The Security Breach
Instead of using technical skills to break into computers, hackers often use the weakness of the human mind to gain access to corporations. Hackers befriend users and trick them into giving away sensitive information that can be used to gain access to systems. These hackers also use trickery such as pretending to be from tech support to get unsuspecting users to give up their username and password information.
Jason Meserve, "Social Engineering," 4/24/2000
Social engineering is defined by Joel Scambray, et al. in Hacking Exposed, Second Edition (McGraw-Hill, 2000) as the technique of using persuasion and/or deception to gain access to information systems. Basically, using what we would call simple psychology, the social engineer gets people to do what he or she wants. We're not talking about mind control here; nothing as sophisticated as that. Just employing persuasion or deception to use the flaws in human nature to get people to perform tasks that they normally wouldn'tthough it's far from foolproof. Such persuasion and deception is typically implemented through human conversation or other interaction: telephone calls, emails, and downright impersonation.
Though simple to understand, the outcome of social engineering can be quite profitable to a malicious person bent on acquiring sensitive information about an organization, in the form of usernames, passwords, operating systems, hardware configurations, and just about any kind of information they can obtain. These "cyber-cons" (see Christopher Paradowski's article) can and do lead to network intrusion, industrial espionage, and identity theft.
The simplest kind of social engineering consists of a simple telephone call. For example, if you have a large organization, or one with multiple offices, someone may call an employee and say they're from your company's help desk. They say they're upgrading the current configuration and verifying all usernames and passwords, and ask your employee for his or her username and password. The user surrenders his or her information to the caller, and now the cyber-criminal has user access to your network.
Even snail mail can be used as a social engineering tactic. Something disguised as a survey request can be very useful in obtaining information from an organization, and it's untraceable when used with an easily changed P.O. box as a return address. People are more likely to respond to a survey they receive in the mail, especially if it includes a self-addressed stamped envelope and a promise of cash or other prizes for completing and returning the survey.
A more recent social engineering tactic is conducted over the web. While the user is surfing on his dial-up account, a Java pop-up window appears, stating that he has been logged off his ISP. It prompts the user to reenter his username and password and then click OK. Once he does this, the information the user typed is sent directly to the cyber-criminal.