Social Engineering

(Deception, manipulation, information extraction, action persuasion)


Social Engineering is about manipulating people through deception to achieve a specific outcome. We can understand this in two different ways:

  • Manipulating People by Deception: The attacker uses deceitful tactics to influence individuals into taking certain actions or divulging confidential information.
  • Extracting Information or Inducing an Action: The attacker typically seeks sensitive information or persuades individuals to act in the attacker's interest. This includes extracting passwords, financial data, or proprietary information, or convincing individuals to click malicious links, install malware, or provide access to secure systems.


Social engineering aims to deceive individuals, and a successful attack produces one of two outcomes:

  • Direct loss of information.
  • Successful execution of actions desired by the attacker.

Who can perform social engineering?


Anyone with the intent and knowledge to manipulate people through deception can carry out social engineering attacks. As such, awareness, education, and security measures are essential in defending against such tactics, even in familiar or familial settings.

  • Cybercriminals: Individuals or groups with expertise in exploiting human psychology for financial gain.
  • Hackers: Those with technical skills may use social engineering as a complementary technique to gain unauthorized access to systems or networks. They can acquire credentials or trick individuals into revealing security information by manipulating people.
  • State-sponsored Actors: Some government-sponsored entities may use social engineering tactics in espionage or cyber warfare campaigns. They may seek to manipulate individuals within targeted organizations or institutions to gain strategic advantages.
  • Malicious Insiders: Employees or individuals with insider knowledge of an organization may use social engineering to exploit trust and access sensitive information for personal gain or to harm the organization.
  • Hacktivists: Individuals or groups with a social or political agenda may use social engineering to manipulate public opinion or gather information to support their cause.
  • Phishing Gangs: Organized groups specializing in phishing attacks create deceptive emails or messages to trick individuals into revealing sensitive information.
  • Individuals of Any Gender: It's important to note that individuals of any gender can perpetrate social engineering attacks. Everyone should be aware of the potential for manipulation, regardless of gender, and education on cybersecurity is essential for all individuals to recognize and prevent social engineering threats.
  • Family Members: Sometimes, family members may exploit trust and familiarity to carry out social engineering attacks.


Social Engineering Attack Cycle


Understanding the social engineering attack cycle is crucial for developing effective countermeasures and security awareness.

  1. Research
  2. Developing Trust
  3. Exploiting the Trust
  4. Utilize Information


Research

  • Collecting Information: In this initial stage, attackers gather comprehensive data about their target. This information could include personal details, organizational structure, online activities, and any vulnerabilities that can be exploited.
  • Targeted Attacks: The collected information is strategically utilized to tailor attacks specifically to the weaknesses and characteristics of the targeted individuals or organizations.


Developing Trust

  • During this phase, attackers work on building a sense of trust with their potential victims. It could involve creating a false identity, posing as a trustworthy entity, or leveraging social dynamics to establish credibility.


Exploiting the Trust

  • Exploitation Phase: Once trust is established, the attackers exploit this trust to their advantage.
  • Achieving Gains: This phase aims to obtain a measurable gain, such as extracting sensitive information, acquiring login credentials, or gaining access to privileged areas within an organization.


Utilize Information

  • In the final phase ("Cashing"), the attackers use the information acquired in the previous stages for their intended purpose. This could involve unauthorized access, financial fraud, or other malicious activity, depending on the specific goal of the social engineering attack.


Architecture of Social Engineering

(Architecture diagram)

Social Engineering Techniques and Primitives


  • Phishing: Sending fraudulent emails or messages from seemingly trustworthy sources to trick individuals into revealing sensitive information like passwords or credit card details.
  • Pretexting: Creating a fabricated scenario or pretext to obtain information, often by pretending to be someone in authority or using a false identity to gain trust.
  • Baiting: Offering enticing items, such as free downloads or USB drives labelled as interesting, to lure individuals into performing specific actions like clicking links or plugging in a USB drive containing malware.
  • Quid pro quo: Offering a service or benefit in exchange for sensitive information. For instance, posing as technical support to help with a computer issue in exchange for login credentials.
  • Impersonation: Pretending to be someone else, such as a coworker, support representative, or even a family member, to gain trust and access to information.
  • Tailgating or Piggybacking: Physically following someone into a secure area without proper authorization, often by pretending to be an employee or posing as someone who has forgotten their access card.
  • Dumpster Diving: Going through discarded materials, such as trash or recycling, to find sensitive information that may have been improperly disposed of.
  • Shoulder Surfing: Observing someone's sensitive information, like passwords or PINs, by looking over their shoulder as they enter or access this information.


Medium of Social Engineering


  • Email: Phishing emails claiming urgent action is needed, directing recipients to malicious websites or requesting sensitive information.
  • Face to Face: In-person interactions involving deception or manipulation to gain trust and extract confidential information.
  • Telephone: Social engineers making phone calls, impersonating authority figures or support personnel to trick individuals into revealing sensitive data.
  • SMS: Sending text messages with misleading information, often containing links to phishing websites or requesting personal information.
  • Paper Mail: Deceptive letters or documents sent through traditional mail to create a false sense of legitimacy and trick recipients into taking specific actions.
  • Storage Media: Leaving infected USB drives in public spaces, relying on curiosity to prompt individuals to use the media, leading to malware infection.
  • Web Pages: Creating fraudulent websites that mimic legitimate ones, tricking users into entering sensitive information or downloading malicious content.
  • Pamphlets: Distributing deceptive pamphlets containing misinformation or fake offers to manipulate individuals into taking certain actions.

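As an added defender-side illustration (this code is not part of the original article), the following Python scorer checks a raw email for the phishing indicators described above: a brand named in the display name but sent from a look-alike domain, a Reply-To that routes answers to a third domain, urgency language, and link text that shows one site while the href points to another. The brand table and the sample message are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: a brand and the sender domain it really uses.
KNOWN_BRANDS = {"acme bank": "acme-bank.example"}
URGENCY = ("urgent", "immediately", "suspended", "verify your account")
def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
def link_mismatches(html):
    # (shown_host, real_host) pairs where the visible URL names a different host than the href
    out = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.search(r"https?://[^\s<]+", text)
        shown_host = urlparse(shown.group(0)).hostname if shown else None
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            out.append((shown_host, real_host))
    return out

def phishing_indicators(raw):
    # Returns human-readable indicators found in one raw RFC 822 message (single-part body).
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender, found = _domain(addr), []
    # 1. Brand named in the display name but mail sent from a look-alike domain
    for brand, real in KNOWN_BRANDS.items():
        if brand in name.lower() and sender != real and not sender.endswith("." + real):
            found.append(f"display name claims {brand!r} but sender domain is {sender}")
    # 2. Replies silently routed to a third domain
    reply = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply and reply != sender:
        found.append(f"Reply-To domain {reply} differs from sender domain {sender}")
    # 3. Urgency language pressuring the reader to act without checking
    body = msg.get_payload()
    hits = [w for w in URGENCY if w in (msg.get("Subject", "") + " " + body).lower()]
    if hits:
        found.append("urgency language: " + ", ".join(hits))
    # 4. Link text that shows one site while the href goes elsewhere
    for shown, real in link_mismatches(body):
        found.append(f"link text shows {shown} but points to {real}")
    return found
SAMPLE = """From: Acme Bank Security <alerts@acme-bank-support.example>
Reply-To: verify@mail-verify.example
Subject: URGENT: verify your account immediately or it will be suspended

<a href="https://acme-bank-support.example/login">https://www.acme-bank.example/login</a>
"""  # constructed sample message, not a real phishing mail
```

Running `phishing_indicators(SAMPLE)` reports all four indicators for the constructed message; a plain internal mail from the brand's own domain yields an empty list.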

Goals of Social Engineering


  • Information Gathering
  • Unauthorized Access
  • Financial Gain
  • Identity Theft
  • Spread Malware
  • Reputation Damage
  • Espionage
  • Sabotage
  • Political or Social Manipulation
  • Employee Manipulation
  • Personal Vendettas
  • Recruitment for Cybercrime


Framework of Social Engineering


There are six steps involved in social engineering:

  1. Attack Formulation
  2. Information Gathering
  3. Preparation
  4. Develop Relationship
  5. Exploit Relationship
  6. Debrief


Attack Formulation

  • Define: Clearly define the social engineering attack's target, objectives, and overall purpose.
  • Goals: Outline specific goals and outcomes the attacker aims to achieve.
  • Plan: Develop a detailed plan that includes strategies and tactics to carry out the attack successfully.


Information Gathering

  • Identity: Understand the target's identity, including personal details, roles, and relationships.
  • Gather Information: Collect relevant data about the target, such as habits, preferences, and vulnerabilities.
  • Access Information: Determine the availability and accessibility of information needed for the attack.


Preparation

  • Combination and Analysis: Analyze the gathered information to identify potential vulnerabilities and opportunities for exploitation.
  • Development of Attacks: Create a comprehensive plan for the attack, combining various tactics and techniques to maximize effectiveness.


Develop Relationship

  • Establishment of Communication: Initiate contact with the target, establishing a means of communication.
  • Build Positive Relationships: Cultivate trust and rapport with the target to create a positive relationship.


Exploit Relationship

  • Priming Target: Prepare the target for manipulation by influencing their perceptions and attitudes.
  • Manipulate Victim Emotion: Exploit emotional triggers to influence the target's behaviour.
  • Elicitation: Request favours or information from the victim, taking advantage of the established relationship.


Debrief

  • Maintenance: Keep the emotional manipulation at a high level so that the attacker retains control over the victim.
  • Transition: Assess whether the attack objectives have been achieved, or whether the whole cycle must be restarted.


Defenders can use this understanding to implement countermeasures and raise awareness about potential social engineering threats.

In conclusion, this discussion of social engineering has provided an overview of the tactics, techniques, and methodologies used to manipulate individuals or groups for malicious purposes. Defending against social engineering requires a multifaceted approach involving technical measures, user education, and ongoing vigilance. By understanding how social engineering works and staying informed about evolving tactics, individuals and organizations can better protect themselves against these manipulative techniques.
