In the context ofinformation security,social engineering is the use of psychological pressure to influence people to perform actions or divulgeconfidential information. It has also been more broadly defined as "any act that influences a person to take an action that may or may not be in their best interests."[1][2] A type ofconfidence trick for the purpose of information gathering,fraud, or system access, it differs from a traditional "con" in the sense that it is often one of many steps in a more complex fraud scheme.[3]
Social engineering attacks have been increasing in intensity and number[when?], prompting research into novel detection techniques andcybersecurity educational programs.[4]
Research undertaken in 2020 has indicated that social engineering will be one of the most prominent challenges of the upcoming decade.[citation needed] The ability to thwart social engineering attacks will be increasingly important for organizations and countries.[citation needed] Social engineering raises the question of whether our decisions will be accurately informed if our primary information is engineered and biased.[5]
All social engineering techniques are based on exploitable weaknesses in humandecision-making known ascognitive biases.[6][7] Social engineering differs frompsychological manipulation in that it doesn't need to be controlling, negative or a one-way transaction. Manipulation involves azero-sum game where one party wins and the other loses while social engineering can be win-win for both parties.[3]
An example of social engineering would be an attacker who walks into a building and posts an official-looking announcement to the company bulletin that says the telephone number for the help desk has changed. When employees call the false number for help, the individual asks them for their passwords and IDs, thereby gaining access to the company's private information.Another example of social engineering would be a hacker contacting the target on asocial networking site and starting a conversation with them. Gradually, the hacker gains the trust of the target and then uses that trust to gain access to sensitive information like password or bank account details.[8]
Pretexting (adj. pretextual), also known in the UK as blagging,[9] is the act of creating and using an invented scenario (thepretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.[10] An elaboratelie, it most often involves some prior research or setup and the use of this information for impersonation (e.g., date of birth,Social Security number, last bill amount) to establish legitimacy in the mind of the target.[11]
Water holing is a targeted social engineering strategy that capitalizes on the trust users have inwebsites they regularly visit. The victim feels safe to do things they would not do in a different situation. A wary person might, for example, purposefully avoid clicking a link in an unsolicited email, but the same person would not hesitate to follow a link on a website they often visit. So, the attacker prepares a trap for the unwary prey at a favored watering hole. This strategy has been successfully used to gain access to some (supposedly) very secure systems.[12]
Baiting is a form of real-worldTrojan horse that uses physical media and relies on the curiosity or greed of the victim.[13] In thisattack, attackers leavemalware-infectedfloppy disks,CD-ROMs, orUSB flash drives in locations people will find them (bathrooms, elevators, sidewalks, parking lots, etc.), give them legitimate and curiosity-piquing labels, and wait for victims.
Unless computer controls block infections, insertion compromises PCs "auto-running" media. Hostile devices can also be used.[14] For instance, a "lucky winner" is sent a freedigital audio player compromising any computer it is plugged to. A "road apple" (the colloquial term for horsemanure, suggesting the device's undesirable nature) is anyremovable media with malicious software left in opportunistic or conspicuous places. It may be a CD, DVD, orUSB flash drive, among other media. Curious people take it and plug it into a computer, infecting the host and any attached networks. Again, hackers may give them enticing labels, such as "Employee Salaries" or "Confidential".[15]
One study published in 2016 had researchers drop 297 USB drives around the campus of the University of Illinois. The drives contained files on them that linked to webpages owned by the researchers. The researchers were able to see how many of the drives had files on them opened, but not how many were inserted into a computer without having a file opened. Of the 297 drives that were dropped, 290 (98%) of them were picked up and 135 (45%) of them "called home".[16]
Ad phishing is a social engineering technique in which malicious actors use online ads to deceive users into believing they are interacting with legitimate brands or services. According to Google, these deceptive ads often mimic trusted entities such as banks, software providers, or customer support pages, leading users to fraudulent sites that attempt to steal passwords, credit card information, or other sensitive data.[17]
An attacker offers to provide sensitive information (e.g. login credentials) or pay some amount of money in exchange for a favor. The attacker may pose as an expert offering free IT help, whereby they need login credentials from the user.[18]
The victim is bombarded with multiple messages about fake threats and alerts, making them think that the system is infected with malware. Thus, attackers force them to install remote login software or other malicious software. Or directly extort a ransom, such as offering to send a certain amount of money incryptocurrency in exchange for the safety of confidential videos that the criminal has, as he claims.[18]
An attacker pretends to be a company employee or other person with access rights in order to enter an office or other restricted area. Deception and social engineering tools are actively used. For example, the intruder pretends to be a courier or loader carrying something in his hands and asks an employee who is walking outside to hold the door, gaining access to the building.[18]
Incommon law, pretexting is an invasion ofprivacy tort of appropriation.[19]
In December 2006,United States Congress approved a Senate sponsored bill making the pretexting of telephone records a federalfelony with fines of up to $250,000 and ten years in prison for individuals (or fines of up to $500,000 for companies). It was signed byPresident George W. Bush on 12 January 2007.[20]
The 1999Gramm-Leach-Bliley Act (GLBA) is aU.S. Federal law that specifically addresses pretexting of banking records as an illegal act punishable under federal statutes. When a business entity such as a private investigator, SIU insurance investigator, or an adjuster conducts any type of deception, it falls under the authority of theFederal Trade Commission (FTC). This federal agency has the obligation and authority to ensure that consumers are not subjected to any unfair or deceptive business practices. US Federal Trade Commission Act, Section 5 of theFTCA states, in part:"Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public, it shall issue and serve upon such person, partnership, or corporation a complaint stating its charges in that respect."
The statute states that when someone obtains any personal, non-public information from a financial institution or the consumer, their action is subject to the statute. It relates to the consumer's relationship with the financial institution. For example, a pretexter using false pretenses either to get a consumer's address from the consumer's bank, or to get a consumer to disclose the name of their bank, would be covered. The determining principle is that pretexting only occurs when information is obtained through false pretenses.
While the sale of cell telephone records has gained significant media attention, and telecommunications records are the focus of the two bills currently before theUnited States Senate, many other types of private records are being bought and sold in the public market. Alongside many advertisements for cell phone records, wireline records and the records associated with calling cards are advertised. As individuals shift to VoIP telephones, it is safe to assume that those records will be offered for sale as well. Currently, it is legal to sell telephone records, but illegal to obtain them.[21]
U.S. Rep.Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and Commerce Subcommittee on Telecommunications and the Internet, expressed concern over the easy access to personal mobile phone records on the Internet during a House Energy & Commerce Committee hearing on "Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?"Illinois became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc. A spokeswoman for Madigan's office said. The Florida-based company operates several Web sites that sell mobile telephone records, according to a copy of the suit. The attorneys general of Florida andMissouri quickly followed Madigan's lead, filing suits respectively, against 1st Source Information Specialists and, in Missouri's case, one other records broker – First Data Solutions, Inc.
Several wireless providers, including T-Mobile, Verizon, and Cingular filed earlier lawsuits against records brokers, with Cingular winning an injunction against First Data Solutions and 1st Source Information Specialists. U.S. SenatorCharles Schumer (D-New York) introduced legislation in February 2006 aimed at curbing the practice. The Consumer Telephone Records Protection Act of 2006 would createfelonycriminal penalties for stealing and selling the records of mobile phone,landline, andVoice over Internet Protocol (VoIP) subscribers.
Patricia Dunn, former chairwoman ofHewlett Packard, reported that the HP board hired a private investigation company to look into who was responsible for leaks within the board. Dunn acknowledged that the company used the practice of pretexting to solicit the telephone records of board members and journalists. Chairman Dunn later apologized for this act and offered to step down from the board if it was desired by board members.[22] Unlike Federal law, California law specifically forbids such pretexting. The four felony charges brought on Dunn were dismissed.[23]
![[icon]](/mt/?noimg=&dark=on&url=http%3a%2f%2fen.wikipedia.org%2fwiki%2fFile%3aWiki_letter_w_cropped.svg) | This sectionneeds expansion. You can help byadding missing information.(May 2024) |
Following the2017 Equifax data breach linked toChina'sPeople's Liberation Army[24] in which over 150 million private records were leaked (includingSocial Security numbers, anddrivers license numbers, birthdates, etc.), warnings were sent out regarding the dangers of impending security risks.[25] In the day after the establishment of a legitimate help website (equifaxsecurity2017.com) dedicated to people potentially victimized by the breach, 194 malicious domains were reserved from small variations on the URL, capitalizing on the likelihood of people mistyping.[26][27]
Two tech giants—Google andFacebook—were phished out of $100 million by aLithuanian fraudster.[28] He impersonated a hardware supplier to falsely invoice both companies over two years.[29] Despite their technological sophistication, the companies lost the money, although they were later able to recoup the majority of the funds stolen.[30]
During the2016 United States Elections, hackers associated withRussian Military Intelligence (GRU) sent phishing emails directed to members ofHillary Clinton's campaign, disguised as a Google alert.[31] Many members, including the chairman of the campaign,John Podesta, had entered their passwords thinking it would be reset, causing their personal information, and thousands of private emails and documents to be leaked.[32] With this information, they hacked into other computers in theDemocratic Congressional Campaign Committee, implanting malware in them, which caused their computer activities to be monitored and leaked.[32]
In 2015, specializedWi-Fi hardware and software maker Ubiquiti lost nearly $47 million to hackers. Attackers sent Ubiquiti's accounting department aphishing email from aHong Kong branch with instructions to change payment account details. Upon discovering the theft, the company began cooperating with law enforcement, but was only able to recover $8 million of the stolen funds, although they had hoped for $15 million.[33][34]
On24 November 2014, thehacker group "Guardians of Peace"[35] (probably linked toNorth Korea)[36]leaked confidential data from the film studioSony Pictures Entertainment. The data included emails, executive salaries, and employees' personal and family information. The phishers pretended to be high up employees to install malware on workers' computers.[37]
In 2013, aU.S. Department of Labor server was hacked and used to host malware and redirect some visitors to a site using a zero-dayInternet Explorer exploit to install a remote access trojan calledPoison Ivy. Watering hole attacks were used, with the attackers creating pages related to toxic nuclear substances overseen by theDepartment of Energy. The targets were likely DoL and DOE employees with access to sensitive nuclear data.[33][38]
In 2011, hackers broke into the сryptographic corporationRSA and obtained information aboutSecurID two-factor authentication fobs. Using this data, the hackers later tried to infiltrate the network of defense contractorLockheed Martin. The hackers gained access to the key fob data by sending emails to four employees of the parent corporation from an alleged recruitment site. The emails contained anExcel attachment titled 2011 Recruitment Plan. The spreadsheet contained azero-day Flashexploit that providedbackdoor access to the work computers.[33][39]
Susan Headley became involved inphreaking withKevin Mitnick inLos Angeles.[40][41]
Mike Ridpath is a security consultant, published author, speaker and previous member ofw00w00. He is known for developing techniques and tactics for social engineering throughcold calling. He became known for live demonstrations as well as playing recorded calls after talks where he explained his thought process on what he was doing to get passwords through the phone.[42][43] As a child, Ridpath was connected with Badir Brothers and was known within thephreaking andhacking community for his articles with popular undergroundezines, such as Phrack, B4B0 and 9x on modifying Oki 900s, blueboxing,satellite hacking and RCMAC.[44][45]
Brothers Ramy, Muzher, and Shadde Badir—all of whom were blind from birth—set up an extensive phone and computer fraud scheme inIsrael in the 1990s using social engineering, voice impersonation, andBraille-display computers.[46][47]
Christopher J. Hadnagy is an American social engineer and information technology security consultant. He has written several books on social engineering and cyber security.[48][49][50]
{{cite web}}: CS1 maint: archived copy as title (link)
