Social Engineering Methods
4 Ways Criminals Exploit Human Behaviour
In 2016, a member of a Google research team conducted a social engineering experiment. Scattering 300 USB drives across a university campus, they found that over 45% of drives were plugged in and had files examined.
Typically motivated by an altruism to find the owner, as well as curiosity, the unsuspecting users demonstrated that social engineering can be simple. Having questioned these helpful stooges, the researchers found that 68% had taken no precautions when connecting a USB drive.
Though in this instance it was merely a harmless experiment, the devices could have just as easily contained malware or exfiltration software. Leaving devices in the right place, malicious actors could potentially exploit this curiosity with very little effort, bypassing network defences and causing untold damage.
There are many methods to socially engineer an attack, not all of them are particularly complicated or even that unfamiliar.
The common factor being, they are all designed to exploit a human weakness in aiding a malicious actor in gaining control or access. Today, social engineering is recognised as one of the greatest security threats that organisations face and is typically a mix of both insider and outsider threat.
When thinking about social engineering attacks, there are four main areas to consider:
This method of social engineering is essentially the creation of a story which is then used to compel a victim into a situation where they find it increasingly difficult to deny requests.
It may be a crying child at someone’s side, or in the background of a phone call, eliciting sympathy, it could also be a fabricated tale of needing an ‘insignificant bank detail’ to avoid an unwanted consequence.
Though both sympathy and empathy are a sure sign of decency, these characteristics can undoubtedly be exploited too. Whereas other methods of social engineering may rely on urgency or fear, pretexting relies on creating a false sense of trust.
Exemplified by the above research into USB drops, baiting appeals to people’s curiosity, their vanity and their greed.
Offering something that is a little ‘too good to be true’ and waiting to see who comes biting. This method may take the form of devices, emails or even downloads, all designed to prompt users to hand over login credentials, access or sensitive information.
A simple, yet very effective method of gaining entrance into a secure location, tailgating (or piggybacking) can involve the impersonation of a delivery person, a security guard or a hapless employee who has misplaced their ID.
Though it may again seem easily avoidable, social engineers have used this method to gain access to some of the most secure corporate environments imaginable and even place bugs in CEO’s offices. The next time you hold that door open to a stranger, you may want to think twice.
- Quid Pro Quo
Roughly translated as this-for-that, quid pro quo is an attack that relies on exchange. From offerings of cash, to a simple gift of a pen, it is surprising how easily an office worker can be gently persuaded to hand over their network passwords.
Though it is not always this obvious and quid pro quo can encompass, for example, the impersonation of IT service people who offer help in exchange for actions such as the disabling of anti-virus software.
Information security is a wide topic, and social engineering attacks represent just a portion of the methods which can be used by nefarious actors to further their goals, and steal and exploit your information.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
What Year Was the Data Protection Act Introduced? Blog by Information Security Awareness Training provider Hut Six Security.
GitLab Phishing, Red Cross Cybersecurity, and easyJet Lawsuit - Infosec Round Up, May 29th 2020
How Does the Data Protection Act Protect your Rights? Blog by information security awareness training provider Hut Six Security.
Knowing how a ransomware attack works is the key to avoiding them and the damage they can pose to your organisation. Blog by Hut Six Security.
Luke talks about his favourite Information Security tutorial, Handling Sensitive Information. Information Security video by Hut Six Security.
Cryptomining hijack, EasyJet Hack and NHS Failing audits - InfoSec Round-Up, May 22nd 2020
Ways of recognising phishing attacks to ensure your organisation stays secure. Blog by information security awareness training provider Hut Six Security.
What are the Eight Principles of the Data Protection Act? Why has this changed to seven in the DPA 2018? Blog by Hut Six Security.
Kayleigh talks about her favourite Information Security tutorial, Encouraging a Secure Culture, which explains the importance of building a secure culture.
Norfund Breach, Celebrity Data hack, and Ransomware Research - InfoSec Round Up, May 15th 2020