Social Engineering ‘Exploitation Techniques’

Social Engineering is a continuous and ongoing threat. If executed well against those unprepared to combat it, the perpetrator can get access to whatever they have set their eyes on with minimal effort. For this reason, it is important to understand the routes normally used by Social Engineers to trap people. Being able to recognise an attack type might help a person switch into an automatic ‘alert mode’, preventing them from becoming an unfortunate victim.

A breakdown of common tools and techniques used by Social Engineers is given below.

1- Phishing

Phishing is the ultimate form of deception. With phishing, a Social Engineer tricks the target into thinking that they are communicating with a legitimate and trusted source. In reality, the attacker is almost always in full control and can see the sensitive information given up by the victim.

By far, email is the most popular method of luring victims to a specially drafted webpage that records all information entered. However, the attacker may also make use of other communication media, such as phone calls, social media, online chat and spoofed websites promoted through malicious plugins, malware or other compromised websites, to lure the victim into giving up personal, financial or other sensitive information.

2- Spear Phishing

Spear phishing is an advanced type of phishing attack in which the attacker is already in possession of some information about their target. The attacker makes their move in a targeted attempt and uses information relevant to the victim to gain their confidence.

Because a large number of people in the developed world use social media without utilising the full potential of the privacy settings on offer, Social Engineers often harvest specific details about their targets from this medium and from other online services such as 192.com.

By using this personalised method, a Social Engineer can enhance their chances of a successful attack. They can quickly gain the trust of their victims and persuade them into divulging sensitive information, such as business or financial data, trade secrets, etc.

3- Quid pro quo

As the name suggests, in this type of attack the attacker tempts the target into giving up sensitive information in exchange for a favour or a gift. For example, a Social Engineer may ask an employee of a company to share a confidential file with them in exchange for a brand new smartphone.

This type of offer sounds dubious and should raise immediate suspicion in a normal person’s mind about the motives of the individual making the offer. Upon contact, it is sensible for an employee to record as many details about the attacker as they can, and then pass the information to the manager in charge, so that some type of action can be taken to deter the attackers from attempting the attack again.

4- Baiting (Road Apple)

Social Engineers conduct baiting (also known as Road Apple) by leaving a malware- or virus-infected USB drive or CD near the target’s location, in a place where they know their potential victim is likely to be. This could be right in front of their office, at a time when they are expected to enter or exit the building, or right outside their target’s home.

It must be noted here that CDs are not as frequently used as bait now, because use of this technology is in continuous decline. A ‘Rubber Ducky’ or the likes of the ‘USB Armory’ are the weapon of choice for attackers, due to their capability to act as an injection attack platform by tricking the computer into thinking that the attached device is a HID (human interface device) keyboard.

The idea is that once the target sees the ‘bait’, they will pick it up and, out of curiosity, insert it into their computer at home or at the office, inadvertently installing the malware or virus. Once installed, the malicious application will allow the attacker to gain access to the computer and perform tasks remotely.

5- Pretexting

Pretexting is the art of creating a false scenario and presenting oneself as an authoritative figure, which makes the target comfortable divulging information they normally would not. For instance, after gathering sufficient information about the potential victim online (through social media and the Internet), the attacker may call the victim and tell them that they are calling from their bank to discuss some suspicious transactions on their account. To gain the victim’s trust and appear legitimate, the attacker reveals the victim’s correct date of birth and address (obtained from the Internet), and then asks the victim to confirm their account details so that the caller ‘knows’ they are speaking to the account holder.

Typically, once trust is established the victim will be prepared to divulge any information about their account. Exploiting this weakness, the attacker gathers as much private information about the victim as they can before calling the victim’s bank. In possession of up-to-date private information about the victim, and impersonating them, the attacker can potentially reset security on the account and carry out malicious financial transactions on the victim’s behalf without their knowledge.

6- Tailgating

Tailgating is a physical Social Engineering approach in which an unauthorised individual attempts to gain access to a secure target location by following (‘tailing’) an authorised worker. The objective is to gain access to the location and then acquire valuable sensitive or confidential information. This is achieved by introducing malware onto the computers located in the target area, or by impersonation: acting as someone in charge and extracting information by physically interacting with employees on site.

7- Pharming

Pharming, whose name blends the words ‘Phishing’ and ‘Farming’, tricks the victim into thinking that the website they are browsing is legitimate, when in fact they are visiting an identical but forged copy of the original website. By DNS cache poisoning or unauthorised modification of the ‘Hosts’ file, the attacker can deceive the system into thinking that the website being visited is genuine when it is not.

Pharming requires little or no direct contact between the victim and the attacker, as most of the attack is conducted by technical manipulation of technology. However, it is still classified as a tool employed actively by Social Engineers, because of the trickery involved in making the victims think that they are browsing the intended website. This type of attack provides a high degree of success, which makes it a weapon of choice for Social Engineers.
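A defender's counterpart to the ‘Hosts’ file tampering described above, added here as an example and not part of the original post: a small Python audit that flags hosts-file entries which override a public domain, the kind of change a pharming attack leaves behind. The hosts content and the example-bank.com domain are constructed, and the watched-domains list is an assumption about which sites the organisation cares about.

```python
import ipaddress

# Hostnames that legitimately appear in a hosts file and are not suspicious.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes",
               "ip6-allrouters", "ip6-localnet", "ip6-mcastprefix"}

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address mapping
        for name in fields[1:]:
            yield ip, name.lower(), line_no

def suspicious_entries(text, watched_domains=()):
    """Return mappings that could send a user to a forged site.

    Public-looking names (dotted, not local) are flagged unless they map to
    loopback/unspecified; names under watched_domains are flagged whatever
    the address, since even a loopback entry hijacks the genuine site.
    """
    flagged = []
    for ip, name, line_no in parse_hosts(text):
        watched = any(name == d or name.endswith("." + d) for d in watched_domains)
        public_name = "." in name and name not in LOCAL_NAMES
        harmless_ip = ip.is_loopback or ip.is_unspecified
        if watched or (public_name and not harmless_ip):
            flagged.append({"line": line_no, "host": name, "ip": str(ip)})
    return flagged

# Constructed sample: three ordinary lines, then a (fictional) bank domain
# overridden to a documentation-range address, and a harmless ad blackhole.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
127.0.1.1   workstation.lan   # this machine
203.0.113.7 www.example-bank.com example-bank.com
0.0.0.0     ads.example.net
"""

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS, ["example-bank.com"]):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```

On a real machine, read `/etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts`) into `text`; any hit is worth comparing against what public DNS returns for that name.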

8- Trojan Horse – Gimme

This is another method where a Social Engineer needs minimal physical interaction with the target. The technique exploits the natural curiosity and greed of the victims and tempts them into opening an email attachment that carries a malicious application.

The attacker usually sends an email with an attached virus to a batch of recipients on a list. The email offers the recipients a free screensaver, an antivirus, or other popular software of some value to the users. In this type of attack, the negligence and naivety of the users benefit the attacker; consequently, those who trust the sender and install the application from the attachment inadvertently get malware or a Trojan horse virus on their system.
