
Social Engineering and its use cases

‘Social Engineering’, in the context of information security, refers to the manipulation of people into executing an action or releasing confidential information. It can be called a ‘method of attack’, in which one makes use of persuasion, sometimes abusing the user’s trust, to obtain information that can be used to gain unauthorized access to computers or information.

This technique is applied in several sectors of information security. It is independent of the computer system, software or platform, and it exploits the most vulnerable element of any system, the human, who becomes the target of social engineering attacks. The technique is not restricted to information technology: it is a tool that exploits human failings in a company’s physical or jurisdictional area.

Another definition of social engineering: it is the art of deceiving a victim in order to obtain confidential information, or information that may aid in an attack. Several attack techniques make use of social engineering, among them:

– Vishing: the attacker makes use of a telephone system (possibly via VoIP) to obtain personal information from the victim.

– Phishing: this attack tries to deceive the victim into opening email attachments, believing them to be legitimate.

– Spear Phishing: similar to phishing, but aimed at a specific target, such as a company or a government agency.

– Hoax: a lie that, when divulged through mass dissemination channels, may seem true. Dissemination can be via a social network, e-mail or even TV.

– Whaling: very similar to spear phishing, but with content that is even more specific to the target. The classic example of whaling is an e-mail that lands in the inbox of a call center manager as if it were a complaint about the service. The body of the email contains links to sites run by malicious people who try to steal information from the victim.

– Shoulder Surfing: this is a mechanism of social engineering in which an individual naively provides proprietary information to another, believing it to be something normal that can be revealed. Often the leakage of information occurs by simpler means, with a technique called “look over the shoulder” (shoulder surfing). This is basically the familiar “spying” on what another person is doing or typing, paying attention to the details of their work.

– Dumpster Diving: this method of social engineering is one of the oldest and does not require any kind of technology. How many times have you thrown something in the trash that meant nothing to you but is valuable to somebody else? For this reason companies, and even some individuals, use a paper shredder before putting documents in the trash, to make sure that the document is not useful to anybody else.

– Tailgating: this attack is often due to people’s over-courtesy. How many times have you held the door open because someone else was coming right behind you? In public places like the cinema or a restaurant this is simply a matter of good manners, since it is not necessary to control who enters the premises. In companies that use a card reader to validate who may open a door, holding it open so that another person can slip in behind you can be a fatal error, because that person may have malicious intentions and may have used the tailgate precisely to enter without permission. So the next time you are about to be polite and let someone come in with you, think about the possible consequences, and also that you may be violating company policy.

Check out these real cases of social engineering attacks:

  1. Ethereum Classic, 2017

Several people lost thousands of dollars in cryptocurrency after the Ethereum Classic website was hacked in 2017. Using social engineering, hackers impersonated the owner of Classic Ether Wallet, gained access to the domain registry, and then redirected the domain to their own server. The criminals extracted Ethereum cryptocurrency from the victims after entering code on the website that allowed them to view the private keys used for transactions.

  2. Ubiquiti Networks, 2015

Ubiquiti Networks, a manufacturer of networking technology, lost almost $40 million in 2015 after a phishing attack. It is believed that an employee email account in Hong Kong was compromised. The hackers then used employee impersonation to request fraudulent payments, which the accounting department made.

  3. Sony Pictures, 2014

After an investigation, the FBI concluded that the 2014 cyber attack on Sony Pictures was the responsibility of a foreign government. Thousands of files, including business agreements, financial documents, and employees’ information, were stolen. Sony Pictures was targeted by spear-phishing attacks; it appears employees were lured by fake Apple emails.

  4. Target, 2013

As a result of the 2013 Target data breach, hackers gained access to the payment information of 40 million customers. Through a phishing email, the criminals installed malware at a Target partner company, which later allowed them to access the network of the second-largest department store retailer in the United States. The hackers then installed another piece of malware on Target’s systems to copy customers’ credit and debit card information. What can we learn from this attack? Be very cautious with companies and partners that have access to your network.

Reference: Security+ Certification: From Practice to the Exam
Authors: Yuri Diogenes, Daniel Mauser.

AUTHOR
Zoziel Freire
Cyber Security Analyst, Vitória, Espírito Santo, Brazil
“To provide growth and maturity to the IT environments of companies with my expertise in the area of information technology, as well as to obtain personal and professional knowledge and maturity.”