
Social Engineering

Dr.S.Palanikumar
Department of IT , NICHE, Kumaracoil
Date:10-05-2021
In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

An example of social engineering is the use of the "forgot password" function on most websites which require login. An improperly-secured password-recovery system can be used to grant a malicious attacker full access to a user's account, while the original user will lose access to the account.
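As an added example (not part of the slides), here are the two password-recovery designs the paragraph contrasts, in Python: a guessable reset token beside one that is unpredictable, stored only as a hash, time-limited and single-use. The service class, the in-memory store and the sample users are constructed for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

RESET_TTL_SECONDS = 15 * 60  # reset links stop working after 15 minutes


def weak_reset_token(user_id: int, now: float) -> str:
    # The "improperly secured" pattern: user id plus a timestamp is trivially
    # guessable, never expires and can be replayed, so it hands over the account.
    return f"{user_id}-{int(now)}"


class PasswordResetService:
    """Hardened 'forgot password' flow (constructed example with an in-memory store)."""

    def __init__(self, users: dict, now=time.time):
        self.users = users      # username -> {"email": ..., "password": ...}
        self.pending = {}       # sha256(token) -> (username, expires_at)
        self.now = now          # injectable clock so expiry can be exercised

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is stored: a leaked table does not leak live reset tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username: str) -> Optional[str]:
        # The user-facing response should be identical whether or not the account
        # exists (no account enumeration); None here just means "nothing to send".
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.pending[self._hash(token)] = (username, self.now() + RESET_TTL_SECONDS)
        return token                        # delivered out of band, e.g. by e-mail

    def complete_reset(self, token: str, new_password: str) -> bool:
        entry = self.pending.pop(self._hash(token), None)  # pop makes it single-use
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[username]["password"] = new_password
        return True
```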
Vishing

Vishing, otherwise known as "voice phishing", is the criminal practice of using social engineering over a telephone system to gain access to private personal and financial information from the public for the purpose of financial reward. It is also employed by attackers for reconnaissance purposes to gather more detailed intelligence on a target organization.
Phishing

Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business, such as a bank or credit card company, requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate, with company logos and content, and has a form requesting everything from a home address to an ATM card's PIN or a credit card number. For example, in 2003, there was a phishing scam in which users received emails supposedly from eBay claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had).[9] By mimicking a legitimate organization's HTML code and logos, it is relatively simple to make a fake Website look authentic. The scam tricked some people into thinking that eBay was requiring them to update their account information by clicking on the link provided. By indiscriminately spamming extremely large groups of people, the "phisher" counted on gaining sensitive financial information from the small percentage (yet large number) of recipients who already have eBay accounts and also fall prey to the scam.
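The lure described above relies on a link whose visible text or branding claims one site while the URL actually leads elsewhere. As an added example (not from the slides), this Python check parses the anchors in an HTML e-mail body and flags links whose displayed URL differs from their real destination, or whose host merely embeds a trusted brand name in an unrelated domain. The sample message is constructed and styled after the eBay case; the `registrable()` helper is a deliberate simplification that ignores public-suffix rules.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail), modelled on the 2003 eBay lure.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended unless you update your billing details.</p>
<a href="http://ebay-secure-update.example.net/login">https://www.ebay.com/account</a>
<a href="https://www.ebay.com/help">Help Center</a>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    # Crude "site" name: the last two labels (assumption: no public-suffix list).
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html: str, trusted_domains: set) -> list:
    """Return (href, reason) for links that show the classic phishing tells."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        site = registrable(urlparse(href).hostname or "")
        # Tell 1: the visible text is itself a URL on a different site than the href.
        if text.startswith(("http://", "https://")):
            shown = registrable(urlparse(text).hostname or "")
            if shown != site:
                findings.append((href, f"text shows {shown} but link goes to {site}"))
                continue
        # Tell 2: a trusted brand name buried inside an unrelated registrable domain.
        for brand in trusted_domains:
            if brand.split(".")[0] in (urlparse(href).hostname or "").lower() and site != brand:
                findings.append((href, f"lookalike of {brand}"))
    return findings
```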
Smishing

The act of using SMS text messaging to lure victims into a specific course of action. Like phishing, it can be clicking on a malicious link or divulging information. Examples are text messages that claim to be from a common carrier (like FedEx) stating a package is in transit, with a link provided.
Impersonation

Pretending or pretexting to be another person with the goal of gaining physical access to a system or building. Impersonation is used in the "SIM swap scam" fraud.
Pretexting

Pretexting (adj. pretextual) is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.[10] An elaborate lie, it most often involves some prior research or setup and the use of this information for impersonation (e.g., date of birth, Social Security number, last bill amount) to establish legitimacy in the mind of the target.[11] As a background, pretexting can be interpreted as the first evolution of social engineering, and continued to develop as social engineering incorporated current-day technologies. Current and past examples of pretexting demonstrate this development.

This technique can be used to fool a business into disclosing customer information, as well as by private investigators to obtain telephone records, utility records, banking records and other information directly from company service representatives.[12] The information can then be used to establish even greater legitimacy under tougher questioning with a manager, e.g., to make account changes, get specific balances, etc.
Spear phishing

• Although similar to "phishing", spear phishing is a technique that fraudulently obtains private information by sending highly customized emails to few end users. This is the main difference from phishing attacks: phishing campaigns focus on sending out high volumes of generalized emails with the expectation that only a few people will respond. On the other hand, spear-phishing emails require the attacker to perform additional research on their targets in order to "trick" end users into performing requested activities. The success rate of spear-phishing attacks is considerably higher than that of phishing attacks, with people opening roughly 3% of phishing emails compared to roughly 70% of potential attempts. When users actually open the emails, phishing emails have a relatively modest 5% success rate of having the link or attachment clicked, compared to a spear-phishing attack's 50% success rate.[13]
Water holing

Water holing is a targeted social engineering strategy that capitalizes on the trust users have in websites they regularly visit. The victim feels safe to do things they would not do in a different situation. A wary person might, for example, purposefully avoid clicking a link in an unsolicited email, but the same person would not hesitate to follow a link on a website they often visit. So, the attacker prepares a trap for the unwary prey at a favored watering hole. This strategy has been successfully used to gain access to some (supposedly) very secure systems.
Baiting

• Baiting is like the real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim.[15] In this attack, attackers leave malware-infected floppy disks, CD-ROMs, or USB flash drives in locations people will find them (bathrooms, elevators, sidewalks, parking lots, etc.), give them legitimate and curiosity-piquing labels, and wait for victims.
• For example, an attacker may create a disk featuring a corporate logo, available from the target's website, and label it "Executive Salary Summary Q2 2012". The attacker then leaves the disk on the floor of an elevator or somewhere in the lobby of the target company. An unknowing employee may find it and insert the disk into a computer to satisfy their curiosity, or a good Samaritan may find it and return it to the company. In any case, just inserting the disk into a computer installs malware, giving attackers access to the victim's PC and, perhaps, the target company's internal computer network.
Quid pro quo

• Quid pro quo means something for something:
• An attacker calls random numbers at a company, claiming to be calling back from technical support. Eventually this person will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and, in the process, have the user type commands that give the attacker access or launch malware.
• In a 2003 information security survey, 91% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen.[19] Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.
Tailgating

An attacker, seeking entry to a restricted area secured by unattended, electronic access control, e.g. by RFID card, simply walks in behind a person who has legitimate access. Following common courtesy, the legitimate person will usually hold the door open for the attacker, or the attackers themselves may ask the employee to hold it open for them. The legitimate person may fail to ask for identification for any of several reasons, or may accept an assertion that the attacker has forgotten or lost the appropriate identity token. The attacker may also fake the action of presenting an identity token.
