Principles of Social Engineering – SY0-601 CompTIA Security+ : 1.1

Social engineering attackers know how to convince their victims to get information. In this video, you’ll learn the principles of social engineering and how to watch for these methods of manipulation.

<< Previous Video: Other Social Engineering Attacks Next: An Overview of Malware >>

 

 


Social engineering is a constantly changing attack, and that’s because the world around us is constantly changing. The attackers are constantly changing their strategies. You never know exactly what direction they’re going to come from next.

These days, we see these attacks occurring from more than one person or organization. They’ll use multiple people to ultimately perform the social engineering attack. We’re also seeing social engineering attacks that are more automated and using a lot more open source intelligence.

They’re able to find out more information about you, or the organization you work for. They might call in as an aggressive customer. Or they might find out the name of someone you know, and send you an email with a funeral notification, even though this person you know hasn’t passed away. But they know that they can take advantage of your emotion and have you click on the things that are inside of that email as this social engineering attack.

Social engineering attackers use many different principles one of the principles. They use is authority. They’ll call in and say that they are calling from the CEO’s office, or they’re calling from the help desk, so they have a bit of authority when they are talking to you.

Another technique they use is intimidation. They want you to perform a function. They want you to give them information, and they are going to intimidate you to be able to do that. They might say that the payroll checks won’t go out because you’re holding up the process. You have to provide them with this information so that everybody in the organization will be properly paid.

They can also take advantage of social proof, or consensus in the organization. They may say that someone in your department, like Jill, did this for them last week, so it would be OK if you did it for them this week.

There might also be an element of scarcity, which means there is a clock ticking and we have to get this done in a certain amount of time. This goes hand in hand with the characteristic of urgency, where they want to make it seem like this is something that needs to happen very quickly, whether this is something that will go away, in the case of scarcity, or just something that needs to be done immediately with urgency. Both of these try to make us react without thinking about what we’re doing.

There might also be a method of familiarity, or liking. They want to be able to be your buddy. And they’ll talk about people that both of you might happen to know. If this attacker has gone through your Facebook friends list, they may be able to name drop and say that you both know the same people, so it’s OK to provide this information or to perform this function.

And another important principle of social engineering is trust. The attacker want you to gain some level of trust with them, so they’ll say that they’re from your IT department, they’re helping everyone with this particular problem, and all you have to do is click these things on the screen and everything will be taking care of.

A good example of these social engineering techniques being used is the case of Naoki Hiroshima. This is the case where a one letter Twitter username was stolen by using social engineering techniques. You can read about this in the story by visiting ProfessorMesser.link/twittername. In this attack, the attacker called PayPal and used social engineering to obtain the last four digits of the Naoki’s credit card number. They then called the hosting provider, GoDaddy, with this information of the last four digits and used that to help prove to the person on the phone that they were the proper owner of these accounts.

The attacker was so good at social engineering that even though they didn’t have the entire credit card number, they only had the last four digits, they were able to work with the GoDaddy representative to guess at the first two digits of the card until they were able to get that right. At that point, the account was turned over to the attacker, and the attacker had full control of their internet service provider accounts.

Now the attacker is in control of these domain names, but the attacker ultimately wanted that one letter Twitter username . So they extorted and said, we’ll give you all of these domain names back if you turn over the access to that one letter Twitter username, and ultimately, Naoki agreed that that’s what should happen.

After the domain names were back in control, a case was opened with Twitter. They looked over the situation for about a month, and then decided that the username should be back in control of its original owner.

There were many different techniques used by the attacker to be able to gain access to this particular account. It wasn’t just one single thing. And so we always have to keep in mind that the attackers are going to use many of these techniques to be able to get what they want by using this social engineering attack.