Social engineering means using deception and manipulation to obtain confidential information. It is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it.
In computer security, social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will gain him/her unauthorized access to a system and the information that resides on that system. Typical examples of social engineering are phishing emails or pharming sites.
One example of malware using social engineering tricks is Skype Defender, which was discovered in October 2007. The malware poses as a security plug-in, and infected users are prompted to log into their Skype accounts. The Trojan cleverly displays what looks like a Skype login screen; if a user enters a Skype username and password, the Trojan displays a message saying that the name and password are unrecognized. Behind the scenes, this information – as well as all usernames and passwords saved in Internet Explorer – is sent to a hacker-controlled Web site.
Another example is the Storm Worm that infected computers worldwide throughout 2007. According to a security study, the Storm Worm’s creators “released thousands of variants and changed coding techniques, infection methods and social engineering schemes far more than any other threat in history” and “created the largest peer-to-peer botnet ever.” Experts said that the Storm Worm’s creators had been very adept at crafting socially engineered messages persuasive enough or tempting enough to get people to launch files or click on links.
Experts warn that attacks are shifting from technology to social engineering. In the last half of 2007, phishing attacks increased by around 500 percent and targeted Trojans by 150 percent.
“It shouldn’t come as any surprise that, as we improve the security of the operating systems and the infrastructure on the internet, the attacks are moving to applications and social engineering, including phishing scams,” said a Microsoft vice president speaking at a security conference in October 2007.