Social Engineering Attacks – Glossary of Terms

Social Engineering Reconnaissance

Social Engineering Reconnaissance is a preparatory phase in social engineering attacks, where an attacker gathers information about a target to craft more effective and convincing attacks. This information-gathering stage is critical because it allows the attacker to understand the target’s vulnerabilities, routines, and behaviors. This can include personal details, organizational structure, relationships, job roles, and technical details such as email addresses and phone numbers.

  • Public Sources: Websites, social media profiles, forums, and public records can provide a wealth of information.
  • Social Media: Platforms like LinkedIn, Facebook, Twitter, and Instagram can reveal personal interests, connections, and other valuable details.
  • Search Engines: Tools like Google can be used to find additional information, such as news articles or publications related to the target.
  • Physical Reconnaissance: Observing a target’s location, routine, and in-person interactions.
  • Technical Sources: WHOIS databases, IP addresses, and network scanning can provide technical details about an organization’s infrastructure.

Phishing Campaign

A phishing campaign is a type of cyberattack where attackers send fraudulent messages, often through email, to trick recipients into revealing sensitive information, such as login credentials, financial information, or other personal data. These campaigns can be highly targeted (spear phishing) or broad-based (general phishing) and typically involve the following steps:

  • Preparation:
    • Target Identification: Attackers identify individuals or groups to target. In a broad campaign, they might target many people indiscriminately. In a spear-phishing campaign, they target specific individuals or organizations.
    • Crafting the Message: The attackers create a deceptive message designed to appear legitimate. This can involve copying the style and branding of a trusted entity, such as a bank, a well-known company, or an internal department within a target organization.
  • Execution:
    • Message Delivery: The phishing messages are sent to the targeted individuals. This can be done via email, social media, text messages, or even phone calls.
    • Luring the Victim: The message typically contains a call to action, such as clicking on a link, downloading an attachment, or responding with sensitive information. The link might lead to a fake website that looks like a legitimate login page or form.
  • Exploitation:
    • Harvesting Information: When victims follow the instructions, they might unknowingly provide their sensitive information to the attackers, for example by entering login credentials on a fake website.
    • Malware Installation: In some cases, the phishing message might contain attachments or links that download and install malware on the victim’s device, providing attackers with further access or control.
  • Follow-Up:
    • Utilizing Stolen Information: Attackers use the stolen information for various malicious activities, such as identity theft, financial fraud, or gaining unauthorized access to corporate networks.
    • Covering Tracks: Attackers may attempt to erase traces of their activity to avoid detection and prolong their access to the compromised systems.
  • Common Types of Phishing:
    • Email Phishing: The most common type, involving deceptive emails.
    • Spear Phishing: Highly targeted phishing aimed at specific individuals or organizations.
    • Whaling: A form of spear phishing targeting high-profile individuals like executives.
    • Smishing: Phishing through SMS (text messages).
    • Vishing: Phishing via phone calls (voice phishing).
  • Signs of a Phishing Attempt:
    • Unexpected requests for sensitive information.
    • Messages with urgent or threatening language.
    • Poor grammar or spelling errors.
    • Links to websites with slight misspellings or unusual domains.
    • Attachments from unknown or suspicious sources.
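
The indicators listed above can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the original glossary: it scores a message on sender/display-name mismatch, lookalike domains in the sender address and links (misspellings, digit-for-letter swaps, and a trusted name used as a subdomain of an unrelated domain), urgent language, requests for credentials, and executable-type attachments. The trusted-domain list, brand words, phrase lists, and the two sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed allow-list of the organisation's own and trusted partner domains (constructed).
KNOWN_DOMAINS = {"example-bank.com", "corp.example"}
# Brand words that, when they appear in a display name, should come from the matching domain.
BRAND_WORDS = {"example bank": "example-bank.com"}
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours", "final notice")
CREDENTIAL_PHRASES = ("password", "login credentials", "account number", "verification code")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".lnk", ".hta")
# Digit/letter swaps commonly used to build lookalike domains, undone before comparison.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


@dataclass
class Message:
    from_name: str
    from_addr: str
    subject: str
    body: str
    links: List[str] = field(default_factory=list)
    attachments: List[str] = field(default_factory=list)


def normalize_domain(domain: str) -> str:
    """Lower-case a domain and undo common look-alike character substitutions."""
    d = domain.lower().strip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of_address(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def domain_of_url(url: str) -> str:
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else url.lower()


def is_trusted(domain: str) -> bool:
    return any(domain == k or domain.endswith("." + k) for k in KNOWN_DOMAINS)


def lookalike_of(domain: str) -> str:
    """Return the trusted domain this one imitates, or '' if it is trusted or unrelated."""
    domain = domain.lower()
    if is_trusted(domain):
        return ""
    norm = normalize_domain(domain)
    for known in KNOWN_DOMAINS:
        k = normalize_domain(known)
        if norm == k or norm.endswith("." + k):
            return known  # homoglyph-swapped copy of a trusted domain
        if norm.startswith(k + "."):
            return known  # trusted name used as a leading label of an attacker domain
        if levenshtein(norm, k) <= 2:
            return known  # close misspelling (dropped, added or swapped letter)
    return ""


def score_message(msg: Message) -> Tuple[int, List[str]]:
    """Add up indicator weights and explain each one; higher means more suspicious."""
    score, reasons = 0, []
    sender_domain = domain_of_address(msg.from_addr)

    # Display name claims a brand but the address is not from that brand's domain.
    for brand, brand_domain in BRAND_WORDS.items():
        if brand in msg.from_name.lower() and not (
            sender_domain == brand_domain or sender_domain.endswith("." + brand_domain)
        ):
            score += 2
            reasons.append(f"display name '{msg.from_name}' but sender domain {sender_domain}")

    imitated = lookalike_of(sender_domain)
    if imitated:
        score += 3
        reasons.append(f"sender domain {sender_domain} imitates {imitated}")

    for url in msg.links:
        d = domain_of_url(url)
        imitated = lookalike_of(d)
        if imitated:
            score += 3
            reasons.append(f"link domain {d} imitates {imitated}")

    text = f"{msg.subject}\n{msg.body}".lower()
    urgent = [p for p in URGENCY_PHRASES if p in text]
    if urgent:
        score += min(len(urgent), 2)
        reasons.append("urgent/threatening language: " + ", ".join(urgent))
    asks = [p for p in CREDENTIAL_PHRASES if p in text]
    if asks:
        score += 2
        reasons.append("requests sensitive information: " + ", ".join(asks))

    for name in msg.attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            score += 2
            reasons.append(f"executable-type attachment {name}")
    return score, reasons


def verdict(score: int) -> str:
    return "likely phishing" if score >= 5 else "suspicious" if score >= 3 else "no indicators"


# Two constructed sample messages: one with stacked indicators, one ordinary internal mail.
SAMPLES = [
    Message(
        from_name="Example Bank Support",
        from_addr="alerts@examp1e-bank.com",
        subject="URGENT: your account will be suspended",
        body="Verify your password within 24 hours at the link below.",
        links=["http://example-bank.com.verify-login.net/session"],
        attachments=["statement.pdf.exe"],
    ),
    Message(
        from_name="Dana Colleague",
        from_addr="dana@corp.example",
        subject="Notes from Tuesday's meeting",
        body="Minutes are on the wiki, see link.",
        links=["https://wiki.corp.example/minutes/2024-06"],
        attachments=["agenda.docx"],
    ),
]

if __name__ == "__main__":
    for m in SAMPLES:
        s, why = score_message(m)
        print(f"{verdict(s):16} score={s:2}  {m.from_addr}")
        for r in why:
            print("   -", r)
```

The weights are deliberately simple so an analyst can read why a message was flagged; in practice the lookalike check is most useful when `KNOWN_DOMAINS` is fed from the organisation's real partner list and the output is used to prioritise human review, not as a sole blocking decision.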

Vishing Campaign

A vishing campaign is a type of social engineering attack where attackers use phone calls to deceive victims into providing sensitive information, such as passwords, financial details, or personal information. The term “vishing” combines “voice” and “phishing.” Attackers often impersonate legitimate organizations, such as banks, government agencies, or tech support, to gain the trust of their targets and persuade them to divulge confidential information or perform actions that compromise security.

Physical Penetration Test

A physical penetration test is a security assessment where testers attempt to breach an organization’s physical security measures to identify vulnerabilities. This process involves simulating real-world attacks to gain unauthorized access to buildings, restricted areas, or physical assets, evaluating the effectiveness of locks, alarms, surveillance systems, and security personnel. The goal is to uncover weaknesses and provide recommendations to enhance physical security.

Baiting

Baiting in the context of social engineering refers to a tactic where an attacker uses a tempting offer or lure to trick a person into divulging confidential information or performing an action that compromises security. The bait could be something like a free software download, a flashy advertisement, a USB drive left in a public place, or an enticing email attachment. The goal is to exploit human curiosity, greed, or naivety to gain access to sensitive information or systems.

For example, an attacker might leave a USB drive labeled “Confidential” in a public area, hoping someone will pick it up and insert it into their computer, thereby inadvertently installing malware. Another example could be sending an email with a link promising a free gift, which actually leads to a phishing website designed to steal login credentials.

Baiting preys on the target’s trust and curiosity, making it an effective and often used technique in social engineering attacks.

Dumpster Diving

Dumpster diving refers to the practice of sifting through trash and discarded items to find information that can be used to breach security or gain unauthorized access to systems and data. This technique exploits the fact that individuals and organizations often dispose of sensitive information without proper destruction.

Here are some examples of what might be sought in a dumpster diving attack:

  • Printed documents: Discarded papers might contain valuable information such as passwords, account numbers, or confidential business data.
  • Old electronics: Devices like hard drives, USB sticks, or CDs that are not properly wiped can contain retrievable data.
  • Personal information: Items like old bills, bank statements, or medical records that reveal personal details.
  • Internal communications: Memos, internal emails, or strategic documents that provide insights into organizational operations.

Dumpster diving can be surprisingly effective because people often underestimate the value of what they throw away and may not take adequate steps to destroy sensitive information before discarding it.

Hacking Simulations

In the context of social engineering, hacking simulations, also known as social engineering penetration tests or ethical hacking exercises, involve simulating social engineering attacks to assess the security awareness and preparedness of individuals or organizations. The goal of these simulations is to identify vulnerabilities in human behavior and improve defenses against actual social engineering attacks.

Hacking simulations can take various forms, such as:

  • Phishing Simulations: Sending fake phishing emails to employees to see how many will click on malicious links or provide sensitive information. This helps identify how susceptible the workforce is to phishing attacks and where training is needed.
  • Pretexting Simulations: Conducting phone or in-person scenarios where attackers pretend to be someone they are not (e.g., a company executive, IT support) to trick employees into revealing confidential information or performing certain actions.
  • Baiting Simulations: Leaving items like USB drives or CDs in common areas to see if employees will pick them up and use them, potentially compromising the system by installing malware.
  • Tailgating Simulations: Attempting to gain physical access to restricted areas by following employees through secure doors, testing the effectiveness of physical security measures and employees’ adherence to access control policies.
  • Vishing Simulations: Making phone calls that attempt to extract sensitive information, such as login credentials or personal data, from employees.

These simulations help organizations understand their vulnerabilities, train employees to recognize and respond to social engineering tactics, and strengthen overall security posture by addressing the human element of cybersecurity.