
=**Social engineering**=

**Social engineering** is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. "Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick. The term had previously been associated with the social sciences, but its usage has caught on among computer professionals.

Social engineering techniques and terms
All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases.[2] These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here:

Pretexting
Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. It is more than a simple lie, as it most often involves some prior research or setup and the use of prior information for impersonation (//e.g.//, date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target. This technique can be used to trick a business into disclosing customer information, as well as by private investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager, //e.g.//, to make account changes, get specific balances, etc. Pretexting has been an observed law enforcement technique, under the auspices of which a law officer may leverage the threat of an alleged infraction to detain a suspect for questioning and conduct close inspection of a vehicle or premises.

Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet.

Diversion theft
Diversion theft, also known as the "Corner Game"[4] or "Round the Corner Game", originated in the East End of London. In summary, diversion theft is a "con" exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere — hence, "round the corner". With a load or consignment redirected, the thieves persuade the driver to unload the consignment near to, or away from, the consignee's address, on the pretense that it is "going straight out" or "urgently required somewhere else". The "con" or deception has many different facets, which include social engineering techniques to persuade legitimate administrative or traffic personnel of a transport or courier company to issue instructions to the driver to redirect the consignment or load. Another variation of diversion theft is stationing a security van outside a bank on a Friday evening. Smartly dressed guards use the line "Night safe's out of order, Sir". By this method shopkeepers etc. are gulled into depositing their takings into the van. They do of course obtain a receipt, but later this turns out to be worthless. A similar technique was used many years ago to steal a Steinway grand piano from a radio studio in London: "Come to overhaul the piano, guv" was the chat line. Nowadays ID would probably be asked for, but even that can be faked. The social engineering skills of these thieves are well rehearsed and extremely effective. Most companies do not prepare their staff for this type of deception.

Phishing
Main article: Phishing

Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business — a bank, or credit card company — requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate — with company logos and content — and has a form requesting everything from a home address to an ATM card's PIN. For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently were going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, and who might respond.

IVR or phone phishing
Main article: Vishing

This technique uses a rogue Interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via an (ideally toll-free) number provided in order to "verify" information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning. One could even record the typical commands ("Press one to change your password, press two to speak to customer service" ...) and play back the direction manually in real time, giving the appearance of being an IVR without the expense. Phone phishing is also called vishing.

Baiting
Baiting is like the real-world Trojan Horse: it uses physical media and relies on the curiosity or greed of the victim.[5] In this attack, the attacker leaves a malware-infected floppy disk, CD-ROM, or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device. For example, an attacker might create a disk featuring a corporate logo, readily available from the target's web site, and write "Executive Salary Summary Q2 2010" on the front. The attacker would then leave the disk on the floor of an elevator or somewhere in the lobby of the targeted company. An unknowing employee might find it and subsequently insert the disk into a computer to satisfy their curiosity, or a good Samaritan might find it and turn it in to the company. In either case, as a consequence of merely inserting the disk into a computer to see the contents, the user would unknowingly install malware on it, likely giving an attacker unfettered access to the victim's PC and perhaps the targeted company's internal computer network. Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted.

Quid pro quo
Quid pro quo means //something for something//:
 * An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.
 * In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen.[6] Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.[7]

Other types
Common confidence tricksters or fraudsters could also be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit. They may, for example, use social engineering techniques as part of an IT fraud. A more recent type of social engineering technique involves spoofing or hacking the IDs of people who hold accounts with popular e-mail providers such as Yahoo!, GMail, Hotmail, etc. Among the many motivations for deception are:
 * Phishing credit-card account numbers and their passwords.
 * Hacking private e-mails and chat histories, manipulating them with common editing techniques, and then using them to extort money or to create distrust among individuals.
 * Hacking websites of companies or organizations and destroying their reputation.
 * Computer virus hoaxes.

Kevin Mitnick
Reformed computer criminal and later security consultant Kevin Mitnick popularized the term "social engineering", pointing out that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system.[8] He claims it was the single most effective method in his arsenal.

The Badir Brothers
Brothers Ramy, Muzher, and Shadde Badir—all of whom were blind from birth—managed to set up an extensive phone and computer fraud scheme in the village of Kafr Kassem outside Tel Aviv, Israel in the 1990s using social engineering, voice impersonation, and Braille-display computers.[9]

=Phishing=

In the field of computer security, **phishing** is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging,[1] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to fool users,[2] and exploits the poor usability of current web security technologies.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures. A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was made in 1996. The term is a variant of //fishing//,[4] probably influenced by //phreaking//,[5][6] and alludes to baits used to "catch" financial information and passwords.

Recent phishing attempts
(Figure caption: A chart showing the increase in phishing reports from October 2004 to June 2005.)

Phishers are targeting the customers of banks and online payment services. E-mails, supposedly from the Internal Revenue Service, have been used to glean sensitive data from U.S. taxpayers.[16] While the first such examples were sent indiscriminately in the expectation that some would be received by customers of a given bank or service, recent research has shown that phishers may in principle be able to determine which banks potential victims use, and target bogus e-mails accordingly.[17] Targeted versions of phishing have been termed **spear phishing**.[18] Several recent phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term **whaling** has been coined for these kinds of attacks.[19] Social networking sites are now a prime target of phishing, since the personal details in such sites can be used in identity theft;[20] in late 2006 a computer worm took over pages on MySpace and altered links to direct surfers to websites designed to steal login details.[21] Experiments show a success rate of over 70% for phishing attacks on social networks.[22] The RapidShare file sharing site has been targeted by phishing to obtain a premium account, which removes speed caps on downloads, auto-removal of uploads, waits on downloads, and cooldown times between downloads.[23] Attackers who broke into TD Ameritrade's database (containing all 6.3 million customers' social security numbers, account numbers and email addresses as well as their names, addresses, dates of birth, phone numbers and trading activity) also wanted the account usernames and passwords, so they launched a follow-up spear phishing attack.[24] Almost half of phishing thefts in 2006 were committed by groups operating through the //Russian Business Network// based in St. Petersburg.[25] Some people are being victimized by a Facebook scam, the link being hosted by T35 Web Hosting, and people are losing their accounts.[26] There are anti-phishing websites which publish exact messages that have been recently circulating the internet, such as FraudWatch International and Millersmiles. Such sites often provide specific details about the particular messages.[27][28]

Link manipulation
Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL,, it appears as though the URL will take you to the //example// section of the //yourbank// website; actually this URL points to the "//yourbank//" (i.e. phishing) section of the //example// website. Another common trick is to make the displayed text for a link (the text between the anchor tags) suggest a reliable destination, when the link actually goes to the phishers' site. The following example link,, appears to take you to an article entitled "Genuine"; clicking on it will in fact take you to the article entitled "Deception". In the lower left-hand corner of most browsers you can preview and verify where the link is going to take you.[29] An old method of spoofing used links containing the '//@//' symbol, originally intended as a way to include a username and password (contrary to the standard).[30] For example, the link might deceive a casual observer into believing that it will open a page on, whereas it actually directs the browser to a page on , using a username of : the page opens normally, regardless of the username supplied. Such URLs were disabled in Internet Explorer,[31] while Mozilla Firefox[32] and Opera present a warning message and give the option of continuing to the site or cancelling. A further problem with URLs has been found in the handling of Internationalized domain names (IDN) in web browsers, which might allow visually identical web addresses to lead to different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as IDN spoofing[33] or homograph attack,[34] phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain.[35][36][37] Even digital certificates do not solve this problem, because it is quite possible for a phisher to purchase a valid certificate and subsequently change content to spoof a genuine website.
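A defender-side illustration of the link tricks described in this section, added here as an example and not part of the original page: a small Python link checker that reports the host a browser will actually connect to (ignoring anything before an '@'), the registrable domain that an anti-phishing toolbar would display, host labels that are internationalized or punycode-encoded, and anchor text that names a different domain than the one the href resolves to. The domain names, the sample e-mail fragment and the `xn--` label are constructed for illustration, and the "last two labels" rule used for the registrable domain is a simplification standing in for a proper public-suffix list.

```python
"""Link checker for the URL tricks described above (subdomain confusion,
misleading anchor text, '@' userinfo, IDN/homograph labels).

Added example, not part of the original page. All hostnames, the sample
mail fragment and the punycode label are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Something that looks like a hostname inside link text, e.g. "yourbank.example".
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.IGNORECASE)
# <a ... href="..."> ... </a>; simplified, sufficient for the constructed sample.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Simplification: a real toolbar would use a
    public-suffix list so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def real_host(url: str) -> str:
    """Host the browser actually connects to; userinfo before '@' is ignored."""
    return (urlsplit(url).hostname or "").lower()


def analyse_link(href: str, display_text: str = "") -> dict:
    """Return the real host, the registrable domain a toolbar should show,
    and a list of findings that make this link worth a second look."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    base = registrable_domain(host) if host else ""
    findings = []

    # '@' trick: everything before '@' in the authority is userinfo, not the host.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}@' precedes the real host {host}")

    # IDN / homograph risk: non-ASCII characters or a punycode 'xn--' label.
    if host and (any(ord(c) > 127 for c in host)
                 or any(label.startswith("xn--") for label in host.split("."))):
        findings.append("internationalized domain name: check for look-alike characters")

    # Misleading anchor text: a host-like string shown to the user whose
    # registrable domain differs from where the href really resolves.
    for shown in HOST_RE.findall(display_text):
        if registrable_domain(shown) != base:
            findings.append(f"text shows {shown} but link resolves to {base}")
            break

    return {"host": host, "registrable": base, "findings": findings}


def scan_html(fragment: str) -> list:
    """Run analyse_link over every anchor in an HTML fragment and return the
    results that raised at least one finding (what a mail client would flag)."""
    flagged = []
    for href, inner in ANCHOR_RE.findall(fragment):
        text = TAG_RE.sub("", inner).strip()
        result = analyse_link(href, text)
        if result["findings"]:
            result["href"] = href
            flagged.append(result)
    return flagged


# Constructed sample: one deceptive link using the '@' trick plus misleading
# anchor text, and one genuine link to the same bank's help pages.
SAMPLE_MAIL = """<p>Dear customer,</p>
<p>Please <a href="http://www.yourbank.example@evil.example/verify">log in at
www.yourbank.example</a> to confirm your details, or visit
<a href="https://www.yourbank.example/help">our help pages</a>.</p>"""


if __name__ == "__main__":
    for hit in scan_html(SAMPLE_MAIL):
        print(hit["href"], "->", hit["host"], "(toolbar would show:", hit["registrable"] + ")")
        for finding in hit["findings"]:
            print("   -", finding)
```

The `registrable` field is the value an anti-phishing toolbar puts in front of the user: for the subdomain trick in the text, a host such as `www.yourbank.example.com` reduces to `example.com`, which is the site actually being visited. Note that `urlsplit` only treats an '@' as userinfo when it appears in the authority part, so an '@' in the path does not trigger the first check.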

Filter evasion
Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing e-mails.[38]

Website forgery
Once a victim visits the phishing website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar.[39] This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL.[40] An attacker can even use flaws in a trusted website's own scripts against the victim.[41] These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.[42] A Universal Man-in-the-middle (MITM) Phishing Kit, discovered in 2007, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture log-in details entered at the fake site.[43] To avoid anti-phishing techniques that scan websites for phishing-related text, phishers have begun to use Flash-based websites. These look much like the real website, but hide the text in a multimedia object.[44]

Phone phishing
Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts.[45] Once the phone number (owned by the phisher, and provided by a Voice over IP service) was dialed, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.[46]

Other techniques

 * Another attack used successfully is to forward the client to a bank's legitimate website, then to place a popup window requesting credentials on top of the website in a way that makes it appear the bank is requesting this sensitive information.[47]
 * One of the latest phishing techniques is tabnabbing. It takes advantage of the multiple tabs that users keep open and silently redirects a user to the affected site.

Damage caused by phishing
The damage caused by phishing ranges from denial of access to e-mail to substantial financial loss. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. United States businesses lose an estimated US$2 billion per year as their clients become victims.[48] In 2007, phishing attacks escalated: 3.6 million adults lost US$3.2 billion in the 12 months ending in August 2007.[49] Microsoft claims these estimates are grossly exaggerated and puts the annual phishing loss in the US at US$60 million.[50] In the United Kingdom losses from web banking fraud—mostly from phishing—almost doubled to GB£23.2m in 2005, from GB£12.2m in 2004,[51] while 1 in 20 computer users claimed to have lost out to phishing in 2005.[52] The stance adopted by the UK banking body APACS is that "customers must also take sensible precautions ... so that they are not vulnerable to the criminal."[53] Similarly, when the first spate of phishing attacks hit the Irish Republic's banking sector in September 2006, the Bank of Ireland initially refused to cover losses suffered by its customers (and it still insists that its policy is not to do so[54]), although losses to the tune of €11,300 were made good.[55]

Anti-phishing software
**Anti-phishing software** consists of computer programs that attempt to identify phishing content contained in websites and e-mail. It is often integrated with web browsers and email clients as a toolbar that displays the real domain name for the website the viewer is visiting, in an attempt to prevent fraudulent websites from masquerading as other legitimate web sites. Anti-phishing functionality may also be included as a built-in capability of some web browsers.

 * Avira Premium Security Suite
 * Windows Internet Explorer 8
 * Firefox 3.0.10
 * Safari 3.2
 * Opera 9.2
 * Netscape 8.1
 * Norton 360
 * McAfee SiteAdvisor
 * Netcraft Toolbar
 * Google Safe Browsing (usable with Firefox)
 * Reasonable Software's Anti-phishing Software
 * eBay Toolbar
 * Earthlink ScamBlocker (recently discontinued)
 * GeoTrust TrustWatch
 * Phishtank SiteChecker
 * CarrotMail
 * Mozilla Thunderbird - e-mail client which warns users of e-mails which may be part of an e-mail scam.
 * Windows Mail, an e-mail client that comes with Windows Vista
 * Gralicwrap free anti-phishing software tool
 * Kaspersky Internet Security
 * ESET Smart Security
 * PineApp Mail-SeCure