For technical people, it can be easy to forget that one of the most important components of an information system is the people who use it. If you want to protect systems and data, you need to be able to recognize attacks aimed at those people when they happen.
Social Engineering Attacks
Definition: A social engineering attack is a type of attack that uses deception and trickery to convince unsuspecting users to provide sensitive data or to violate security guidelines. Social engineering is often a precursor to another type of attack. Because these attacks depend on human factors rather than on technology, their symptoms can be vague and hard to identify. Social engineering attacks can be carried out in a variety of ways: in person, through email, or over the phone.
Figure: A social engineering attack.
Social Engineering Types
There are various types of attacks targeted against the human factors in a system.
Pretexting: In a pretexting attack, an attacker pretends to be someone they are not. A common scenario is when the attacker calls an employee and pretends to be calling from the help desk. The attacker tells the employee that the order-entry database is being migrated and that the employee's user name and password are needed to make sure the account gets entered into the new system. A legitimate help desk never needs a user's password, so any request for one, however plausible the story, should be refused and reported.
Shoulder surfing: Shoulder surfing is an attack where the goal is to look over the shoulder of an individual as he or she enters a password or a PIN. This is much easier to do today with camera-equipped cell phones.
Dumpster diving: Dumpster diving is an attack where the goal is to recover important information by inspecting the contents of trash containers. It is especially effective in the first few weeks of the year, when users discard old calendars and notebooks with passwords written in them.
Theft: Theft is an attack where the goal is to blatantly steal information and resources. This usually requires unauthorized access or collusion with a disgruntled employee.
Trojan horse: A Trojan, or Trojan horse, is malicious code that masquerades as a harmless file. When a user executes it, thinking it is a harmless application, it can perform any of a wide variety of actions, including key-logging, opening the computer to further attack, or destroying and corrupting data. Trojan horse applications are often disguised as electronic greeting cards, amusing videos, or other seemingly innocent content.
Spoofing: Spoofing is a human-based or software-based attack where the goal is to pretend to be someone else, either to impersonate a trusted party or to conceal the attacker's true identity. Spoofing can occur with IP addresses, MAC addresses, and email. In email, the attacker forges message headers such as From so that the message appears to come from a trusted sender, while the actual origin is hidden or points elsewhere.
Phishing: Phishing is the most common type of email-based social engineering attack. In a phishing attack, the attacker sends an email that appears to come from a respected bank or other financial institution. The email claims that the recipient needs to send an account number, Social Security number, or other private information to the sender in order to "verify an account." Ironically, the phishing email often claims that the "account verification" is necessary for security reasons, and it usually carries a link whose visible text names the real institution while the underlying address belongs to the attacker. Individuals should never provide personal financial information to someone who requests it, whether through email or over the phone; legitimate financial institutions do not ask clients to supply credentials or full account details this way. Anyone who receives such a request should contact the institution through a phone number or web address they already know rather than through the contact details in the message.
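The spoofing and phishing indicators described above, as an added example that is not part of the original page: a small Python checker that looks for a From domain that disagrees with the Return-Path, failed SPF/DKIM/DMARC results recorded by the receiving server, links whose visible text names one domain while the href points to another, and an "account verification" lure in the body. The two messages it runs on are constructed for this example, and all domains in them are hypothetical. These are heuristics for illustration; a real mail gateway combines them with its own SPF, DKIM and DMARC evaluation.

```python
"""Flag common email spoofing and phishing indicators (added example, heuristics only)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


def domain_of(s: str) -> str:
    """Lower-case domain of an email address, a URL, or a bare hostname."""
    if "://" in s:
        return (urlparse(s).hostname or "").lower()
    if "@" in s:
        return s.rsplit("@", 1)[1].lower()
    return (urlparse("//" + s).hostname or "").lower()   # bare host such as www.example.com


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Header spoofing: the displayed sender and the envelope sender disagree.
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    rp_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"From domain {from_dom!r} differs from Return-Path {rp_dom!r}")
    # 2. Authentication results recorded by the receiving MTA.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth):
            findings.append(f"{mech.upper()} did not pass")
    # 3. Links whose visible text names a different domain than the real target.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        shown_dom = domain_of(shown) if ("://" in shown or "." in shown) else ""
        if shown_dom and shown_dom != domain_of(href):
            findings.append(f"link text {shown!r} points to {domain_of(href)!r}")
    # 4. The classic "verify your account" lure.
    if re.search(r"verify your account|confirm your (account|identity)|account (has been )?suspended",
                 text.lower()):
        findings.append("urgent 'verify your account' lure")
    return findings


# Constructed sample: a phishing message impersonating a hypothetical bank.
PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Example Bank Security" <security@examplebank.com>
To: victim@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Please verify your account within 24 hours.</p>
<p><a href="http://examplebank.com.login-check.example.org/verify">https://www.examplebank.com/secure</a></p>
</body></html>
"""

# Constructed sample: a legitimate notice from the same hypothetical bank.
CLEAN = """\
Return-Path: <statements@examplebank.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass
From: "Example Bank" <statements@examplebank.com>
To: customer@example.com
Subject: Your March statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready. Log in at <a href="https://www.examplebank.com/">www.examplebank.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, phishing_indicators(sample) or "no indicators")
```

The Return-Path versus From comparison catches the header forgery described under spoofing; the link check catches the display-text trick described under phishing. Mailing-list relays and marketing providers legitimately produce a Return-Path on a different domain, so the first finding is a signal to weigh alongside the authentication results, not a verdict on its own.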