Social engineering can be categorized into two common types:
- Human-Based: This is achieved through direct person-to-person interaction between the attacker and the victim, whether in person or by phone. An example is calling the help desk of a bank to obtain the account details of an account holder.
- Computer-based (also known as phishing): This refers to attacks carried out with computer software that attempts to retrieve information. For example, an attacker sends the victim an email asking him/her to change a password "for security purposes". The mail contains a link to a cloned Facebook login page; the victim unknowingly enters his/her genuine credentials, the cloned page captures them, and they are exposed to the attacker.
For more information about social engineering, refer to What Do You Know About Social Engineering?
Human-based Social Engineering
Not all social engineering attacks are carried out through technical means. A social engineer can also gather information through conversation, impersonation, and dumpster diving. Such attacks are known as human-based social engineering. Some of the techniques used in human-based social engineering are:
a. Impersonating an Employee or Valid User
In this type of attack, the hacker pretends to be an employee of the target organization or a valid user of a system. The intention is to gain physical access to the information systems of the target organization. For example, the attacker might pretend to be a cleaner, who would have access to all the rooms or cubicles of the organization.
b. Posing as an Important Person
The hacker pretends to be an important user, such as an executive or high-level manager, who needs immediate assistance to gain access to a computer system. This technique takes advantage of the fact that lower-level employees, such as assistants, are expected to help high-level employees. In this manner, the social engineer gains access to the targeted system.
c. Using a Third Person
In this approach, the social engineer pretends to have permission from an authorized source to use the targeted system. For example, if the attacker targets a college's library system, he/she would claim to have the ICT officer's permission to perform maintenance on the system. Unknowingly, the librarians would give the attacker access to the system.
d. Calling Technical Support
Calling a help desk for support is said to be a classic technique in social engineering. It remains effective because help desks have no visual means of verifying who is calling. Since the people working at a help desk are trained to help the users of the targeted system, they make easy prey. For example, if the attacker wants to know the bank account number of a target individual, he/she would impersonate the target and call the help desk for help "remembering" the account number.
e. Shoulder Surfing
This technique enables the social engineer to obtain the targeted information by watching over the target's shoulder as he/she logs into the system. For example, suppose the attacker wants to log into a social networking site, say the Facebook account of a high official. The attacker would watch the valid user log in and then use the observed password to gain access.
f. Dumpster Diving
Paper printouts and scraps of paper in an organization's rubbish can contain useful information about the organization. Dumpster diving involves searching through what the organization throws away to collect such information. This kind of information gathering takes time, but hackers can often find passwords, filenames, or other pieces of confidential information.
g. Reverse Social Engineering
In the help desk calling method, the attacker asks the help desk for information. Reverse social engineering is the reverse of this: the attacker pretends to be someone working at the help desk. For example, the attacker would call the target account holder of a bank, impersonating an official at the bank's help desk, and ask for the account holder's confidential credentials, claiming that the bank lost the target's information while updating its system.
Computer-Based Social Engineering
Computer-based social engineering attacks usually involve sending email attachments containing malicious code, collecting data through fake websites, and using pop-up windows. Pop-up windows are windows that appear suddenly (pop up) when the user clicks the mouse or presses certain function keys, often large enough to cover the whole screen and demanding that the user click on some of the menus in them.
a. Phishing Attacks
Phishing attacks involve sending emails in which the attacker impersonates a bank, a credit-card company, or another organization. If the sender impersonates a bank, the mail asks the target to reset information such as an account number or PIN.
The emails the attacker sends contain links that redirect to fake websites (which appear to be the genuine ones). If the victim unknowingly submits his/her information through such a fake website, the attacker can easily capture it.
In another example of such attacks, the attacker claims to be a person from another country with a lot of money who needs the victim's help to get out of the country. These attacks target ordinary people, often preying on bank account access codes or other credentials.
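The password-reset lure described above works because the link text and the real link target do not have to match. The following is an added example, not code from the original article, showing how a mail gateway or awareness tool might flag such links: it parses an HTML email body, extracts every link, and warns when the real target domain differs from the organization's expected domain, when the visible text looks like a URL for a different domain, or when the target is a raw IP address. The email body, the domains `examplebank.com` and `examplebank-verify.net`, and the address `203.0.113.7` are constructed sample values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; a bare 'www.x.com/path' is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a hostname (www.examplebank.com -> examplebank.com).
    A production check would use a public-suffix list to handle e.g. co.uk."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/|$)", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def suspicious_links(html, expected_domain):
    """Return [(href, [reasons])] for every link that warrants a warning."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if IPV4.match(host):
            reasons.append("link target is a raw IP address")
        if registrable_domain(host) != expected_domain.lower():
            reasons.append(f"target domain {registrable_domain(host)!r} is not {expected_domain!r}")
        # Classic phishing tell: the visible text is a URL on a different domain.
        if LOOKS_LIKE_URL.match(text) and registrable_domain(host_of(text)) != registrable_domain(host):
            reasons.append("visible URL text does not match the real link target")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample email, modelled on the password-reset lure described above.
SAMPLE_EMAIL = """
<p>Dear customer, your password must be reset for security purposes.</p>
<p><a href="http://examplebank-verify.net/login">https://www.examplebank.com/reset</a></p>
<p>Or use <a href="http://203.0.113.7/login">this secure link</a>.</p>
<p>Questions? Visit our <a href="https://www.examplebank.com/help">Help Centre</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Only the two lures are reported; the genuine help-centre link passes. The domain comparison is deliberately crude (last two labels), which is enough to show the mismatch but would mis-handle multi-part public suffixes in real deployments.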
b. Online Scams
Online scams lure the target with free offers, impressive coupons, and other deals into entering a username and password. When the victim is enticed by such offers, there is a high probability that s/he will enter genuine credentials. The attacker can then use the captured information to gain access to the victim's account at the organization the credentials belong to.
Attackers also send malicious programs through email. These programs execute automatically to capture information from the target's device. The attacker crafts such emails so that victims are easily enticed to open them or click on the items in them. Email attachments can also contain viruses, worms, and Trojans, which execute when the victim opens the attachment or clicks on some item in it.
Viruses and worms are both malicious software that executes without the target's knowledge, but they are not the same. A virus uses a carrier program to spread itself: it attaches to a host program that is part of another executable, such as a macro, game, email attachment, or animation, and becomes active when that host program is run. A worm, on the other hand, does not need a carrier program, because it can self-replicate and move from one host to another on its own, whereas a virus requires another program in order to spread.
All these methods by which an attacker can attack individuals and organizations are termed attack vectors.