Social Engineering Deep Dive
What is Social Engineering?
Social engineering is a manipulation technique that exploits human psychology, rather than technical hacking methods, to gain access to information, systems, or buildings. It relies on tricking people into breaking normal security procedures. Social engineers manipulate individuals into divulging confidential information or performing actions that may inadvertently grant the attacker access to valuable data or protected systems.
The tactics used in social engineering can vary widely and include pretexting (creating a fabricated scenario to engage a targeted victim in a way that increases the chance the victim will divulge information or perform actions), phishing (sending emails that appear to be from trusted sources but are designed to extract personal data or login credentials), spear-phishing (a more targeted version of phishing where the attacker has some information about the victim), baiting (offering something enticing to the victim in exchange for information or access), tailgating (an attacker seeking entry to restricted areas by following someone who is authorized to enter), and quid pro quo (offering a benefit in exchange for information).
Social engineering attacks aim at the weakest link in an organization's security: humans. Education and training on recognizing and responding to social engineering techniques are crucial defenses against these types of attacks.
What are some examples of Social Engineering?
Social engineering attacks come in various forms, targeting the natural human tendency to trust. Here are some common examples:
Phishing: This is perhaps the most well-known form of social engineering. Attackers send fraudulent emails resembling those from reputable or known sources, asking victims to reveal personal information, click on malicious links, or download attachments that contain malware.
Spear Phishing: A more targeted form of phishing, where the attacker customizes their approach with information specific to the recipient, such as their job position, interests, or personal activities, to increase the chance of success.
Pretexting: In these scenarios, an attacker creates a fabricated story or pretext to gain the victim's trust and obtain personal, financial, or security information. For example, an attacker might impersonate an IT support agent claiming they need passwords to fix a supposed issue.
Baiting: Similar to phishing, baiting involves offering something enticing to the victim in exchange for information. This could be as simple as a flash drive labeled "Confidential" left in a public space, hoping someone's curiosity will lead them to insert it into their computer, inadvertently installing malware.
Quid Pro Quo: Similar to baiting but involves a promise of a benefit in exchange for information. For instance, attackers may offer free software or services in return for login credentials.
Tailgating or Piggybacking: This physical security breach occurs when an unauthorized person follows an authorized individual into a restricted area without the latter's notice. The attacker might act as if they've forgotten their access card and thank the victim for letting them in.
Vishing (Voice Phishing): Attackers use phone calls to scam the victim into divulging sensitive information. They might pretend to be bank officials, tax authorities, or other entities that could have legitimate reasons for calling.
Smishing (SMS Phishing): Similar to phishing but conducted through SMS text messages. The attacker sends a text message to trick the recipient into clicking on malicious links or providing personal information.
Qishing (QR Code Phishing): This form of attack involves the use of QR codes to trick individuals into scanning a malicious QR code. Attackers may place these QR codes in public places or send them through email or social media. Once scanned, the QR code can redirect the victim to a phishing site asking for personal information, or it might automatically download malware onto the victim's smartphone.
Watering Hole Attacks: Attackers compromise a website visited by the target group to exploit vulnerabilities in their computers, often to infect them with malware.
Business Email Compromise (BEC): This sophisticated scam targets businesses working with foreign suppliers or businesses that regularly perform wire transfer payments. The attacker might impersonate a high-level executive or a trusted partner to authorize fraudulent transfers.
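The executive-impersonation pretext behind spear phishing and BEC is something a mail gateway can triage before a human ever sees the message. The following is an added example in Python, not code from the article; the organisation domain, the executive names and the sample message are assumed and constructed for illustration.

```python
# Added example, not from the article: triage checks for executive impersonation (BEC/spear phishing).
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"             # assumed: the organisation's own domain
EXECUTIVES = {"jane doe", "john roe"}  # assumed: names an attacker would borrow

def _norm(name: str) -> str:
    """Lower-case and strip punctuation so 'Jane  DOE.' equals 'jane doe'."""
    return " ".join(re.sub(r"[^a-z]+", " ", name.lower()).split())

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from our domain marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_findings(raw: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    findings = []
    # Executive's name on an address outside the organisation: the "CEO needs this transfer today" pretext.
    if _norm(from_name) in EXECUTIVES and from_dom != ORG_DOMAIN:
        findings.append(f"executive name {from_name!r} on external sender {from_addr}")
    # A Reply-To that differs from From silently diverts the victim's reply.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # Lookalike domain (examp1e.com for example.com) on either address.
    for dom in {from_dom, reply_addr.rpartition("@")[2].lower()}:
        if dom and dom != ORG_DOMAIN and _edit_distance(dom, ORG_DOMAIN) <= 2:
            findings.append(f"domain {dom} is a lookalike of {ORG_DOMAIN}")
    # Urgency and payment wording is the pressure lever the pretext relies on.
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in ("urgent", "wire", "invoice", "payment")):
        findings.append(f"pressure/payment wording in subject: {subject!r}")
    return findings

# Constructed sample, not real mail: CEO's name on webmail, Reply-To on a lookalike domain.
SAMPLE_BEC = """From: Jane Doe <jane.doe.ceo@webmail.example>
Reply-To: accounts@examp1e.com
Subject: Urgent wire transfer before 5pm"""
```

Running `bec_findings(SAMPLE_BEC)` yields four findings, one per check; a genuine internal message from the same executive yields none.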
Companies focused on live simulations
Social-Engineer - This is a company founded by Chris Hadnagy, who has written multiple books on social engineering. He also ran the Social Engineering Village at DEFCON for several years.
Social Proof Security - This is a company started by Rachel Tobac. She started her career competing in the Social Engineer contest held at the SE Village during DEFCON.
Bishop Fox - This company is focused on offensive security and offers a social engineering service.
How AI is impacting social engineering
AI Tools such as ChatGPT are generating a mammoth increase in malicious phishing emails - CNBC - “Cybercriminals are using generative artificial intelligence tools such as ChatGPT to help write sophisticated, targeted business email compromise (BEC) and other phishing messages.”
How AI is changing phishing scams - Microsoft - “Scammers who hoard breached data from hacked websites can use AI technology to read that data and organize it into a highly targeted spear phishing attack.”
Meet the Brains Behind the Malware-Friendly AI Chat Service ‘WormGPT’ - Krebs on Security - Quote from the article, “This project aims to provide an alternative to ChatGPT, one that lets you do all sorts of illegal stuff and easily sell it online in the future. Everything blackhat related that you can think of can be done with WormGPT, allowing anyone access to malicious activity without ever leaving the comfort of their home.”
Created with help from ChatGPT.