Tuesday, June 20, 2006

Infosec Series: Social Engineering 101

Social engineering became a buzzword in the I.T. underground a couple of years ago.  It is basically the “art” and “science” of deceiving people in order to get what the deceiver wants.  The term is used loosely to describe different ways of extracting information in order to gain access to more information.  If I were to summarize the meaning of social engineering in one word, that word would definitely be SCAM.

Here are some examples of social engineering:
  • Shoulder Surfing – this is a passive social engineering method.  A “shoulder surfer” simply looks on unobtrusively as a person enters a password or PIN to gain access to a system.  People who do shoulder surfing usually have a sharp memory so that they can immediately memorize passwords or PINs.
  • “Dugo-Dugo” – this is a uniquely Filipino social engineering method.  People with malicious intent usually call a potential victim’s home when everyone in the household is out except for the maid or domestic helper.  The “dugo-dugo” gang then tells the maid that their employer has met with an accident and directs the maid to gather expensive belongings inside the house and deliver them to the gang to pay for the employer’s hospitalization.  Gullible maids will follow the gang members’ directions, virtually rob the home where they are serving, and deliver the loot to the gang.
  • Phishing – this method of social engineering sends an email to an unsuspecting victim, saying that their account on an online site has been compromised and asking them to follow an internet link to change their password.  The internet link will look like a genuine website, but as a potential victim enters their user ID and password, the site is actually saving them to a file from which the phisher (the person who masterminds the phishing activity) can then harvest the user IDs and passwords for their own use.  The usual victims of this type of social engineering are users of online banking, online auction sites and even social networking sites.
  • Impersonation – this is a more direct way of social engineering.  Some will impersonate department store personnel and “help” customers pay for things that they bought, only to run away with the customers’ cash.  Some will copy credit card information so they can use it to transact over the telephone or the web.
  • SMS Scams – this method is quite rampant locally (at least in the Philippines).  An SMS will announce that a person has won a raffle.  It will then direct the “winner” to call a certain number so the prize can be collected.  The person who answers (the social engineer/scammer) will then ask the winner to deposit a certain amount of money to pay for the tax and processing fees.  Once the money is deposited, it is withdrawn, the account where it was deposited is immediately closed, and the “winner” is left out in the cold.
  • Dumpster Diving – this is where "social engineers" literally get their hands dirty by going through the trash of an intended victim.  They will look at every bit of paper thrown out for possible passwords, account numbers, PINs, and other confidential information.  Then, using whatever bits of information they gather from the trash, these "social engineers" carry out further social engineering activities.
  • Nigerian Email Scams – another popular social engineering method that usually originates from Nigeria.  A potential victim will receive an email from the “solicitor” of an ousted African/South American/Filipino dictator asking for help.  The sender will ask for an account where they can deposit hundreds of millions of dollars, with a certain percent of the deposited amount to be given to the “victim” as a reward for the help.  However, before the hundreds of millions of dollars can be deposited, they will ask for a certain amount of money in order to process the transaction.  Once the “transaction fees” have changed hands, the “solicitor” disappears and the victim is, as usual, left with less money in their own accounts.
The list above is by no means a complete list of the social engineering scams that happen both online and in real life.  Awareness is the key to avoiding these scams, and knowing these methods may save people from losing thousands of pesos, even dollars, to crooks and misguided elements.


1 comment:

Senor Enrique said...

Perhaps, the following may be considered Social Engineering as well:

Hiding anonymously behind an affordable SIM card, the culprit will send a lengthy text message mostly of a "character assassination nature," or to enrage someone enough with malicious lies about the recipient supposedly being spread around by someone this culprit hates. The intention is to make the recipient also harbor intense animosity against this person whom the culprit despises. Sickening, huh? But my sister has become a victim of such.