Despite being an integral aspect of many, if not most, major attacks, social engineering tactics always seem to go underappreciated by enterprise security teams. However, it’s often easier to trick someone into opening an email and exploiting a vulnerability that way, or convincing an unsuspecting assistant to provide a few useful bits of information, than it is to directly attack a web application or network connection.
So, when attackers employ social engineering tactics, what exactly are they doing? Think of social engineering as the act of exploiting people instead of computer systems. That exploitation can come in the forms of convincing someone to provide physical entrance to the data center (perhaps by acting like an insider or service tech) or tricking someone into offering a password and user ID over the phone.
The techniques for social engineering range widely, as does the potentially targeted information. For example, we said that social engineering could include a phishing email that tricks a user to open an attachment that includes some type of exploit or payload. But social engineering techniques include showing up dressed as delivery people, tech support, corporate attorney, salespeople, job applicants—you name it and it probably had been attempted and likely been used successfully somewhere.
Often, it’s the goal of the social engineer to push an attack just one step further by obtaining a password, or even getting a name that can be dropped in a planned, deeper social engineering attack. Or, it could be as simple as attempting to obtain information about the network and computer systems and where data are held within the organization.
Any organization that wants to protect its information systems and intellectual property needs to be aware of social engineering threats and train employees to be able to quickly identify such attacks. People throughout the organization can be approached at any time: friended online, approached at trade shows, or have criminals act as insiders as part of an attack.
Here are more details on how social engineers work, from our CSO’s Ultimate Guide to Social Engineering:
How social engineers work
There is an infinite number of social engineering exploits. A scammer may trick you into leaving a door open for him, visiting a fake Web page or downloading a document with malicious code, or he might insert a USB in your computer that provides access to your corporate network.
Typical ploys include:
Stealing passwords: In this common maneuver, the hacker uses information from a social networking profile to guess a victim’s password reminder question. This technique was used to hack Twitter and break into Sarah Palin’s e-mail.
Friending: In this scenario, a hacker gains the trust of an individual or group and then gets them to click on links or attachments that contain malware that introduces a threat, such as the ability to exploit a weakness in a corporate system. For example, says Netragard CTO Adriel Desautels, he might strike up an online conversation about fishing and then send a photo of a boat he’s thinking of buying.