Reverse social engineering describes a situation in which the target or targets make the initial approach and offer the hacker the information that they want. Such a scenario may seem unlikely, but figures of authority, particularly technical or social authority, often receive vital personal information, such as user IDs and passwords, because they are above suspicion. For example, no Help Desk support worker would ask for a user ID or password from a caller; they solve problems without this information. Many users who have IT problems will volunteer these vital security elements to expedite a solution. The hacker does not even have to ask. Despite what this scenario suggests, social engineering attacks are not reactive.
A social engineering attack creates a situation, advertises a solution, and provides assistance when requested, perhaps as simply as in the following scenario:
A coworker hacker renames or moves a file so that the target thinks that it no longer exists. The hacker speculates that they can get the file back. The target, keen to get on with their work, or concerned that the loss of the information could be their own fault, leaps at this offer. The hacker states that this could only be done if they were to log on as the target. He or she may even say company policy prohibits this. The target will beg the hacker to log on as them and try to reinstate the file. Grudgingly, the hacker agrees, reinstates the original file, and steals the target’s user ID and password. He or she has even embellished their reputation such that they receive requests to assist other coworkers. This approach can bypass the regular IT support channels and make it easier for the hacker to remain unnoticed.
It is not always necessary to be familiar with, or even to meet, a target to use reverse social engineering. Imitating problems or issues using dialog boxes can be effective in a non-specific, reverse social engineering attack. The dialog box announces that there is a problem or that an update is necessary to continue. The dialog box offers a download to solve the problem. When the download is complete, the engineered problem disappears, and the user continues working, oblivious to the fact that they have breached security and downloaded a malware program.
- Theft of identity: Hacker receives user ID and password from authorized user.
- Theft of information: Hacker uses authorized user ID and password to gain access to company files.
- Download malware: Hacker tricks a user into clicking a hyperlink or opening an attachment, thus infecting the company network.
- Download hacker’s software: Hacker tricks a user into clicking a hyperlink or opening an attachment, thus downloading a hacker program, such as a mail engine, that uses company network resources.