Security is Everyone's Job

Social Engineering

Social engineering is a technique that uses psychological manipulation to trick people into revealing sensitive information, performing actions that compromise their security, or falling for scams.

Social engineering exploits human weaknesses, such as curiosity, greed, fear, or trust, rather than technical vulnerabilities.

Social engineering is sometimes called “human hacking” because it targets the human element of security systems.

Here are some common types of social engineering attacks:

Phishing: Sending fraudulent emails that appear to be from legitimate sources, such as banks, government agencies, or online services, and asking the recipients to click on a link, open an attachment, or provide personal information. The link may lead to a malicious website that steals the user’s credentials or infects their device with malware. The attachment may contain malware that executes when opened. The personal information may be used for identity theft or other fraud.
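The phishing paragraph above lists the usual lure: a message that looks like it comes from a trusted source and a link whose real destination differs from what it appears to be. The following scanner is an added example, not code from this page or from any of the tools it names; it runs a handful of defender-side heuristics over a constructed HTML e-mail and reports the indicators that fired. The domain `examplebank.com`, the sender addresses, and the link `198.51.100.23` (a documentation-range address) are all constructed for the example.

```python
"""Heuristic phishing-indicator scan over a constructed e-mail (added example, not from the page)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that pressure the reader to act without thinking; extend for your own environment.
URGENCY_TERMS = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Good enough for the constructed samples;
    a real deployment would consult the Public Suffix List for multi-part TLDs."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def scan(sender, html_body, trusted_domains):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    parser = _LinkExtractor()
    parser.feed(html_body)

    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        # Visible text looks like a URL but the real destination is a different site.
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
        # Destination is a bare IPv4 address rather than a named host.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link to raw IP address {host}")
        # A trusted brand name embedded in a domain that is not the brand's own (lookalike).
        for brand in trusted_domains:
            label = brand.split(".")[0]
            if label in host and registrable_domain(host) != brand:
                findings.append(f"brand name '{label}' inside untrusted domain {host}")

    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    for term in URGENCY_TERMS:
        if term in plain:
            findings.append(f"urgency language: '{term}'")

    if sender_domain not in trusted_domains:
        findings.append(f"sender domain {sender_domain} not in trusted list")
    return findings


TRUSTED = frozenset({"examplebank.com"})  # constructed: the organisation's own domain

# Constructed phishing sample: pressure language plus a raw-IP link hidden behind a genuine-looking URL.
PHISHING_SAMPLE = (
    "security@examplebank-support.com",
    '<p>Your account has been suspended. Verify your account immediately: '
    '<a href="http://198.51.100.23/login">https://www.examplebank.com/login</a></p>',
    TRUSTED,
)

# Constructed benign sample: sender and link both on the trusted domain, no pressure language.
BENIGN_SAMPLE = (
    "alerts@examplebank.com",
    '<p>Your monthly statement is ready. '
    '<a href="https://www.examplebank.com/statements">View statement</a></p>',
    TRUSTED,
)

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{name}: {scan(*sample) or ['no indicators']}")
```

Each heuristic on its own is weak (legitimate mail uses link trackers and marketing copy says "act now"), which is why the function returns every finding rather than a verdict: a mail gateway or awareness exercise would weigh several indicators together, and the benign sample shows that a message from the real domain with a plain link trips none of them.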

Vishing: Making phone calls that impersonate legitimate entities, such as tech support, law enforcement, or financial institutions, and asking the targets to verify their identity, provide account details, or make payments. The caller may use spoofing techniques to make the phone number appear authentic. The caller may also use social pressure, threats, or urgency to persuade the target to comply.

Baiting: Offering something enticing, such as free software, music, games, or money, in exchange for information or access. The bait may be delivered through physical media, such as USB drives, CDs, or DVDs, that contain malware or spyware. The bait may also be delivered through online platforms, such as social media, chat rooms, or forums, that lure the target to a malicious website or download.

Pretexting: Creating a false scenario or identity to gain the target’s trust and cooperation. The attacker may pretend to be someone the target knows or respects, such as a coworker, friend, family member, or authority figure. The attacker may also fabricate a situation that requires the target’s help or involvement, such as an emergency, a survey, a contest, or a donation. The attacker may use this pretext to ask for information or access that they normally would not have.

Quizzing: Asking seemingly harmless questions that reveal useful information about the target or their organization. The questions may be related to personal details, hobbies, interests, preferences, opinions, or experiences. The attacker may use this information to build rapport with the target, guess their passwords or security questions, or launch more sophisticated attacks.

Some of the consequences of social engineering attacks are:

Data breach: The attacker may access confidential or sensitive data belonging to the target or their organization. This data may include personal information, financial records, intellectual property, trade secrets, customer data, employee data, etc. The attacker may use this data for malicious purposes, such as identity theft, fraud, blackmail, extortion, espionage, sabotage, etc.

Malware infection: The attacker may install malware on the target’s device or network. This malware may perform various malicious actions, such as stealing data, deleting files, encrypting data for ransomware demands (see ransomware definition), spying on activities (see spyware definition), logging keystrokes (see keylogger definition), hijacking resources (see cryptojacking definition), etc.

System compromise: The attacker may gain unauthorized access to the target’s device or network. This access may allow the attacker to control the device or network remotely (see remote access trojan definition), modify settings (see rootkit definition), create backdoors (see backdoor definition) for future attacks (see advanced persistent threat definition), disrupt operations (see denial-of-service attack definition), etc.

Financial loss: The attacker may steal money from the target or their organization. This money may be obtained through direct theft (such as transferring funds from bank accounts), indirect theft (such as using stolen credit cards), extortion (such as demanding ransom for data decryption), fraud (such as making purchases with stolen credentials), etc.

Reputation damage: The attacker may harm the reputation of the target or their organization. This harm may result from exposing sensitive data (such as personal scandals), spreading false information (such as fake news), impersonating identities (such as sending spam emails), defacing websites (such as changing content), etc.

Social engineering services and tools

SET: The Social-Engineer Toolkit (SET) is an open-source framework for performing social engineering attacks. It includes various modules that can create and send phishing emails, clone websites, generate payloads, harvest credentials, and more. It is designed to be used by penetration testers and security researchers to test the security awareness of their targets.

Gophish: Gophish is an easy-to-use platform that can run on Linux, macOS, and Windows desktops. With Gophish, you can create and monitor phishing campaigns, landing pages, sending profiles, and more. You can also train your employees on how to spot and avoid phishing emails by sending them simulated attacks and providing feedback. Gophish is free and open-source software.

SpoofCard: SpoofCard is a service that allows you to spoof your caller ID and voice when making phone calls. You can choose any number to display on the recipient’s phone, change your voice to sound like a man or a woman, add background noises to make it seem like you are in a different location, and record your calls for later review. SpoofCard can be used for prank calls, security testing, or personal privacy.

King Phisher: King Phisher is another platform for creating and managing phishing campaigns. It supports both email and web-based attacks, as well as SMS and voice phishing. It also provides advanced features such as geo-targeting, campaign scheduling, template variables, and data analysis. King Phisher is free and open-source software that can run on Linux or Windows servers.

PhishTank: PhishTank is a collaborative project that collects and verifies phishing URLs submitted by users. You can join the fight against phishing by submitting suspected phishes, tracking the status of your submissions, verifying other users’ submissions, or developing software with their free API. PhishTank also provides statistics and trends on phishing activity around the world.

Another site in this space provides resources and information on social engineering. It hosts various podcasts, blogs, articles, books, videos, tools, events, and training courses related to social engineering. It also organizes the annual Social Engineering Capture the Flag (SECTF) contest at DEF CON, where contestants try to elicit information from unsuspecting targets using social engineering skills.

What can you do