Attackers look to the emotional aspects of human decision making to execute their attacks. They use psychological manipulation tactics, as people tend to pay attention to personally relevant messages, especially if there is an urgent call to action.
Social Engineering is a non-technical method that attackers use to get people to divulge sensitive information or install malware on their computers. These attacks may use technical tools, but their successful execution relies heavily on human-to-human interaction and on using the emotions of the human being as the exploitable vulnerability.
Social Engineering Attack Vectors
Since social engineering involves the hacking of human emotions, there is a multitude of ways an attacker can attempt to extract data from their targets.
Baiting
This type of attack plays on the curiosity of the human psyche. An attacker will leave a malware-laden device, such as a USB stick, in an obvious area where someone will find it. The victim will probably plug it into their computer to see what is on it, and then malware is injected into their system.
Phishing
The oldest and still one of the most successful tricks in the book: attackers use a variety of influencing levers in spam emails. Fear tactics tend to be among the most effective levers, as they depend on users making quick, impetuous decisions based on their emotions. Another successful influencing lever is a request that appears to come from an attacker posing as an authority figure, which is a version of pretexting. People tend to comply unquestioningly when a directive comes from a member of management or a higher-up in the organization. A sense of urgency is another lever that relies on emotional decision-making. If a target is presented with an urgent scenario, such as a warning that their account will be suspended unless they take action within a certain time frame, the victim feels that they need to act immediately, which leads to poor, impulsive decisions such as clicking on a malicious link and unintentionally divulging their user credentials.
Email Hacking and Contact Spamming
People tend to comply with requests that come from someone they know, especially coworkers, friends or family members. Therefore attackers will use various social engineering tactics to obtain the target's email credentials. Once the attacker gains control of the account, they will spam everyone in the victim's address book, thus perpetuating the attack with the objective of spreading malware or tricking further victims out of sensitive information and more user credentials.
Pretexting
Pretexting is a social engineering tactic where an invented scenario is created to trick a target into divulging personal and sensitive information. It involves researching a target, then tailoring the attack based on what is found out about the individual. Being able to perfectly mimic the head of marketing is useless if your target is the head of marketing.
Quid Pro Quo
Something for something. The attacker promises free promotional items, a prize or even financial compensation in exchange for sensitive information.
Spear Phishing
In the family of phishing, spear phishing is the more complex cousin. Usually targeted at specific individuals in a specific company, it is more of a campaign than a one-off phishing email. The attacker researches the target and then sends emails that are personally relevant to the victim, in an attempt to get the victim to complete the call to action: clicking on links, downloading malware or divulging sensitive information. Sometimes the attackers will use pretexting to make the con look more authentic.
Vishing
Probably the least technical of all the attack vectors, vishing is when the attacker calls the target, posing as a trusted individual, such as a member of the IT department requesting user credentials in order to fix a technical issue. This tactic relies heavily on pretexting.
Social Engineering attacks can be executed with a single attack vector, with the intent to collect specific information from a specific target, or they can be part of a more complex operation, generally seen in corporate attacks. These two types of attack campaign are called Hunting and Farming.
Hunting
The objective of hunting is to extract as much data as possible with minimal contact with the target. The most common attack vectors used in this scenario are phishing, baiting and email hacking.
Farming
A much more complex campaign, farming requires a little more legwork on the attacker's part. Akin to a "long con," the attacker performs some reconnaissance on the target, seeking to form a relationship with them. This is another tactic that relies heavily on the pretexting lever; the objective is to string the target along as long as possible in order to extract as much data as possible.
Social Engineering is everywhere on the Internet landscape: social media, email, compromised websites, and it even spills over into real-life interactions. It is so highly effective because of the one element that is impossible to patch or install security software on: the human being. The best defense against social engineering is education. It is a good idea to have some form of internet security compliance training within an organization, to help your employees safeguard not only the company's data but their own as well.
source: http://www.symantec.com/connect/blogs/what-social-engineering