
Social Engineering

Most people know social engineering through phishing, but threat actors use many other methods. The ones below do not rely on e-mail at all.

Scareware

Scareware is a technique that frightens the victim into doing something the threat actor wants. A typical example is a compromised website that pops up a series of messages styled to look like critical system alerts, claiming the computer is infected and offering a "click here to clean" button. Clicking the message installs malware rather than removing any. The message may also demand payment, so the victim loses time and money on the initial false alert, and then more time and money cleaning up the infection the click actually caused. A legitimate security product never announces an infection through a browser pop-up; the safe response is to close the browser (via Task Manager if the page blocks it) rather than interact with the message.

Baiting (not for fishing)

Baiting is a technique that lures the target with an opportunity, often an offer that is "too good to be true". One example is someone offering a free license for expensive software in exchange for answering a survey, where the download bundles malware. A physical example is a USB drive left in a parking lot: a well-meaning person plugs it into their computer to see what is on it so they can return it to the owner, and the drive carries malware, after which the threat actor has access to that computer. Modern operating systems no longer run programs automatically from removable media, so in practice the payload depends on the finder opening a file on the drive, or the "drive" is really a device that presents itself as a keyboard and types commands the moment it is connected. Either way, the right move is to hand unknown media to the security team rather than plug it into a work machine.

Tailgating (not sporting events)

Tailgating (also called piggybacking) is a technique where the malicious actor waits for someone to open a door and follows them in. It applies in both the technical and physical realms. Technically, a threat actor who already has remote access to a computer may wait to use it until the user logs into something the attacker wants (e.g., a bank account), riding on the victim's authenticated session instead of stealing credentials. Physically, a threat actor may pose as a delivery person and approach a building only when they see someone about to enter a secured door, then ask that person to hold it. Because the "delivery person's" hands are full, an unsuspecting employee holds the door and lets the threat actor into the building. The control is procedural as much as technical: every person badges in individually, and holding a door for a stranger is treated as a policy violation, not a courtesy.

Dumpster Diving

Dumpster diving is another technique that spans both the technical and physical realms. Technically, a threat actor with access to a computer's file system can look for deleted items containing information of interest. The easy case is files still sitting in the recycle bin, which is just a folder. The harder case relies on forensic techniques: an ordinary delete only removes the file's directory entry, and its blocks remain on disk until something overwrites them, so a tool that scans raw disk sectors for known file signatures can reassemble files that were not securely deleted. Physically, dumpster diving is retrieving information from a garbage can or dumpster. Sensitive material found this way includes bank statements, pre-approved credit card offers, student loan paperwork, health care records, or any other sensitive information that was printed and not securely disposed of (shredded or, for storage media, wiped or physically destroyed).
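The following is an added example, not code from the original article, that shows the technical half of dumpster diving in miniature: a toy file carver run against a constructed in-memory "disk image". The signatures for PDF and JPEG are real; the image layout, the directory structure, the 64-byte block size, the file contents and the account number are all made up for the demonstration. An ordinary delete only drops the directory entry, so the carver still recovers the "deleted" statement; a secure delete that overwrites the bytes defeats it.

```python
"""Toy file carver: why 'deleted' is not 'gone' (added example)."""
from __future__ import annotations

# Header/footer magic bytes for two common formats (real values).
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

BLOCK = 64  # assumed block size of the constructed image

# Constructed sample files; the account number is fictional.
STATEMENT = b"%PDF-1.4\nACCOUNT 1234-5678 BALANCE 9,410.22\n%%EOF"
PHOTO = b"\xff\xd8\xff\xe0 vacation photo bytes \xff\xd9"


def carve(image: bytes, max_len: int = 1 << 20) -> list[dict]:
    """Scan raw bytes for header/footer pairs, ignoring any filesystem metadata.

    Returns one record per region found, ordered by offset. Real carvers
    (PhotoRec, scalpel) do the same thing at disk scale with many more formats.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_len)
            if end == -1:
                break
            end += len(footer)
            found.append({"type": kind, "offset": start, "data": image[start:end]})
            start = image.find(header, end)
    return sorted(found, key=lambda f: f["offset"])


def make_image(files: dict[str, bytes]) -> tuple[bytearray, dict[str, tuple[int, int]]]:
    """Lay files out block-aligned on a constructed image; return (image, directory).

    The directory maps name -> (offset, length), standing in for a real
    filesystem's metadata.
    """
    image = bytearray()
    directory = {}
    for name, data in files.items():
        directory[name] = (len(image), len(data))
        image += data
        image += b"\x00" * ((-len(image)) % BLOCK)  # zero-filled slack to next block
    return image, directory


def delete(image: bytearray, directory: dict, name: str) -> None:
    """Ordinary delete: forget the directory entry, leave the bytes untouched."""
    del directory[name]  # 'image' is deliberately not modified


def secure_delete(image: bytearray, directory: dict, name: str) -> None:
    """Secure delete: drop the entry AND overwrite the file's bytes on disk."""
    offset, length = directory.pop(name)
    image[offset:offset + length] = b"\x00" * length


def scenario(secure: bool) -> list[dict]:
    """Delete the statement (securely or not) and carve whatever is left."""
    image, directory = make_image({"statement.pdf": STATEMENT, "photo.jpg": PHOTO})
    (secure_delete if secure else delete)(image, directory, "statement.pdf")
    assert "statement.pdf" not in directory  # gone from the listing either way
    return carve(bytes(image))


if __name__ == "__main__":
    for label, secure in (("ordinary delete", False), ("secure delete", True)):
        recovered = scenario(secure)
        print(f"{label}: carved {[f['type'] for f in recovered]}")
        for f in recovered:
            if f["type"] == "pdf":
                print("  recovered statement:", f["data"].decode(errors="replace"))
```

Run it and the ordinary-delete case carves both the JPEG and the "deleted" PDF, account number included, even though the directory no longer lists it; the secure-delete case carves only the JPEG. On SSDs, overwriting in place is not guaranteed to reach the underlying flash cells, which is why full-disk encryption followed by key destruction, or the drive's own sanitize command, is the practical equivalent of the shredder for storage media.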