Social Engineering

Revision as of 18:47, 22 May 2020 by User (page created)

Social Engineering is the art of manipulating people so that they give up confidential information. The information an attacker is after varies, but when individuals are targeted the goal is usually to trick them into revealing passwords or bank details, or into giving the attacker access to their computer so that malicious software can be installed silently; that software in turn yields the same passwords and bank details and hands the attacker control of the machine. Attackers use social engineering because exploiting a person's natural inclination to trust is usually easier than finding an exploitable flaw in their software. It is far easier to fool someone into handing over a password than to recover that password by technical means (unless the password is very weak).[1]


Types of Social Engineering Attacks[2]

  • Baiting: This type of social engineering depends upon a victim taking the bait, not unlike a fish reacting to a worm on a hook. The person dangling the bait wants to entice the target into taking action.
    • Example: A cybercriminal might leave a USB stick loaded with malware where the target will find it, labelled in a compelling way such as "Confidential" or "Bonuses". A target who takes the bait picks up the device and plugs it into a computer to see what is on it. Opening the files it carries (or autorun, where that is still enabled) executes the malware on the computer.
  • Phishing: Phishing is a well-known way to grab information from an unwitting victim. Despite its notoriety, it remains quite successful. The perpetrator typically sends an email or text to the target, seeking information that might help with a more significant crime.
    • Example: A fraudster might send emails that appear to come from a source the would-be victims trust, such as a bank, asking recipients to click a link to log in to their accounts. Those who click the link are taken to a fake website that, like the email, looks legitimate. Logging in there hands the crook their credentials and, with them, access to their bank accounts.
    • Spear phishing: A targeted form of phishing in which the fraudster goes after ("spears") a specific person. The criminal might track down the name and email address of, say, a human-resources employee at a particular company, then send that person an email that appears to come from a senior executive. Recent cases involved a request for employee W-2 data, which includes names, mailing addresses and Social Security numbers. If the fraudster succeeds, the victim unwittingly hands over information that can be used to steal the identities of dozens or even thousands of people.
  • Email hacking and contact spamming: It’s in our nature to pay attention to messages from people we know. Some criminals try to take advantage of this by commandeering email accounts and spamming account contact lists.
    • Example: If your friend sent you an email with the subject, “Check out this site I found, it’s totally cool,” you might not think twice before opening it. By taking over someone’s email account, a fraudster can make those on the contact list believe they’re receiving email from someone they know. The primary objectives include spreading malware and tricking people out of their data.
  • Pretexting: Pretexting is the use of an interesting pretext — or ploy — to capture someone’s attention. Once the story hooks the person, the fraudster tries to trick the would-be victim into providing something of value.
    • Example: Let's say you receive an email naming you as the beneficiary of a will. The email asks for your personal and banking details to prove you are the real beneficiary and to speed up the transfer of your inheritance. Nothing is ever added to your account; instead, the details you supply give a con artist what is needed to access it and withdraw your funds.
  • Quid pro quo: This scam involves an exchange — I give you this, and you give me that. Fraudsters make the victim believe it’s a fair exchange, but that’s far from the case, as the cheat always comes out on top.
    • Example: A scammer may call a target, pretending to be an IT support technician. The victim might hand over the login credentials to their computer, thinking they’re receiving technical support in return. Instead, the scammer can now take control of the victim’s computer, loading it with malware or, perhaps, stealing personal information from the computer to commit identity theft.
  • Vishing: Vishing is the voice version of phishing. The "v" stands for voice, but otherwise the scam attempt is the same: the criminal uses the phone to trick a victim into handing over valuable information.
    • Example: A criminal might call an employee, posing as a co-worker, and persuade the victim to provide login credentials or other information that could be used to target the company or its employees.

Something else to keep in mind about social engineering attacks is that criminals can take one of two approaches. They are often satisfied with a one-off attack, known as hunting, but they can also play a long game, known as farming. Hunting is the short form: the criminal uses phishing, baiting or another of the techniques above to extract as much data as possible from the victim with as little interaction as possible. Farming is when the criminal sets out to build a relationship with the target, stringing the victim along for as long as possible in order to extract as much data as possible over time.


Principles of Social Engineering[3]
Social engineering draws heavily on the six principles of influence described by Robert Cialdini: reciprocity, commitment and consistency, social proof, authority, liking and scarcity.

  • Reciprocity – People tend to return a favor, hence the pervasiveness of free samples in marketing. In his talks Cialdini often uses the example of Ethiopia sending thousands of dollars in humanitarian aid to Mexico just after the 1985 earthquake, despite Ethiopia suffering a crippling famine and civil war at the time; Ethiopia was reciprocating the diplomatic support Mexico had given when Italy invaded Ethiopia in 1935. The good cop/bad cop strategy is also based on this principle, as is the quid pro quo scam above, where the "favor" of technical support is traded for credentials.
  • Commitment and consistency – If people commit, orally or in writing, to an idea or goal, they are more likely to honor that commitment, because they have stated that the idea or goal fits their self-image. Even if the original incentive or motivation is removed after they have agreed, they will continue to honor the agreement. Cialdini notes the techniques used on American prisoners of war during the Korean War to rewrite their self-image and obtain automatic, unenforced compliance. Another example is marketers who make the user dismiss a popup by clicking "I'll sign up later" or "No thanks, I prefer not making money".
  • Social proof – People will do things that they see other people are doing. For example, in one experiment, one or more confederates would look up into the sky; bystanders would then look up into the sky to see what they were missing. At one point this experiment was aborted, as so many people were looking up that they stopped traffic. See conformity, and the Asch conformity experiments.
  • Authority – People tend to obey authority figures, even when asked to perform objectionable acts. Cialdini cites incidents such as the Milgram experiments of the early 1960s and the My Lai massacre. In social engineering this is the spoofed executive email or the caller claiming to be from IT, whose instructions go unquestioned.
  • Liking – People are easily persuaded by people they like. Cialdini cites the marketing of Tupperware in what might now be called viral marketing: people were more likely to buy if they liked the person selling to them. He also discusses the many biases favoring physically attractive people (see physical attractiveness stereotype). A hijacked email account exploits the same principle, since the message appears to come from a friend.
  • Scarcity – Perceived scarcity generates demand; saying that an offer is available for a "limited time only" encourages sales. Phishing messages pull the same lever when they warn that an account will be locked unless the victim acts immediately.

References
  1. Definition – What Does Social Engineering Mean? (Webroot)
  2. 6 Types of Social Engineering Attacks (Norton)
  3. Six Key Principles of Social Engineering (Wikipedia)