Information Security Office
Social Engineering is the act of influencing a person's behavior so that they perform an action or divulge confidential or sensitive information. Social Engineering attacks rely mainly on trickery or deception for the purpose of gathering information, gaining access to a computer system or committing fraud. In most cases the victim never meets the attacker face to face. Social Engineering techniques exploit predictable features of human decision-making, such as trust in apparent authority, the wish to be helpful, curiosity and fear of consequences. These are used in various combinations to create specially crafted attacks; below are some examples:
- Pretexting: The act of using a fictitious scenario to persuade a targeted victim to release sensitive or personal information or to perform an action. This technique is often used to trick a business into disclosing detailed information about its customers.
- Phishing: A fraudulent attempt to obtain personal or sensitive information such as usernames, passwords, credit card and bank account details by impersonating a trustworthy entity in electronic communication. Messages claiming to come from a legitimate source such as a popular social networking site, an online payment service, a bank or a credit card company are commonly used to lure the unsuspecting public. Phishing is generally carried out by email or instant message; the message asks the user to enter confidential or sensitive information on a fake website whose look and feel is almost identical to the legitimate one, and the link in the message points to the attacker's site rather than the one it appears to name.
- IVR or Phone Phishing: A rogue Interactive Voice Response (IVR) system built to sound like a legitimate bank or credit card company's IVR system. This attack is usually coupled with an email phishing attempt that requires the victim to call a toll-free number provided in the message. Once connected to the IVR, the victim is prompted to enter confidential information such as account numbers, PINs or passwords. More sophisticated systems transfer the victim to an attacker posing as an account services representative for more in-depth questioning.
- Baiting: An attack that uses physical media and relies on the curiosity or greed of the victim. The attacker leaves malware-infected media (CD/DVD-ROMs, USB drives or floppy disks) in locations where they are sure to be found (elevators, sidewalks, parking lots, break rooms or bathrooms). The media is usually branded for the target company or victim, complete with company logos and file names commonly used within the organization. Once the victim inserts the media into his or her computer, the payload runs, either automatically (where autorun is enabled) or when the victim opens one of the planted files. In most cases the payload notifies the attacker that the system has been infected and sets up a communication path so that the attacker can remotely control or modify it.
- Quid pro quo: An attack in which the attacker calls random numbers within a company claiming to be from technical support. Once the attacker reaches someone with a genuine problem, the attacker "assists" the victim in solving it. While "assisting", the attacker gathers useful information about the system, the network and the security measures in place, or has the victim type commands that give the attacker access to the system or launch malware.
- Vishing: Literally "voice phishing", this technique exploits the public's trust in the telephone system. A phone call that appears to come from a trusted source, such as a bank, a utility company or another trusted entity, is in fact initiated by an attacker posing as that entity. The attacker's goal is to obtain financial data or a payment from the victim. Caller ID is easily spoofed, so the number displayed is not proof of who is calling.
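Several of the lures above turn on a link whose visible text or host imitates a trusted domain. The script below is an added example written for this page; it is not part of the original text or of any UTA tool. It scans a constructed HTML message for three link-level tells that a mail filter or a careful recipient can check: visible text naming one host while the href goes to another, a host outside the trusted domain that embeds the trusted name, and credentials placed before an "@" so the start of the address looks legitimate. The domain uta.edu and the sample message are assumptions made for the example.

```python
"""Flag phishing-style links in an HTML e-mail body (added example).

Three checks run on every <a href="..."> element:
  1. Visible text that looks like a URL but names a different host than
     the href really points at.
  2. A host that is not the trusted domain (or a subdomain of it) yet
     embeds the trusted name, e.g. "uta.edu.mail-verify.example".
  3. Credentials before an "@" in the URL ("https://uta.edu@evil.example/"),
     which make the start of the address look like the trusted site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "uta.edu"  # assumption: the institution's legitimate domain

# Constructed sample message for the example, not a real e-mail.
SAMPLE_EMAIL = """
<p>Your mailbox is over quota. Log in within 24 hours to keep your account.</p>
<a href="https://uta.edu.mail-verify.example/login">https://uta.edu/login</a>
<a href="https://uta.edu@evil.example/reset">Reset password</a>
<a href="https://www.uta.edu/security">Information Security Office</a>
"""

# Visible text that a reader would take to be a web address.
_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case host of a URL; bare text such as "uta.edu/login" is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host):
    """True for the trusted domain itself or any subdomain of it."""
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def check_link(href, text):
    """Return the reasons a link is suspicious; an empty list means clean."""
    reasons = []
    parts = urlsplit(href)
    target = (parts.hostname or "").lower()
    if parts.username is not None:
        reasons.append("credentials in URL disguise the real host")
    if _URL_LIKE.fullmatch(text) and host_of(text) != target:
        reasons.append(f"visible text names {host_of(text)} but link goes to {target}")
    if not is_trusted(target):
        # Split on "." and "-" so "uta-edu.example" and "uta.edu.x.example" both match.
        labels = re.split(r"[.-]", target)
        if TRUSTED_DOMAIN.split(".")[0] in labels:
            reasons.append(f"lookalike of {TRUSTED_DOMAIN}: {target}")
    return reasons


def scan_email_html(html):
    """Map each suspicious href in the message to its list of reasons."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the sample message the first two links are reported (mismatched visible text plus a lookalike host, and embedded credentials respectively) and the genuine www.uta.edu link is not. The lookalike check is deliberately simple and will miss homoglyph domains and misspellings such as "utaa.edu"; it is meant to show the kind of check, not to replace a mail gateway.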
Social Engineering has become a common method attackers use to gather information and gain access to unauthorized information or systems. The key to defeating Social Engineering is education and familiarity with the policies and procedures of the University of Texas at Arlington. Another key to protecting your personal information, as well as University information and systems, is to question any and all persons asking for personal or confidential information. Verify unexpected requests through a channel you already trust, such as a published phone number or web address, rather than through contact details supplied in the request itself. Always ask to see a UTA ID card when someone asks for information in person. If you suspect any unusual activity, report it immediately to the UT Arlington Police at x3381.