What Social Engineering Really Is

Written by M.R. Qaddafi Butt 

Social Engineering is a term used widely in the social sciences and in ICT as well. Taken literally, the term can be defined by describing its objectives:

Creating laws to solve social problems and to improve the social conditions of a society, and

Using other methods to influence public opinion. In the field of ICT, however, the term Social Engineering has a different meaning. It can be defined as follows: "Social Engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures."

Various paths and means are used to manipulate ordinary users and ICT professionals, working on them psychologically, physiologically and technologically, so that they give up personal information that is then used to hack their accounts and to gain other illegitimate benefits. Hackers and crackers use these tactics to gain the trust of the target; sometimes, for example, they offer their own username and password, and in return the victim trusts them enough to share his or her own credentials.

That is the very point at which the attackers win over the security of the targeted person. When scholars and security professionals discuss the malicious use of SE, their objective is to identify all the ways in which security may be breached to the point where illegitimate benefits can be gained.

The main tools used in this malicious activity are Baiting, Phishing, Spear Phishing, Pretexting (Impersonating), Scareware, Vishing, Impersonating, Quid pro quo and Tailgating.

Baiting

Usually a social engineer uses an infected device as bait. A malware-infected USB flash drive or external hard drive is deliberately left in a public place or an office. As soon as it is plugged in to look at the data, the malware installs itself unnoticed. Such devices are usually labelled with a luring title such as "My private pics".

Phishing or Tailgating

Cyber criminals send emails that purport to come from a reputable and generally trusted company, bank or institution. Official-looking text formats are usually used, along with logos very similar to the real ones. The targeted person is asked for specific personal information for the sake of some official or departmental matter concerning him or her. Sometimes the email also contains a link, and the victim is asked to click it to view or fill in details online. As soon as the link is clicked, malware is installed, with no opportunity to check or stop it.

Spear phishing

It is phishing tailored to a specific individual or organization.

Pretexting or Impersonating

The social engineer or criminal lies about being another company, organization or individual by impersonating them. Emails are sent to gain access to personal credentials or privileged data. The attacker pretends to be an official and asks to confirm the recipient's identity.

Scareware

Scareware is used as a trick. It alters the victim's computer so that the victim wants to get rid of content he believes he has downloaded unintentionally. The attacker then offers a solution to the problem: download a piece of software to fix it, which is in fact malicious software.

Vishing

Cyber criminals or attackers impersonate someone and call by phone, trying to obtain credentials that may help them gain access to the victim's personal data.

Quid pro quo

The attackers request personal information and in return offer some kind of benefit or compensation.

Social Engineering Infographics

94 billion emails are sent a day, and 90% of them are either spam or carry a virus.

Phishing takes first place with 77% of all attacks, and 88% of those imitate banks or financial institutions.

Vishing is in second position: 14% of victims reply to the text message, 24% call the given number, and the largest number click the link.

Impersonating

The social engineer disguises himself as an official or researcher and steals the data. The number of victims was about 1.4 million. The average age of the victims was 41.7 years, and the average loss was about 4187 dollars.

Protection against attacks

Regular penetration (PEN) testing is highly recommended for IT departments.

Be suspicious of unsolicited material.

Any message or request asking for personal data must be treated as a scam; it should always be left unanswered and deleted.

Try to find the site through a search engine instead of clicking the link in the email.

Set your spam filters high.
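As an added illustration of the advice above (this script is not part of the original article), the following Python code checks an email for two signs of the phishing described earlier: a Reply-To header that routes answers to a different domain from the apparent sender, and a link whose visible text names one domain while its real target is another. The sample message, addresses and domains are all constructed for the example, and the checker assumes a single-part HTML body.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(value):
    """Last two labels of the host in a URL, mail-address domain or bare host."""
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw_email):
    """Return warning strings for a single-part RFC 822 message with an HTML body."""
    msg = message_from_string(raw_email)
    from_addr, reply_addr = (parseaddr(msg.get(h, ""))[1] for h in ("From", "Reply-To"))
    warnings = []
    # Replies quietly routed to a domain other than the apparent sender's.
    if reply_addr and _domain(reply_addr.rsplit("@", 1)[-1]) != _domain(from_addr.rsplit("@", 1)[-1]):
        warnings.append(f"Reply-To {reply_addr} does not match sender {from_addr}")
    collector = _LinkCollector()
    collector.feed((msg.get_payload(decode=True) or b"").decode(errors="replace"))
    for href, text in collector.links:
        # Visible text names one domain while the real target is another.
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) and _domain(text) != _domain(href):
            warnings.append(f"Link shown as '{text}' actually targets {_domain(href)}")
    return warnings

# Constructed sample imitating a bank notice; every domain here is a placeholder.
SAMPLE = """From: "Example Bank Support" <support@example-bank.com>
Reply-To: verify@mail-example-bank.net
Content-Type: text/html

<p>Please confirm your details at
<a href="http://login.mail-example-bank.net/verify">https://www.example-bank.com/login</a></p>
"""
```

Running `phishing_indicators(SAMPLE)` returns both warnings for the sample, while a message whose Reply-To and link targets match the sender's domain returns an empty list.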