Vince Reynolds - Social Engineering: The Art of Psychological Warfare, Human Hacking, Persuasion, and Deception

Nowadays, a huge number of people have become too acquainted with hackers who exploit sensitive data and protected computer systems of various organizations, including banks, businesses, and even government agencies. More often than not, you will hear about hackers and become motivated to forestall their ploys. Most organizations counter the exploits of hackers through investments in new and up-to-date technologies to strengthen their defenses.

On the other hand, there is a new breed of attackers who use their expertise to go past the solutions and tools of organizations. This new breed of attackers is referred to as social engineers, who are likewise known as hackers; however, their primary objective is to tap into one's weakness, that is, human psychology. Social engineers make use of media such as phone calls as well as social media to trick people so that they can gain access to important and sensitive information.

Social engineering involves a wide range of malicious activities, which are executed in various ways such as pretexting, phishing, quid pro quo, baiting, and tailgating among others.

Pretexting is a form of social engineering in which attackers create a fabricated situation or good pretext, which they use to steal one's personal information. More often than not, attackers who use pretexting are mistaken as scammers who usually pretend that they need personal information for confirming their target's identity.

Attackers who have advanced skills in social engineering using pretexting try to persuade their targets to do certain actions in order to gain access to an organization and exploit its structural flaws. For instance, an attacker may take the form of an external IT services auditor to try and manipulate the physical security staff of an organization so that he/she can gain access to the building.

Social engineering attacks via pretexting depend on the creation of a delusive sense of trust with the target. The attacker is required to create a credible story, leaving little or no room for doubt on his/her target; thus, the attacker can gain information that is both sensitive and non-sensitive. There was a case wherein a group of attackers took the form of modeling agency representatives and invented fabricated stories as well as interview questions. The attackers targeted women whom they manipulated to sending nude photos of themselves.

Phishing is considered as the most common type of social engineering, which attackers use today. Phishing scams have distinct characteristics such as obtaining personal information, including names, social security numbers, and addresses of targets; incorporating fear, a sense of urgency, and threats to manipulate targets to act fast; and using embed links or link shorteners to redirect targets to suspicious websites through URLs that may appear authorized or legit.

Although some phishing emails are crafted poorly, that is, the messages include grammatical errors and misspelled words, they can still direct targets to fake websites. Phishing emails are intended to steal the login credentials and other personal information of targets.

More often than not, attackers who use phishing emails pair malware with their phishing ploys in order to obtain users' information. For instance, a reported scam involved attackers who sent phishing emails to targets. The targets were prompted to install cracked APK files from Google Play Books. However, the files were already pre-loaded with malware.

Quid pro quo is another form of social engineering. It involves a promise from the attackers that the target will receive a benefit in exchange for a particular piece of information. The benefit that attackers promise their targets is in the form of services instead of goods.

More often than not, attackers who use quid pro quo ploys pose as fraudsters who act as people for IT services. The attackers usually make as many spam calls as possible to direct numbers from an organization and offer their targets IT assistance. They will then promise a quick fix of a certain IT issue while prompting their targets to disable their AV program. Once the targets agree, the fraudsters install malware that take the form of software updates on the computers of their targets.

There are also cases wherein attackers use less sophisticated ploys of quid pro quo. For instance, attackers know that many people, specifically office workers, would be willing to share their passwords in exchange for a bar of chocolate or even a cheap pen.

Another form of social engineering is baiting, which is similar to phishing and quid pro quo in many ways. Attackers who use baiting employ online schemes that entice their targets to surrender their login credentials to a suspicious website in exchange for a good or an item. More often than not, attackers offer their targets with free movie or music downloads.

However, baiting is not limited to online schemes. Attackers who use this type of social engineering can also exploit the human curiosity through physical media. There was a case in which a founder of an organization along with his team infected and dispersed a number of USBs with a Trojan virus around the parking lot of his organization. Most of the employees picked up and plugged the USBs into their gadgets such as computers, laptops, and tablets out of curiosity. Once they plugged the USBs, a keylogger was activated and the founder was able to access the login credentials of his employees.

Tailgating, also known as piggybacking, is a social engineering form that involves attackers who have no proper authentication in an organization. The attackers follow employees to obtain access in a restricted area.

A tailgating attack often involves attackers who pose as delivery drivers waiting at an organization's parking lot. When the attackers see an employee gaining the security's approval, the attackers who usually carry goods for delivery ask the employee to hold the door. Thus, they gain access from someone who is authorized to get into the building.