Social Engineering

Social Engineering [Video]

Attacking the Weakest Link in the Security Chain

By Solange Deschatres

It’s happened to major corporations, and even to the U.S. Department of Defense: falling victim to data breaches that resulted from attackers exploiting employees or company vendors. Unfortunately, along with exposing millions of identities, these attacks also reveal what is often the weakest link in enterprise data security: the human element.

Over the past decade, an increasing number of users have been targeted with spear-phishing attacks, and the social engineering behind them has grown more sophisticated over time. The risks of data breaches that can result from these attacks are incredibly high: over 552 million identities were exposed in data breaches during 2013. It’s obvious that protecting your organization and customer information is crucial, and protection in this case starts with knowing your enemy. It’s important that your organization and employees understand what these attacks look like and how to defend against them.

Incognito Emails

Today’s phishing attacks are no longer as simple and obvious as those you may remember. Hackers have developed sophisticated spear-phishing methods that rely heavily on refined and well-researched social engineering to improve their chances of success. Their emails are specifically tailored to spark the interest of the individual being targeted to increase the likelihood that they will open them.

Attackers may make emails appear to come from someone that the target knows or a source they would trust, or include information that would be relevant to the target’s professional role. For instance, an attacker may send someone working in human resources a spear-phishing email that includes a resume attachment laden with malware, or send an employee an important notice that appears to be from his or her banking institution. In fact, according to Symantec’s latest Internet Security Threat Report (ISTR), 71 percent of last year’s phishing attacks were related to spoofed financial organizations, compared with 67 percent in 2012. The attackers can be very well disguised and, as a result, they may be almost impossible to identify without the right controls in place to safeguard against them.

While spear-phishing attacks have traditionally targeted only email, we saw last year that a growing number of attackers are also using more aggressive offline tactics. In addition to sending emails, attackers are making assertive follow-up phone calls directly to the target to pressure him or her into opening the email. In the “Francophoned” attack from April 2013, an attacker impersonated a high-ranking employee and requested that the target open the attachment immediately.


Source: Symantec Feeds

5 Social Engineering Attacks to Watch Out For

We have become all too familiar with the type of attacker who leverages their technical expertise to infiltrate protected computer systems and compromise sensitive data. We hear about this breed of hacker in the news all the time, and we are motivated to counter their exploits by investing in new technologies that will bolster our network defenses.

However, there is another type of attacker who can use their tactics to skirt our tools and solutions. They are the social engineers, hackers who exploit the one weakness that is found in each and every organization: human psychology. Using a variety of media, including phone calls and social media, these attackers trick people into offering them access to sensitive information.

Social engineering is a term that encompasses a broad spectrum of malicious activity. For the purposes of this article, however, we will focus on the five most common attack types that social engineers use to target their victims: phishing, pretexting, baiting, quid pro quo and tailgating.

1. Phishing

Phishing scams might be the most common types of social engineering attacks used today. Most phishing scams demonstrate the following characteristics:

  • Seek to obtain personal information, such as names, addresses and social security numbers.
  • Use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate.
  • Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly.
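As an added example (not code from the article, Symantec or Tripwire), here is a small Python checker that flags the three characteristics listed above in an HTML email body: a link-shortener host, anchor text that displays one domain while the href points to another, and urgency wording. The shortener list, urgency phrases and sample message are assumed, constructed values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, constructed lists; a real deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
URGENCY_WORDS = ("immediately", "urgent", "suspended", "within 24 hours", "verify now")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Normalised host of a URL or bare domain (scheme optional, 'www.' dropped)."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc.lower()
    return netloc[4:] if netloc.startswith("www.") else netloc


def phishing_indicators(html_body):
    """Return the sorted list of indicator names found in an HTML email body."""
    parser = _LinkCollector()
    parser.feed(html_body)
    found = set()
    for href, text in parser.links:
        if _host(href) in SHORTENER_HOSTS:
            found.add("link_shortener")
        # Visible text looks like a URL or domain but the link goes elsewhere.
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I) and _host(text) != _host(href):
            found.add("mismatched_link_text")
    if any(w in html_body.lower() for w in URGENCY_WORDS):
        found.add("urgency_language")
    return sorted(found)


# Constructed sample message for demonstration; not a real phishing email.
SAMPLE = ('<p>Your account will be suspended. Verify now at '
          '<a href="http://login.example-bank.evil.test/">https://www.examplebank.com</a></p>')
```

Running `phishing_indicators(SAMPLE)` reports both the mismatched link text and the urgency language; a benign message whose anchor text and href agree reports nothing.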

Some phishing emails are more poorly crafted than others, to the extent that their messages often exhibit spelling and grammar errors, but these emails are no less focused on directing victims to a fake website or form where the attackers can steal user login credentials and other personal information.

A recent scam sent phishing emails to users after they installed cracked APK files from Google Play Books that were pre-loaded with malware. This specific phishing campaign demonstrates how attackers commonly pair malware with phishing attacks in an effort to steal users’ information.

2. Pretexting

Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity.

More advanced attacks will also try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organization or company. A good example of this would be an attacker who impersonates an external IT services auditor and manipulates a company’s physical security staff into letting them into the building.

Unlike phishing emails, which use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target.

Pretexting attacks are commonly used to gain both sensitive and non-sensitive information. Back in October, for instance, a group of scammers posed as representatives from modeling agencies and escort services, invented fake background stories and interview questions in order to have women, including teenage girls, send them nude pictures of themselves.

3. Baiting

Baiting is in many ways similar to phishing attacks. However, what distinguishes it from other types of social engineering is the promise of an item or good that hackers use to entice victims. Baiters may offer users free music or movie downloads if they surrender their login credentials to a certain site.

Baiting attacks are not restricted to online schemes, either. Attackers can also focus on exploiting human curiosity via the use of physical media.

One such attack was documented by Steve Stasiukonis, VP and founder of Secure Network Technologies, Inc., back in 2006. To assess the security of a financial client, Steve and his team infected dozens of USBs with a Trojan virus and dispersed them around the organization’s parking lot. Curious, many of the client’s employees picked up the USBs and plugged them into their computers, which activated a keylogger and gave Steve access to a number of employees’ login credentials.

4. Quid Pro Quo

Similarly, quid pro quo attacks promise a benefit in exchange for information. This benefit usually assumes the form of a service, whereas baiting frequently takes the form of a good.

One of the most common types of quid pro quo attack involves fraudsters who impersonate IT service people and spam-call as many direct numbers belonging to a company as they can find. These attackers offer IT assistance to each and every one of their victims. The fraudsters promise a quick fix in exchange for the employee disabling their AV program and installing malware, disguised as software updates, on their computer.

It is important to note, however, that attackers can use much less sophisticated quid pro quo offers than IT fixes. As real world examples have shown, office workers are more than willing to give away their passwords for a cheap pen or even a bar of chocolate.

5. Tailgating

Another social engineering attack type is known as tailgating or “piggybacking.” These types of attacks involve someone who lacks the proper authentication following an employee into a restricted area.

In a common type of tailgating attack, a person impersonates a delivery driver and waits outside a building. When an employee gains security’s approval and opens the door, the attacker asks the employee to hold it, thereby gaining access through someone who is authorized to enter the company.

Tailgating does not work in all corporate settings, such as in larger companies where all persons entering a building are required to swipe a card. However, in mid-size enterprises, attackers can strike up conversations with employees and use this show of familiarity to successfully get past the front desk.

In fact, Colin Greenless, a security consultant at Siemens Enterprise Communications, used these same tactics to gain access to several different floors, as well as the data room at an FTSE-listed financial firm. He was even able to base himself in a third floor meeting room, out of which he worked for several days.


Hackers who engage in social engineering attacks prey on human psychology and curiosity in order to compromise their targets’ information. With this human-centric focus in mind, it is up to users and employees to counter these types of attacks.

Here are a few tips on how users can avoid social engineering schemes:

  • Do not open any emails from untrusted sources. Be sure to contact a friend or family member in person or via phone if you ever receive an email message that seems unlike them in any way.
  • Do not give offers from strangers the benefit of the doubt. If they seem too good to be true, they probably are.
  • Lock your laptop whenever you are away from your workstation.
  • Purchase anti-virus software. No AV solution can defend against every threat that seeks to jeopardize users’ information, but it can help protect against some.
  • Read your company’s privacy policy to understand under what circumstances you can or should let a stranger into the building.

Source: TripWire

Thanks to Symantec and TripWire, and thanks for reading Social Engineering.

Dr Don
Founder/Admin The Internet Crime Fighters Org, Admin DrDony's Reviews,, Author The Internet Users Handbook, See more