October 17

Methods of social engineering, or attacks on the human factor

Even a system with a high level of security can be hacked simply because it is managed by a human.

Social engineering is used for:

  • Gathering information about the target
  • Obtaining confidential information
  • Gaining direct access to the system
  • Acquiring data that would otherwise be inaccessible

In the field of information security, the term 'social engineering' is used to describe the science and art of psychological manipulation. According to statistics, 55% of losses related to information security breaches are caused by employees who have been influenced by social engineers.

Features of Attacks on the Human Factor

  • Do not require significant costs
  • Do not require specialized knowledge
  • Can last for an extended period
  • Are difficult to trace

Humans are often much more vulnerable than systems. This is why social engineering aims to obtain information through people, especially in cases where access to the system is not possible (e.g., a computer with important data is disconnected from the network).

General Approach to the Attack

  • Gathering information about the victim (often through social media)
  • Establishing a trusting relationship
  • Exploitation
  • Covering up traces of presence

The common principle of all attacks is to mislead the victim. Various tactics targeting emotions, weaknesses, or other personality traits can be employed:

  • Love
  • Sympathy and pity
  • Greed and the desire for quick results
  • Fear of authority
  • Inexperience
  • Laziness

Popular Social Engineering Techniques

Phishing

Phishing attacks are the most common type of fraud in social engineering. The goal of phishing is to unlawfully obtain users' confidential data (such as login credentials). Attackers target users through email: they first gather a list of company employees and their email addresses from publicly available sources, then prepare a payload-laden email for those addresses.

The payload can generally be of two types:

  • A fake page of a corporate resource, used to steal passwords from users of the corporate network.
  • A malicious Office document.

To create a fake page, hackers copy the HTML and JavaScript code of the original corporate resource and make modifications that allow them to capture the username and password entered by users.

Malicious code embedded in an Office file executes as soon as the file is opened. This is typically done using a standard Microsoft Office feature: macros. Once launched, the document downloads an executable file that infects the user's workstation and gives the attackers remote access to steal information.
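The two payloads described above (a look-alike page that harvests credentials, and a macro-carrying Office attachment) leave recognisable traces in the message itself. The following Python script is an added example, not code from the original article: it triages a raw email for three indicators, a sender whose domain is a near-miss of the corporate domain, links whose visible text names a corporate host while the href points elsewhere, and macro-capable attachments. The corporate domain `example-corp.com`, the look-alike `examp1e-corp.com`, the `login-verify.net` host and the sample message are all constructed for illustration; the edit-distance threshold and the list of macro-capable extensions are assumptions to tune for your own environment.

```python
"""Heuristic phishing triage for the indicators described in the article.

Added example; the sample message, domains and thresholds are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumption: the organisation's own domain(s). Normally read from configuration.
CORPORATE_DOMAINS = {"example-corp.com"}

# Office formats that can carry VBA macros: macro-enabled OOXML and legacy binary formats.
MACRO_CAPABLE_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam", ".doc", ".xls", ".ppt"}

# Assumed threshold: domains within this edit distance of a corporate domain are look-alikes.
LOOKALIKE_MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; a real deployment would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_sender(msg: Message) -> list[str]:
    """Flag a From: header that names a corporate domain but is sent from a look-alike."""
    from_hdr = msg.get("From", "")
    m = re.search(r"<([^>]+)>", from_hdr)
    addr = (m.group(1) if m else from_hdr).strip().lower()
    dom = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    findings = []
    for corp in CORPORATE_DOMAINS:
        near_miss = 0 < levenshtein(dom, corp) <= LOOKALIKE_MAX_DISTANCE
        if dom != corp and (corp in from_hdr.lower() or near_miss):
            findings.append(f"sender {addr} impersonates {corp}")
    return findings


def check_links(html: str) -> list[str]:
    """Flag anchors whose visible text names a corporate host but whose href goes elsewhere,
    and hrefs whose registrable domain is a near-miss of a corporate domain."""
    findings = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        host = urlparse(href).hostname or ""
        dom = registrable_domain(host)
        visible = re.sub(r"<[^>]+>", "", text).strip().lower()
        if dom in CORPORATE_DOMAINS:
            continue  # genuinely points at a corporate resource
        for corp in CORPORATE_DOMAINS:
            if corp in visible:
                findings.append(f"link text mentions {corp} but href goes to {host}")
            elif 0 < levenshtein(dom, corp) <= LOOKALIKE_MAX_DISTANCE:
                findings.append(f"look-alike domain {host} (close to {corp})")
    return findings


def check_attachments(msg: Message) -> list[str]:
    """Flag attachments whose extension can carry macros."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MACRO_CAPABLE_EXTENSIONS:
            findings.append(f"macro-capable attachment {name}")
    return findings


def triage(raw: str) -> dict:
    """Run all checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw)
    findings = check_sender(msg) + check_attachments(msg)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            findings += check_links(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return {"findings": findings, "suspicious": bool(findings)}


# Constructed sample: look-alike sender, deceptive link text, macro-enabled attachment.
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@examp1e-corp.com>
To: alice@example-corp.com
Subject: Password expiry
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Sign in at
<a href="http://portal.example-corp.com.login-verify.net/">portal.example-corp.com</a></p>
--XX
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="Policy.docm"
Content-Disposition: attachment; filename="Policy.docm"
Content-Transfer-Encoding: base64

UEsDBBQ=
--XX--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL)["findings"]:
        print("SUSPICIOUS:", finding)
```

On the sample message the script reports all three indicators. The checks are deliberately simple string heuristics; in a mail gateway they would sit alongside SPF/DKIM/DMARC results and attachment sandboxing, and the registrable-domain approximation should be replaced by a public-suffix-list lookup before trusting it on real traffic.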

Social Engineering: Protection Recommendations

If you don’t want to become another victim of social engineers, I recommend following these protection rules:

  • Do not use the same password for accessing external and corporate resources.
  • Do not open emails from untrustworthy sources.
  • Lock your computer when you are not at your workstation.
  • Discuss only necessary information over the phone or in person.
  • Make sure to delete all confidential documents from portable devices.

If you still think that social engineering doesn’t deserve proper attention, read about some well-known social engineers, such as Victor Lustig (the man who sold the Eiffel Tower twice) or Robin Sage (a fake Facebook account that allowed Thomas Ryan to gain access to sensitive information from U.S. intelligence agencies).