T 0.42 Social Engineering

Social engineering is a method of gaining unauthorised access to information or IT systems through social interaction. It exploits human qualities such as helpfulness, trust, fear or respect for authority. As a result, employees can be manipulated into acting in an inadmissible way. A typical case of an attack using social engineering is the manipulation of people by phone calls in which the attacker introduces himself as, for example:

If such attackers are asked critical questions in return, the caller is supposedly "just a temporary help" or an "important" personality.

Another strategy for systematic social engineering is to develop a longer relationship with the victim. Numerous but seemingly unimportant phone calls made in advance allow the attacker to gather knowledge and build up trust that can be exploited later.

Such attacks can also be multi-stage, with knowledge and techniques acquired in earlier stages being used in the later steps.

Many users know that they must not reveal their passwords to anybody. Social engineers know this and therefore have to reach their aim by other means. Examples of such means are:

When attackers obtain passwords or other authentication credentials in an unauthorised way, for example by means of social engineering, this is often referred to as "phishing" (a portmanteau of "password" and "fishing").

During social engineering the attacker is not always visible. Often the victim never recognises that he or she has been exploited. If successful, the attacker does not face the risk of legal sanctions and also retains a source from which additional information can be obtained later.