Social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain.
Threat actors use social engineering techniques to conceal their true identities and motives and present themselves as a trusted individual or information source. The objective is to influence, manipulate or trick users into giving up privileged information or access within an organization. Many social engineering exploits simply rely on people's willingness to be helpful. For example, the attacker might pretend to be a co-worker who has some kind of urgent problem that requires access to additional network resources.
Social engineering is a popular tactic among hackers because it is often easier to exploit users' weaknesses than it is to find a network or software vulnerability. Hackers will often use social engineering tactics as a first step in a larger campaign to infiltrate a system or network and steal sensitive data or disperse malware.
How social engineering works
Social engineers use a wide variety of tactics to perform attacks.
The first step in most social engineering attacks is for the attacker to perform research and reconnaissance on the target. If the target is an enterprise, for instance, the hacker may gather intelligence on the employee structure, internal operations, common lingo used within the industry and possible business partners, among other information. One common tactic of social engineers is to focus on the behaviors and patterns of employees who have low-level but nonetheless initial access, such as a security guard or receptionist; hackers can scan the person's social media profiles for information and study their behavior online and in person.
From there, the hacker can design an attack based on the information collected and exploit the weakness uncovered during the reconnaissance phase.
If the attack is successful, the hackers gain access to sensitive data, such as credit card or banking information, make money off the targets, or gain access to protected systems or networks.
Types of social engineering attacks
Popular types of social engineering attacks include:
- Baiting: Baiting is when an attacker leaves a malware-infected physical device, such as a USB flash drive, in a place it is sure to be found. The finder then picks up the device and loads it onto his or her computer, unintentionally installing the malware.
- Phishing: Phishing is when a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.
- Spear phishing: Spear phishing is like phishing but tailored for a specific individual or organization.
- Vishing: Vishing is also known as voice phishing, and it's the use of social engineering over the phone to gather personal and financial information from the target.
- Pretexting: Pretexting is when one party lies to another to gain access to privileged data. For example, a pretexting scam could involve an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient.
- Scareware: Scareware involves tricking the victim into thinking his computer is infected with malware or has inadvertently downloaded illegal content. The attacker then offers the victim a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker's malware.
- Water-holing: A watering hole attack is when the attacker attempts to compromise a specific group of people by infecting websites they are known to visit and trust in order to gain network access.
- Diversion theft: In this type of attack, the social engineers trick a delivery or courier company into going to the wrong pickup or drop-off location, thus intercepting the transaction.
- Quid pro quo: A quid pro quo attack is one in which the social engineer pretends to provide something in exchange for the target's information or assistance. For instance, a hacker calls a selection of random numbers within an organization and pretends to be calling back from tech support. Eventually, the hacker will find someone with a legitimate tech issue who they will then pretend to help. Through this, the hacker can have the target type in the commands to launch malware or can collect password information.
- Honey trap: An attack in which the social engineer pretends to be an attractive person in order to interact with a target online, fake an online relationship and gather sensitive information through that relationship.
- Tailgating: Tailgating, sometimes called piggybacking, is when a hacker walks into a secured building by following someone with an authorized access card. This attack presumes the person with legitimate access to the building is courteous enough to hold the door open for the person behind them, assuming they are allowed to be there.
- Rogue security software: A type of malware that tricks targets into paying for the fake removal of malware.
Examples of social engineering attacks
Perhaps the most famous social engineering attack comes from the mythological Trojan War, in which the Greeks were able to get into the city of Troy and win the war by hiding in a giant wooden horse that was presented to the Trojan army as a gift of peace.
Frank Abagnale is considered one of the foremost experts in social engineering techniques. In the 1960s, he used various tactics to impersonate at least eight people, including an airline pilot, a doctor and a lawyer. Abagnale was also a check forger during this time. After his incarceration, he became a security consultant for the FBI and started his own financial fraud consultancy. His experiences as a young confidence man were made famous in his best-selling book Catch Me If You Can and the movie adaptation from Oscar-winning director Steven Spielberg.
A more recent example of a successful social engineering attack was the 2011 data breach of security company RSA. An attacker sent two different phishing emails over two days to small groups of RSA employees. The emails had the subject line "2011 Recruitment Plan" and contained an Excel document attachment. The spreadsheet contained malicious code that installed a backdoor through an Adobe Flash vulnerability. While it was never made clear exactly what information was stolen, if any, RSA's SecurID two-factor authentication (2FA) system was compromised, and the company spent approximately $66 million recovering from the attack.
In 2013, the Syrian Electronic Army was able to access the Associated Press' Twitter account by including a malicious link in a phishing email. The email was sent to AP employees under the guise of being from a fellow employee. The hackers then tweeted a fake news story from AP's account that said two explosions had gone off in the White House and then-President Barack Obama had been injured. This garnered such a significant reaction that the stock market dropped 150 points in under five minutes.
Also in 2013, a phishing scam led to the massive data breach of Target. A phishing email was sent to an HVAC (heating, ventilation and air conditioning) subcontractor that was a business partner of Target's. The email contained the Citadel Trojan, which enabled attackers to penetrate Target's point-of-sale systems and steal the information for 40 million customer credit and debit cards. That same year, the U.S. Department of Labor was targeted by a watering hole attack, and its websites were infected with malware through a vulnerability in Internet Explorer that installed a remote access Trojan called Poison Ivy.
In 2015, hackers gained access to the personal AOL email account of John Brennan, then the director of the CIA. One of the hackers explained to media outlets how he used social engineering techniques to pose as a Verizon technician and request information about Brennan's account with the telecom giant. Once the hackers obtained Brennan's Verizon account details, they contacted AOL and used the information to correctly answer security questions for Brennan's email account.
Preventing social engineering
Security experts recommend that IT departments regularly carry out penetration testing that uses social engineering techniques. This will help administrators learn which types of users pose the most risk for specific types of attacks, while also identifying which employees require additional training.
Security awareness training can also go a long way toward preventing social engineering attacks. If people know what forms social engineering attacks are likely to take, they will be less likely to become victims.
On a smaller scale, organizations should have secure email and web gateways that scan emails for malicious links and filter them out, thus reducing the likelihood that a staff member will click on one. Staying up to date with software and firmware patches on endpoints is also important, as is keeping track of staff members who handle sensitive information and enabling advanced authentication measures for them.
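To make the gateway advice concrete, here is an added example (not code from the original article or from any product it mentions) of the kind of link checks a secure email gateway applies before a message reaches a mailbox. It parses an HTML email, pulls out every link, and flags the patterns that recur in the incidents described above: a link whose visible text names one domain while the href points somewhere else, a raw IP address as the host, a punycode (lookalike) host label, and a message that claims to come from an internal colleague yet links to an external site. The sample message, the `TRUSTED_DOMAINS` set and the `example.com` organisation are constructed assumptions for this example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the organisation's own mail/web domains.
TRUSTED_DOMAINS = {"example.com"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host: str) -> str:
    """Crude 'registrable domain': the last two DNS labels (enough for this sample)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _html_body(msg: Message) -> str:
    """Return the first text/html part of the message, decoded, or '' if none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def scan_links(raw_email: str):
    """Return a list of (href, reason) findings for an RFC 822 message string."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    collector = _AnchorCollector()
    collector.feed(_html_body(msg))

    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme not in ("http", "https"):
            findings.append((href, "non-web scheme"))
            continue
        # Host is a bare IPv4 address rather than a name.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "raw IP address host"))
        # Punycode labels are how lookalike (homograph) domains are encoded.
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append((href, "punycode host label"))
        # Visible text that looks like a URL but names a different domain than the href.
        m = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        if m and _registrable(m.group(1)) != _registrable(host):
            findings.append((href, f"display text says {m.group(1)} but link goes to {host}"))
        # Message purports to be from a colleague but sends the reader off-site.
        if sender_domain in TRUSTED_DOMAINS and _registrable(host) not in TRUSTED_DOMAINS:
            findings.append((href, f"internal sender {sender_domain} links to external host {host}"))
    return findings


# Constructed sample message, written for this example only.
SAMPLE_EMAIL = """From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it at
<a href="http://203.0.113.10/reset">https://sso.example.com/reset</a>.</p>
<p>Questions? See <a href="https://xn--exmple-cua.com/help">our help page</a>.</p>
<p>Policy: <a href="https://example.com/policy">example.com/policy</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in scan_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

Running the script flags the first two links (raw IP host plus mismatched display text, and the punycode host) and leaves the genuine policy link alone. A production gateway would add reputation lookups and a proper public-suffix list, but the point is that these checks run on every inbound message, so a reader does not have to spot the mismatch themselves.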