Persuasion is part of life. We all try to persuade friends and loved ones to act in a certain way, usually with the best of intentions.
Social engineering is when “persuasion” takes a darker turn. In a broad sense, it includes any action that attempts to influence a person to act against their best interests.
Technically, acts that influence people to behave within their own interests are also social engineering. However, the term is used almost exclusively within the context of fraud, scams, and cyber crime.
Con artists are master social engineers. So are modern hackers who rely on spam and phishing -- and they have a few new tricks up their sleeves.
Below we describe some of the most common social engineering tactics used today in cyber crime.
In the real world, cyber attacks do not fit into neat categories. Instead, each is unique, often combining multiple channels and tactics.
While categorization is helpful to understand the nature of the beast, remember that many of these tactics will overlap in the wild.
Impersonation is one of the most common types of social engineering. It occurs when an attacker presents himself, or his communication, as originating from another party.
Many roles are impersonated: lottery officials, wireless service reps, government officials, coworkers, family members – the list is nearly infinite.
Remote tech support scams
Phone scams are nearly as old as telephones. In a typical scam, the attacker calls the victim, poses as someone else, and uses a false pretense to con the victim into sending payment.
In recent years, the same tactics have been adapted for cyber crime.
Rather than conning the victim into sending payment, the attacker walks them through the steps to allow a connection to their computer through a remote desktop app, which hands the attacker control of the machine.
Some attackers take a multi-pronged approach. Posing as the IRS, one group called victims and demanded either immediate payment or remote access to the victim's computer.
Emergency email from the boss
Business email compromise (BEC) scams – which have accelerated in recent years – are an example of impersonation used to devastating effect.
In a typical BEC scam, the attacker has intimate knowledge of the target business, including who is authorized to send wire transfers and how the transfers are initiated.
The attacker targets this person, sending them an email purporting to be from their boss (either by compromising the boss's mailbox or by spoofing the boss's address). The email requests a large wire transfer to the attacker's account.
The email is crafted to mimic prior wire requests. It may also inject a sense of urgency, which is a common marketing technique, by adding “I need this handled ASAP.”
Phishing occurs most often through email and it’s one of the most common ways cyber attacks are launched.
Two main types of email phishing exist: attacks that harvest access credentials and attacks that deliver malware.
These tactics differ slightly from BEC (described above), in which attackers have detailed knowledge of the business's operations. In email phishing, attackers simply want to steal access credentials or install malware.
In the first variety, attackers typically encourage victims to visit a phony website and enter access credentials. Occasionally, they encourage victims to send credentials directly via email.
Even here, overlap exists: phishing websites often also attempt to push malware onto the user's system via a drive-by download or a disguised software update.
Many phishing emails attempt to trick users into installing malware directly via a disguised email attachment. While any type of malware can be used, trojans are a common variety designed to persist on the infected system and collect sensitive information, such as banking credentials.
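The BEC and email-phishing tells described above (a spoofed or look-alike sender, a Reply-To pointing elsewhere, urgency plus a payment request, and links whose visible text names a different host than the real destination) can be checked mechanically. The following is an added example written for this page, not code from the original article or from any vendor; the executive list, the domains, and the two sample messages are all constructed for the illustration, and the keyword lists are a deliberately small starting point rather than a complete rule set.

```python
"""Heuristic triage of one e-mail for BEC and credential-phishing tells.

Added example for this page; not code from the original article. The
executive directory, domains and sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: known executives (lower-cased display name -> legitimate address).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Small keyword sets; a real deployment would tune these per organisation.
URGENCY_RE = re.compile(r"\b(asap|urgent|immediately|right away)\b")
PAYMENT_RE = re.compile(r"\b(wire|transfer|invoice|payment|account number)\b")

# HTML anchor: captures the href and the visible link text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# A bare hostname appearing in link text, e.g. "example.com/banking" -> "example.com".
SHOWN_HOST_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)


def _domain(addr):
    """Domain part of an address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Concatenate the text of all parts of a (possibly multipart) message."""
    if msg.is_multipart():
        return "\n".join(_body_text(p) for p in msg.get_payload())
    payload = msg.get_payload(decode=True)
    if not payload:
        return ""
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")


def analyse(raw):
    """Return a list of human-readable findings for one RFC 822 message string."""
    msg = message_from_string(raw)
    findings = []

    # Tell 1: display name of a known executive, but the address is not theirs
    # (look-alike domain or free-mail account posing as the boss).
    name, addr = parseaddr(msg.get("From", ""))
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display-name spoof: '{name}' sent from {addr}")

    # Tell 2: replies are routed to a different domain than the From address.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != _domain(addr):
        findings.append(f"reply-to mismatch: {addr} -> {reply}")

    # Tell 3: urgency language combined with a payment request in the body.
    body = _body_text(msg)
    low = body.lower()
    if URGENCY_RE.search(low) and PAYMENT_RE.search(low):
        findings.append("urgent payment request in body")

    # Tell 4: link text names one host while the href points at another.
    for href, text in ANCHOR_RE.findall(body):
        shown = SHOWN_HOST_RE.search(text)
        real = urlparse(href).hostname
        if shown and real and shown.group(0).lower() != real.lower():
            findings.append(f"link mismatch: text '{shown.group(0)}' -> {real}")

    return findings


# Constructed sample: a BEC-style wire request with a look-alike sender domain.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.net
To: accounts@example.com
Subject: Wire transfer
Content-Type: text/html

<p>I need this handled ASAP. Please send the wire to the account below.</p>
<p><a href="https://examp1e-portal.net/login">example.com/banking</a></p>
"""

# Constructed sample: a benign internal message from the real executive address.
SAMPLE_CLEAN = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch
Content-Type: text/plain

Lunch at noon?
"""

if __name__ == "__main__":
    for label, raw in (("bec", SAMPLE_BEC), ("clean", SAMPLE_CLEAN)):
        print(label, analyse(raw) or "no findings")
```

Run as a script, the BEC sample produces four findings (spoofed display name, Reply-To mismatch, urgent payment language, and a link whose text says example.com but whose href goes to another host) and the clean message produces none. Each finding on its own is weak evidence; the value is in the combination, which is why a gateway rule would typically score them rather than block on any single one.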
Vishing – or ‘voice phishing’ – is used by brazen attackers who call their targets directly. They often impersonate authority figures and threaten victims into sending payment.
Some of the tech support scams described above are another example of vishing (see ‘Remote tech support scams’). Here are a few other examples.
Malware Routes Calls to Attackers
In one recent example of vishing, rather than calling victims, attackers used malware on victims’ smartphones to redirect their calls.
Once installed, the malware detected when calls were placed to banks and redirected them to scammers who impersonated a banking employee. The phone’s caller ID even listed the bank’s legitimate phone number.
In one example, more than 130 utility customers – many of them restaurants – received calls from a person threatening to shut off their electrical service unless payment was made.
Many of the calls came at busy times – such as the dinner rush – and at least one victim paid $4,000 to avoid having the power cut. Payments were made online or via prepaid card.
Caller ID Spoofing
The attacker may use caller ID spoofing to make their efforts more convincing.
For example, several New Jersey residents experienced vishing attacks in which the caller impersonated a local sheriff’s office.
The attacker attempted to extort money from victims using the threat of arrest and successfully spoofed caller ID to mimic the sheriff’s office phone number.
In another example of impersonating police, the caller posed as an officer and pressured victims into sharing personal information that could be used for fraud.
SMiSHing applies phishing tactics through text messages.
Although this channel is less effective at convincing victims of the sender’s authority, attackers find other uses.
Fake shipping service in Japan
In an ongoing SMS phishing attack in Japan, victims receive text messages claiming to be from a parcel delivery service. The message guides victims to a website with more information.
Rather than collecting information online, the site prompts users to send personal information via SMS.
A variation of the attack encourages victims to install a smartphone app. The mobile malware is intended to collect login credentials and credit card information and to send SMS messages to more potential victims.
SMS phishing via Atlanta
Two Romanian hackers were extradited to the U.S. in April for an elaborate phishing scam that leveraged SMiShing and vishing.
From Romania, the pair used compromised computers around Atlanta to send thousands of automated phone calls and text messages throughout the U.S.
The messages claimed to be from a financial institution and directed victims to call a phone number to resolve a problem. After calling, victims were prompted to enter their bank account numbers, PINs, and/or social security numbers.
The hackers collected more than 36,000 bank account numbers, according to court records.