Significant words in social engineering

Phishing is the practice of sending email to users with the purpose of tricking them into clicking on a link or revealing personal information. Spear phishing and whaling are targeted phishing attacks (see below).

Vishing is voice or telephone phishing.

Spear phishing is a special type of attack in which a specific individual is targeted rather than a mass of users, analogous to a spear, which can be used to attack only one person at any given point in time.

An extension of spear phishing is whaling, where an executive, celebrity or high-ranking government official is targeted.

Clone phishing is a type of phishing attack where a hacker tries to clone a website that his victim usually visits. The cloned website usually asks for login credentials, mimicking the real website.

Shoulder surfing is a security attack wherein the attacker uses observational techniques, such as looking over someone's shoulder, to get information while the victim is performing some action that involves explicit usage of sensitive, visible information. This can be performed at close range as well as at long range using binoculars or other vision-enhancing devices.

Going through the trash can yield one of the most lucrative payoffs for information gathering. People often throw away invoices, notices, letters, CDs, computers, USB keys, and a plethora of other devices and reports that can truly give amazing amounts of information. The attacker can use these items to get a huge amount of information about people, organisations they participate in, and network structure.

Some people shred documents, but some types of shredding can be thwarted with a little time and patience and some tape.

Role playing is one of the key weapons for a social engineer. It involves persuading or gathering information through online chat sessions, emails, phones or any other method used to interact online with others. The social engineer plays the role of a help desk agent or technician, feigns helplessness, or adopts whatever role may work in that context to get targets to divulge confidential information.

Using Trojan horses is one of the most predominant methods currently used by online criminals and intelligence agencies. It involves tricking victims into downloading a malicious file to their machine, which on execution creates a backdoor that the attacker can use at any time in the future, giving the attacker complete access to the victim's machine. Compromising a browser is relatively easy and it is cross-platform, hence an often chosen attack vector.

Among all of the NSA hacking operations exposed by whistleblower Edward Snowden over the last two years, one in particular has stood out for its sophistication and stealthiness. Known as Quantum Insert, the man-on-the-side hacking technique has been used to great effect since 2005 by the NSA and its partner spy agency, Britain’s GCHQ, to hack into high-value, hard-to-reach systems and implant malware.

A reverse social engineering attack is an attack in which an attacker convinces a target that he or she has a problem, or might have a certain problem in the future, and that the attacker is ready to help solve it.

Reverse social engineering involves three parts:

  • Sabotage: After the attacker gains simple access to the system, he corrupts the system or gives it the appearance of being corrupted. When the user sees the system in the corrupted state, he starts looking for help to solve the problem.
  • Marketing: In order to make sure that the user approaches the attacker with the problem, the attacker advertises himself as the only person who can solve the problem.
  • Support: In this step, the attacker gains the trust of the target and obtains access to sensitive information.