Social engineering is the manipulation of people into performing actions or divulging confidential information. It is a type of "con" which is short for "confidence". The hacker is trying to gain a person's confidence in order to manipulate them. It subverts the user's trust.
The importance of social engineering as a hacking technique cannot be overstated. It is used in conjunction with many other types of attacks. Often it is the foundational first step.
Pretexting is creating an invented scenario (or pretext) to engage a target in a way that increases the chance they will do what the hacker wants. It relies on building a false sense of trust. The hacker is an actor playing a role. Pretexting often includes some foundational information, such as something only a trusted employee would know, to put the target at ease and make a lie seem legitimate. Referencing internal information, name dropping, or using insider lingo to indicate insider status are common techniques when pretexting.
For example, suppose that an important company server crashed last week. This is a well-know fact throughout the IT department but not widely known outside the company. If a hacker also discovers this information, the hacker might call someone in IT and use it as a pretext.
"Hey, this is Steve over in the Los Angeles office. When the server crashed last week, I lost my access to the main server. Now I have a deadline and I am locked out. Can I give you my IP address and have you set it up again?"
The target might give the hacker the benefit of the doubt since they possess information that only an authorized person should know.
Baiting is tricking a target into taking an action using "bait" to take advantage of their greed or curiosity.
The classic story of the Trojan Horse is an example of baiting. The Greeks were fighting to get inside the city of Troy. The Greek army left a huge wooden horse outside Troy's gates and sailed away. The Trojans brought it inside their walls as a victory trophy. At night, Greek soldiers hiding inside the horse snuck out and opened the gates so the Greek army could destroy Troy.
Leaving a USB flash drive in a parking lot with an eye-catching label (e.g. "Confidential" or "Salary Spreadsheet") could tempt a user into putting it in their computer. Users regularly accept free CDs and USB flash drives from vendors at conferences and expos without a thought as to the security concern they present to themselves and to their organization. (In 2015, 30% of malware infections came from USB and SD cards.) An email or letter with "You are our lucky winner!" could get a target to visit a URL or call a phone number.
Baiting has become a very popular technique for online ads to employ, so much that it has its own name, "click-baiting". Often these promise users money or secret information.
Here are a few examples of click-bait titles designed to arouse a user's curiosity or greed.
Phishing is type of baiting which is usually accomplished by email (or text message). It is listed separately from baiting due to its unique characteristics and popularity.
A phishing email can be a broadly targeted to millions of email addresses, or it can be narrowly targeted to addresses at a single organization or even a single individual. Attacks on a small group are called "spear phishing" because it is more targeted. Attacks on a single high-profile individual, such as a senior executive, are called "whaling" (because they are after "big fish"). In targeted phishing, hackers may use pretexting techniques such as including personal or organizational information to increase the target's confidence and the hacker's chances for success.
Most phishing emails include common file attachments such as PDFs, Word documents, Excel documents, or zipped files. Opening these files installs malware on the target's computer. Other phishing emails include a link to a hacker controlled site, a site posing as another legitimate site, or a site which asks the user to run or install other software. That other software could be malware or it could be a vulnerable plug-in, such as an out of date version of Adobe Flash Player.
In 2012, it was estimated that 91% of attacks involved spear phishing.
Quid pro quo means "something for something". The attacker provides a gift or a service to the user in exchange for information or action. It can be performed in person or in email, but more often it takes place over the phone.
The most common example of the quid pro quo technique is a hacker who calls many employees at a company pretending to be the IT helpdesk returning their call. When they finally find someone who was in fact waiting for IT to call back, they have their mark. The hacker provides tech support while gathering information or getting the user to issue commands for them. These commands could be to disable security features, grant access privileges, or to download malware.
Another variation of this example is a hacker who calls random phone numbers offering to help users check for the presence of a recent computer virus. While the hacker "helps" out, the user will be asked to disable security settings, to turn on a web cam, or to download some malware.
A hacker might ask users to share their password to win a prize for the strongest password in the company. In one research study, workers took a survey where they revealed network passwords in return for writing pens or chocolate.
Tailgating is walking into a restricted area behind someone who has legitimate access. It is also known as "piggybacking". It is a useful to gain physical access and for reconnaissance. A successful tailgater could potentially have access to server rooms, logged-in employee computers, file cabinets, desk drawers, and trash cans.
The attack capitalizes on individuals' laziness or their reluctance to confront others. The person with legitimate access may feel awkward about insisting on access credentials. They may feel it is not their problem, or not their place. The person will often even hold open the door as a courtesy.
Tailgating is often done using pretexting techniques. Tailgaters might dress like an employee, pretend they left their ID at home, flash a fake ID casually, or have a story about being the friend of an employee. They might try to illicit sympathy by having hands full of boxes or hot coffees, or make themselves more difficult to confront by pretending to be on a phone call. They could disguise themselves as a regular office presence such as a package or flower deliverer, a phone/cable company technician, or a member of a cleaning service.
In 2009, a Siemens security researcher tailgated his way into a financial services company. He stayed for three days and accessed storage rooms, file cabinets, desks, and confidential information. He called staff from an internal company phone and got 17 out of 20 to give him their username and password.
The best defenses against social engineering are security education across an entire organization and having policies and procedures in place for authorization, access, and data handling. Users should be educated on the common social engineering techniques and should have clear procedures to follow if they believe they may have been the victim or attempted victim of a social engineering hack. The organization should have a threat response plan in place when an incident is reported.
Users should not open emails or email attachments from untrusted or suspicious sources. Users should not give strangers the benefit of the doubt. Users should make it a habit to lock their computer whenever they step away from their desk. Doors, desk drawers, and file cabinets should be kept locked by default. (Principle of Least Privilege)
Another easy-to-overlook but key defense against social engineering is proper information disposal. It should be a routine practice to erase hard drives and other media when taken out of service, not stored in a closet. Data backups should be secure, whether onsite, offsite, or in transit.
Dumpsters should be secure. They should have locks to which only the waste management company and cleaning personnel have keys. They should be in secure, highly-visible areas or be monitored. Shred documents and contract with a secure disposal services company.
Perform regular security audits. Internal or external security teams can periodically try to con employees as a form of penetration testing. For example, many companies have implemented programs or use third-party services to deliberately send phishing emails to their employees. It is done as a way educate employees and train them to be vigilant.
"Several employees of a Burger King fast-food outlet in Minnesota were persuaded by a prank caller posing as a fire official to smash the restaurant's windows, convinced that rising gas pressure was threatening to cause an explosion."