can be fooled into giving information away voluntarily, there is no need to write a program or exploit to take it involuntarily. Furthermore, it can be far simpler and more efficient to get information from someone through social engineering than it would ever be to steal it with a computer program or password cracker.

This way of getting users to disclose information must involve some human interaction. The point of social engineering is to exploit flaws in human reasoning and human biases to trick the target into revealing confidential information through a variety of methods and tactics.

The precautions necessary against social engineering have to be very proactive. For example, you can install an antivirus program that passively and automatically scans your computer for viruses; against social engineering, however, the human has to be actively on the defensive for the tricks and tactics that may be used against them. Over the years, general guidelines for companies and employees have been developed to provide the knowledge needed to stay vigilant and alert for social engineering fraud attempts.

Tactics and Methods

There are various ways of using social engineering to obtain confidential and secret information such as passwords and private data. All of them work through some medium in which the attacker actually converses with the victim in some way, whether directly or indirectly. In every method, feedback from the victim is required, and that feedback is usually the very information the attacker was looking for.

Although social engineering tactics are mostly carried out through electronic and computer mediums, there are many ways social engineering can be done in the physical realm as well. As long as there can be some form of communication between the attacker and the victim, any medium may be used. Social engineering is so successful because it takes advantage of human weaknesses; whether by means of flattery, impersonation, or greed, social engineering is considered by some to be an art form of psychology.

Social engineering can be extremely simple to perform, yet have dire effects and consequences. There are even guides and tips describing how hackers have used social engineering in extremely simple ways. Social engineering is considered so dangerous that Kevin Mitnick, a renowned hacker and early user of social engineering, was considered the most dangerous hacker. The FBI thought that Mitnick could start a nuclear war simply by using social engineering.

Phishing

The main way of retrieving electronic information from a victim voluntarily is through phishing. Phishing, like social engineering in general, can be performed over various electronic and physical mediums. In general terms, phishing is pretending to be something legitimate when you are not. Once the victim is fooled into thinking you are the legitimate source being imitated, they will reveal all the information that would normally be required to use that source. This may include account numbers, usernames, passwords, or even Social Security Numbers.

A major medium of phishing is e-mail. The example of a bank and its customer is extremely common. The attacker sends the victim an e-mail notifying them that some account information must be updated. This e-mail looks exactly like the standard e-mails the victim may have received from the bank before, and it requires the victim to log in and update their information as soon as possible. However, the link does not lead to the bank's website but to a separate server set up by the attacker to retrieve the information. This website, like the e-mail, looks exactly like the actual bank website. Once the victim types in their login information, the attacker has everything they needed from the victim.
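The defensive check that follows from this example is to look at where a link actually goes rather than what it shows. The script below is an added illustration, not part of the wiki page: it parses a constructed e-mail body in the style described above and flags anchors whose href leaves an assumed allowlist of the bank's real hostnames, or whose visible text names a different host than the href.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of the bank's real hostnames (an assumption for the example).
TRUSTED_HOSTS = {"examplebank.com", "www.examplebank.com"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lowercase hostname of a URL (scheme optional), or '' if none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def suspicious_links(html):
    """Return hrefs a defender should treat as likely phishing: the link
    leaves the bank's domains, or its visible text names a different host."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = host_of(href)
        # Only treat the visible text as a URL when it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        if target not in TRUSTED_HOSTS or (shown and shown != target):
            flagged.append(href)
    return flagged

# Constructed sample e-mail body in the style the page describes: the visible
# link text shows the bank, but the href points at the attacker's server.
SAMPLE_EMAIL = """<p>Dear customer, please update your account details.</p>
<a href="http://examplebank-secure-login.net/update">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help centre</a>"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_EMAIL))  # → ['http://examplebank-secure-login.net/update']
```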

Although less common, phishing may also be performed over the phone by pretending to be a representative of some company who is requesting account information. The attacker may even know some basic information about the victim and use it to appear legitimate. Usually the victim will not question the call and will provide the requested information. The attacker can then use this information to exploit the victim through identity or property theft.

Pretexting

Pretexting is the practice of using information already known about the victim to obtain even more information, or to use that information against the victim. Through pretexting, the attacker leverages the limited information already gained to extract more. Once enough information has been gathered, the attacker may obtain credit while pretending to be the victim, make purchases in the victim's name, or manipulate the victim's records.

The goal of pretexting is to convince someone that you are legitimately the victim. This may be done by proving that you know the victim's name, address, phone number, and Social Security Number. It could also be done by knowing the victim's username and password, retrieved earlier through phishing.

Trojan Horse

A Trojan Horse is a technological form of social engineering. Not only does it fool the victim into believing it comes from a legitimate source, but it also fools the computer the victim is using. A Trojan Horse is a program that may appear to perform a legitimate action but is in fact collecting sensitive information or stealing data in the background. The name is, of course, derived from the ancient tactic used by the Spartans to invade Troy by presenting a gift to the Trojans (itself an ancient example of social engineering).

Specifically, a gimme is a type of Trojan Horse that plays off social engineering. This tactic is used in conjunction with spamming or phishing: the victim receives a pop-up ad or e-mail advertisement for some software that would supposedly benefit them. Out of curiosity and because the program seems harmless, the victim installs it on their machine. The software may even perform as advertised, but in the background it is harvesting account information and other confidential data.

This is a case where a computer program pretends to be something it is not. Instead of a human being performing the pretexting, it is done by an automated program.

Security, Precautions, and Defenses

There are many precautions and defenses against social engineering, but there is a lack of education on how to defend against it. Defensive measures include rigorous identity verification, minimizing the number of people who have access to sensitive information, and reducing the level of trust granted to those who control information. Many companies have developed security policies and guidelines that employees should follow to minimize the risk of social engineering exploits.

Ethical and Legal Concerns

Study Guide

References

External Links