Types of Social Engineering Attacks

 

Types of Social Engineering Attacks 

Here are some of the most common attacks used by social engineers to get the information that they want from users:

    1. Phishing 

Once a social engineer defines the type of information that he wants to get out of a user, he begins to gather as much information about a target as much as he can without raising the alarm. For example, if a social engineer wants to penetrate an organization’s security system, he will most likely need to have a list of employees working there, some phone numbers used internally, or a calendar of activities used by the company. Using all these information, he can launch an attack on the day where the least security personnel are present, do a social engineer attack against key personnel through a communication line that is least suspicious

There are plenty of ways on how a phishing attack can be done. One can use a fake email account or a phone number and pretend to be a supervisor requesting for official contact list. One can also look at social media accounts of a targeted organization and find who is likely to be responsible for organizing company schedules. If a social engineer prefers to spend less time on his research, he can simply opt to pay for a comprehensive background check on targeted individuals online. Once the needed information is received, a social engineer can launch a more comprehensive phishing attack

 One of the most effective social engineering tactics used by hackers is to reach out to a target and pretend that a victim’s account has been compromised. By creating a sense of urgency, any social engineer may pretend to be offering assistance by asking vital information such as mother’s maiden name, date of birth, account recovery protocols, and last password used. An unassuming target may provide all these data without even verifying who he is talking to, or if his account has really been breached.

   2. Dumpster diving 

While this method can be a bit messy and risky, searching through discarded company materials can be a very effective way to get highly confidential information. As the name implies, this often involves rummaging through trash bins of an organization, with the hopes of finding key documents in the trash.

This method is very effective because most people believe that the things that they throw in the trash are safe, and that includes documents that point towards their home addresses, personal phone numbers, and confidential paperwork. People simply do not think that there is a wealth of information available in the documents that they throw away after they are done with it. For this reason, one can easily find the following in the trash bin:

• Organizational charts
• List of passwords  
• Reports
• Email printouts  
• Employee handbooks 
• Internal security policies  
• Phone numbers 
• Network diagrams  
• Meeting notes 

Keep in mind that there are several dedicated social engineers that still find value in shredded documents since they recognize that shredded paperwork contain information that an organization does not want anyone to find out. Given enough time and tape, any hacker will be able to piece back together a carelessly shredded document.

    3. Voicemail digging 

This is a tactic used by social engineers to find out in-depth details and possibly private information about an individual by simply taking advantage of the dial-by-name feature embedded in most voicemails. To tap this feature, all you need is to dial 0 after calling a company’s number or right after you reached a target’s mailbox. This is usually done after office hours to make sure that no one in the organization will be available to answer the call.  

Voicemail usually contains a wealth of private information, such as times when a person is not available, which is crucial when it comes to scheduling an all-out attack. Some also use the information that they find on voicemail messages to find out some details that they can use to impersonate these people and use their personalities to launch an attack.

Social engineers can easily conceal their identity and location whenever they tap voicemails by using VoIP servers such as Asterisk to enter any phone number that they want whenever they call.

    4. Active communication with target 

One of the most effective means to gain information through social engineering is to ask the target for the needed information directly. For this tactic to work, all that a social engineer needs to do is to build enough trust between him and the target in order to achieve the information he needs without encountering any resistance

For example, a social engineer may tailgate a victim right into where the system that he wants to breach is. He may assume a different identity, such as a manager or IT personnel, and proceed to ask questions that may severely compromise a person’s personal account or reveal vital networking security protocols. You may be surprised at the wealth of information that you can get out of people by simply asking!

    5. Spoofing

Technology makes social engineering easier by simply masking one’s identity in order to pretend to be someone that targets can identify as one of their own. You can easily ask a user to send any type of confidential information by creating a professional and legitimate-looking email that requests for social security numbers, user IDs, and even passwords. Some users even volunteer this highly confidential information in exchange for a free Wi-Fi password, or a gift in return. You can even use spoofed emails to request a user to install a patch in their computers which can serve as a listening device or a virus.  

One of the most popular attacks that use this trick is the LoveBug worm that users installed right into their systems simply by opening an attachment in an email that is supposedly to reveal the identity of a secret admirer. While it might seem too obvious that opening an attachment from a person that you do not know does not make sense, people fell for this trap anyway.