Social Engineering is the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.
Wednesday, 18 October 2023
Social Engineering And Its Basic Techniques
Every social engineering attack is different and unique, but they share a common pattern with four phases: Information Gathering, Relationship Development, Exploitation and Execution. A social engineering attack may also incorporate other, more traditional attack techniques to achieve the desired end result.
Techniques of Social Engineering
Gathering and Using Information
When it comes right down to it, the key to being a successful social engineer is information gathering. The more information you have about your mark, the more likely you are to get what you want from him or her. Good places to gather this info:
1. Parking lot - Cars that are unlocked (or are easily unlocked) might have security badges, uniforms, paperwork, smart phones, wallets, all sorts of goodies you can use.
2. Online sites like LinkedIn, Google, Facebook, MySpace, etc.
3. Things in their workspace area (posters, pictures, books, etc.)
4. Asking their friends and colleagues. Pretend to be a manager from another office or branch.
5. Tail them home or to their favorite watering hole. Try to figure out their patterns, interests, places they frequent. These are all good data points you can use to help make a personal connection to the mark.
6. Dumpster diving - Sure, going through their trash is nasty, but the gems that will be there are invaluable.
Pretexting
Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.
This technique can be used to fool a business into disclosing customer information as well as by private investigators to obtain telephone records, utility records, banking records and other information directly from company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager, e.g., to make account changes, get specific balances, etc.
Phishing
Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card's PIN.
Phone phishing uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll free) number provided in order to "verify" information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning.
One could even record the typical commands ("Press one to change your password, press two to speak to customer service" ...) and play back the direction manually in real time, giving the appearance of being an IVR without the expense.
Phone phishing is also called vishing.
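The e-mail traits described above (a request for "verification", a warning of a consequence, and a link that does not lead to the apparent sender) can be checked mechanically. This is an added example, not part of the original post; the word lists, the name phishing_indicators and the reserved .example/.test domains are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Wording traits named in the text; the word lists are illustrative assumptions.
WORDING = {"requests verification": re.compile(r"\bverif(y|ication)\b", re.I),
           "warns of a consequence": re.compile(r"\b(suspended|closed|locked)\b", re.I)}
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

class Links(HTMLParser):  # collects [href, visible text] for each <a> element
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def phishing_indicators(raw):
    """Return the traits described above found in a single-part HTML e-mail."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    parser = Links()
    parser.feed(body)
    found = [label for label, rx in WORDING.items() if rx.search(body)]
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        shown = HOST_IN_TEXT.search(text)
        if shown and shown.group(1).lower() != host:
            found.append(f"link text shows {shown.group(1)}, opens {host}")
        # Label-boundary suffix match; a substring test would accept the lookalike host.
        if sender and not (host == sender or host.endswith("." + sender)):
            found.append(f"link leaves sender domain {sender}")
    return found

# Constructed sample message using reserved .example/.test names.
SAMPLE_EMAIL = (
    "From: Example Bank <security@examplebank.example>\nContent-Type: text/html\n\n"
    "<p>Your account will be suspended unless you complete verification:</p>\n"
    '<a href="http://examplebank.example.acct.test/">www.examplebank.example</a>\n')
```

The From header is itself forgeable, so the sender-domain comparison only shows that the link and the claimed sender disagree, not who actually sent the message.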
Quid pro quo
Quid pro quo means something for something. An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.
Command line hack for the local server
To use the command line hacks, you might need to run them from another server if your local operating system doesn't include the commands. You will also need to make sure that you are logged onto that server with an administrative account. The easiest way to do that is to map a drive (you don’t have to use a drive letter unless you choose to):
net use /user:[username] \\servername\share
Here’s a command line hack that you can use to figure out what sessions are connected to the server. Note that you could substitute the IP address for the server name.
query session /server:servername
Sample output:
Now we know that the session ID of the offending session is 2. We can use that in the next step, which is using the reset command to log off that user.
reset session [ID] /server:servername
Sample output:
This command won’t display any output, but when we run the query command again, we should see that the session has now been disconnected:
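The query-then-reset steps above, as an added Python example that is not part of the original post: it parses `query session` output, including rows where SESSIONNAME or USERNAME is blank, and builds the matching `reset session` command. The sample output, the user names and the function names are constructed for illustration.

```python
import re

# Constructed sample of `query session /server:servername` output (not a capture).
SAMPLE_OUTPUT = "\n".join([
    " SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE",
    " services                                    0  Disc",
    ">console           administrator             1  Active",
    " rdp-tcp#0         jsmith                    2  Active",
    "                   bjones                    3  Disc",
    " rdp-tcp                                 65536  Listen",
])

# The ID and STATE columns are always populated, so anchor each row on them.
ROW = re.compile(r"^(?P<left>.*?)\s(?P<id>\d+)\s+(?P<state>[A-Za-z]+)")

def parse_sessions(text):
    """Parse the fixed-width table; SESSIONNAME or USERNAME may be blank."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    user_col = lines[0].index("USERNAME")  # column where USERNAME values start
    sessions = []
    for line in lines[1:]:
        m = ROW.match(line)
        if not m:
            continue
        # Slice by column: line.split() would file "bjones" under SESSIONNAME.
        left = m.group("left").ljust(user_col)
        sessions.append({
            "current": line.startswith(">"),  # '>' marks the session you are in
            "name": left[:user_col].strip(" >"),
            "user": left[user_col:].strip(),
            "id": int(m.group("id")),
            "state": m.group("state"),
        })
    return sessions

def reset_command(sessions, user, server):
    """Build the `reset session` call for exactly one session owned by user."""
    hits = [s for s in sessions if s["user"].lower() == user.lower()]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} sessions match {user!r}; pick the ID by hand")
    if hits[0]["current"]:
        raise ValueError("refusing to reset the session this command runs in")
    return ["reset", "session", str(hits[0]["id"]), f"/server:{server}"]

if __name__ == "__main__":
    print(reset_command(parse_sessions(SAMPLE_OUTPUT), "jsmith", "servername"))
```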