Hello! Welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
OK, I have received some feedback that the TomCasts sound a bit scripted. Well, they are, since I write what I am going to say before I say it so I can attempt to refrain from sounding like a blithering fool stammering and stumbling over words. I totally get it, however, and will give it a go to sound a bit more natural. Please continue to leave feedback, as it helps us improve these for you!
Today we are going to discuss Social Engineering for the third time. This time we are going to jump into other lesser-known social engineering methods like baiting, pretexting, tailgating, and quid pro quo.
Remember the Cambridge definition of social engineering? “attempts to trick people into giving secret or personal information, especially on the internet, and using it for harmful purposes”. OK, keep that general definition in the back of your mind while we go through these types.
Let’s start with pretexting; pretexting is a kind of attack where the threat actor comes up with a story — or pretext — in order to trick the victim. The pretext generally casts the attacker in the role of someone in authority who has the right to access the information being sought, or who can use the information to help the victim. Pretexters can use any form of communication, including emails, texts, and voice phone calls, so this type is not limited to any specific technology used.
The next type to define is baiting. This type of social engineering preys on curiosity, amongst other things. Baiting is just as it sounds; the threat actor places the bait and waits for the victim to grab it. There are physical baits and logical baits. An example of physical baiting would be leaving a USB drive containing malware on a bench or chair and simply waiting for a victim to pick it up and eventually insert it into their machine. A logical example would be an enticing ad that the victim clicks, resulting in the installation of a trojan horse or other malware.
Tailgating (otherwise known as piggybacking) is a physical form of social engineering that can be intentional or accidental. This is a physical security breach where someone follows an individual closely through security mechanisms (RFID scanner, retinal scanner, mantrap, etc.) in an effort to avoid having to address the security mechanism themselves. As an example, an employee comes into work, and another person is walking close behind them. The employee scans their badge at the entrance to unlock the door. The person following appears to be carrying something bulky or heavy and asks for the door to be held open. The employee holds the door, and the person gains access. This may be another employee who was truly requesting assistance, or it could have been a threat actor gaining access to the facility while posing as someone else. Either situation is a breach of security, because the access control was bypassed rather than enforced.
Quid pro quo, which is Latin for “this for that”, is a type of social engineering attack where the threat actor provides a service or product in exchange for information or access. Typically, the threat actor impersonates someone of importance in the organization in order to successfully pull off a quid pro quo attack.
So, to wrap up, each one of those methods of social engineering was an attempt to trick people into giving secret or personal information. The methods vary widely and can be used together. Take pretexting, for example. A threat actor comes up with a convincing story, posing as a vendor for an organization that requires access but “wasn’t provided the right badge or code”, and uses it to convince the target to let them tailgate past security mechanisms and gain access to the facility. Obviously, that is a very simplified combination of pretexting and tailgating, but hopefully it sparks some thought as to how threat actors take various methods and use them together in order to achieve their goals.
We here at GuardSight thank you for taking the time to listen to this TomCast. Please share this if you believe it would be of assistance to anyone in your contact list, and please provide us some feedback in the comments so we can continue to improve. Thanks!