G 0.42 Social Engineering

Social Engineering is a method of obtaining unauthorized access to information or IT systems through social interaction. In social engineering, human characteristics such as helpfulness, trust, fear or respect for authority are exploited in order to manipulate employees into acting improperly. A typical case of an attack using social engineering is the manipulation of employees by telephone, where the attackers pose, for example, as:

  • a secretary whose manager urgently needs to get something done quickly but has forgotten their password,
  • a person from IT operations who calls because of a system error and still needs the password in order to fix it.

If critical questions are asked, the caller claims to be “only a temporary helper” or an “important” personality.

Another strategy in systematic social engineering is to build a longer-term relationship with the victim. Through many seemingly unimportant telephone calls beforehand, attackers can gather knowledge and build up trust that can be exploited later.

Such attacks can also be multi-stage, building upon knowledge and techniques acquired in previous stages.

Many users know that they should not share their passwords with anyone. Social engineers know this too and must therefore find other ways to reach their goal. Examples include:

  • Attackers can ask the victim to execute unfamiliar commands or applications, for example on the pretext that this will help with an IT problem. Such a command could be a hidden instruction that changes access rights, giving the attackers access to sensitive information.
  • Many users use strong passwords, but use the same ones for several accounts. If attackers operate a useful network service (such as an e-mail system) at which users must authenticate, they obtain the desired logins and passwords, since many users will use the same credentials for this service as for other services.

If attackers obtain passwords or other authentication credentials without authorization, for example with the help of social engineering, this is also often referred to as “phishing” (a portmanteau of “password” and “fishing”).

In social engineering, attackers do not always appear openly. Often the victim never finds out that they were exploited. If the attack succeeds, the attackers need not fear criminal prosecution and, in addition, retain a source from which they can obtain further information later.