Social engineering is the term used to describe manipulating other people into providing information or doing things on your behalf. In popular culture it is most commonly associated with cyber criminals, but in reality many of the techniques are the same ones confidence artists (“con artists”) have used for decades.
Given the widespread use of technology, both devices (laptops, phones, tablets) and services (the Internet, the World Wide Web, etc.), social engineering often makes use of these technologies, is used to target them, or both.
There are myriad forms of social engineering, but some of the most common are:
Phishing. While it has several sub-definitions (such as spear phishing, which targets a specific person or organisation, and whaling, which targets senior executives), phishing broadly means sending messages that purport to come from someone else, with a view to tricking the recipient into clicking a malicious link or opening a malicious attachment.
Phishing emails often carry a sense of urgency, typically a warning about unauthorised access to an account or similar. This is designed to encourage the victim to act quickly and with less caution than usual, so the sender address, the link destination and the wording are never examined closely.
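The traits described above (a sender that purports to be someone else, a link that goes somewhere other than it appears to, urgency language) can be checked mechanically. The script below is an added example, not code from the original article; the two messages it parses are constructed for illustration and use reserved example domains, and the phrase list and the "last two labels" domain comparison are simplifying assumptions rather than production-grade logic.

```python
"""Heuristic triage of a suspected phishing e-mail (added example).

Parses a raw RFC 5322 message and reports the classic tells:
  * Reply-To pointing at a different domain than From
  * a display name that looks like an address at a different domain
  * anchor text that is a URL for a different host than the real href
  * urgency phrases in the subject or body
The sample messages below are constructed; the domains are RFC 2606 reserved.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small hand-picked phrase list stands in for a real classifier.
URGENCY_PHRASES = (
    "within 24 hours", "account will be suspended", "unauthorised access",
    "unauthorized access", "verify your account", "immediately", "act now", "urgent",
)


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(s: str) -> str:
    """Crude registrable domain of a URL or address: the last two labels, lower-cased.
    Assumption/simplification: real code would consult the public suffix list.
    urlparse().hostname is used for URLs so 'http://good.example@evil.example/'
    resolves to the host that is actually contacted (evil.example)."""
    s = s.strip().lower()
    if "://" in s:
        host = urlparse(s).hostname or ""
    elif "@" in s:
        host = s.rsplit("@", 1)[1]
    else:
        host = s
    return ".".join(host.split(".")[-2:])


def triage(raw: bytes) -> dict:
    """Return the findings for one raw message; score is the number of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # Replies (and anything the victim types into them) go to a third party.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To {_domain(reply_addr)} differs from From {_domain(from_addr)}")

    # Display name is itself an address at another domain: "security@bank" <x@attacker>.
    if "@" in from_name and _domain(from_name) != _domain(from_addr):
        findings.append(f"display name claims {_domain(from_name)}, sent from {_domain(from_addr)}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        # Visible URL and real destination disagree: the core of a credential lure.
        if text.startswith("http") and _domain(text) != _domain(href):
            findings.append(f"link text shows {_domain(text)} but points to {_domain(href)}")
        elif _domain(href) != _domain(from_addr):
            findings.append(f"link leaves sender domain for {_domain(href)}")

    # Urgency language; whitespace is normalised so phrases split across lines still match.
    plain = re.sub(r"<[^>]+>", " ", html)
    haystack = re.sub(r"\s+", " ", (str(msg.get("Subject", "")) + " " + plain)).lower()
    urgency = [p for p in URGENCY_PHRASES if p in haystack]
    if urgency:
        findings.append("urgency phrases: " + ", ".join(urgency))

    return {"from": from_addr, "reply_to": reply_addr, "links": collector.links,
            "urgency": urgency, "findings": findings, "score": len(findings)}


# Constructed lure: spoofed display name, foreign Reply-To, mismatched link, urgency.
SAMPLE = b"""From: "security@example.com" <alerts@bank-secure.example>
Reply-To: helpdesk@mail-verify.example
To: customer@example.org
Subject: Urgent: unauthorised access detected on your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unauthorised access to your account. Your account will be
suspended unless you verify your account within 24 hours.</p>
<p><a href="http://bank-secure.example/login">https://www.example.com/login</a></p>
</body></html>
"""

# Constructed benign message for comparison.
BENIGN = b"""From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Reminder: planned maintenance on Saturday
Content-Type: text/plain; charset="utf-8"

The wiki will be read-only on Saturday morning.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE), ("benign", BENIGN)):
        result = triage(raw)
        print(f"{label}: score {result['score']}")
        for f in result["findings"]:
            print("  -", f)
```

The score is only a triage aid: a legitimate newsletter will trip the "link leaves sender domain" check, and a careful attacker can avoid every one of these tells, so treat a zero score as "nothing obvious" rather than "safe".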
Watering hole. When targets are too savvy to fall for phishing emails, criminals instead compromise other systems that the targets already trust, such as websites they frequent. This can be more effective because trust has already been established. There have been cases of criminals purchasing the rights to mobile phone apps in order to introduce malware into an app and so reach its existing users.
A suspected case of espionage using a trusted channel in this way was the compromise of ASUS's software update servers discovered in early 2019. The servers that deliver updates to the computers ASUS manufactures had been hacked, yet no ransom demand or other overtly malicious behaviour was found. On investigation a payload was found to be distributed, but not to all ASUS machines: it was only activated on a specific, hard-coded list of machine identifiers (network adapter MAC addresses), presumably to keep the operation below the radar for as long as possible. Many suspect this was a state-sponsored attack against a specific list of targets. Strictly it is better described as a software supply-chain attack than a watering hole, since the trusted channel abused was the vendor's own update mechanism rather than a third-party website, but the principle is the same: the victim is reached through something it already trusts.
Tailgating. Originally an American term for a car driving close to the rear (or ‘tailgate’) of another car, in security it means an unauthorised person gaining access to a secure area by walking in behind an authorised person, generally without that person’s knowledge. Typically this is used where staff must swipe an access card to pass through a secured door: the unauthorised person walks through before the door closes, relying on people’s trusting nature not to question whether they are entitled to do so.
Baiting. A simple way of getting malicious hardware or software onto a network is to have legitimate users do it for you. Baiting tricks users into deploying malicious hardware or software themselves, generally by disguising it as something desirable, such as a USB drive left where it will be found, purporting to contain free software or confidential information.
Vishing. Voice phishing, or vishing, is the use of fraudulent automated phone systems that sound like those of a legitimate organisation such as a bank. Victims are asked to log in, enter PINs and other sensitive details to “verify their identity”, giving the criminals everything they need to access the victim’s real account.