SY0-501 Section 3.3- Summarize social engineering attacks and the associated effectiveness with each attack.

A social engineering attack is one in which the intended victim is somehow tricked into doing the attacker’s bidding. An example would be responding to a phishing email, following the link and entering your banking credentials on a fraudulent website. The stolen credentials are then used for everything from finance fraud to outright identity theft. An old adage comes to mind here, “it pays to be suspicious”. With socially engineered attacks, the opposite is also true – if you aren’t suspicious, you likely will end up paying.

In addition to phishing, social engineering attacks can come in many forms – email that masquerades as breaking news alerts, or greeting cards, or announcements of bogus lottery winnings. Pump and dump stock scams are also a form of social engineering, playing on the recipients’ natural desire to take advantage of a good deal. It’s important to remember that if something sounds too good to be true, it’s probably a scam.

Social engineering attacks come in many forms, but defending against them comes down to making the right choices. The attacker is depending on you to make a wrong choice and fall victim to their malicious intent.

Shoulder Surfing

Shoulder surfing does not involve direct contact with the user, but instead involves the attacker directly observing the target entering sensitive information on a form, keypad, or keyboard. The attacker may simply look over the shoulder of the user at work, or the attacker can set up a camera or use binoculars to view users entering sensitive data. The attacker can attempt to obtain information such as a PIN at an automated teller machine, an access control entry code at a secure gate or door, or calling card or credit card numbers. Some locations now use a small shield to surround a keypad so that it is difficult to observe somebody entering information. More sophisticated systems can actually scramble the location of the numbers so that the top row at one time includes the numbers 1, 2, and 3 and the next time 4, 8, and 0. While this makes it a bit slower for the user to enter information, it does mean that a person attempting to observe which buttons are pressed will not be able to press the same buttons or pattern, since the location of the numbers has changed.
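As an added illustration that is not part of the original notes, the following Python simulation models the scrambling keypad described above: a shoulder surfer sees only which button positions were pressed, and replaying that pattern on a rescrambled layout yields the wrong PIN. The PIN and layouts are constructed sample values.

```python
import random

DIGITS = "0123456789"

# Constructed sample: a conventional keypad whose layout never changes.
# Index = physical button position, value = digit printed on that button.
STATIC_LAYOUT = ("1", "2", "3", "4", "5", "6", "7", "8", "9", "0")


def random_layout(rng):
    """Return a freshly scrambled keypad: a random permutation of the ten digits."""
    keys = list(DIGITS)
    rng.shuffle(keys)
    return tuple(keys)


def positions_for_pin(layout, pin):
    """Button positions pressed to enter `pin` on `layout` (all an observer sees)."""
    return [layout.index(d) for d in pin]


def replay(positions, layout):
    """Digits actually entered by pressing the observed positions on `layout`."""
    return "".join(layout[p] for p in positions)


def shoulder_surf_succeeds(pin, observed_layout, later_layout):
    """True if the pattern seen on observed_layout still yields `pin` on later_layout."""
    return replay(positions_for_pin(observed_layout, pin), later_layout) == pin


def replay_success_rate(pin, trials, seed=0):
    """Fraction of attempts in which a pattern observed on one scrambled layout
    still works on the next scrambled layout (the keypad rescrambles per entry)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        observed = random_layout(rng)
        later = random_layout(rng)
        if shoulder_surf_succeeds(pin, observed, later):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    pin = "2580"  # constructed sample PIN
    print("static keypad, pattern replayed:", shoulder_surf_succeeds(pin, STATIC_LAYOUT, STATIC_LAYOUT))
    print("scrambling keypad, replay success rate:", replay_success_rate(pin, 5000))
```

Against a fixed layout the observed pattern always works; against a per-entry scramble the same pattern succeeds only when the new permutation happens to leave every pressed position unchanged.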

Dumpster Diving

Dumpster diving is not a uniquely computer security–related activity. It refers to the activity of sifting through an individual’s or organization’s trash for things that the dumpster diver might find valuable. In the non-security realm, this can be anything from empty aluminum cans to articles of clothing or discarded household items. From a computer security standpoint, the diver is looking for information that can be obtained from listings or printouts, manuals, receipts, or even yellow sticky notes. The information can include credit card or bank account numbers, user IDs or passwords, details about the type of software or hardware platforms that are being used, or even company-sensitive information. In most locations, trash is no longer considered private property after it has been discarded (and even where dumpster diving is illegal, little enforcement occurs). An organization should have policies about discarding materials. Sensitive information should be shredded, and the organization should consider securing the trash receptacle so that individuals can’t forage through it. People should also consider shredding personal or sensitive information that they wish to discard in their own trash. A reasonable-quality shredder is inexpensive and well worth the price when compared with the potential loss that could occur as a result of identity theft.

Hoaxes

At first glance, it might seem that a hoax related to security would be considered a nuisance and not a real security issue. This might be the case for some hoaxes, especially those of the urban legend type, but the reality of the situation is that a hoax can be very damaging if it causes users to take some sort of action that weakens security. One real hoax, for example, told the story of a new, highly destructive piece of malicious software. It instructed users to check for the existence of a certain file and to delete it if the file was found. In reality, the file mentioned was an important file used by the operating system, and deleting it caused problems the next time the system was booted. The damage caused by users modifying security settings can be serious. As with other forms of social engineering, training and awareness are the best and first line of defense for users. Users should be trained to be suspicious of unusual e-mails and stories and should know who to contact in the organization to verify their validity if they are received.

Vishing

Vishing is a variation of phishing that uses voice communication technology to obtain the information the attacker is seeking. Vishing takes advantage of the trust that most people place in the telephone network. Users are unaware that attackers can spoof calls from legitimate entities using voice over IP (VoIP) technology. Voice messaging can also be compromised and used in these attempts. Generally, the attackers are hoping to obtain credit card numbers or other information that can be used in identity theft. The user may receive an e-mail asking him to call a number that is answered by a potentially compromised voice message system. Users may also receive a recorded message that appears to come from a legitimate entity. In both cases, the user will be encouraged to respond quickly and provide the sensitive information so that access to an account is not blocked. If a user ever receives a message that claims to be from a reputable entity and is asking for sensitive information, he should not provide it but instead use the Internet or examine a legitimate account statement to find a phone number that can be used to contact the entity. The user can then verify that the message received was legitimate or report the vishing attempt.


Reasons for Effectiveness

A number of principles, or elements, allow social engineering attacks to be effective. Most of these are based on our nature to be helpful, to trust others in general, and to believe that there is a hierarchy of leadership that should be followed. For the exam, be familiar with the following reasons for their effectiveness:

Authority

If it is possible to convince the person you are attempting to trick that you are in a position of authority, they may be less likely to question your request. That position of authority could be upper management, tech support, HR, or law enforcement.

Intimidation

Although authority can be a source of intimidation, it is possible for intimidation to occur in its absence as well. This can be done with threats, with shouting, or even with guilt.

Consensus/Social Proof

Putting the person being tricked at ease by putting the focus on them—listening intently to what they are saying, validating their thoughts, charming them—is the key to this element. The name comes from a desire that we all have to be told that we are right, attractive, intelligent, and so forth, and we tend to be fond of those who confirm this for us. By being so incredibly nice, the social engineer convinces the other party that there is no way their intentions could possibly be harmful.

Discussions at home with a spouse, or casual conversations with associates where we are bragging or trying to impress others, can lead to sharing more information than we should.

Scarcity

Convincing the person who is being tricked that there is a limited supply of something can often be effective if carefully done. For example, convincing them that only one hundred vacation requests will be honored for the entire year, and that they need to go to a fictitious website now and fill out their information (including username and password, of course) if they want to take a vacation anytime during the current year, can dupe some susceptible employees.

More than one principle can be used in any given attack. It is not uncommon, for example, to see both scarcity and urgency used together.

Urgency

The secret to successfully using the urgency element is for the social engineer to convince the individual they are attempting to trick that time is of the essence. If they don’t do something right away, money will be lost, a nonexistent intruder will get away, the company will suffer irreparable harm, or a plethora of other negative possibilities may occur.

Familiarity/Liking

Mental guards are often lowered, many times subconsciously, when we are dealing with other individuals that we like. The “like” part can be gained by someone having, or pretending to have, the same interests as we do, being engaged in the same activities, or otherwise working to gain positive attention.

Trust

One of the easiest ways to gain trust is through reciprocation. When someone does something for you, there is often a feeling that you owe that person something. For example, to gain your trust someone may help you out of a troublesome situation or buy you lunch.