Social engineering attacks as ways to steal information have been around for a long time, but some of their tactics have matured and become harder to detect.
Social engineering continues to be one of the easiest, non-technical methods for an attacker to gain a foothold in a target’s systems or network. Social engineering includes scareware, phishing, vishing, piggybacking, quid pro quo, and other methods the attacker employs to gain and manipulate a person’s trust so that they divulge confidential information.
Scareware
- Meaning: As its name suggests, scareware is a scam that frightens you into buying or downloading malicious software that poses as security protection.
- Example: Have you ever visited a website where a red banner warns that your computer has a virus? The website assures you that if you click the red banner it will remove the virus and protect your computer.
- Scareware works because the victim is scared or curious enough to click the link. However, clicking installs the malicious software and/or directs the victim to a website selling “anti-virus” solutions that actually contain malicious software. The purpose of the malevolent software is to collect password credentials, financial information, or other confidential information that can lead to future identity theft crimes.
Phishing
- Meaning: Phishing is a technique that uses electronic communication (email, instant messaging, or text messaging) to deceive users into providing personal information, such as login credentials or credit card information, to the attacker.
- Example: An email from a trusted entity (correct formatting, logo, and signature lines) says the entity has suffered a breach and requests that all customers immediately change their password by clicking on a link. The sender’s email address and the web page behind the link look similar to what could be expected from the trusted entity, encouraging customers to submit their existing username and password on the duplicitous web page.
- Since this is actually a malicious site and not the trusted entity at all, the attacker has collected the credentials necessary to commit fraud against the individual. This can lead to unauthorized purchases, theft of funds, or even identity theft. When phishing is used in a government, educational, or corporate environment, it can be even more devastating to the organization, allowing the attacker to bypass security perimeters and gain access to the organization’s data. Organizations can sustain financial losses, declining market share, loss of customer confidence, and loss of reputation after a phishing attack.
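The phishing example above hinges on a link whose hostname merely looks like the trusted entity’s domain. The following triage check is an added illustration, not code from the original article: it classifies each link in a suspicious message as trusted, lookalike, or unrelated against an allow-list of domains. The trusted domain `trustedbank.com` and the sample links are constructed for the example.

```python
"""Flag link hostnames that imitate a trusted sender's domain (added example)."""
from urllib.parse import urlparse

# Visual substitutions common in lookalike hostnames, folded to one form so
# that "tru5tedbank" or "trustedbarnk"-style spellings compare equal to the
# real name. The map is a constructed, deliberately small illustration.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _normalise(host: str) -> str:
    host = host.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    return host.replace("rn", "m").replace("vv", "w").translate(_CONFUSABLES)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; hostnames are short, so plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted: set[str]) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for one URL."""
    host = (urlparse(url).hostname or "").lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    # Exact domain or a real subdomain of it: compared on the raw host so a
    # confusable spelling can never be promoted to "trusted" by normalisation.
    for t in (d.lower() for d in trusted):
        if host == t or host.endswith("." + t):
            return "trusted"
    norm = _normalise(host)
    for t_norm in (_normalise(d) for d in trusted):
        # Trusted name embedded in some other registrable domain, e.g.
        # trustedbank.com.example-login.net, or spelled with confusables.
        if t_norm in norm or t_norm.split(".")[0] in norm:
            return "lookalike"
        if _edit_distance(norm, t_norm) <= 2:   # typo-squat: a character or two off
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    links = ["https://www.trustedbank.com/reset", "https://trustedbark.com/reset",
             "https://trustedbank.com.example-login.net/reset", "https://example.org/"]
    for link in links:
        print(f"{classify_link(link, {'trustedbank.com'}):10} {link}")
```

The first-label check (`t_norm.split(".")[0] in norm`) is intentionally aggressive; for very short trusted labels it will over-flag and should be tightened to a minimum label length in real use.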
Vishing
- Meaning: Vishing is the practice of eliciting information, or attempting to influence action, over the telephone in order to gain personal information.
- Example: The attacker impersonates a technical support analyst and calls to discuss an issue. The attacker uses technical jargon and provides reasons why there’s an urgent need for the person to provide their credentials, so the “analyst” can ensure everything is now working as expected.
- These attacks are easy to perform, require no technical knowledge, and only need to succeed once for the attacker to gain unauthorized access to the protected data.
Piggybacking or Tailgating
- Meaning: Piggybacking or tailgating are physical social engineering attacks. The terms refer to an unauthorized person tagging along behind another person who is authorized to gain entry into a restricted area.
- Example: This attack is extremely simple. The attacker can start chatting with someone who is headed toward the authorized area, and then just walk into the restricted area behind the authorized person. If the attacker is questioned, they can quickly make up a plausible excuse as to why they don’t have their access key with them. Or, the attacker can look preoccupied, or have their hands full of paperwork and a laptop when they are going through the door. Usually the authorized person will assist by holding the door open so the unauthorized person can walk through. This is one case where good manners do not work!
Quid Pro Quo
- Meaning: Quid pro quo is Latin for “something for something.”
- Example: This tactic works well on students who may be offered a free t-shirt, access to an online game, or even a free pizza by simply filling out a form which may ask for personal information and for the student’s school credentials.
- Once the attacker has the credentials, they can use those to gain unauthorized access to the school or student’s information.
Social engineering attacks usually only require one target to fall victim for the attacker to leverage that information for more malicious activities. Hopefully you have taken the proper precautions to avoid falling victim to a social engineering attack, but if you suspect you have been compromised, report it immediately to the proper channels so it can be addressed quickly to help minimize loss of information and future attacks.
This post expands on November’s article about security incident terminology.