Types of Social Engineering

8.2 Types of Social Engineering

• Pretexting
• Phishing
• Baiting
• Physical

8.2.1 Pretexting

Pretexting is the art of placing a person in a realistic but fake situation in order to get them to divulge information such as social security numbers, bank account details, user IDs and passwords. An example of such an invented scenario is impersonating a help desk employee and assisting a target employee with either a data move or a software update.

In a similar scenario, the supposed help desk technician may have the employee download an "update" for their machine, thereby tricking the employee into running malware on their system. Pretexting often involves a great deal of research and planning in order to target specific employees within an organization. Persistence is often the key: eventually there will be someone who, wanting to be a helpful employee, is more than willing to divulge the necessary information or perform the necessary action(s).

8.2.2 Phishing

Unlike pretexting, phishing is an attack that uses a fraudulent email to coerce people into executing malicious code or revealing pertinent information.

• The email is crafted to appear as if it comes from a legitimate company.
• Alternatively, it may pose as an irresistible advertisement for a product that no one would want to live without.

Some phishing attacks target a specific group of individuals in order to obtain a specific type of information. Two such phishing schemes are:

Whaling: targets executives in an organization, such as the CFO, to gain specific types of information.

Spear phishing: targets specific individuals within an organization, to try to circumvent detection.
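As an added defensive example (not part of the original training text), the following Python checks the headers of an inbound message for the sender-impersonation tricks this section describes: an executive's name on an external address (whaling), a lookalike company domain, and a Reply-To that quietly diverts replies. The domain example-corp.com, the executive names and the two sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"        # assumed internal mail domain
ORG_LABEL = ORG_DOMAIN.split(".")[0]   # "example-corp", used to spot lookalike domains
EXECUTIVES = {"jane doe", "john roe"}  # assumed names an attacker would impersonate


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable header indicators for one raw e-mail message (empty if clean)."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    name = from_name.strip().lower()
    indicators = []

    # Display name claims the company itself, but the address is not ours.
    if ORG_LABEL in name and from_domain != ORG_DOMAIN:
        indicators.append("display name impersonates organisation")

    # Display name is a known executive, yet the mail comes from outside (whaling).
    if name in EXECUTIVES and from_domain != ORG_DOMAIN:
        indicators.append("executive name with external address")

    # Sender domain contains our label but is not our domain (e.g. example-corp-support.com).
    if from_domain != ORG_DOMAIN and ORG_LABEL in from_domain:
        indicators.append(f"lookalike sender domain {from_domain}")

    # Reply-To silently diverts answers to a domain other than the visible sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        indicators.append("reply-to domain differs from sender")

    return indicators


# Constructed sample messages (not real mail); headers only, no body needed.
SAMPLE_LEGIT = """From: "Jane Doe" <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Team meeting
"""
SAMPLE_SUSPECT = """From: "Jane Doe" <jane.doe@example-corp-support.com>
Reply-To: <accounts@mailbox-relay.net>
To: cfo@example-corp.com
Subject: Invoice approval
"""

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_LEGIT))    # []
    print(phishing_indicators(SAMPLE_SUSPECT))  # three indicators
```

In a mail gateway these indicators would feed a score or a quarantine rule rather than a hard block, since a legitimate partner domain can also contain the company label.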

8.2.3 Baiting

Baiting takes advantage of one of the most basic traits of humanity, “Curiosity”. In baiting, a social engineer will leave media such as a CD, DVD or USB Stick in a conspicuous location, relying on the curiosity factor of a passerby to pick up the media and attempt to “take a look” at its contents.

The engineer places malware such as keystroke loggers, backdoors, etc. on the media, in order to either gain access to or gather information from any system that tries to read the media.

8.2.4 Physical

Social engineering can also take a more physical form. In this case, the engineer tries to gain access to a facility or a restricted area. This is often accomplished by piggybacking on or shadowing a person through an entrance. The pen test engineer may wear a fake badge both to trick the person they are following and, if they lose the person they followed in, to be more convincing to other staff.

Most organizations lack proper training for their staff when it comes to simple observation of whether an ID badge is valid. Many times, employees are wary of confrontation; therefore they avoid asking to see a person's ID badge or challenging the person following them in.
