Social engineering (security)

Social engineering is a type of confidence trick to influence people with the goal to illegally obtain sensitive data (i.e. passwords, credit card information). Social engineers observe the personal environment of their victims and use fake identities to gain secret information or free services. In most cases, social engineering is used to infiltrate third party computer systems to spy on sensitive data.

Development

The beginning

An early way of social engineering first occurred in the 1980s and was named phreaking. Phreakers called phone companies and claimed to be system administrators and asked for passwords which they used to connect illegally and free of charge to the Internet.

Nowadays

A more modern form of social engineering is called phishing (derived from “fishing”), which is an attempt to get access to Internet user's data via faked WWW-addresses. The most common way of phishing is fraud mailing (also known as scam mailing), where the victim is being sent a fake e-mail i.e. of a bank. In most scam mails, the letter includes a link that is redirecting to a fake website which is logging the login ID and the appropriate password of the victim. The hackers are often using DNS-spoofing to fake the sender's e-mail address.

Main model

How it works

The main model of social engineering shows up with faked phone calls: the social engineer calls employees of a company and impersonates a technician who needs sensitive data to complete important technical operations. In advance the attacker has gathered information about work routines of the target company from public sources or former raid attempts, that gives him advantage in further social engineering trials. The invader tries to confuse his victims and to seem trustful, using trade language and involving the victims in small talk. Further the assaulter pretends authority to frighten his victims. Under circumstances the employee actually requested technical support and is expecting such a phone call.

Protection

The prevention of social engineering is difficult. By influencing the victim subconsciously, the invader abuses typical human behavior like helpfulness in emergency situations or to respond with help to the seemingly helpful attacker. General mistrust would disturb the efficient and trustful team work of an organization. The most effective way to avoid social engineering is to assure the identity of the caller. This can already be done by asking for the caller's name and phone number and to politely ask for patience, even if the caller's issue seems to be very urgent. Even if one could verify the caller's identity, one should only hand out the absolutely necessary information.

Famous social engineers

Social engineering became generally known through people such as Kevin Mitnick, who became one of the most wanted persons in the United States because of successfully invading government systems such as the Pentagon and the NSA. Further well known social engineers are the check scammer Frank Abagnale.

Social Engineering (security) Media

References