Social Engineering Attack & Its Types

What is Social Engineering?

Social engineering is manipulating a user into revealing confidential information that is detrimental to that user or to the security of our systems; more generally, it is any attempt to deceive, lie to, or trick a user into doing something.
In other words, a social engineering attack is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data.
For example, instead of finding a vulnerability in a piece of software, an attacker (the social engineer) might call an employee, pose as an IT support person, and try to trick the employee into divulging their password.

What is Phishing?

Phishing is one of the best-known forms of social engineering. Phishing attacks use email or malicious websites to obtain personal information by posing as a trustworthy organization. For example, the attacker sends an email that appears to come from a trusted financial institution or credit card company, asks for account information, and suggests there is a problem with your account. When the user clicks the link or responds to that email, the attacker can use what was captured to gain access to the account.
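The tells described above (a trusted brand in the sender's display name but a different sending domain, a link whose visible text points somewhere other than its real target, and pressure language) can be checked mechanically. The following is an added example, not code from the original article: a small Python checker run over a constructed sample message. The sample addresses, domains and the `TRUSTED_DOMAINS` allowlist are assumptions made for the example.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample lure (not from the article): a message that claims to
# come from a bank and pressures the reader into "verifying" an account.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.net>
To: user@example.org
Subject: URGENT: your account has been suspended
Content-Type: text/html

<html><body>
<p>We detected a problem with your account. Verify immediately or it will be closed.</p>
<p><a href="http://examp1e-bank-login.net/verify">https://www.example-bank.com/secure</a></p>
</body></html>
"""

# Domains the organisation genuinely deals with (assumption for the example).
TRUSTED_DOMAINS = ["example-bank.com"]

# Words that signal the "urgency" pressure tactic.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "closed")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host: str) -> str:
    """Crude approximation of the registered domain: the last two DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw: str, trusted_domains) -> list:
    """Return (tag, detail) findings for three classic phishing tells:
    brand impersonation in From, link text/href mismatch, urgency language."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name drops a trusted brand, but the address is another domain.
    display_name, sender = email.utils.parseaddr(str(msg["From"] or ""))
    sender_domain = registered_domain(sender.split("@")[-1])
    for trusted in trusted_domains:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in display_name.lower() and sender_domain != trusted:
            findings.append(("brand-impersonation",
                             f"'{display_name}' but sender domain is {sender_domain}"))

    # 2. Anchor text shows one host while the href really goes to another.
    body = msg.get_content()
    for href, text in LINK_RE.findall(body):
        shown = urlparse(text.strip()).hostname
        real = urlparse(href).hostname
        if shown and real and registered_domain(shown) != registered_domain(real):
            findings.append(("link-mismatch", f"text says {shown}, href goes to {real}"))

    # 3. Pressure words in subject and body.
    text = (str(msg["Subject"] or "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for tag, detail in phishing_indicators(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f"[{tag}] {detail}")
```

The registered-domain helper deliberately ignores multi-label public suffixes such as co.uk; a production filter would use a public suffix list and would also score on authentication results (SPF/DKIM/DMARC) rather than on header text alone.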

Types of Phishing

  • Spear Phishing: An attempt to fraudulently obtain information from specific users, usually by email tailored to its targets, such as managers.
  • Whaling: A form of spear phishing that directly targets high-profile people such as the CEO, CFO, CIO, CSO, or other high-value targets in an organization.
  • Pharming: A phishing technique that tricks users into accessing a different, fake website, usually by modifying the hosts file. The main aim of pharming is to harvest information from a large group of people at once.
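Because pharming via the hosts file bypasses DNS entirely, a simple defensive check is to parse that file and flag any watched domain that has been pinned to a non-loopback address. This is an added example, not code from the original article; the hosts-file content, the `WATCHED_DOMAINS` set and the `hosts_path()` helper are assumptions made for the example.

```python
import ipaddress
import os

# Constructed hosts-file content (not from the article): the usual loopback
# entries plus an injected override that pins a banking domain to a
# documentation-range address.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# Injected override (constructed for this example)
198.51.100.23   www.example-bank.com example-bank.com
"""

# Domains whose resolution we never expect to see overridden locally.
WATCHED_DOMAINS = {"example-bank.com", "example-mail.com"}


def hosts_path() -> str:
    """Default location of the hosts file on the current platform."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def registered_domain(host: str) -> str:
    """Crude approximation of the registered domain: the last two DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower().rstrip(".")


def pharming_overrides(text: str, watched) -> list:
    """Return (hostname, ip) entries that pin a watched domain, or one of its
    subdomains, to a non-loopback address. Loopback pins are ignored because
    they break the site rather than redirect it (common on developer hosts)."""
    suspicious = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; it will not resolve anything
        if addr.is_loopback:
            continue
        if registered_domain(name) in watched:
            suspicious.append((name, ip))
    return suspicious


if __name__ == "__main__":
    for name, ip in pharming_overrides(SAMPLE_HOSTS, WATCHED_DOMAINS):
        print(f"WARNING: {name} is pinned to {ip} in the hosts file")
    # To check the real file on this machine instead of the sample:
    # with open(hosts_path()) as fh:
    #     print(pharming_overrides(fh.read(), WATCHED_DOMAINS))
```

In a fleet, the same logic would run from an endpoint agent and alert on any change to the file, not only on watched names, since an attacker who can write to the hosts file can override any domain.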

What is Smishing?

Smishing is a form of social engineering that exploits SMS (text) messages; phishing conducted over text messaging is called smishing. In a smishing attack the attacker sends a text message containing a link to a web page, an email address, or a phone number. When the user taps it, the phone automatically opens a browser, starts an email, or dials the number.

What is Vishing?

Vishing is the social engineering approach that leverages voice communication; phishing conducted over voice and phone calls is known as vishing. Vishing attacks can take place entirely over voice by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP makes it easy to spoof caller ID, which takes advantage of the public's misplaced trust in the security of phone services, especially landline services.

Some More Social Engineering Attacks

  • Diversion Theft: When a thief takes responsibility for a shipment by diverting the delivery to a nearby location.
  • Hoax: An attempt to deceive people into believing that something false is true (or vice versa). For example, when you visit a torrent website a pop-up may appear claiming that a virus was found on your device; that is just a hoax.
  • Shoulder Surfing: When a person uses direct observation to obtain authentication information.
  • Eavesdropping: When a person listens in on a conversation to obtain information.
  • Dumpster Diving: When a person scavenges for private information in garbage containers.
  • Baiting: When a malicious individual leaves malware-infected removable media, such as a USB drive or optical disc, lying around in plain view.
  • Piggybacking/Tailgating: When an unauthorized person follows an authorized person through a door to gain entry to a restricted area.
  • Watering Hole Attack: When an attacker works out which sites users visit regularly and places malware there to gain access to your organization. For example, if you visit Youtube.com every day, an attacker might set up a malicious look-alike site named Youtobe.com; if you mistakenly land on it, the attacker gains a foothold in your environment.
  • Skimming: Stealing credit card information, usually during a normal transaction.
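The Youtube.com / Youtobe.com example above is a look-alike domain, and look-alikes can be caught before a user reaches them by comparing every requested domain against an allowlist using edit distance plus a few homoglyph substitutions (0 for o, 1 for l, rn for m). The following is an added example, not code from the original article; the `TRUSTED_DOMAINS` allowlist and the sample candidate domains are assumptions made for the example. It goes slightly beyond the page's single typo case by also handling digit-for-letter swaps.

```python
# Assumed allowlist of domains the organisation trusts.
TRUSTED_DOMAINS = ["youtube.com", "example-bank.com"]

# Single-character swaps that look alike at a glance; multi-character ones
# (rn -> m, vv -> w) are handled separately in normalize().
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(label: str) -> str:
    """Fold common homoglyph substitutions back to the letters they imitate."""
    label = label.lower().translate(HOMOGLYPHS)
    return label.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) with O(len(b)) memory."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def second_level(domain: str) -> str:
    """The label just left of the TLD (crude: ignores suffixes like co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike(domain: str, trusted, max_distance: int = 2):
    """Return (trusted_domain, distance) if `domain` imitates a trusted one,
    None if it is a trusted domain (or subdomain) or clearly unrelated."""
    domain = domain.lower().rstrip(".")
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None  # the real thing, or a legitimate subdomain of it
    best = None
    for t in trusted:
        d = levenshtein(normalize(second_level(domain)), normalize(second_level(t)))
        if d <= max_distance and (best is None or d < best[1]):
            best = (t, d)
    return best


if __name__ == "__main__":
    # Constructed candidates: one typo, one digit swap, one rn/m swap, two benign.
    for cand in ["youtobe.com", "y0utube.com", "exarnple-bank.com",
                 "www.youtube.com", "github.com"]:
        hit = lookalike(cand, TRUSTED_DOMAINS)
        print(f"{cand:22} -> {'imitates ' + hit[0] if hit else 'ok'}")
```

A DNS resolver or proxy can apply this check to every new domain it sees and either block the request or raise an alert; the distance threshold should stay small (1 or 2) because longer trusted names would otherwise match many unrelated domains.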

Motivation Factors

  • Authority: People are more willing to comply with a request when they think it is coming from someone in authority. Using recognizable brand names, such as a bank or PayPal, can also be a form of authority.
  • Urgency: People are usually in a rush these days, and urgency takes advantage of this fact.
  • Social Proof: People are more likely to click on a link shared through social media, or when they see that others have already clicked on it.
  • Scarcity: A technique that relies on the fear of missing out on a good deal that is offered only in limited quantities or for a limited time.
  • Likeability: A technique where the social engineer attempts to find common ground and shared interests with the target.
  • Fear: The use of threats or demands to intimidate someone into helping with the attack.
