Social engineering is an attacker's deliberate manipulation of the natural human tendency to trust. The attacker's goal is to obtain sensitive information that allows them to gain unauthorized access to a valued system and the information that resides on it. Types of social engineering attack include pretexting, phishing, IVR or phone phishing, Trojan horses, baiting and quid pro quo.
Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone. It is more than a simple lie: it usually involves prior research or setup and the use of pieces of already-known information (for impersonation, e.g. a date of birth, ATM PIN or last bill amount) to establish legitimacy in the mind of the target.
Phishing is a criminal technique for fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business, such as a bank or credit card company, requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate, complete with company logos and content, and carries a form requesting everything from a user ID, password and ATM card number to a home address. The link is the giveaway: the visible text or the sender's branding points to the real institution, while the destination host does not belong to it.
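The following is an added example, not part of the original article, showing the kind of automated check that catches the link mismatch described above. It parses a constructed HTML e-mail body with the Python standard library and flags links whose destination host is not one of the impersonated institution's domains, links whose host is a raw IP address, and links whose visible text names one host while the href goes to another. The sample e-mail, the domain `examplebank.com` and the `LEGIT_DOMAINS` allowlist are assumptions made for the example.

```python
"""Flag phishing indicators in the links of an HTML e-mail body.

Added example for illustration; the e-mail and the allowlist below are
constructed and do not come from any real institution.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains the impersonated institution really uses for links.
LEGIT_DOMAINS = {"examplebank.com"}

# Constructed sample: two phishing links and one genuine one.
SAMPLE_EMAIL_HTML = """\
<p>Dear customer, your account will be suspended unless you
<a href="http://examplebank.com.account-verify.net/login">verify your details</a>
within 24 hours.</p>
<p>Or go to <a href="http://198.51.100.23/secure">www.examplebank.com/secure</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Crude registrable-domain guess: the last two labels.

    A real deployment would consult the public suffix list; this keeps the
    example dependency-free. IP literals are returned unchanged.
    """
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_findings(href, text):
    """Return the list of reasons a single link looks like phishing (empty if none)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme}")
    if is_ip_literal(host):
        reasons.append("IP-literal host")
    elif host and registrable(host) not in LEGIT_DOMAINS:
        reasons.append(f"host {host} is not a known {', '.join(sorted(LEGIT_DOMAINS))} domain")
    # Visible text that looks like a URL or domain but points somewhere else.
    shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
    if "." in shown and " " not in text and registrable(shown) != registrable(host):
        reasons.append(f"link text shows {shown} but href goes to {host}")
    return reasons


def scan_email_html(html):
    """Return {href: [reasons]} for every link with at least one finding."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = link_findings(href, text)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_EMAIL_HTML).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the first link is flagged because its registrable domain is `account-verify.net` despite starting with `examplebank.com`, the second is flagged both for its IP-literal host and for showing `www.examplebank.com` while pointing elsewhere, and the genuine help-centre link produces no finding.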
IVR or phone phishing uses a rogue Interactive Voice Response (IVR) system to recreate a legitimate-sounding copy of a bank's or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call the 'bank' on a number provided, ideally a toll-free one, in order to 'verify' information. A typical rogue system rejects log-ins continually, so that the victim enters PINs or passwords several times and often discloses several different credentials, which the attacker can then try against the victim's other accounts. More advanced systems transfer the victim to the attacker, posing as a customer service agent, for further questioning.
A criminal could even record the typical prompts ('Press one to change your password, press two to speak to customer service', and so on) and play them back manually in real time, giving the appearance of an IVR system without the expense of building one.
Trojan horses take advantage of the victim's curiosity or greed to deliver malware. One example is the 'e-mail virus', which arrives as an e-mail attachment promising anything from a 'cool' or 'sexy' screen saver or an important anti-virus or system upgrade to the latest gossip about a celebrity.
Victims succumb by opening the attachment, which runs the payload. Since naive users may click on an attachment without considering its legitimacy, the technique can be quite effective, and a number of such cases, for example the 'ILOVEYOU' virus, made international news as a result. Similarly, a program which grants the attacker access while hiding inside other software (spyware being an example), or by pretending to be something it is not (for example a download posing as a 'free' copy of a new software title), behaves much like the famous horse of Troy and allows an attack from inside the computer system.
Baiting is the physical-world counterpart of the Trojan horse: it uses physical media and relies on the curiosity or greed of the victim.
In this attack, the attacker leaves a malware-infected floppy disk, CD-ROM or USB flash drive in a location where it is sure to be found (a bathroom, elevator, sidewalk or parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device. An unknowing employee might find it and insert it into a computer to satisfy their curiosity, or a good samaritan might find it and turn it in to the company. The technique is less effective against companies that scan or block removable media before anything on it can run (scanning only helps if it happens before any autorun or opened file executes), but individuals may still fall prey to it.
Quid pro quo: an attacker calls random numbers at a company, claiming to be calling back from technical support. Eventually they reach someone with a genuine problem, who is grateful that someone is calling back to help. The attacker helps solve the problem and, in the process, has the user type commands that give the attacker access or launch malware. As with pretexting, the defence is to verify an unsolicited caller through a number the organisation itself publishes before following any instruction.