Reverse Social Engineering

Reverse social engineering describes a situation in which the target or targets make the initial approach and offer the hacker the information that they want. Such a scenario may seem unlikely, but figures of authority, particularly those with technical or social authority, often receive vital personal information, such as user IDs and passwords, because they are above suspicion. For example, no Help Desk support worker needs to ask a caller for a user ID or password; they solve problems without this information. Yet many users who have IT problems will volunteer these vital security elements to expedite a solution. The hacker does not even have to ask. Reverse social engineering attacks are not reactive, however, as this scenario might suggest.

A reverse social engineering attack creates a situation, advertises a solution, and provides assistance when requested, perhaps as simply as in the following scenario:

A hacker who is a coworker renames or moves a file so that the target thinks that it no longer exists. The hacker suggests that they can get the file back. The target, keen to get on with their work, or concerned that the loss of the information could be their own fault, leaps at this offer. The hacker states that this can only be done if they log on as the target, and may even add that company policy prohibits this. The target then begs the hacker to log on as them and try to reinstate the file. Grudgingly, the hacker agrees, reinstates the original file, and steals the target's user ID and password. The hacker has even enhanced their reputation, so that they receive requests to assist other coworkers. This approach bypasses the regular IT support channels and makes it easier for the hacker to remain unnoticed.

It is not always necessary to be familiar with, or even to meet, a target to use reverse social engineering. Simulating problems or issues with dialog boxes can be effective in a non-specific reverse social engineering attack. The dialog box announces that there is a problem or that an update is necessary to continue, and offers a download to solve it. When the download is complete, the engineered problem disappears and the user continues working, oblivious to the fact that they have breached security and installed malware.

ATTACK GOALS

  • Theft of identity: Hacker receives user ID and password from an authorized user.
  • Theft of information: Hacker uses an authorized user ID and password to gain access to company files.
  • Download malware: Hacker tricks a user into clicking a hyperlink or opening an attachment, thus infecting the company network.
  • Download hacker's software: Hacker tricks a user into clicking a hyperlink or opening an attachment, thus downloading a hacker program, such as a mail engine, that uses company network resources.

Comments

Why do people fall for social engineering techniques?

People are fooled every day by social engineers because they haven't been adequately warned about them. Human behavior is always the weakest link in any security program. And who can blame them? Without the proper education, most people won't recognize a social engineer's tricks because they are often very sophisticated.

This is why I love to learn more about mankind.

What are our weaknesses? Do we trust too fast? Are we to blame for these weaknesses?

Because a social engineer knows these weak spots and exploits them.

I loved the movie Matchstick Men. In this movie a "scammer" gets "scammed" by his own student.
