Study Guide: CompTIA Security SY0-601 Exam: Basic Social Engineering Techniques
Source: https://www.fatskills.com/civil-engineering/chapter/comptia-security-sy0-601-exam-basic-social-engineering-techniques

CompTIA Security SY0-601 Exam: Basic Social Engineering Techniques

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


This guide covers the following CompTIA Security+ exam objective:

- Compare and contrast different types of social engineering techniques.

Essential Terms and Components
- social engineering
- phishing
- smishing
- vishing
- spam
- spam over Internet messaging (SPIM)
- spear phishing
- Dumpster diving
- shoulder surfing
- pharming
- tailgating
- eliciting information
- whaling
- prepending
- identity fraud
- invoice scam
- credential harvesting
- reconnaissance
- hoax
- impersonation
- watering hole attack
- typo squatting
- influence campaign
- principles (reasons for effectiveness)

Social engineering has been around as long as humans. Many people are familiar with face-to-face interactions in which one individual fishes for information in a deceptive way. Social engineering is the process by which an attacker seeks to extract useful information from users, often by just tricking them into helping the attacker. In many circumstances, social engineering is the precursor to more advanced attacks. Social engineering is extremely successful because it relies on human emotions. Common examples include the following:
- An attacker calls a valid user and impersonates a guest, temp agent, or new user, asking for assistance in accessing the network or requesting details on the business processes of the organization.
- An attacker contacts a legitimate user and poses as a technical aide, attempting to update some type of information. The attacker asks for identifying user details that can then be used to gain access.
- An attacker poses as a network administrator, directing the legitimate user to reset the password to a specific value so that an imaginary update can be applied.
- An attacker provides the user with a “helpful” program or agent through email, a website, or some other means of distribution. This program might require the user to enter login details or personal information that is useful to the attacker, or it might install other programs that compromise the system’s security.

The Social Engineer
In the preceding examples, the attacker is using impersonation, a core tactic of social engineers, which simply means someone assumes the character or appearance of someone else. The attacker pretends to be something he or she is not. Impersonation is often used in conjunction with a pretext or an invented scenario. Images of private detectives might come to mind here. In many great movies, such as Catch Me If You Can and Beverly Hills Cop, the drama or humor unfolds as a result of impersonation and pretexting. While social engineering is often used to gain information, usually the attacker uses public information sources to first do reconnaissance of the target. For example, LinkedIn or an organization’s website may be used to identify personnel and their roles and responsibilities within the organization. And while this might seem like just fun and games, in many cases fraud is involved. For example, with identity fraud, a person’s personal information is used without authorization to deceive or commit a crime. In fact, online impersonation is usually a crime. Even just posing online as someone else without that person’s consent is against the law.

Exam Tip:
Social engineering often involves impersonation of some sort. Attackers often use impersonation tactics, which are not easily countered via technology. It is important to understand that the best defense against social engineering is ongoing user awareness and education.

Tailgating
Tailgating is a simple yet effective technique in a social engineer’s arsenal.
It involves piggybacking or following closely behind someone who has authorized physical access in an environment. Tailgating involves appearing to be part of an authorized group or capitalizing on people’s desire to be polite. A common example is an attacker following an authorized person and working to get the person to hold open a secure door to grant access. Many high-security facilities employ mantraps (airlock-like mechanisms that allow only one person to pass at a time) to provide entrance control and prevent tailgating.

Dumpster Diving
As humans, we naturally seek the path of least resistance.
Instead of shredding documents or walking them to the recycle bin, employees often throw them into the wastebasket. Workers also might put discarded equipment into the garbage if city laws do not require special disposal. Intruders know this and scavenge for discarded equipment and documents in an act called Dumpster diving. They can extract sensitive information from the garbage without ever contacting anyone in the organization.
In any organization, the potential risk of an intruder gaining access to this type of information is huge. What happens when employees leave the organization? They clean out their desks. Depending on how long the employees have been there, the material that ends up in the garbage can be a gold mine for an intruder.

Other potential sources of discarded information include the following:
- Organizational directories
- Employee manuals
- Hard drives and other media
- Printed emails
Proper disposal of data and equipment should be part of the organization’s security policy. Companies should have a policy in place that requires shredding of all physical documents and secure erasure of all types of storage media before they may be discarded. Secure erasure is often performed via the use of disk-wiping software, which can delete the data according to different standards.

Shoulder Surfing
Shoulder surfing involves looking over someone’s shoulder to obtain information. It may occur while someone is entering a personal identification number (PIN) at an automated teller machine (ATM) or typing in a password at a computer system. More broadly, however, shoulder surfing includes any method of direct observation and could include, for example, locating a camera nearby or even using binoculars from a distance. With many of these types of methods, user awareness and training are key to prevention. In addition, some tools can also assist here. For example, many ATMs now include mirrors so users can see who might be behind them and better-designed keypads to help conceal keypad entry. Special screen overlays are available for laptop computers to prevent someone from seeing the screen at an angle.
The consequences of getting caught shoulder surfing are low. Simply peering over someone’s shoulder to learn the combination is less risky than, say, breaking open a safe or attempting to open the safe when unauthorized. In fact, a shoulder surfer might not actually be the one to initiate a subsequent attack. Information security attacks have evolved into an ecosystem. The shoulder surfer’s job might be complete after he or she provides or sells the information gleaned to someone else who has more nefarious goals.

Phishing and Related Attacks
In this section, we discuss various attacks—such as phishing, whaling, and vishing—that can also be classified as social engineering but that rely on technical methods to accomplish the goals. Such attacks are attacks on humans and take advantage of human psychology. People tend to trust others. People tend to want to be helpful to those in need. Because of these tendencies, adequate and ongoing training is required to counteract potential attacks.
These techniques by themselves are first and foremost about eliciting information that can directly or indirectly lead to sensitive data loss or other compromise. The information acquired might not have immediate consequences, but the cumulative effect of these techniques combined with other social engineering and technical attacks could have dire consequences for either the individuals or their organization.
Increasingly, social engineering attacks are being conducted electronically. Social engineering conducted via computer systems has different names depending on the target and the method. Such attempts are often classified as spam by electronic communication security systems and never reach the target. Attackers continue to evolve their channels and techniques. Spam over Internet messaging (SPIM), the delivery of spam through instant messaging (IM) instead of email, is one example whose use has increased.
One common method of social engineering via electronic communications is phishing. Phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via electronic communication (usually email). Phishing attacks rely on a mix of technical deceit and social engineering practices. In most cases, the phisher must persuade the victim to intentionally perform a series of actions that provides access to confidential information. As scam artists become more sophisticated, so do their phishing email messages. The messages often include official-looking logos from real organizations and other identifying information taken directly from legitimate websites. For best protection, you must deploy proper security technologies and techniques at the client side, the server side, and the enterprise level. Many organizations now prepend to the subject line some sort of notification if the email is external; this practice is known as prepending. Ideally, users should not be able to directly access email attachments from within the email application. However, the best defense is user education.
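As an added illustration of the prepending control described above (example code written for this guide, not from the study guide or from any particular mail gateway), the following Python function tags the Subject of messages whose real sender address is outside an assumed internal domain, corp.example, and shows why the decision must rest on the address rather than the attacker-controlled display name:

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organisation's own domain(s)
EXTERNAL_TAG = "[EXTERNAL]"

# Constructed sample: the display name imitates an internal address,
# but the real mailbox is outside the organisation.
SPOOFED_DISPLAY_NAME = """\
From: "helpdesk@corp.example" <reset@mail.example.net>
To: user@corp.example
Subject: Password reset required today

Log in at the link below to keep your account active.
"""

# Constructed sample: genuinely internal mail must stay untagged.
INTERNAL_MAIL = """\
From: Alice <alice@corp.example>
To: user@corp.example
Subject: Lunch on Thursday

Same place as last time?
"""

# Constructed sample: a reply within an already-tagged external thread.
ALREADY_TAGGED = """\
From: Vendor <sales@vendor.example.org>
To: user@corp.example
Subject: Re: [EXTERNAL] Invoice 4471

Attached as requested.
"""


def sender_domain(msg: Message) -> str:
    """Domain of the real From address; the display name is ignored on purpose."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].strip().lower()


def is_external(msg: Message) -> bool:
    """A missing or malformed From header yields '' and is treated as external."""
    return sender_domain(msg) not in INTERNAL_DOMAINS


def prepend_external_tag(raw: str) -> str:
    """Return the raw message with EXTERNAL_TAG prepended to Subject when needed."""
    msg = message_from_string(raw)
    if not is_external(msg):
        return raw
    subject = msg.get("Subject", "")
    if EXTERNAL_TAG in subject:      # idempotent: never tag a thread twice
        return raw
    new_subject = f"{EXTERNAL_TAG} {subject}".rstrip()
    if "Subject" in msg:
        msg.replace_header("Subject", new_subject)
    else:
        msg["Subject"] = new_subject
    return msg.as_string()


def subject_after(raw: str) -> str:
    """Subject line a user would see once the gateway has processed the mail."""
    return message_from_string(prepend_external_tag(raw)).get("Subject", "")


if __name__ == "__main__":
    for sample in (SPOOFED_DISPLAY_NAME, INTERNAL_MAIL, ALREADY_TAGGED):
        print(subject_after(sample))
```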

Related social engineering methods with slight differences from basic phishing include the following:
- Spear phishing: This is a targeted version of phishing. Whereas phishing often involves mass emailing, spear phishing goes after a specific individual.
- Whaling: Whaling is identical to spear phishing, except for the size of the fish. Whaling employs spear phishing tactics but goes after high-profile targets, such as an executive within a company.
- Vishing: Also known as voice phishing, vishing uses fake caller ID to appear as a trusted organization and attempts to get an individual to enter account details via the phone.
- Smishing: Also known as SMS phishing, smishing is the use of phishing methods through text messaging.
- Pharming: This term is a combination of farming and phishing. Pharming does not require the user to be tricked into clicking a link. Instead, pharming redirects victims from a legitimate site to a bogus website. To accomplish this, the attacker employs another attack, such as DNS cache poisoning.
Phishing combines technical deceit with the elements of traditional social engineering. Be sure to know the variants of phishing attacks. For the SY0-601 exam, know the differences between spear phishing, whaling, vishing, smishing, and pharming.
In many instances, sensitive information is acquired for a downstream purpose, such as to simply sell the information to someone else, or to use the information to perpetrate a deeper attack within an organization. Credential harvesting is a common goal of phishing campaigns that involves capturing usernames and passwords. A credential harvesting attempt might be in the form of a bogus email designed to get you to log in to your bank. However, the links in the email wouldn’t actually go to your bank’s website but would go to the attacker’s website, which would be designed to look exactly like your bank’s site. From there, the attacker’s goal would be to get you to input and submit your username and password. After that, the site might just return a server error, but it would have captured your credentials. Typically, all of the credentials gathered through such a campaign would be aggregated and subsequently monetized.
Often an initial phishing attempt could be a means to commit fraud. The advance-fee scam is one example. In this scam, a large sum of money is promised, but the target is asked to make a small payment first in order to complete the transaction. Of course, the victim never sees the large return. Invoice scams are another example. In such an attack, the threat actor may use well-researched and carefully crafted emails requesting payment. The hope is that the victim will follow standard processes for paying out invoices, without giving much thought to the details of this particular payment.

Watering Hole Attacks
In many ways, a watering hole attack is like spear phishing, discussed earlier. However, instead of using email, the attacker attacks a site that the target frequently visits.
The goal is often to compromise the larger environment—for example, the company the target works for.
Just as a lion waits hidden near a watering hole that zebras frequent, a watering hole attacker waits at the sites you frequent. In a typical scenario, the attacker first profiles and understands the victim—such as what websites the victim visits and with what type of computer and web browser. Next, the attacker looks for opportunities to compromise any of these sites based on existing vulnerabilities. Understanding more about the victim (for example, type of browser used and activities) helps the attacker compromise the site with the greatest chance of then exploiting the victim. A watering hole attack is commonly used in conjunction with a zero-day exploit—an attack against a vulnerability that is unknown to software and security vendors. By taking advantage of a Cross-site Scripting vulnerability on the visited site, which allows the attacker to execute scripts in the victim’s web browser, the attacker can ensure that the trusted site helps deliver an exploit to the victim’s machine.

Typo Squatting
Typo squatting, also known as URL hijacking, is a simple method used frequently for benign purposes, but it is also easily used for more malicious attacks.
Typo squatting most commonly relies on typographic errors users make on the Internet. It can be as simple as accidentally typing www.gooogle.com instead of www.google.com. Fortunately, in this example, Google owns both domain names and redirects the user who mistyped the domain name to the correct domain. However, a misspelled URL of a travel website might take a user to a competing website. Certainly, any domain name can be slightly misspelled, but some typos are more common than others.
Imagine that you unknowingly and mistakenly type in the wrong URL for your bank; perhaps you just accidentally transpose a couple letters. Instead of being presented with a generic parked domain for a domain registrar (an immediate tip-off that you are in the wrong place), you are presented with a site that looks just like your bank’s. Attackers’ variations and motives can vary, but the simplest attack is to simply record your login information. Perhaps after you try to log in, you see a message saying that your bank is undergoing website maintenance and will be back up in 24 hours. What you probably won’t realize is that the attacker has access to your credentials and knows which site they can be used on.
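The lookalike-domain check a defender might run over links in mail or proxy logs, as an added example that is not part of the original guide; the trusted-domain list and sample URLs are constructed, the registrable-domain logic assumes plain two-label domains, and it goes slightly beyond the two typos named in the text by scoring any one- or two-edit variant (insertion, deletion, substitution, adjacent transposition):

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: the domains this organisation wants to protect.
TRUSTED_DOMAINS = {"google.com", "bank.example"}


def registrable_domain(host: str) -> str:
    """Reduce 'www.Google.com.' to 'google.com'.

    Assumption: the registrable domain is the last two labels; a real
    deployment would consult the public suffix list (co.uk and similar)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (Damerau-Levenshtein) distance: insertion,
    deletion, substitution and adjacent transposition each cost 1, so the
    transposed-letters typo mentioned above counts as a single edit."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def lookalike_of(url: str, max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain that a URL's host imitates, or None.

    Exact trusted matches are not lookalikes; hosts further than
    max_distance from every trusted domain are merely unknown."""
    # Accept bare hostnames as well as full URLs.
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    if not host:
        return None
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return None
    best = None
    for trusted in TRUSTED_DOMAINS:
        dist = edit_distance(domain, trusted)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, trusted)
    return best[1] if best else None


if __name__ == "__main__":
    for link in ("http://www.gooogle.com/", "https://bnak.example/login",
                 "https://www.google.com/", "https://mail.example.net/"):
        print(link, "->", lookalike_of(link))
```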

Hoaxes and Influence Campaigns
Hoaxes are interesting because although a hoax presents a threat, the threat does not actually exist at face value.
Instead, the actions people take in response to the perceived threat create the actual threats. For example, a hoax virus email can consume resources as it is forwarded on. In fact, a widely distributed and believed hoax about a computer virus can result in consequences as significant as an actual virus. Such hoaxes, particularly as they manifest themselves in the physical world, can create unnecessary fear and irrational behaviors. Most hoaxes are passed around not just via email but also on social networks and by word of mouth. Hoaxes often find ways to make the rounds again even years later, perhaps altered only slightly. Snopes.com is a well-known resource that has been around since the mid-1990s. If you are ever in doubt or need help in debunking hoaxes, make this site part of your trusted arsenal.
While most hoaxes may appear benign, they have a more sophisticated counterpart: influence campaigns. While influence campaigns are nothing new, the web, advertising, and social media have recently given influence campaigns greater visibility and awareness. Broadly, an influence campaign involves coordinated actions that seek to affect the development, actions, and behavior of the targeted population. And while there are campaigns that are perfectly legitimate and ethically run by businesses and organizations, influence campaigns have recently come to include hybrid warfare. Conventional warfare is understood to be confrontational and to use infantry and weaponry, but cyberwarfare has recently become common among nations.
While influence campaigns, propaganda, and disinformation have been around for many centuries, their use has expanded largely due to the Internet and, specifically, social media. The Internet has provided an opportunity to widely disseminate information, and social media has provided an opportunity for it to spread. Hybrid warfare can and often does include a combination of these methods, but the psychological, economic, and political influence aspects go beyond just distraction to achieving greater goals, such as dividing public opinion by exploiting societal vulnerabilities.

Principles of Influence (Reasons for Effectiveness)

As stated earlier, social engineering relies on human psychology. In particular, a social engineer is looking to influence another person to gain something, which is most often not in the target’s best interest. In many cases, social engineering combines influence with manipulation. Given this, let’s look at the various principles of influence. The following topics are largely based on the work of Robert Cialdini, Regents Professor Emeritus of Psychology and Marketing at Arizona State University. The key challenge for the various principles of influence is that even though people might recognize a specific principle, they may not easily notice when it is being used against them for nefarious purposes.

The following points summarize key principles of influence and highlight why they are effective:
- Authority: Job titles, uniforms, symbols, badges, and even specific expertise are all elements we often equate with authority. With such proclaimed and believed authority, we naturally feel an obligation to comply. For example, flashing red lights would likely prompt you to pull over, and the specific expertise of the IT security administrator or chief information security officer would probably compel you to divulge your password to aid in troubleshooting. In addition to feeling a sense of obligation, we tend to trust authoritative symbols (many of which are easily forged).
- Intimidation: Authority plays to our sense of duty, and people with authority or power above us are in a position to abuse that power. We might feel that not complying would have a negative impact. Intimidation does not need to necessarily be so severe that one fears physical harm. A social engineer would more likely use intimidation to play on a fear of getting in trouble or getting fired, for example.
- Consensus/social proof: Because people tend to trust like-minded people such as friends and family members, they often believe what others around them believe. Think of the cliché “safety in numbers.” We are more likely to put a tip in a tip jar when it is not empty, for example, and we might hesitate to eat at a restaurant that is empty. A social engineer might mention friends and colleagues to take advantage of this principle; the attacker might say that these trusted people mentioned you, or that they have already complied with whatever you are being asked for. Ambiguous requests or situations are more likely to be acted on with the belief that others are doing the same thing or bought into the same situation.
- Scarcity and urgency: Scarcity is commonly used as a marketing ploy (sometimes more effectively than in other cases). You have certainly heard a pitch about special pricing available to only the first 50 callers. Or perhaps you have heard tales of companies unable to keep up with demand (either real or illusory). We tend to want or value something more if we believe it is less available. We are likely to be more impulsive if we believe something is the last one. A social engineer might use the principle of scarcity to spur someone to quickly act on a request before giving the request more thought. Scarcity tends to work when the victim desires something and, in turn, will act with a sense of urgency. Likewise, a social engineer can use urgency to gain support, perhaps saying that dreadful consequences will occur unless action takes place immediately.
- Familiarity/liking: People tend to comply with requests from those whom they like or have common ground with. Liking often leads to trust. A social engineer might use humor or try to connect more personally through shared interests or common past events and institutions. This can be effective because of our fundamental desire to establish and maintain social relationships with others. Social engineers who can get you to like them often find that you will be helpful because you, too, want to be liked.
- Trust: Trust plays a large role in all of these principles. We trust those with assigned authority. We trust those with specific expertise regarding their subject. Trust typically follows liking. We trust the consensus. Trust further is established and plays out in the idea of reciprocation. We are taught from an early age the Golden Rule: Do unto others as you would have them do unto you. As a result, a social norm is established to create equity in social situations—to return favors and not feel indebted to anyone. The reciprocation that occurs and the equity that is established help build trust.
Be sure to understand how social engineers can use these principles for gain and why these strategies are effective.

Quiz
Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this guide again until you can.
1. Many employees fell for a phishing email that appeared to be from a department head and demanded that employees click on a link and complete an online survey by the end of the day. Which one of the following principles of influence did these employees succumb to?
   A. Authority
   B. Scarcity
   C. Whaling
   D. Social proof
2. At your place of employment, you are rushing to the door with your arms full of bags. As you approach, the woman before you scans her badge to gain entrance while holding the door for you, but she asks to see your badge first. What has she just prevented?
   A. Phishing
   B. Whaling
   C. Tailgating
   D. Intimidation principle
3. Which of the following is an effective way to get information in crowded places such as airports, conventions, or supermarkets?
   A. Vishing
   B. Shoulder surfing
   C. Typo squatting
   D. Phishing
4. An attacker wishes to infect a website that employees at your company often visit in order to infect them with malware. What type of computer attack strategy is the attacker setting up?
   A. Zero-day
   B. Credential harvesting
   C. Identity fraud
   D. Watering hole attack
5. Which of the following is the best defense against social engineering?
   A. Cross-site Scripting
   B. Intimidation
   C. Awareness and education
   D. Influence campaign

Quiz Answers
Answer 1: A. Employees likely felt obligated to quickly comply based on the perceived authority of the email. Often such an email would attempt to replicate the status of the department head by using the appropriate formatting and signature line. Answer C is incorrect. Whaling is a specific phishing attack against an important specific target. Answers B and D describe other principles of influence but are incorrect. Scarcity relies on a sense of urgency due to limited availability. Social proof involves consensus around the trust of like-minded people.
Answer 2: C. Tailgating involves piggybacking, or following closely behind someone who has authorized physical access. Answers A and B are incorrect as they describe attempts to acquire sensitive information. Answer D is one of the principles of influence and is incorrect.
Answer 3: B. Shoulder surfing involves using direct observation techniques. It gets its name from the tactic of looking over someone’s shoulder to obtain information. Answer A is incorrect because vishing involves using a phone to obtain information. Answer C is incorrect because typo squatting relies on typographic errors users make on the Internet. Answer D is incorrect because phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually an email.
Answer 4: D. In a watering hole attack, the attacker attacks a site that the target frequently visits. The goal is often to compromise the larger environment—for example, the company the target works for. Answer A is incorrect. A zero-day attack is a cyberattack targeting a software vulnerability that is unknown to the software vendor or to antivirus vendors. Answer B is incorrect. Credential harvesting is a common purpose of phishing campaigns to capture usernames and passwords. Answer C is incorrect. Identity fraud is the use of a person’s personal information, without authorization, to deceive or commit a crime.
Answer 5: C. It is important to understand that the best defense against social engineering is ongoing user awareness and education. Cross-site Scripting (XSS) is a client-side code injection attack, so answer A is incorrect. Answer B is incorrect because a social engineer may use the principle of intimidation to play on one’s fear of getting in trouble or getting fired. Answer D is incorrect. An influence campaign involves coordinated actions that seek to affect the development, actions, and behavior of the targeted population.