Social Engineering
by
Angela
Allan
Social Engineering
refers to psychological manipulation of people for the purpose of information gathering, fraud or system access.
Techniques
- Pretexting
- Diversion theft
- Phishing
- IVR or phone phishing
- Baiting
- Quid pro quo
- Tailgating
Pretexting
involves some prior research or setup and the use of this information for impersonation to establish legitimacy in the mind of the target.
Diversion theft
The objective of this technique is to persuade the person responsible for a legitimate delivery that the consignment is requested elsewhere.
Phishing
is a technique of fradulently obtaining private information.
IVR or phone phishing
uses a rogue IVR(Interactive Voice Response) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system.
Baiting
the attacker leaves a malware infected USB in a location sure to be found, gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device.
Quid pro quo
An attacker calls random numbers at a company, claiming to be calling from technical support. Eventually this person will hit someone with a legitimate problem, grateful that someone is calling back to help them.
Tailgating
seeking entry to a restricted area secured by unattended, electronic access control.
Pop Culture
Blackhat (film)
A convicted hacker is released from prison to help the investigation where a Hong Kong nuclear plant and the Mercantile Trade Exchange in Chicago are hacked by unknown perpetrators.
Blackhat Trailer
Countermeasures
Organizations reduce their security risks by:
-
Establishing frameworks of trust
-
Identifying which information is sensitive
-
Establishing security protocols, policies, and procedures for handling sensitive information.
-
Training employees
-
Performing unannounced, periodic tests of the security framework.
-
Using a secure waste management service
Notable Hackers
JB Synder
One of the world's top experts in banking cybersecurity, developed and proved in over 50 U.S. bank locations "the most efficient social engineering attack in history."
Primarily using email, allows a social engineer to make unauthorized large cash withdrawals from bank branches with an extraordinarily high success rate (over 90%) while enjoying low probabilities of immediate detection or subsequent incarceration.
Legal Consequences
In common law, pretexting is an invasion of privacy laws.
In the US, pretexting of bank records is an illegal act punishable under federal statues. The statute states that when someone obtains any personal, non-public information from a financial institution or the consumer, their action is subject to the statute.
