
Human Based Vs Computer Based Social Engineering

Prerna Bhajbhuje
Prerna.bhajbhuje@adypu.edu.in

Abstract
We all either know or have heard about social engineering, and we have also read how an attacker can use the
human mind together with a computer system to capture useful information about organisations or individuals.
This paper gives recommendations on how to protect against attackers who use human-based and computer-based
social engineering methods. Social engineering is a non-technical intrusion method used by hackers that relies
heavily on human interaction and often involves tricking people into breaking normal security procedures. There
is no hardware or software available to protect an enterprise or an individual against social engineering, so it is
essential that good practices be followed. Nowadays there are a number of security tools, such as firewalls and
intrusion detection systems, which are used to protect systems from attack. However, the human element is
frequently the weakest link in the information security chain. In this paper, we show that human psychological
weaknesses are the main vulnerabilities that social engineering attacks exploit.

Keywords: Social Engineering, Human based, computer based, Intrusion, Attacks, Data Privacy, Hacking
Methods, Prevention.

Introduction
Data security and privacy are very important for personal resources, corporate data, and even state secrets,
which across the world face numerous hacking threats. People use various digital gadgets, such as cell
phones, laptops, tablets and desktops, connected by the Internet, to communicate with each other and share
data. Cyber threats exploit vulnerabilities in an organization's security set-up to obtain valuable information, usually
for financial gain. Cyber attacks can cause system disruption and expose information such as credit card
numbers, passwords, and proprietary documents, costing individuals and organizations anywhere from hundreds
to billions of dollars. Sometimes cyber attacks are motivated by a personal dispute or revenge. The Internet is
developing into a medium that goes well beyond web search. Social networking, micro-blogging, etc. are some of
the next-generation services that have gained prominence, and users of these services have real-time two-way
interaction. Human beings can very easily be manipulated into providing information or other details that may
be useful to an attacker. "Malicious social engineers aren't necessarily very technical people but they're cunning
and clever in the way they think," says the chief operating officer of Social Engineer [1]. Today most businesses and
banks rely on technology such as the Internet and smartphones. They pay a lot of money for security tools,
software and hardware, but at the same time an unsuspecting employee can give away all the information
the attacker needs without the attacker going to the trouble of hacking the system. That is what social engineering is
all about: using the human factor, which is the weakest factor in any institute or organization. Humans are easier to hack
than computer systems and networks. Most people are raised to be kind and helpful, leading them to trust
others by default. The concept of bad people taking advantage of the good and honest does not sit well with most
people.

Social engineering is the art of influencing people into performing actions or exposing confidential information.
The term typically applies to trickery for the purpose of information gathering, fraud, identity theft, or
computer system access. Social engineering attacks that include interpersonal interaction involve direct
communication (such as in person or by telephone) or interaction that is mediated through electronic means
(e.g., electronic media, email, and the Internet). Social engineering is the act of gaining either unauthorized access
to a system or sensitive information, such as passwords, through trust and relationship building with
those who have access to such information. A social engineer uses human psychology to manipulate people for his
or her own ends. The most common method for gaining unauthorized access to a company's network is simply
calling specific personnel within the company. This generally involves convincing people over the phone to
give out information, using persuasion tools such as fear, impersonation, and concern.

Social engineering is a non-technical intrusion method used by hackers that relies heavily on human interaction
and often involves tricking people into breaking normal security procedures. Social engineering attacks are
harder to manage because they depend on human behaviour and involve taking advantage of vulnerable
employees. Businesses today must combine technology solutions with user awareness to help
protect corporate data.

Classification

HUMAN BASED METHODS

In human-based social engineering the attacker interacts with the target directly, contacting another
person and then extracting useful information. Attackers use human-based social engineering in
different ways. An intruder might impersonate an employee and then try different methods to gain
access to important data, or give a false identity and ask for sensitive personally identifiable
information.
There is a well-known rule in social interaction that a favour creates an obligation, even if the original
favour is offered without a request from the recipient. This is known as reciprocation. Corporate
environments deal with reciprocation on a daily basis: employees help each other, expecting the same
in return. Social engineers are skilful at taking advantage of this social trait through impersonation.
Pretence as a legitimate User:
Personation is taken to a higher level by assuming the identity of an important employee in order to
add an element of intimidation. The reciprocation factor plays a very important role in this scenario.
The staff in the lower hierarchy helps their seniors, so that they can get a favour from them later and
this will help them in the corporate environment. Hence, an attacker pretends as an important
individual like a Vice President or a Director. Thus, he can easily manipulate an employee by
leveraging their power.
An example will clarify this situation. A help desk employee is less likely to turn down a
request from a director who says he or she is in a hurry and needs some important document or
information for a meeting.
Pretence as Technical Support staff:
Another technique normally followed is to pose as technical support staff. This method is used
particularly when the victim is not skilled in technical areas. The attacker may pretend to be a technician,
hardware vendor or computer-related supplier when approaching the target. For example, a hacker called up
a company without giving his credentials and asked about Internet connectivity issues, checking
whether the network was working well. The confused employee replied that it was the modem that was
giving them trouble. Subsequently the attacker may ask employees to reveal their login information,
including a password, in order to sort out a non-existent problem.
Technical Support Example:
A hacker calls a corporate help desk and says he has forgotten his password. He sounds very anxious
and adds that if he misses the deadline on a very important project, his boss might fire him. The help
desk worker feels sorry for him and resets the password just to help him, innocently giving the hacker
an authenticated entry point into the company's network.

Human-Based Social Engineering Techniques:

The following are some more human-based social engineering techniques:


• Eavesdropping: Eavesdropping is illegally listening to the conversations of others or reading their important
messages. It includes interception of any form of communication, including audio,
video, written, etc.
• Shoulder surfing: Shoulder surfing is the technique of looking over someone's shoulder as he or
she enters information into a device. Identity thieves use shoulder surfing to find out passwords,
personal identification numbers, account numbers and other information, either by simply
looking over a person's shoulder or by watching from a distance through binoculars.
• Dumpster diving: Dumpster diving is the practice of searching for sensitive information in a
company's trash bins, or on or under desks. Hackers can collect the following information:
Phone bills
Contact information
Financial data
Operations-related information
Dumpster Diving Examples
The following is an example of dumpster diving:
• A garbage collector collects dry garbage from a company. Many times they find employee lists
with phone numbers, product information from a marketing department, the company's financial costs,
etc. This type of information is definitely sufficient for a hacker to launch a social engineering
attack.

In-Person Attack
Attackers might actually visit a target site and prefer to survey it personally to get important
information. A great deal of information can be gathered from the desks, recycle bin, or even phone
directories and nameplates. Hackers may disguise themselves as courier delivery person or janitors.
They have been known to hang out as visitors in the lobby. Hackers can pose as businessmen, clients,
or technicians. Once inside, attackers can look for passwords stuck on monitors or important
documents lying on desks, or they may even eavesdrop on confidential conversations.
Tailgating
Tailgating is a technique in which an unauthorized person closely follows an authorized person into a
secured area. The authorized person is not aware of having provided an unauthorized person access to
the secured area.
For example, an unauthorized person, wearing a fake ID, enters a secured area by just closely
following an authorized person through a door requiring key access or authentication.
Piggybacking
Piggybacking is a technique in which an unauthorized person convinces an authorized person to allow
him or her into a secured area. For example, the unauthorized person could pretend that she forgot her
ID badge that day, so the authorized person offers to hold the door to the secured area open for her.
Computer Based Social Engineering
Here we look at a real-life scenario involving a computer-based social engineering
incident that took place in a large e-business enterprise. An employee was asked to send his
photograph by e-mail. Since he did not have one at the time, he asked another person to send
his snapshot. The attachment (a JPEG file) received from the other party contained no photo.
Instead, upon opening the attachment, the hard drive began to spin.
Fortunately, the employee was sophisticated enough to understand the danger of a Trojan horse and
immediately alerted the IT department, who terminated the Internet connection. A Trojan
horse is a piece of malware that appears to be a normal, non-destructive program but contains a virus
hidden inside.
Later investigations revealed that the computer was infected with SubSeven, a most powerful
backdoor. A backdoor is a method of bypassing the usual authentication methods on a system,
potentially allowing remote administration of the system. Eventually, the company reloaded the
computer, rolled back to the day before with a backup tape and stayed offline for three full days
overall.
Computer-based social engineering uses software to retrieve information. The following sections
describe some of the techniques attackers use.
Pop-Up Windows
In this type of social engineering, a window appears on the screen informing the user that he or she
has lost his or her network connection and needs to re-enter his or her username and password. A
program that the intruder had previously installed will then e-mail the information to a remote site.
Mail Attachments
This strategy involves using attachments bearing a title suggestive of a current love affair. There are
two common forms. The first involves malicious code, usually hidden within a file attached to an
e-mail message. The expectation is that an unsuspecting user opens the file, allowing the virus code to
replicate itself. Examples are the "I Love You" and "Anna Kournikova" worms. The latter is also an
example of how social engineers try to hide the file extension by giving the attachment a long file
name: in this case, the attachment is named AnnaKournikova.jpg.vbs. If the name is truncated in the
mail client, it looks like a JPEG file and the user may not notice the .vbs extension. Another, more
recent example is the Vote e-mail worm.
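As an added illustration of the truncation trick just described (this is example code written for this page, not code from the original paper), the following Python function assesses an attachment name the way a mail gateway or client could: it compares the extension the operating system will actually use (the text after the last dot) with what a narrow display column shows, and blocks names where a benign-looking extension hides an executable one. The extension lists and the 18-character display width are assumptions chosen for the example.

```python
import os

# Extensions treated as executable content. Assumed list for this example;
# a real gateway would maintain its own policy.
EXECUTABLE_EXTENSIONS = {".vbs", ".exe", ".scr", ".js", ".bat", ".cmd", ".pif"}

# Extensions a user expects to be harmless documents or images (also assumed).
BENIGN_LOOKING_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".doc"}


def real_extension(filename: str) -> str:
    """The extension the OS actually uses: the text after the LAST dot."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename: str, width: int = 18) -> str:
    """What a narrow mail-client column shows: the name cut at `width` characters."""
    return filename if len(filename) <= width else filename[:width] + "..."


def assess_attachment(filename: str, width: int = 18) -> dict:
    """Return a verdict on one attachment name, with the reasons for blocking it."""
    ext = real_extension(filename)
    # Every "extension" that appears before the final one, e.g. {".jpg"} for a.jpg.vbs
    hidden = {"." + part for part in filename.lower().split(".")[1:-1]}
    shown = displayed_name(filename, width)
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"real extension {ext} is executable")
        if hidden & BENIGN_LOOKING_EXTENSIONS:
            reasons.append("a benign-looking extension precedes the executable one")
        if not shown.lower().endswith(ext):
            reasons.append(f"real extension is not visible in the truncated name {shown!r}")
    return {
        "filename": filename,
        "real_extension": ext,
        "displayed": shown,
        "block": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample names: the worm's name from the text, a plain image, a bare executable.
    for name in ("AnnaKournikova.jpg.vbs", "holiday_photo.jpg", "report.exe"):
        print(assess_attachment(name))
```

For `AnnaKournikova.jpg.vbs` the function reports the real extension `.vbs` while the truncated display reads `AnnaKournikova.jpg...`, which is exactly the mismatch a user would miss and a gateway should not.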
The second, equally effective approach involves sending a hoax e-mail asking users to delete
legitimate files (usually system files such as jdbgmgr.exe). Another method is clogging e-mail
systems by sending false warning e-mail regarding a virus and asking targeted users to forward the
mail messages to friends and acquaintances. Such an attempt can be dangerous to the e-mail system of
an organization.
Web Sites
Attackers can use Web sites to perform social engineering. This involves a ruse to get an unwitting
user to disclose potentially sensitive data, such as a password used at work. Some methods
include using advertisements that display messages offering free gifts and holiday trips and then
asking for a respondent's contact e-mail address, as well as asking the person to create a password.
This password may be similar to, if not the same as, the one that the target user uses at
work. Many employees enter the same password that they use at work, so the social engineer now has
a valid username and password with which to enter an organization's network.
Instant Messenger
Using this method, an attacker chats with a targeted online user to gather personal information such as
birth dates and maiden names. The attacker then uses the acquired data to crack the user’s accounts.
Phishing
Phishing is a technique in which an attacker sends an e-mail or provides a link falsely claiming to be
from a legitimate site in an attempt to acquire a user's personal or account information. The same
technique can also be applied on a Web page.
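As an added example of how a mail filter can catch the "link falsely claiming to be from a legitimate site" pattern (this is illustrative code written for this page, not code from the paper or from any product), the following Python uses only the standard library to pull every link out of an HTML message body and flag two things: a link whose visible text names one domain while its href leads to another, and a link whose host merely embeds a trusted brand domain as a subdomain of something else. The sample message, the `example-bank.com` brand domain and the `attacker.test` host are constructed for the example, and the two-label `registrable_domain` helper is a simplification that ignores public suffixes such as `co.uk`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Something that looks like a host name: labels separated by dots, alphabetic TLD.
DOMAIN_RE = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def domain_in_text(text):
    """First host-name-looking token in the link's visible text, or None."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower() if m else None


def registrable_domain(host):
    """Last two labels of a host. Assumption: no public-suffix list is used,
    so 'example.co.uk' would be reduced to 'co.uk' by this simplification."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_suspicious_links(html_body, trusted_domains=()):
    """Flag links whose visible text names one domain while the href goes to another,
    and links that embed a trusted brand domain inside an unrelated domain."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlparse(href).hostname
        if not target:
            continue  # mailto:, relative or empty hrefs are out of scope here
        target_reg = registrable_domain(target)
        shown = domain_in_text(text)
        if shown and registrable_domain(shown) != target_reg:
            findings.append({"href": href, "text": text,
                             "reason": "visible domain differs from link target"})
            continue
        for brand in trusted_domains:
            if brand in target and target_reg != brand:
                findings.append({"href": href, "text": text,
                                 "reason": f"{brand} appears inside an unrelated domain"})
    return findings


# Constructed sample message (not from the paper): one deceptive link, one genuine.
SAMPLE_MAIL = """
<p>Your account is locked. Visit
<a href="http://www.example-bank.com.attacker.test/verify">https://www.example-bank.com/verify</a>
to restore access, or read our <a href="https://www.example-bank.com/help">help page</a>.</p>
"""

if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_MAIL, trusted_domains=("example-bank.com",)):
        print(finding)
```

Only the first link is reported: its text shows `www.example-bank.com` but the href resolves to `attacker.test`. The genuine help link passes both checks, which is the behaviour a filter needs so that legitimate mail from the brand is not blocked.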
Case Example
The Revenue department annually processes millions of tax returns, which are then converted
into electronic records. The information contained in these records is protected by law and considered
sensitive. Holding this type of information could make the Revenue department a target for
computer hackers, individuals who attempt to gain unauthorised access to computers or
computer networks.
The Revenue department has made significant efforts to secure the perimeter of its computer network
from external cyber threats. Because hackers cannot gain direct access to the Revenue department
through these Internet gateways, they are likely to seek other methods. (A gateway is a node (router)
in a computer network, a key stopping point for data on its way to or from other networks. Thanks to
gateways, we are able to communicate and send data back and forth.)
One such method is social engineering, which is the process of gaining information from people,
often through deception, for the purpose of finding out about an organisation and its computer resources.
One of the most common strategies is to convince employees of that organisation to reveal their
passwords.
In order to test their employees, with the assistance of a contractor, the Revenue department
conducted social engineering tests on employees. The specially designated team for this purpose
placed calls to 100 employees and asked them to change their passwords as per department’s
suggestion. Of those employees called, 70 were willing to accommodate the team’s request.

The employees gave the following reasons behind the acceptance of request:
• They were unaware of social engineering techniques or the security requirements to protect their
passwords.

• They wanted to assist in any possible way once the team members identified themselves as IT help
desk personnel.

• They were having network problems and the call appeared legitimate.

• Although they questioned the identity of a caller and could not identify the caller’s name, which was
false, in the global e-mail address book, still they changed their passwords anyway.

• They were cautious, but their managers gave them approval to assist the team.

Prevention

Nowadays several tools and techniques have been designed to prevent social engineering attacks. Using these
tools makes organizations less vulnerable [1]. According to Douglas Twitchell, there are currently three ways
commonly suggested to defend against social engineering attacks: education, training and awareness; policies;
and enforcement through auditing.
• Organization’s employees or individuals can be educated through training and awareness which can make
them more reluctant to disclose personal information. In depth security training of the employees should be
conducted. This reduces the risk of social engineering attack and makes the organization less vulnerable.
• Policies should be made which provides instructions to the employees on proper handling of company’s or
personnel information and user data.
• Audits must be conducted in order to ensure that the employees of the organization are following the policies
and procedures.
• Hard copies of organizational data, records, or personal information must be destroyed before being
discarded. Common effective methods for destroying hard copy information include shredders and fireboxes.
• Employees or individuals should be trained to question the credentials of the person who is calling himself to
be in authoritative position in that organization.
• Organizations should be careful about what they post on their company's website. Company details
such as the names of people in positions of authority and their contact numbers should be left out.

The most important thing that we can do to avoid becoming the victim of an attacker is to be aware of common
tricks like those I have mentioned in this paper. Never give out any confidential information, or even seemingly
non-confidential information, about you or your company, whether over the phone, online, or in person, unless
you can first verify the identity of the person asking and that person's need to have the information. You get a
call from your credit card company saying your card has been compromised? Say okay, you'll call them back, and
call the number on your credit card rather than speaking to whoever called you. Always remember that real IT
departments and your financial services will never ask for your password or other confidential information over
the phone. Also, make good use of your shredder and dispose of your digital data properly. You can protect
yourself from phishers, scammers, and identity thieves, but there's only so much you can do if a service you use
is compromised or someone manages to convince a company that they're you. You can, however, take a couple
of preventive measures yourself.
• Use different logins for each service and secure your passwords: Always use the different password for all
services. And make sure your passwords are strong and complex so they’re difficult to guess.
• Use two-factor authentication: This makes it harder for thieves to get into your account, even if your
username and password are compromised.
• Get creative with security questions: The additional security questions websites ask you to fill in are supposed
to be another line of defence, but often these questions are easily guessed or discoverable (e.g. where you were
born).
• Use credit cards wisely: Credit cards are the safest way to pay online (better than debit cards or online
payment systems like Paytm and PhonePe) because of their strong protections. If you use a debit card and a hacker
gets access to the number, your entire bank account could be drained. You can further secure your credit card
by not storing card numbers on websites, or by using disposable or virtual card numbers.
• Frequently monitor your accounts and personal data: To be on the lookout for both identity theft and credit
card fraud, check your account balances and credit score regularly. Several services offer free ID theft
monitoring, credit monitoring, and alerts on questionable credit charges. You can even use Google Alerts as an
identity theft watchdog.
• Remove your info from public information databases: Sites like Google, Yahoo and People Finders publish our
private information (like address and date of birth) online for all to see. Remove yourself from these lists with
this resource.

These steps won't prevent your account from being compromised if a service provider falls for a social
engineering hack and hands your account over to the attacker, but they may at least minimize the possible
damage and give you more peace of mind that you're doing as much as you can to protect yourself. Since
there is neither hardware nor software available to protect an enterprise or individual against social engineering,
it is essential that good practices be implemented. Some of those practices might include:
• Require anyone there to perform service to show proper identification. Make certain that the reception area
has been trained to verify all service personnel and that there are procedures in place for the receptionist to
summon assistance quickly.
• Establish a standard that passwords are never to be spoken over the phone. When contacting the help desk
to have a password reset, the organization should establish a set of phrases or words known only by the user.
The help desk can then reset the password to one of those words.
• Implement a standard that prevents passwords from being left lying about. Because employees now average
around eight access accounts and passwords (information technology employees average twenty accounts), it
is no longer possible to prevent the writing down of accounts and passwords. The new requirement should place
the importance on the classification of passwords and confidential information and require the employees to
treat them accordingly.
• Implement caller ID technology for the Help Desk and other support functions. Many facilities have different
ring tones based on inter-office phone calls as opposed to calls that originate from outside. Employees need to
be trained to not forward outside calls. Take down the name and number of the call and forward the message
on to the proper person.
• Invest in shredders and have at least one shredder in each organisation. The size of the shredder should
be based on how much confidential information is present in the office area. Eliminate confidential information
collection bins. Require shredding, not storing.

Policies, procedures and standards are an important part of an overall anti-social engineering campaign.
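As an added example of the help-desk reset rule listed above (this code is written for this page and is not from the paper or from any product), the following Python class stores the phrases a user registered in person only as salted PBKDF2 hashes, verifies a caller's spoken phrase with a constant-time comparison, records every attempt in an audit log so that the auditing the paper calls for has something to examine, and then hands out a random one-time temporary password rather than one of the phrases themselves, a common hardening of the rule as stated. The class and method names, the PBKDF2 work factor, the sample user and phrases, and the audit-record fields are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from datetime import datetime, timezone


class HelpDeskResetPolicy:
    """Phone password resets gated on a phrase known only to the user.

    Hypothetical class written for this example. Phrases are stored as salted
    PBKDF2-HMAC-SHA256 digests, so a leaked phrase store does not reveal them.
    """

    PBKDF2_ROUNDS = 100_000  # assumed work factor for the example

    def __init__(self):
        self._phrases = {}   # username -> list of (salt, digest)
        self.audit_log = []  # one record per reset attempt, success or not

    @classmethod
    def _digest(cls, salt: bytes, phrase: str) -> bytes:
        # Normalise case and whitespace so a phrase read out over the phone matches.
        normalised = " ".join(phrase.lower().split()).encode("utf-8")
        return hashlib.pbkdf2_hmac("sha256", normalised, salt, cls.PBKDF2_ROUNDS)

    def register_phrases(self, username: str, phrases) -> None:
        """Called when the user sets up phrases in person, never over the phone."""
        entries = []
        for phrase in phrases:
            salt = os.urandom(16)
            entries.append((salt, self._digest(salt, phrase)))
        self._phrases[username] = entries

    def verify_caller(self, username: str, spoken_phrase: str) -> bool:
        """True if the spoken phrase matches any registered phrase for the user."""
        matched = False
        for salt, stored in self._phrases.get(username, []):
            # Constant-time compare; keep looping so timing does not reveal which matched.
            if hmac.compare_digest(stored, self._digest(salt, spoken_phrase)):
                matched = True
        return matched

    def reset_by_phone(self, username: str, spoken_phrase: str, caller_id: str):
        """Return a one-time temporary password on success, None on failure.

        Every attempt is logged so auditors can spot repeated failed resets
        against one account or from one caller number.
        """
        ok = self.verify_caller(username, spoken_phrase)
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "username": username,
            "caller_id": caller_id,
            "verified": ok,
        })
        if not ok:
            return None
        alphabet = string.ascii_letters + string.digits
        # Random temporary password the user must change at first login; never a phrase.
        return "".join(secrets.choice(alphabet) for _ in range(16))


if __name__ == "__main__":
    policy = HelpDeskResetPolicy()
    policy.register_phrases("jdoe", ["blue heron", "copper kettle"])  # constructed sample
    # The anxious "my boss will fire me" story from the paper is not a phrase, so no reset.
    print(policy.reset_by_phone("jdoe", "my boss will fire me", "+1-555-0100"))
    print(policy.reset_by_phone("jdoe", "Blue Heron", "+1-555-0100"))
```

The point of the design is that sympathy, urgency or a claimed job title give the help desk nothing to act on: the only input that changes the outcome is the phrase, and a wrong phrase still leaves a timestamped record for the auditor.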
To be effective, a policy should meet the following requirements:
• It should not contain standards or directives that may not be attainable. When creating standards, work with
the user community to establish what can be accomplished immediately. Once these actions have been
implemented, assess the process every six months and act accordingly.
• It should emphasise what can be done and stay away from what isn't allowed as much as possible. Spell out to
the employees what they can and should do.
• It should be brief and to the point. Our employees don't have a lot of spare time. Tell them what is required
and leave the justifications to the security awareness program.
• It needs to be reviewed on a regular basis and kept current. Nothing lasts forever. As others have discussed in their
research papers, assess the process every six months and make adjustments as required.
• The message and standards should be easily accessible to the employees and available through the company
intranet. Keep the user base informed. Use an internal web site to answer questions and give advice.

Employee Education Is the Key
To be effective, policies, procedures and standards must be taught and reinforced to the
employees. This process must be ongoing and must not exceed three months between reinforcement times. It
is not enough to just publish policies and expect employees to read, understand and implement what is required.
They need to be taught what is important and how it will help them do their job. This training
should begin at new employee orientation and continue throughout employment. When a person becomes an ex-
employee, a final reminder should be given during the exit interview process. Another method to keep
employees informed and educated is to have a web page dedicated to security, updated regularly.
Employees should also be taught to recognise the warning signs of a social engineering attempt. These signs
might include such behaviours as: refusing to give contact information, rushing the process, name-dropping,
intimidation, small mistakes, requesting forbidden information or access, etc. As part of this training
or education process, reinforce a good catch: when an employee does the right thing, make sure they receive
proper recognition. Train the employees on who to call if they suspect they are being social engineered. Apply
technology where you can. Consider implementing call tracing if possible or at least caller ID where available.
Control overseas long distance service on most phones. Ensure that physical security for the building and
sensitive areas is effective.

2016: United States Department of Justice


In 2016, the United States Department of Justice fell for a social engineering attack that resulted in the leak of
personal details of 20,000 FBI and 9,000 DHS employees. The hacker claimed that he downloaded 200 GB of
sensitive government files out of a terabyte of the data to which he had access.[6]
The attack began with the hacker gaining access to the email account of a DOJ employee through unknown
means. After this, he attempted to access a web portal which required an access code that he didn’t have. Rather
than give up, the attacker called the department’s number and, claiming to be a new employee, asked for help,
resulting in them giving him their access code to use. With this code, he was able to access the DOJ intranet
using his stolen email credentials, giving him full access to three different computers on the DOJ network as well
as databases containing military emails and credit card information. He leaked internal DOJ contact information
as proof of the hack, but it is unknown what else he had access to and might have stolen off of the DOJ Intranet.

RESULTS
A fundamental question is: how much privacy is enough? Social media companies have to balance the
need for user privacy with law enforcement needs. Facebook, in its 2010 policy guide, states that
falsifying profile information will lead to the user account being disabled. But checking the reliability of
the profile information for each of several hundred million users is an impossible task. Craigslist
allows its users to flag a posting into one of several categories, if they choose to. While policies and
practices have been defined in India, the U.S. and many other countries, this is not true globally. This may
be because of low Internet penetration, blocking of all or many social media sites, close government
monitoring of Internet user activities, etc. But with the growth of cellular networks, Internet access is
becoming more prevalent and cheaper in many countries. This means that in a few years, countries
that do not have well-defined social media security policies will have to rethink this issue to fill the policy
gap. Even though people had participated in some form of training, many were still willing to share
their passwords. Unfortunately, our other options for improving security are limited. Password
strength may be improved through technical means and system requirements. However, people are
people and are often the weakest link in the security process.

CONCLUSION

Comparing human-based with computer-based social engineering, I think computer-based social
engineering is the less effective of the two, because users do not always keep every piece of their
personal information up to date online, whereas in human-based social engineering attackers can easily get
the information they want directly from the user. It means it is very easy for a skilled attacker to gather
information about an organization just by gaining the trust of, and being friendly with, the user. This
technique of capturing information has been used for a long time, but it came to notice only recently.
Previously, people and organizations were not much aware of these security breach practices and of
techniques for securing information, but nowadays information security is the main concern of the
corporate world. A key mechanism for combating social engineering must be the education of potential
victims, in order to raise their awareness of the techniques and how to spot them. To protect against
social engineering, employee or individual education, training and awareness is the key. Policies,
procedures and standards are an important part of an overall anti-social engineering campaign.
References

1. Kumar, A., Chaudhary, M. and Kumar, N., 2015. Social engineering threats and awareness: a
survey. European Journal of Advances in Engineering and Technology, 2(11), pp. 15-19.
2. https://www.researchgate.net/publication/312020665_Social_Engineering_I-E_based_Model_of_Human_Weakness_for_Attack_and_Defense_Investigations
3. https://www.scirp.org/Journal/PaperInformation.aspx?PaperID=87360
4. Greitzer, F.L., Strozer, J.R., Cohen, S., Moore, A.P., Mundie, D. and Cowley, J., 2014, May.
Analysis of unintentional insider threats deriving from social engineering exploits. In 2014 IEEE
Security and Privacy Workshops (pp. 236-250). IEEE.
5. Janczewski, L.J. and Fu, L., 2010, October. Social engineering-based attacks: Model and New
Zealand perspective. In Proceedings of the International Multiconference on Computer Science
and Information Technology (pp. 847-853). IEEE.
6. https://resources.infosecinstitute.com/the-top-ten-most-famous-social-engineering-attacks/#gref