Social Engineering: Difference between revisions

Social Engineering is a type of non-technical retrieval of confidential information or gain of access to computer systems. It makes use of characteristics in human behaviour.

Social Engineering can include:

• faking authorities like administrators, members of a certain company,...
• trick uninformed or credulous persons
• physical access to written passwords, serial numbers, security related information,...

It's often aimed on:

• retrieval of user data and passwords
• gaining of permissions
• gaining access to networks
• deleting files
• executing actions or programs

Example: password retrieval via telephone

Hi,

this is Mallory Malicious from the IT security company. You know, I'm responsible for improving your network's safety. Excuse me for using your time, but I have changed the security mode. Now all users have to be updated if they are to have access again. Would you please give me your user name and password, so I can adjust your account properly?

Thank you very much

Obtained user name and password for access on foreign network.

Example: backdoor install via mail

Dear Sir or Madam,

we, the IT security company are responsible for administering your corporate's network. We caught a security hole. Fixing it is of utmost importance to the company. Please help us with downloading and installing the security fix now:

http :// www .reliable-looking-web-address .net/security_fix_2004-11-16.zip

Thanks for your cooperation

Installed backdoor or botnet client.

Example: "socially engineered" worm via mail

Hi Alice,

have you heard of this horrible ABC virus? I have been infected! All my files were deleted. It's a total chaos.

If you have this virus you MUST delete it! It hides in your C:\WINDOWS\SYSTEM folder. Look there and delete the EMM386.exe!

Be sure to post this mail to all your friends, too! They might be infected.

Bob

Deleted system files and spread a worm.