Hacking is not always related to technical things. There are some other non-technical ways that hackers use to compromise the victims. We’ll be covering those non-technical techniques that are commonly known as social engineering techniques in the cybersecurity world, let’s see the different types of social engineering techniques hackers use to hack victims. Let’s start this post with what social engineering is. Why is it so effective? We’ll also cover specifically the different types of social engineering techniques, such as phishing, smishing, vishing, shoulder surfing, dumpster diving, influence campaigns, and things like hybrid warfare, and then we’ll also talk about the reasons for effectiveness such as authority, intimidation, trust, and so forth. So let’s go ahead and get started.
What Is Social Engineering?
What is a social engineer? What is social engineering? Well, a social engineer is someone who is a master of asking seemingly non‑invasive or unimportant questions to gather information over time. All right, so what they do is they gain trust, and they also reduce the defenses of that specific target.
So over time, that can be combined with a number of other techniques to gain sensitive information. So, in other words, if someone were to call and speak to a customer service rep or someone may be internal to a company and if they act like they are someone of importance, maybe someone from corporate, perhaps a different part of the building or even a different state or a different part of the world even, if they call and ask a few non‑invasive questions, asking about a specific application or what a specific piece of infrastructure is called or an application is called or what’s the buzzword or the acronym that person uses, well, they’ll gain that piece of information. Then they might call someone else in that same department or maybe a different part of the company and use the buzzwords or use the information they just got. Now they’re going to act like they know what they’re talking about even more. So that person on the other end of the phone thinks, hey, this person belongs here. They have all the buzzwords. They know our internal lingo. So they’ll give up even more information. Then they might make a third call and a fourth call. And over time, they’re gathering bits and pieces of information, so when they do make that call to get the sensitive information, they have the lingo down, they know what they’re talking about, they know the buzzwords, they know where the infrastructure is located. So all of these things add up. So the person on the other end of the phone gains trust, and they reduce their defenses. They think that person is an insider. And when they do that, boom, they give up some sensitive information, something that’s crucial. They may not know it. They may not realize it, but that person, that attacker, now has the information they need to target, very specifically some piece of infrastructure or some application or some database or what have you. So they gather stuff over time, and it makes them highly effective.
So it’s obtaining sensitive information, whether that be usernames, passwords, credit card information, and so forth, by tricking the user into entering their information into a fake website. Now that phishing campaign could come from email spoofing, where we get a fake email or a fraudulent email, and we are sure you’ve seen these in the past.
So it becomes even more critical that we take due diligence when answering emails or looking at emails, not clicking on links that we’re not familiar with, not opening emails and attachments from things or from places that we’re not sure of, or we’re not familiar with, and so forth, common sense things. But as these emails, these phishing attacks, become more kind of targeted to us specifically, it becomes harder to differentiate what’s good versus what’s bad.
- Spear Phishing:
2. Dumpster Diving
Next, we have Dumpster diving. All right, so Dumpster diving, as you might guess, removing trash from dumpsters that could reveal sensitive information. This is a big one that people don’t want really think about. It’s important, extremely important, that any documentation that has things like usernames and passwords, or if it has personally identifiable information, PII, or company documents, resumes, and things along those lines, have to be shredded or disposed of properly.
Some companies will have locked Dumpsters or locked trash cans, where you can just put things in, and they’ll be disposed of through some type of third‑party service. Or, if not, make sure you have a shredding area or shredder in your office or some common area. Things that have any of this sensitive information need to be shredded. If you have thousands of documents, maybe not as easily. So cross‑shredding, or cross‑cutting, actually cuts them into smaller bits and pieces. That makes it much more challenging to reconstruct. And then locked waste cans, as we mentioned, can be transported offsite for shredding or disposal. Can use some third‑party company that can do that in bulk.
3. Shoulder Surfing
Another big type of social engineering technique hackers use to hack people don’t necessarily think about is something referred to as shoulder surfing. So shoulder surfing, combined with social engineering, can really be used effectively, very effectively, to trick someone into entering credentials into an application or a website. So if you go up to somebody and say, hey, you know what, I’m having trouble logging into my computer. Can you do me a quick favor and just log in to this website or this application so we can check something real quick? While they’re standing over you, it’s very easy for them just to watch what you put in, or they could go up to someone and strike up a conversation, start talking about their kids, sports, and so on and so forth. They might ask to see some pictures. Where is their favorite spot to vacation, their favorite car, their pets’ names, and so forth? What type of dogs do they have? All of those things are typically used for people’s passwords.
Some mitigation to lessen the chance that you may be compromised, as we talked about, privacy screens are a good one. That prevents someone, unless they’re sitting directly in front of the monitor, from seeing what you’re typing in, user names, and so forth. So if they’re on an angle, they won’t be able to see what you’re actually typing in. We can also make sure that every single application and every single site we visit masks our passwords.
There are some technical controls that can be put in place as well. So cameras to monitor doors, sensitive areas, keycard access, and so forth, and if we have cameras monitoring certain common areas or certain kiosks and things, we can make sure that someone’s not shoulder surfing or someone’s not using some type of social engineering trick or some type of password gathering kind of reconnaissance mission to go out and gather information from unwary victims.
Okay, now, another term that you may or may not be familiar with is something referred to as pharming. So pharming is the redirecting of a user’s website traffic to a fake malicious website, and that can happen from two primary attack vectors. It could be from DNS cache poisoning, and DNS is the Domain Name System. But basically, we’re poisoning the DNS cache. So when that web address, or that URL, that a user puts in, when that gets resolved, instead of going to the appropriate website, it actually gets redirected to a malicious website.
The other would be something referred to as a host file injection. So on a user’s computer, there’s a text file referred to as a host file. That host file can include IP addresses mapped to web addresses and vice versa. So if you were to put in, let’s say, for instance, wordpress-753125–2540596.cloudwaysapps.com, if our computer was compromised, instead of going to the actual securitymaster website, it could be redirected to a malicious website.
This is one of the simplest types of social engineering techniques hackers use to hack the victims next, and something that’s overlooked quite often is something referred to as tailgating. So not the type of tailgating you may be familiar with or hoping we’re talking about, not the tailgate before the big game. Trust me. This one is nowhere near as much fun. However, it’s equally important. So from an IT security sense, we’re talking about following someone into a building through a gated area or a badged access area, basically following on their coattails, if you will. So one person badges in, but that person then allows another person or more persons behind them, could be several people behind them, to come in on their badge or their access.
So why does this happen? Well, basically, people want to be helpful, and the bad actors know this. The bad actors know that people will most likely hold the door for people who look like they belong. So if you’re carrying lots of items or you’re in a hurry, basically, if you look like you’re supposed to be there, that has an effect. People want to be helpful. They don’t want to turn around and be that guy or that girl who doesn’t hold the door for someone, slams the door in their face, in essence. Well, we don’t want to do that.
But from an IT perspective, from a business sense, that’s precisely what we need to do. Without being malicious, without looking like a bad person, we need just to make sure that we have adherence to corporate policy. So that’s where training and understanding of corporate policies are key. Everyone needs to understand that everyone needs to badge into the building. They need to use their access card just like everybody else. One of the primary reasons for that is. Obviously, we want to make sure that everyone that’s there is supposed to be there, has access, and has credentials. But then secondly, some access systems actually track who’s in the building in the event of an emergency. So everyone badges in, and let’s say a fire alarm gets pulled or some type of evacuation scenario takes place. Well, as people leave the building, they’re going to badge out. So we have X number of people that walked in. We now know that we have X number of people that walked out. And if we have any Delta there, we know that there are X number of people still left in that building. So that allows emergency responders, emergency personnel, and so forth to have more of a directed search or an idea of where to look for people trapped in a building or maybe not able to get out of a building in time. So it’s very, very important that we actually follow corporate policy, and training comes into play here. We should make sure that these types of things are understood by everyone throughout the corporation. Everyone must badge in everyone must badge out.
This is another common type of social engineering technique hackers use to hack victims. Hoax is a social engineering technique using the phone or voicemail to trick the target into providing sensitive information. So a hacker will act like a remote technician or an employee, perhaps maybe an interested party seeking employment, or perhaps an angry customer filing a complaint, something that will trigger kind of an immediate response without someone thinking that something might be awry; the person answering the phone, so in essence, again, playing on a person’s good nature.
So targeted attacks like phishing and spear-phishing, techniques we talked about aimed at “big fish” like company executives and whaling and so forth. Those types of things, phishing, vishing, and other various social engineering techniques are used to gather information. It can be an email, it can be a voicemail, it can be a phone call, but regardless of the campaign, these things are very specific, and they seem legitimate. So as we mentioned before, an example might be someone would call the front desk of a company and start asking around, gathering some information, doing some preliminary recon to get the lay of the land, if you will, to understand how things are situated, where buildings are located, perhaps where different parts of the company are located. They may ask a few questions and not really get very far, but they’ll hang up, and the next time they’ll call a different area.
But now they have the information they just learned about, so when they talk to the next person, they sound more legitimate, and that will continue over and over and over again, as we mentioned before. So as that profile starts to get built, that bad actor becomes more aware of how to talk the talk, the lingo, or the names of departments or people within the company, and it makes him seem more and more legitimate. A way to combat this type of thing is security awareness training. So we must ensure that employees know to never click on link sources from people they don’t know, don’t open attachments from an unknown origin, and then, as we talked about, if a phone call comes in or people start asking questions, they should just kind of hang up the phone, or say, give me a callback number and I’ll call you back as soon as we confirm your identity or confirm what company you’re with or so forth. Those types of things can go a long way to combating some of these things. So technical controls can also be put into place.
Prepending is basically adding mentions, the @username, whether it’s Twitter or some type of social media, to tweets or other social media posts to make them seem more personal. So what that does is it creates a higher engagement. It also can be automated to become almost as efficient as a manual spear‑phishing campaign. So, in essence, what’s happening here is hackers have gotten more sophisticated.
They’re using artificial intelligence, machine learning, and so forth to start publishing tweets, publishing social media posts with @username prepended into that tweet or into that post, so it makes it seem more personal. It makes it seem more legitimate, obviously, and they can actually even filter that in with manual or traditional posts so that some of it might be done manually.
This is one of the best-suited types of social engineering techniques hackers use to hack the victims. Impersonation can be done via a number of methods. We can have social engineering where we actually impersonate someone else, which would be an obvious use case. But we could also have stolen credentials or credential harvesting. But those stolen credentials or credential harvesting could allow us to impersonate someone else on the network. And then, we could also infiltrate a network and start capturing packets and replaying those packets on the network. So we’ll talk about things like man‑in‑the‑middle attacks and so forth in other modules. But capturing those packets and replaying them on the network would allow us to impersonate someone else on the network basically and then perhaps gain access to other systems within the network and then pivot, do additional reconnaissance, and so forth on the network.
So impersonation can take several forms. From a network perspective, we can do certain things like packet sequencing, ensuring that packets arrive in a specific order, timestamp them, have offsets to make sure that they’re not delayed, and then kind of injected back onto the network, and so forth..
9. Identity Fraud
Let’s talk about identity fraud. Now, identity fraud is something that is becoming more and more of a challenge across the board for both adults and also for children. Identity fraud is a massively growing area for children as well. So identity theft and identity fraud are typically interchangeable items, so that you may hear those terms used in place of each other. So malware, social engineering, and old‑school methods, i.e., dumpster diving, right? We’ve talked about that; all these things can be used to gather information. It can be receipted. It can be bills, personal identifiable information, right, or things that people throw away. It can also be done electronically through malware. We could have something downloaded to our computer without us even knowing it that can either scrape websites, take information off of our computer, or allow an attacker to access our computer remotely and exfiltrate data from that system or in a corporate environment, obviously from PCs and systems on the network. And also, as we talked about, social engineering can be very effective for identity fraud as well because people don’t necessarily realize they’re giving up crucial pieces of information that an attacker could use to log in, access websites, and so forth. So a victim’s identity is used to obtain credit. It could be used to steal money out of banking accounts or from corporate accounts or business accounts, assets, and so forth.
10. Invoice Scam
Along those same lines is something referred to as an invoice scam. Now an invoice scam is typically kind of associated with or goes hand in hand with a whaling technique, and we talked about whaling before. So a whaling technique is where bad actors will spoof executive email accounts. They will then contact a finance or an accounts payable or some type of accounting group and ask them to pay a fraudulent invoice. They might ask for a wire transfer, a company credit card, or even less frequently, cryptocurrency.
11. Credential Harvesting
So there are a couple of different ways we can do that. Phishing campaigns. We’ve talked about this to some degree. Phishing and smishing, SPAM, and SPIM, they can be used to gather credentials at scale. So this can be done or perpetrated against a broad audience at scale without a lot of user intervention or a lot of even hacker intervention.
These types of social engineering techniques, they use tools and techniques. They’ll use software, programs, scripts, and so forth, maybe infiltrate or infect a website or send out a massive amount of emails. And so they can do that in an automated process. So it doesn’t take a lot of effort once they push the go button, and they can harvest these credentials at a massive scale.
Next is malware. So malware can be used to target an individual victim or websites or entire networks, and then credentials are often harvested or sold, or pasted online. So these types of paste sites allow hackers and bad actors to post large amounts of compromised accounts and information, as well as access other breach information.
12. Watering Hole Attack
A watering hole attack is a technique hackers use to compromise a specific group of end-users by infecting existing websites or creating a new one that would attract them. These are used to distribute malware onto the target’s devices, just like phishing activities are conducted. The malware used in this attack often collects the target’s sensitive information and sends it to the attacker’s server. In extreme cases, the attacker actively takes control of the infected systems.
However, watering hole attacks are not common but pose a significant threat. Since they are hard to detect and generally target highly secure organizations using their less security-conscious employees or business partners, as these attacks can breach multiple layers of security, they can be extremely devastating. A watering hole attack is a type of social engineering attack used to hack compromised websites.
13. Typo Squatting / URL Hijacking
So with typosquatting, basically, you type in something wrong, and hackers will know that you’re going to misspell a specific website ten different ways, and they’ll take all of those ten different misspellings, or 100 or 1000, whatever it is. They’ll register all those misspelled domain names, so setting up domain names that capitalize on the fact that users make typos, as you can see here, Facbook instead of Facebook, Goggle or Googel instead of Google. So all these different misspellings happen all the time. We mean, if you think about it, there are millions of people typing on Facebook or Google or whatever per hour, let alone per day. There’s going to be a good percentage of those that mistype. And when they do that, the hackers will set up other domains using the misspelled domain name, but they’ll make it look like you’re actually logging into the legitimate site. So it’s a perfect way for them to capture credentials, usernames, passwords, and so forth.
14. Hybrid Warfare
This is one of the latest types of social engineering techniques hackers use to hack victims. Hybrid warfare is a combination of traditional and irregular forces in the same military campaign. Now, as far as we’re concerned here, that can also step outside the bounds of a military quote-unquote campaign. But it basically blurs the lines between civil, military, friend, foe, and so on and so forth, right? It becomes tough to distinguish actual battle lines. So that can be achieved through the usage of guerrilla forces, insurgents, and proxy groups that actually act in place of or in lieu of some other group. So group A might actually illicit the services of group B and have group B carry out an attack. So that way, it removes attribution from group A. So you kind of fight through someone else. It could also take place through terrorist organizations, and it can be state and also non‑state actors. So all of these things combined, they’re really all aimed at achieving a common political goal. So we have information operations, which is more on the technical side. We can create fake news. We can use bots and malware to shift public perception and push out fake news stories and so forth. Cyber activities are along the same lines. So we can go in and take companies offline or websites offline or propaganda and so forth to actually start to shift or change public opinion or blur the lines between what’s good and what’s bad. We can also, as we mentioned, use proxy organizations. So we elicit the services of these other groups and kind of fight through them, so it blurs the lines between covert and kind of out-in-the-open activities. It’s very nonlinear. It’s very unorthodox. You might want to use the term asymmetric approach. It can also be a force multiplier because it really gives the impression that things are maybe larger or there’s more of a force or more of an enemy than there actually is. So someone with a very small footprint can actually create a large amount of damage using these types of hybrid activities. So we can also exert economic influence. You take down the stock market, or you take down a specific industry, or you change public perception against a specific company; you can have an economic impact on that company or even an entire region. And then also clandestine measures. As we mentioned, we have gray hat hackers, black hat hackers, and, of course, white hats, which are doing things for typically good reasons, but there’s a line that gets blurred between what’s necessarily offensive and defensive. And we can also do things behind the scenes in a very covert fashion. So all of these things now create this hybrid effect, which is no longer traditional. We have a lot of our forces lined up on a line on the battlefield, and we have two groups fighting each other, standing right in front of each other during their fighting, and so forth. And then, lastly, a lot of times, these things are done for political influence to influence the access to power or the political power within a specific region. It can topple entire governments. So hybrid warfare has become very, very effective. We can do things in the cyber realm, and with social media and everything else that’s out there nowadays, we can push out fake news and make things appear to be completely different than how they really are.
15. Social Media And Influence Campaigns
This is another new type of social engineering technique in which hackers use social media as a prime target for influence campaigns. So, as we mentioned, it can be extremely powerful in shaping public opinion, and that can be used to help or hurt a company’s image, stock price, consumer confidence, and so forth. So social media has the potential for a tremendous impact, and it can be done from relatively meager means. So you don’t necessarily have to have a lot of money or a giant force behind you. You can have a small group that can just amplify their voice on social media and makes things appear much bigger than they are. So public policy, elections, attitudes towards government, attitudes towards law enforcement, and so forth can be used to either bolster or boost up an area or a region, or it can completely debilitate and take that specific region down or that company or that group, as we said, government, law enforcement, and so forth. So the reason we say all this is to understand that social media can be a prime target for hackers, and for influence peddlers, and so forth who are trying to, perhaps, have a service for hire or a lot of these black hats or dark web folks that go out there and will basically go in and try to topple or push out information and just generally be hurtful in some capacity.
In this post, we covered a lot of good information. We talked about what social engineering is and why it is so effective. Why is it such an effective tool for hackers, bad actors, and so forth? We talked about 15 different types of social engineering techniques, such as phishing, smishing, vishing, shoulder surfing, dumpster diving, influence campaigns, and things like hybrid warfare. So we hope this post was informative for you, and we’d like to thank you very much for reading this.