Social engineering is a method used to gain unauthorised access to information or IT systems by social action. Social engineering exploits human characteristics such as the willingness to help others, trust, fear, or respect for authority. It can be used to manipulate employees into performing unauthorised tasks. Typical examples of attacks carried out using social engineering include the manipulation of employees by calling them on the telephone and masquerading as one of the following persons:

• A receptionist whose supervisor wants to do something quickly but has forgotten their password and needs it urgently now.
• An administrator who calls because of a system error, since they need the user's password to eliminate the error.

If asked critical questions, the enquiring caller may say that they are somebody "important" or "just a temp".

Another strategy used in systematic social engineering is to build a long-term relationship with the victim. By making numerous trivial telephone calls in advance, the attacker is able to collect information and build trust, which they can then exploit later. Such attacks can also be conducted in several stages by using the knowledge and techniques gained in the previous stages.

Many users know that they are not allowed to give their passwords to anyone else. Social engineers are aware of this and therefore need to find other ways to reach their goals. Consider the following examples:

• An attacker may ask the victim to execute commands or run programs with which the victim is not familiar, for example to help solve an alleged problem with the IT. However, the request could contain disguised commands for changing the data access rights. The attacker may then be able to gain access to sensitive information.
• Many users use a strong password, but then use the same password for several different accounts. If an attacker is running a useful network service (such as an e-mail service) that the users need to authenticate to, then the attacker could obtain the desired passwords and login information. Many users will use the login data for this service for other services as well.

If attackers obtain passwords or other authentication features in an unauthorised manner, for example by means of social engineering, this attack is often also referred to as "phishing" (a combination of the words "password" and "fishing").

When conducting a social engineering attack, the attacker will not always be visible. In many cases, the victims never even find out that they have been exploited. If this is the case, the attacker does not even have to worry about criminal prosecution and also has a source for obtaining additional information later.