The most common social engineering attacks

The human is the weakest link in the security chain. You can have the best technology in place to offset the risk of a malicious attack, but an organisation that doesn't train its staff or have sound practices in place is at even greater risk.

In fact, the most effective way of compromising a network is to target people, using deception to gain access to internal systems, email accounts or credentials. Attackers who rely on guile are the hardest to defend against, because their attacks don't depend on a software flaw at all, only on ordinary human error. This is called social engineering, and it's worth taking stock of the most common techniques in order to protect against them.

Social engineering at its core is the art of lies and manipulation, the oldest tactics there are. Even though the threat landscape is getting more sophisticated, it's often the low-hanging fruit of spray-and-pray phishing that does the most damage. This is by no means an exhaustive list, and plenty of books have been written on the matter, so treat it as a loose guide rather than anything definitive. Read on for some of the most common types of social engineering attack.

Phishing

Phishing is the attempt to obtain private information or credentials by deception, and it can take many forms. A common one is tricking a user into entering their credentials on a legitimate-looking website that feeds them straight back to the attacker. Typically the victim receives an email that appears to come from a real business, such as eBay or PayPal, warning them that they must sign in. When they do, on the attacker's copy of the site, their login details are captured. The tell is usually in the link itself: the page may look right, but the address it points at is not the brand's own domain.
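As an added example (not code from the original article), the script below checks the sort of link a phishing email carries against a small allow-list of brand domains and reports the classic impersonation patterns: a bare IP address as the host, the brand name used as a subdomain of someone else's domain, the brand name embedded in an unrelated registrable domain, and lookalike spellings such as a digit one in place of a lowercase L. The brand list, the confusable-character table and the sample URLs are constructed for illustration, and the registrable-domain logic assumes plain two-label domains because no public-suffix list is available offline.

```python
"""Flag links whose host impersonates a known brand domain.

Added example, not code from the original article. BRAND_DOMAINS,
CONFUSABLES and the sample URLs are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of legitimate brand domains (assumption).
BRAND_DOMAINS = {"paypal.com", "ebay.com"}

# Substitutions phishers use to make one string look like another
# (digits for letters, letter pairs that resemble a single glyph).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(label: str) -> str:
    """Undo common confusable substitutions so lookalikes compare equal."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Assumption: two-label registrable domains only. Real deployments need a
    # public-suffix list so that "example.co.uk" is not split as "co.uk".
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(url: str) -> list[str]:
    """Return the impersonation indicators found in the link's host.

    An empty list means "no indicator", not "safe": a freshly registered
    domain with no brand name in it passes every check here.
    """
    host = (urlsplit(url).hostname or "").lower()
    reasons: list[str] = []

    # Indicator 1: a bare IP address instead of a hostname.
    try:
        ipaddress.ip_address(host)
        return ["host is a bare IP address"]
    except ValueError:
        pass

    domain = registrable_domain(host)
    if domain in BRAND_DOMAINS:
        return reasons  # e.g. www.paypal.com really is PayPal's domain

    labels = host.split(".")
    dom_label = domain.split(".")[0]
    for brand in sorted(BRAND_DOMAINS):
        brand_label = brand.split(".")[0]
        # Indicator 2: brand name as a subdomain of an unrelated domain
        # (paypal.com.login-verify.example).
        if any(brand_label in label for label in labels[:-2]):
            reasons.append(f"'{brand_label}' used as a subdomain of {domain}")
        # Indicator 3: brand name embedded in the registrable domain
        # (paypal-login.example).
        if brand_label in dom_label and dom_label != brand_label:
            reasons.append(f"'{brand_label}' embedded in registrable domain {domain}")
        # Indicator 4: lookalike spelling (paypa1.com, paypal.co, ebuy.com).
        if edit_distance(normalise(dom_label), normalise(brand_label)) <= 1:
            reasons.append(f"{domain} is a lookalike of {brand}")
    return reasons


if __name__ == "__main__":
    # Constructed sample links; 192.0.2.0/24 is the documentation range.
    for sample in (
        "https://www.paypal.com/signin",
        "https://paypa1.com/login",
        "https://paypal.com.login-verify.example/signin",
        "http://192.0.2.10/paypal/login",
    ):
        print(sample, "->", phishing_indicators(sample) or "no indicator")
```

The edit-distance threshold of 1 is deliberately tight; with very short brand labels it will still throw false positives, and an attacker who registers a domain with no brand name in it at all ("account-review-centre.example") is not caught by any of these checks. In practice this kind of heuristic sits alongside domain-reputation data and an allow-list of the organisation's own login URLs, and the real control is that users never enter credentials from a link in an email in the first place.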

Spear phishing

Spear phishing also aims to obtain credentials or access through deception, but it differs from the spray-and-pray approach in being highly targeted. The attacker builds a careful profile of the target, often from publicly available information, and crafts a message that fits that person's role and contacts. High-value targets such as CFOs have notoriously fallen victim, sometimes signing off on transfers of hundreds of thousands of dollars to attacker-controlled bank accounts, from which the money is then laundered.

Vishing

Short for voice phishing, this is essentially a phishing attack over the phone: ringing someone up and asking them for their credentials. The caller could be a person, or it could be an automated dialling system using synthesised speech to convince the person on the other end of the line to hand over information they shouldn't. Advances in speech synthesis, which make it practical to imitate a specific voice, are likely to produce more convincing versions of this attack in the near future.

Waterholing

Once an attacker has profiled their victim(s), a waterholing attack places an exploit on a website that person or organisation visits frequently. The exploit drops malware, such as a remote access trojan, onto the visitor's machine, after which the attacker can begin exfiltrating data. As Trend Micro points out, in late 2012 the Council on Foreign Relations website was compromised to host a zero-day exploit for Internet Explorer, exposing anyone who visited the site with a vulnerable version of the browser.

Quid pro quo

This means 'something for something': the attacker offers something of genuine worth to the victim and, in exchange, worms their way into the target's network. An example would be the attacker posing as a technical support worker, genuinely helping to solve a problem the person on the other end of the line is having, but then also talking them into typing a command that installs a backdoor.

But as Tripwire notes, it could be something as simple as offering a chocolate bar in exchange for a password.

Baiting

Here the attacker wants to lure the victim into executing code, usually by piquing their curiosity or otherwise convincing them to plug in hardware or run software that carries hidden malware. For example, innocent-looking USB sticks handed out at a conference stall could actually contain malware. A common variant is simply leaving a USB drive in the car park and waiting for an employee to pick it up and plug it in.

Pretexting

Pretexting is when an attacker creates a plausible scenario and tricks the victim into playing along with it in order to steal their information. One reported case shows how even the security-aware can be conned: an impostor on the phone claiming to be from the victim's bank tricked the target into reading aloud the confirmation texts the bank sent, which handed over the one-time codes protecting the account and ultimately cost the victim $1,000.

It relies on fostering a false sense of trust with the victim, who for whatever reason gives the attacker the benefit of the doubt.

Tailgating

Essentially following someone who has legitimate access into a restricted area, using ruses such as disguises to lull the victims into a false sense of security. You'd be surprised at the access granted to someone simply donning a high-visibility vest and carrying a clipboard, as journalists have demonstrated.

One security engineer for Siemens Enterprise Communications was able to gain access to a FTSE-listed financial firm by... walking in.

Copyright © 2018 IDG Communications, Inc.