Social Engineering is a technique used to deceive a targeted end user into giving up sensitive information that can be used for infrastructure reconnaissance, criminal activity, or to gain access to sensitive institutional data containing personally-identifiable information, commonly referred to as PII. Most often, the targeted information is credit card and banking information, followed by Social Security numbers, usernames and passwords. The social engineer may use e-mails, voice messages, phone calls or even in-person visits while masquerading as a legitimate trusted source such as a parent, end user, vendor or student.
The language used by the social engineer is often persuasively urgent, for example: "please enter your password before your account expires" or "to increase your quota, please log into your account now". The social engineer may also use "verification of configuration" language during a phone call or in-person visit to the targeted location or individual that appears legitimate and official in nature. The specific types of social engineering attacks are described in more detail below.
Phishing
Phishing scams are probably the most common type of social engineering attack used today. Most phishing scams, carried out by email, share the following characteristics.
- The sole goal is to obtain personal information such as names, Social Security numbers, addresses and other forms of personally-identifiable information (PII) that can be used to build a profile of an individual for cybercrime or identity theft.
- Most, if not all, phishing scams create a sense of fear or urgency in an attempt to trick the user into supplying the requested information.
- Phishing emails tend to use hyperlinks that, when hovered over with the mouse pointer, reveal a destination that is not legitimate. For example, a link that appears to direct you to the Pace email system will, on hovering, reveal that it in fact redirects you to a site other than the intended website.
- They commonly copy the text, logos, images and page styling of the legitimate website to make the message look genuine. The emails also mimic the wording or tone of prior messages from system administrators or system notification communications, adding another layer of legitimacy.
- They normally use a spoofed or forged sender's email address from within the organization, making the email appear to come from inside the organization itself.
Some phishing emails are poorly crafted, with grammatical and spelling errors that make them easier to detect, but most appear legitimate in content and design, so our user community needs to err on the side of caution when interacting via email. For more information on phishing email, please visit our information page.
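As an added illustration of the "hover over the link" check described above (this is example code, not part of the original page), the following Python script parses an HTML email body and flags anchors whose visible text names one host while the href actually points to another. The sample message body and the hostnames in it are constructed.

```python
"""Flag anchors in an HTML e-mail body whose visible text names one host
while the href points to another. Added example; sample body is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one deceptive link and one honest link.
SAMPLE_BODY = """
<p>Your mailbox is almost full. To increase your quota, please log in now:</p>
<a href="http://mail-quota-update.example.net/login">https://mail.pace.edu</a>
<p>Questions? See <a href="https://www.pace.edu/its">www.pace.edu/its</a>.</p>
"""

# Pulls a bare hostname out of link text such as "https://mail.pace.edu/owa".
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_deceptive_links(html_body):
    """Return [(href_host, text_host)] for each anchor whose visible text
    names a different host than the one the href really targets."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        match = HOST_RE.search(text)
        if match is None:
            continue  # text like "click here" names no host, nothing to compare
        text_host = match.group(1).lower()
        if text_host != href_host:
            findings.append((href_host, text_host))
    return findings

if __name__ == "__main__":
    for href_host, text_host in find_deceptive_links(SAMPLE_BODY):
        print(f"link displays {text_host} but actually goes to {href_host}")
```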
Tailgating, Piggybacking, or Hovering
Tailgating, piggybacking and hovering are a different type of social engineering attack. These attacks are carried out by someone who lacks the proper access to an area or critical system and attempts to gain that access by using an employee who does have it as a cover or key.
Tailgating or piggybacking is commonly done by waiting near the targeted area's gate or door. The attacker typically targets a distracted user and follows them through the gate or door, thereby gaining access to a restricted area. In mid-level institutions such as our University, a conversation can be struck up with an unsuspecting user and continued as the attacker follows that user into a restricted area such as Finance or the Office of the Registrar. Users should be aware of their surroundings at all times and ensure that the credentials of unfamiliar faces are verified before those people gain access to these areas.
Hovering is typically done without the user's knowledge. This type of attack is very common and easily performed by standing over a user's shoulder as he or she enters credentials into a critical system portal. The attacker obtains login information by observing the end user's keystrokes and later uses the disclosed username and password to access that system. If your workstation is located in a publicly accessible area, be diligent in identifying a potential "hoverer" and preventing the disclosure of your access credentials and login information.
Baiting
Baiting is very similar to phishing, but what distinguishes it from other types of social engineering is the promise of goods, services or monetary compensation that the hacker uses to attract the victim. A good example of this type of attack is the unsuspecting victim "finding" some type of removable media such as a USB thumb drive or floppy disk. The end user thinks it is their lucky day, takes the removable media and inserts it into their workstation or home computer, unknowingly becoming infected by the malware or virus the attacker has placed on the device. Never trust a removable media device that is found or left in a public location. These are more than likely deliberately placed devices whose sole purpose is to infect the unsuspecting recipient's machine! Always be wary of emails or phone calls offering compensation for access or information.
Pretexting
Pretexting is another type of social engineering attack in which the hacker focuses on creating a fabricated scenario or situation that they can use to steal the victim's personal information. Pretexting most often involves a scam where the hacker pretends to need certain information in order to confirm or verify the identity of the person he or she is communicating with. Once a level of trust is established with the target user, the attacker will ask a series of questions designed to gather key identifiers from the end user, such as a Social Security number, your mother's maiden name, place of birth or your favorite pet's name. This information is commonly used by systems as answers to security questions and, if obtained, can lead to a compromised account. It is important to remember that this type of information should be closely guarded and never disclosed.
Quid Pro Quo
Quid pro quo by definition means something for nothing. In a typical attack, a hacker will call random numbers within a company claiming to be a technical support technician or system administrator who is trying to fix a technical issue. If enough calls are placed without detection, the hacker will eventually reach an end user with a legitimate problem. While "fixing" the problem, the hacker will have the user type DOS commands or divulge information about other systems in the department, allowing the hacker to access critical network infrastructure or systems. All Pace University end users should be aware of this type of attack, as it happens at the busiest times of the year within all departments of the University. Verify who you are speaking with before you divulge critical information that could lead to compromising University-owned systems, information or PII. Questions like "what is your extension so I can call you right back?" or "what helpdesk ticket number is this in reference to?" will quickly determine whether this is a legitimate call or an attack.
NOTE: Information Technology Services does not request account verification or network configuration information (such as your password or IP address) by email or phone unless you have initiated the contact through a helpdesk ticket or phone call. If you receive an email or phone request for this information, it is a targeted phishing attack. Please contact the ITS helpdesk at (914) 773-3333 externally or ext. 33333 internally to report this incident immediately.