Social Engineering Defined
Social engineering refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme. Social engineering is often associated with phishing, social website scraping and watering hole attacks.
Step 1: Reconnaissance: harvest information for targeted attacks
- Social engineering is frequently the first step of sophisticated multi-step attacks. Complex attacks such as advanced persistent threats (APTs), CEO fraud, cryptocurrency theft, and any targeted cyber-attack will use social engineering to gather information as a first step.
- Frequent reconnaissance methods include:
  - Harvesting information from social websites (Facebook, Twitter, LinkedIn) and from public posts by your company, partner companies, vendors, news organizations, member associations, etc.
  - Communicating with employees by email, text message, or phone to gather targeted information
  - Stealing personal information from your PC, smartphone, or company servers
- Once this information is in hand, a targeted attack on individuals can be initiated that causes the victim to perform the desired behavior.
Step 2: Cause individuals to initiate a particular behavior by leveraging the harvested information
This behavior results in an infection that becomes the next step in the cyber-attack process. Frequent attack methods leveraging harvested information include spear phishing, CEO fraud, and watering hole attacks. Actions elicited from individuals that lead to infections include:
- Clicking an email link that leads to an infected website
- Opening an email attachment that exploits software flaws to infect the computer
- Visiting a particular infected website, frequently accompanied by a request to enter login credentials or private information
- Responding to unauthorized but familiar-looking requests to send money or confidential information to a third party or bank (CEO fraud), which exploit what the attacker has learned about normal internal transactions