Social Engineering

By | 16/04/2015

Social Engineering

Use influence and persuasion to deceive people to obtain information or perform some action.

Techniques:

  • Build trust relationship
  • Get information piece by piece, and obtain it from different sources, so individually they are not aware of the information they are providing
  • Use qualities on human nature: desire to be helpful, tendency to trust people, fear of getting in trouble
  • Dumpster Diving
  • Phishing / Pharming

 

14 possible manipulations

  • Friendliness – Flattery, Flirtation. Give information just to be friendly
  • Impersonation – Pretend to be somebody you aren’t – 3rd party (IT, maintenance), employee on holiday through the phone, new boss, etc.
  • Conformity – (Social Proof) Tendency to see an action as appropriate when others are doing it.
  • Decoying – Stress with lot of information. Create distractions.
  • Diffusion of Responsibility – When someone beleive that others have done similar action, it alleviates the stress
  • Reverse social engineering – Allow to make questions.
  • Reciprocity – Provide information to obtain other information
  • Commitment and consistency – Tendency to honor commitment. Securing an initial commitment form the victim.
  • Scarcity – People give more value to limited (quantity/time) opportunities
  • Sympathy – Sharing unhappiness or suffering.
  • Guilt – Feeling of obligation for not pleasing or not helping
  • Equivocation – An equivocal statement sounds reasonable and gets the target to agree certain ideas. After that, the meaning of key terms change so he agrees things he would never accepted at the beginning.
  • Ignorance – Pretending to be uninformed to manipulate
  • Affiliation – Name dropping or give information to establish credibility
  • Authority – Impersonate someone that have authority over the target or fake it.

 

Controls to avoid Social Engineering attacks

  • Stop installing software
  • Policy
  • Awareness
  • Shredding
  • Degaussing