Social Engineering is one of the most tricky attack techniques to combat. You can’t use technology to prevent it but you have to rely on end users training and users’ awareness which can be part of an ongoing education program. Social engineering is not just Kevin Mitnick’s type where a hacker calls the IT staff and manages to act like a normal employee or even worse, as the CEO assistant to obtain sensitive information. Today, social engineering is also virtual and is mostly executed through unsolicited email messages and social networking.
For instance, a user receives an email message that looks as if it came from the user’s bank. The message is crafted in a way that looks legitimate. However, the message main objective is to direct the user to a malicious website. The link directs the user to a rogue website which has the look and feel of the actual banking site but any data the user would provide will go to a criminal and not to the user’s real bank. With the user’s name and password an attacker could go to the real banking site, access the victim’s account and steal money. The criminal can also try the user’s login credentials on many other sites related to the user and perform other monetary and identity thefts.
This is a typical Social Engineering attack executed through phishing email but other means exist especially in the Social Networking arena. Social Networking has become an ideal platform where cyber criminals can develop new Social Engineering attacks!