Ethical Hacking
8.4 SOCIAL ENGINEERING
Social engineering is the term for a broad range of malicious activities
carried out through human interaction. It uses psychological manipulation
to trick and influence users into making security mistakes or giving away
sensitive information.
Social engineering attacks happen in one or more steps. An attacker's first
preference is to gather the victim's necessary background information, such
as potential points of entry and weak security protocols, needed to proceed
with the attack. The attacker then works to gain the victim's trust and
provide stimuli for subsequent actions that break security practices, such
as revealing sensitive information.
Social engineering is especially dangerous because it relies on human
error. Mistakes made by legitimate users are much less predictable, making
them harder to identify and thwart than a malware-based intrusion.
8.4.1 Social engineering attack techniques
Social engineering attacks come in many different forms and can be
performed anywhere human interaction is involved.
1. Baiting
As the name implies, baiting attacks use a false promise to pique a
victim's greed or curiosity. They lure users into a trap that steals their
personal information or infects their systems with malware.
The most reviled form of baiting uses physical media to disperse malware.
For example, attackers leave the bait, typically malware-infected flash
drives, in conspicuous areas where potential victims are certain to see
them (e.g., bathrooms, elevators, the parking lot of
a targeted company). The bait has an authentic look to it, such as a
label presenting it as the company's payroll list.
Victims pick up the bait out of curiosity and insert it into a work or
home computer, resulting in automatic malware installation on the
system.
Baiting scams don’t necessarily have to be carried out in the physical
world. Online forms of baiting consist of enticing ads that lead to
malicious sites or that encourage users to download a malware-
infected application.
2. Scareware
Scareware bombards the victim with false alarms and fictitious threats.
Users are deceived into thinking their system is infected with malware,
prompting them to install software that has no real benefit or is malware
itself. Scareware is also referred to as deception software, rogue scanner
software and fraudware.
A common scareware example is the legitimate-looking popup banner that
appears in the browser while surfing the web, displaying text such as,
"Your computer has many harmful spyware programs." It either offers to
install the tool (often malware-infected) for you, or directs you to a
malicious site where your computer becomes infected.
Scareware is also distributed via spam email, which spreads quickly and
can carry bogus warnings or offers for users to buy worthless or harmful
services.
3. Pretexting
In pretexting, an attacker obtains information through a series of
cleverly crafted lies. The scam is often initiated by a perpetrator
pretending to need sensitive information from a victim so as to perform a
critical task.
The main aim is to gain the victim's trust, so the attacker usually starts
by establishing trust with the victim by impersonating co-workers, police,
bank and tax officials, or other persons who have right-to-know authority.
Once trust is established, the pretexter asks questions that are
ostensibly required to confirm the victim's identity, and through them
gathers important personal data about the victim.
All sorts of pertinent information and records are gathered using this
scam, such as social security numbers, personal addresses and phone
numbers, phone records, staff vacation dates, bank records and even
security information related to a physical plant.
4. Phishing
As one of the most popular social engineering attack types, phishing scams
are email and text message campaigns aimed at creating a sense of urgency,
curiosity or fear in victims. The message then prods them into revealing
sensitive information, clicking on links to malicious websites, or opening
attachments that contain malware.
A typical example is an email sent to users of an online service that
alerts them of a policy violation requiring immediate action on their
part, such as a required password change. It includes a link to a false
website, nearly identical in appearance to the original, prompting the
unsuspecting user to enter their current credentials and new password.
Once the form is submitted, the information is sent to the attacker.
Given that identical, or near-identical, messages are sent to all users in
a phishing campaign, detecting and blocking them is much easier for mail
servers that have access to threat sharing platforms.
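The observation above, that a phishing campaign sends near-identical messages to many mailboxes, is exactly what a mail server can key on. The following Python script is an added example (not part of this chapter and not a real product) that fingerprints each message body after stripping the personalised greeting and the URLs, groups messages by fingerprint, and reports any group that reaches several distinct recipients. It also checks the linked domains against a constructed "shared blocklist" standing in for a threat sharing feed, and against the sender's domain. All addresses, domains and message texts are constructed sample data.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample mail (not real messages): a campaign sent to three users
# with near-identical bodies, plus one unrelated legitimate message.
SAMPLE_MESSAGES = [
    {"to": "alice@example.org", "from": "support@examplebank.example",
     "body": "Dear Alice, a policy violation was detected. You must change "
             "your password within 24 hours: http://examplebank-secure.example/reset"},
    {"to": "bob@example.org", "from": "support@examplebank.example",
     "body": "Dear Bob, a policy violation was detected. You must change "
             "your password within 24 hours: http://examplebank-secure.example/reset"},
    {"to": "carol@example.org", "from": "support@examplebank.example",
     "body": "Dear Carol, a policy violation was detected. You must change "
             "your password within 24 hours: http://examplebank-secure.example/reset"},
    {"to": "dave@example.org", "from": "hr@example.org",
     "body": "Hi Dave, the team lunch is moved to Thursday. "
             "See http://intranet.example.org/lunch"},
]

# Stand-in for indicators received from a threat sharing platform.
# Constructed placeholder value, not a real indicator.
SHARED_BAD_DOMAINS = {"examplebank-secure.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TOKEN_RE = re.compile(r"[a-z]+")
LURE_RE = re.compile(r"password|urgent|immediate|within \d+ hours", re.I)


def fingerprint(body: str) -> str:
    """Hash a normalised body so that a personalised greeting, differing
    URLs, case and punctuation do not break the match between copies."""
    text = URL_RE.sub(" url ", body.lower())
    text = re.sub(r"^(dear|hi|hello)\s+\w+,?", "", text.strip())
    tokens = TOKEN_RE.findall(text)
    return hashlib.sha256(" ".join(tokens).encode()).hexdigest()


def extract_domains(body: str) -> set:
    """Hostnames of every URL in the body."""
    return {urlparse(u).hostname for u in URL_RE.findall(body)}


def detect_campaigns(messages, min_recipients: int = 3) -> list:
    """Group messages by fingerprint and report groups that reach at least
    min_recipients distinct mailboxes, with the reasons they look suspicious."""
    groups = defaultdict(list)
    for m in messages:
        groups[fingerprint(m["body"])].append(m)

    findings = []
    for fp, group in groups.items():
        recipients = {m["to"] for m in group}
        if len(recipients) < min_recipients:
            continue
        domains = set().union(*(extract_domains(m["body"]) for m in group))
        sender_domains = {m["from"].rsplit("@", 1)[-1] for m in group}
        reasons = []
        if domains & SHARED_BAD_DOMAINS:
            reasons.append("link domain on shared blocklist")
        if domains and not (domains & sender_domains):
            reasons.append("link domain differs from sender domain")
        if LURE_RE.search(group[0]["body"]):
            reasons.append("urgency/credential lure wording")
        findings.append({"fingerprint": fp[:12], "recipients": len(recipients),
                         "domains": sorted(domains), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_campaigns(SAMPLE_MESSAGES):
        print(f)
```

The greeting-stripping regex is deliberately simple; in a real mail filter the normalisation would also drop tracking parameters and the recipient's name wherever it appears, and the threshold would be tuned to the site's legitimate bulk mail.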
5. Spear phishing
Spear phishing is a more targeted version of the phishing scam, in which
an attacker chooses specific individuals, enterprises or authorities. The
attacker then tailors the messages based on characteristics, job positions
and contacts belonging to the victims to make the attack less conspicuous.
It requires much more effort on behalf of the perpetrator and may take
weeks and months to pull off. In a typical scenario the attacker, while
impersonating an organization's IT consultant, sends an email to one or
more employees. The email is worded and signed exactly as the consultant
normally does, so the recipients believe it is an authentic message. The
message prompts recipients to change their password and provides them
with a link that redirects them to a malicious page where the attacker
captures their credentials.
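The scenario above combines two things a mail filter can test for: a familiar display name arriving from an address that is not the contact's real one, and a password-reset link pointing at a domain that merely resembles the organisation's. The following Python script is an added example (not from this chapter) that checks a parsed message for both, folding digit-for-letter substitutions and using edit distance to catch lookalike domains. The contact list, domains and sample messages are constructed for the demonstration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed reference data: the organisation's own domain and the real
# address of the IT consultant the attacker might impersonate.
ORG_DOMAINS = {"example.org"}
KNOWN_CONTACTS = {"Pat Consultant": "pat@itpartner.example"}

# Constructed sample messages (not real mail).
SAMPLE_EMAIL = {
    "from": "Pat Consultant <pat@itpartner-support.example>",
    "subject": "Action required: password policy update",
    "body": ("Hi team, as discussed at the last review please reset your "
             "password today at https://login.examp1e.org/reset\n-- Pat"),
}
LEGIT_EMAIL = {
    "from": "Pat Consultant <pat@itpartner.example>",
    "subject": "Meeting notes",
    "body": "Notes from today are on https://wiki.example.org/notes\n-- Pat",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
CREDENTIAL_RE = re.compile(r"password|credential|sign in|log ?in", re.I)
# Digits commonly swapped for the letters they resemble in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(hostname: str) -> str:
    """Crude base-domain extraction (last two labels). Enough for the demo;
    a deployment would consult the public suffix list instead."""
    return ".".join(hostname.lower().split(".")[-2:])


def lookalike_of(domain: str, trusted: set, max_distance: int = 2):
    """Return the trusted domain this one imitates, or None if it is either
    genuinely trusted or not close to any trusted domain."""
    domain = domain.lower()
    if domain in trusted:
        return None
    folded = domain.translate(HOMOGLYPHS)
    for t in trusted:
        if folded == t or edit_distance(folded, t) <= max_distance:
            return t
    return None


def analyse(email: dict) -> list:
    """Return the reasons a message looks like spear phishing (empty if none)."""
    reasons = []
    display, addr = parseaddr(email["from"])
    expected = KNOWN_CONTACTS.get(display)
    if expected and expected.lower() != addr.lower():
        reasons.append(f"display name '{display}' is a known contact "
                       f"but the address is {addr}")
    for url in URL_RE.findall(email["body"]):
        host = urlparse(url).hostname or ""
        target = lookalike_of(registrable(host), ORG_DOMAINS)
        if target:
            reasons.append(f"link host {host} imitates trusted domain {target}")
    text = email["subject"] + " " + email["body"]
    if CREDENTIAL_RE.search(text) and URL_RE.search(email["body"]):
        reasons.append("credential-reset wording combined with a link")
    return reasons


if __name__ == "__main__":
    for label, msg in (("suspicious", SAMPLE_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(label, analyse(msg))
```

Each reason on its own is weak evidence (consultants do change mail providers, and legitimate notices do contain links), which is why the checks are returned as a list for a scoring rule or an analyst rather than used as a single block decision.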
8.5 EXAMPLES OF PHYSICAL ENGINEERING
1. The fake IT guy