Social Engineering!


History

An early form of social engineering was practiced in the 1980s with phreaking. Phreakers called telephone companies, pretended to be system administrators, and asked for new passwords, which they eventually used to make free modem connections.

Basic Pattern

The basic pattern of social engineering can be seen in bogus phone calls: the social engineer calls employees of a company and pretends to be a technician who needs confidential access data to complete important work. Beforehand, he has gathered small pieces of information about procedures, everyday office talk and the corporate hierarchy from publicly available sources or earlier phone calls; these help him pose convincingly as an insider and manipulate people. He also confuses his technically inexperienced victim with jargon, builds rapport through small talk about supposedly shared colleagues, and exploits respect for authority by threatening to involve the victim's superiors if they do not cooperate. In some cases, the social engineer has already learned in advance that a particular employee has actually requested technical help and is expecting such a call.

Despite its seeming banality, the method repeatedly succeeds in spectacular data thefts. In 2015, for example, an American student managed to open the private e-mail account of the then CIA director Brennan and access it for three days.

In automated social engineering, also known as scareware, special malicious programs are used that frighten the user and thus induce them to take certain actions.

Phishing (Another Form)

A well-known variant of social engineering is phishing. This impersonal variant uses bogus e-mails, presented in a trustworthy-looking way, sent to potential victims. The message may claim, for example, that a service the recipient uses has a new URL and that they should log in there from now on. The bogus page is a copy of the service provider's original website in layout and presentation, meant to lull the victim into a false sense of security. Anyone who falls for it hands their login name and password to the criminals. Another possibility is that the victim is asked by an alleged administrator to reply with their login data because of supposed technical problems. The basic pattern is similar to the bogus phone call, since here too the social engineer usually poses as a technical employee who needs the secret information to check or restore data. Unlike there, however, the attacker usually has little more than the recipient's e-mail address, which makes the attack less personal and therefore less effective.
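As an added illustration of the lure just described (example code written for this page, not from the original post), the following Python checks a mail body for the two signals the paragraph names: a link whose visible text shows the service's real address while the href points elsewhere, and a link host that imitates a protected domain, combined with the "new URL, log in from now on" wording. The protected domain `examplebank.test`, the lure phrases and the sample message are all constructed placeholders, not real services or real mail.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of legitimate domains a mail filter is configured to protect.
# "examplebank.test" is a placeholder, not a real bank.
KNOWN_SERVICES = ("examplebank.test",)

# Constructed phrases matching the lure described in the text.
LURE_PHRASES = ("new url", "log in", "from now on", "verify your account")


class LinkExtractor(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: the last two DNS labels (sufficient for the sample data)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host):
    """Return the protected domain this host imitates, or None if legitimate/unrelated."""
    dom = registrable_domain(host)
    if dom in KNOWN_SERVICES:
        return None
    for legit in KNOWN_SERVICES:
        brand = legit.split(".")[0]
        # Brand name embedded in a foreign domain, or with the common l->1 swap.
        if brand in dom or brand.replace("l", "1") in dom:
            return legit
    return None


def analyze_links(html_body):
    """Return (finding, host) tuples for suspicious links in the body."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # Visible text shows one URL while the href points somewhere else.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(("display_mismatch", host))
        # The link host imitates a domain we protect.
        if lookalike_of(host):
            findings.append(("lookalike", host))
    return findings


def lure_hits(html_body):
    """Return the lure phrases present in the tag-stripped, lowercased body."""
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    return [p for p in LURE_PHRASES if p in plain]


def is_suspicious(html_body):
    """Combine both signals: lure wording plus at least one bad link."""
    return bool(lure_hits(html_body)) and bool(analyze_links(html_body))


# Constructed sample mail reproducing the "new URL" lure from the text.
SAMPLE_MAIL = """\
<p>Dear customer, our online banking has moved to a new URL.
Please log in at
<a href="http://examplebank-login.test/signin">https://www.examplebank.test/login</a>
from now on to continue using the service.</p>
"""

if __name__ == "__main__":
    print(lure_hits(SAMPLE_MAIL))
    print(analyze_links(SAMPLE_MAIL))
    print("suspicious:", is_suspicious(SAMPLE_MAIL))
```

The two-label domain approximation and the substring brand check are deliberately simple; a production filter would use the public suffix list and a proper lookalike distance, but the structure of the check (compare what the reader sees with where the link actually goes, then compare that host against the brands you protect) is the same.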

Spear phishing (from the English word "spear", denoting a targeted attack) is more efficient. Here the attacker obtains, for example, the e-mail addresses of the students enrolled at a university via its student council, in order to send them a targeted phishing e-mail purporting to come from a local bank or savings bank. The "hit rate" of this type of phishing attack is higher than that of ordinary attacks, as the probability that a student holds an account with this institution is very high.