Home > Articles > Security > Network Security

  • Print
  • + Share This
This chapter is from the book

5.2 Social Engineering

Social Engineering Methods, by Section

Physical Theft

5.2.1

Emotional Pressure

5.2.2

Haste

5.2.3

Reliance on Inadequate Protection

5.2.4

Instilling Undeserved Trust

5.2.5

Breaking Prior Trust

5.2.6

Trusted Resource Attack

5.2.7


Malicious actions performed against people, including deception or the physical theft of sensitive information such as credentials, represent highly effective avenues of attack against computers. In these cases, the errors or failures are human, and for this reason approaches that utilize human failings are known as social engineering attacks.

"I became absorbed in everything about telephones—not only the electronics, switches, and computers, but also the corporate organization, the procedures, and the terminology. After a while, I probably knew more about the phone system than any single employee. And I had developed my social engineering skills to the point that, at seventeen years old, I was able to talk most Telco employees into almost anything, whether I was speaking with them in person or by telephone." —Kevin Mitnick

Deception perpetrated for the purpose of theft or subversion, known as fraud, usually involves misplaced confidence in the perpetrator, and for this reason fraud schemes are often referred to as confidence schemes, or "con games." More direct attacks against humans involving the theft of information through surveillance or the actual theft of information or assets of value are also common, such as the theft of volumes of customer information.

Social engineering attacks are as old as civilization. What is new is their application to obtain computer access. Most social engineering computer attacks utilize one or more of the techniques discussed next. For those who are interested, comparable "con schemes" used by non-computer crooks are listed in the sidebars.

5.2.1 Physical Theft

Physical theft of computer assets or documents that contain computer-related information can be used to compromise a system. An example is the theft of a computer or storage media containing information of value. Another example is the theft (or reclamation) of discarded assets from which computer-related information can be retrieved—so-called "dumpster-diving" (see "Exploit of Residual Artifacts").

5.2.2 Emotional Pressure

Most social engineering techniques utilize some form of emotional pressure in order to induce the target to accept something that is unvalidated or to make a decision based on unvalidated information. This is usually done in conjunction with a technique to instill trust in the perpetrator. The emotional pressure usually takes one of these forms:

  1. Emotional investment: Example: Claim to need help with something, but then in the middle of the effort, request help with something else that would require authorization—and explain that it would be very helpful to bypass procedure in order to expedite things.

  2. Intimidation: Example: Telling an administrator that if they do not expedite a request by circumventing a security procedure, the company’s profit might be at risk, and hence their job.

  3. Pride: Example: Challenging an administrator to do something that requires broad-ranging privileges.

  4. Inconvenience (for example, inconvenience of checking something out): Example: Presenting proof of validity that is unusual and appears legitimate but that would take time and effort to verify.

  5. Enticement (perhaps sufficient to induce you to avoid safeguards): Example: Promising an insider that they will participate in a lucrative fraud scheme, when in fact the only objective is to get them to perform an act of subversion, such as allowing use of their computer account.

  6. Crisis: Create a crisis that needs a solution and offer the solution (target accepts inadequate validation from the responder). Example: Send advertisement for a service professing to identify hackers and then slightly hack the target’s computer; if contacted, induce the target to provide full and direct access to their system.

Traditional Examples of Enticement Schemes

Scheme Name

Method

Nigerian Letter

Letter recipient is enticed into participating in a lucrative scheme—for a fee that is later revealed.

Pigeon Drop

Target is enticed into sharing in a valuable treasure find, provided the target puts up "good faith money." The treasure is either worthless or taken away.

Pump-and-Dump

False rumors are generated to cause a stock price to inflate. This is an enticement scheme because the rumors are not substantiated.

Spanish Prisoner

Purported ex-prisoner entices target into sharing a stolen fortune, as long as target provides funds to get to it.

Rocks-in-the-Box

Target is enticed into buying purportedly valuable but shady merchandise for cash, only to find that the merchandise is worthless.

Country Boy

Target is enticed into defrauding an apparently naïve person, provided that the target provides "good faith money."

Contest Winner

Target is enticed into sending money to claim a supposedly large prize.

3-Card Monte

Target is enticed into playing a rigged card game based on a controlled demonstration that it is easy to win.

Truck load scam

Target is enticed into buying shady merchandise and pays up front only to find the truck has left.

Bankruptcy fraud

Naïve creditors are enticed into accepting an early unconditional settlement of a debt when told that a bankruptcy is imminent for the debtor, but the bankruptcy application is then rescinded.


5.2.3 Haste

Most schemes to deceive involve a sense of haste or urgency. The perpetrator requires haste in order to prevent detection, because given time, credentials can be validated, and a story double-checked. Also, given time, intrusion detection processes and notification processes complete.

The most common way to induce haste in a victim is to create a form of pressure that is time-based; the time aspect may be real (verifiable) or artificial (would fail verification, but the time pressure makes verification inconvenient or seemingly risky). For example, the perpetrator might ask that things be done quickly in order to make some form of deadline.

Traditional Examples of Crisis-Based Pressure

Scheme Name

Method

Bail bond scheme

Target is contacted and urged to provide bail money for a relative who is known to be presently inaccessible. The target is under pressure to provide the money immediately without confirming that their relative is indeed in jail.

Phony COD delivery

Target is approached at home by a legitimate-looking delivery person asking for a COD fee. In the pressure of the moment, the target pays the fee.


5.2.4 Reliance on Inadequate Protection

Software applications protect assets of value: information and transactions. If the protection mechanisms have loopholes or are inadequate, an attacker merely needs to discover those sources of inadequacy.

Inadequate protection can result from merely not having enough resources to respond to an emergency of large magnitude or to multiple emergencies concurrently. Many of the attacks in this category rely on overwhelming a response system. The techniques include:

  1. Diversion: Cause an unexpected crisis that overwhelms response resources. Example: Attack a system that is not of interest but that is easy to attack so that security administrators are focusing their attention there; then attack the actual target. Another example is to cause a different kind of crisis, such as a fire.

  2. Decoys: Overwhelm response resources, by creating a storm of false events that prevent the responders from identifying the real events.6 An example of the use of decoys would be a storm of packets from many compromised "decoy" systems preventing security administrators from tracking the true source of the attack.

  3. Distraction: Create innocent confusion that disrupts thought processes or safeguards. Example: Ask an administrator for help that requires that he access sensitive information in your presence and have someone else interrupt him several times.

  4. Reliance on naiveté: Identify a new and inexperienced administrator.

  5. Reliance on ineffectiveness: Rely on incompetence, lack of diligence, or an inability to contain or identify an attacker. Example: Falsifying fulfillment transactions that are less well protected. All technical security weaknesses also fall into this category because they represent an ineffective system.

  6. Attack the responders (or compromise them): Example: Implant a trojan horse in a recovery image.

Traditional Examples of Reliance on Ineffectiveness

Scheme Name

Method

False Claims

Reliance on the inability of a claim processing system to validate claims of expenses.

Kiting

Reliance on the inability of a clearing operation to reconcile related transactions in real time.

Shorting

Delivering less than promised and relying on the inability of the recipient to verify the amount or quality.


Distraction and diversion are classic human behavior techniques that rely on the limited ability of people to deal with multiple situations at the same time as well as the inability of people to think through unusual situations in a timely manner. For example, if an intrusion detection system is repeatedly triggered in some manner that is identified as a "false alarm," the response staff might temporarily disable it until it can be examined. This opens a window of vulnerability.

Distraction can be caused by any abnormal situation that diverts the attention of staff. Diversion involves deliberately triggering an alarm so that response staff will then not notice other alarms because they are responding to the first.

Attacking emergency responders is a very powerful technique because when they are not "on-guard" they are usually poorly protected compared with the assets that they protect.

5.2.5 Instilling Undeserved Trust

In order to convince someone to perform an action that you request, you must get them to trust you. Therefore, most social engineering schemes include a method of instilling trust and then exploiting that trust such as inducing the target to perform an unprotected action (especially when you are desperate and your guard is down).

The common methods of instilling undeserved trust are:

  1. Stolen credentials (or any validation information): Example: "Shoulder surfing" to obtain someone’s logon, and then using it. Another example: Enrollment through fraudulent representation. Another example: Using the customer service pathway; for example, calling to change your address and then having sensitive information mailed to you.

  2. Counterfeit credentials: By presenting counterfeit credentials or evidence of legitimacy. Example: Posing as a system administrator and demonstrating knowledge to buttress the claim, and asking a user to provide sensitive information. This is a variation of the so-called "bank examiner" fraud in which a perpetrator poses as a bank official and tells a customer to turn over funds from their account under false pretenses. Another example: Similar domain names. Another example: Imitation PayPal link schemes, or clicking on any legitimate-looking link in an email from an unvalidated source.

  3. Juxtaposition with something legitimate: By association or juxtaposition with something legitimate. Example: Links to the Web page of legitimate services.

  4. Successful interactions: Through legitimate or seemingly legitimate interactions. Example: Free services that build trust and eventually solicit sensitive information.

  5. Traditional Examples of Instilling Undeserved Trust Through Successful Interactions

    Scheme Name

    Method

    Ponzi scheme

    Targets invest more and more, based on what they perceive to be good experiences. Their money is eventually taken.

    Big store

    Target witnesses lots of apparently successful transactions, and uses that as a basis for trust.

    Salting the gold mine

    Target trusts an investment based on the initial discovery of valuable resources or gains that were actually planted.

    Sweetheart swindle

    Trust is developed through courtship.


  6. Peer collusion: Through interactions with a third party that is secretly collusive. Example: Relationships with other seemingly legitimate companies, that are actually "fronts."

  7. Interactions with trustworthy entities: Through interactions with an entity trusted by the target. Example: Evidence that services were obtained from a trusted security company.

5.2.6 Breaking Prior Trust

Rather than instill trust, it is often possible for a perpetrator to persuade a party that is already trusted to act in collusion with them. This is usually achieved through some form of incentive, such as bribery or mutual gain. The forms of collusion include:

  1. Collusion with an insider: Often a result of a conflict of interest, or when roles are not sufficiently separated. Examples: An administrator altering a transaction log; a back door inserted by a trusted programmer; causing a financially favorable error in the account of an employee who has high authority to see if they report the error; transactions recorded as discounted when they are not.

  2. Collusion with outsiders: Example: A collusive security monitoring service.

Indeed the members of the notorious DrinkorDie Web piracy group often relied on moles in large corporations and cracked security codes for Norton Antivirus, Microsoft’s Word and Excel products, pirated games and design programs, and posted the entire Windows 95 operating system on the Internet two weeks before it was released. [25]

Traditional Examples of Insider Collusion

Scheme Name

Method

Embezzlement, or "Cooking the Books"

An employee modifies accounting records in order to conceal unauthorized transactions.

Kickback

An insider grants a contract based on the expectation that the contractor will secretly provide a gift.

Salami

An unnoticeable portion ("slice") of proceeds is taken on an ongoing basis.

Under-Ring

A transaction is entered for less than the actual amount charged, and the difference is pocketed.

Employee Account Fraud

The insider has both a work relationship and a business relationship with the organization, and uses employee access to business records to modify the account.

Fictitious Refunds, Fictitious Sales, Negative Invoicing

False refunds, sales, and invoices are submitted by an outsider and facilitated by the insider.

"Ghost" employees

A managerial employee budgets for staff who do not exist, and pockets their payroll checks.

"Salting Cash"

Insiders who would be willing to compromise their organization are identified by causing errors in their favor and observing if they report the error.


5.2.7 Trusted Resource Attack

This form of attack has already been discussed in the context of technical attacks. It is included here because it can be used to attack non-computing assets, and also because of its tremendous power and importance.

Example: Compromise the tools used by emergency response personnel.

  • + Share This
  • 🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020