Social Engineering is a term used to describe an attempt to manipulate people into performing actions or divulging confidential information.
What Social Engineering Can Do
Social engineering can be used to gain unauthorized access to information systems, for instance by tricking users into divulging confidential information such as login names and passwords. It can also be used to trick users into installing Trojan horse programs or other malware on their systems.
Others define social engineering as “a technique of psychological manipulation that is used to deceive users into giving up access credentials; or performing actions they would not otherwise perform.”
What are the Goals of Social Engineering?
Social engineers generally aim to gather information that they can use to gain access to networks or systems. They may also try to trick people into installing malware on their computers or revealing confidential information such as passwords.
Once they have obtained this information, they will try to break into or otherwise exploit systems or networks. For example, hackers have used social engineering to trick people into installing malicious software on their computers.
This software records keystrokes so that hackers can obtain usernames and passwords for online banking accounts and other financial websites, as well as for email accounts at which users generally receive sensitive financial information such as credit card numbers and bank account access codes.
However, social engineers will also conduct social engineering attacks simply for their amusement or for self-publicity, often publishing stories about their attacks in various forums on the internet.
Others do it simply for enjoyment.
Social engineers may also use social engineering attacks simply because they enjoy deceiving people. For example, one report described how an 11-year-old boy broke into his high school’s computer system using a fake email message that appeared to be from his school principal requesting login credentials for the system.
The boy had also learned how to circumvent school filters that blocked students from playing games during class time by using a proxy server at home, and he used this knowledge to impersonate his principal, requesting the login credentials from teachers and staff members through their work email addresses.
How Are Social Engineering Attacks Conducted?
Social engineering attacks generally involve some form of human interaction, whether in person, by telephone, or by other electronic means such as instant messaging over the internet or an email message with a malicious attachment (see next section for more information about malicious attachments).
Variety of Techniques
Social engineering attacks can be carried out using a variety of techniques, including:
For example, a social engineer might call an employee of a business claiming to be from the company’s IT department and ask for login credentials for the company’s computer system. Or, they might send an email message that includes a link to what appears to be a legitimate website.
However, the link leads to a website controlled by the social engineer where malicious software is downloaded onto the computers of people who click on the link.
In another example, social engineers may try to trick employees into giving away company information that the attackers should not have access to. They might, for instance, pose as customers and ask employees sensitive questions about their employer’s products or services.
Or they may pose as security personnel and call employees, telling them that there is a security breach at the company and that it has been traced back to one of their computers. They will then try to trick the employee into revealing information about their computer system so that they can gain access to it.
Finally, social engineers may also use physical means to attack networks and systems, such as trespassing onto corporate or government property and breaking into buildings to install malicious software on computer systems or steal documents that contain sensitive information.