because a target individual who gets help from an attacker will be more willing to
help the attacker in return. When creating a situation for reverse social
engineering, an attacker will generally pose as someone whom the target will
recognize as an individual who can both solve their problem and legitimately
receive privileged information. The attacker will try to choose an individual that
he or she believes has information that will help them. An attacker may even
make up a situation in which nothing actually goes wrong in order to use the
reverse approach effectively. An attacker posing as an IT employee, for example,
could call and warn the target individual of an outage that may affect their
network connectivity. After the false outage window expires, the attacker will
follow up with the target to verify they are not having any problems, knowing
that the target will not. After creating such a situation, the attacker has
established a level of trust that can be used to ask for help in gaining information
in the future. This is also a good way for a social engineer to install malicious
software on a target's machine. The social engineer posing as an IT employee or
software vendor may ask the target to go to a website or open an email
attachment sent to the target that may contain a virus or other malicious
software. In this situation the social engineer may say, for example, that the
software must be installed as part of an upgrade.
Easily Attainable Information
Unfortunately, social engineers thrive on easily attainable information such as
phone numbers. Social engineers planning to pose as an internal employee will
first need to identify someone to masquerade as. Corporate directories are often
easy to come by, and internal employees do not usually view them as containing
sensitive information. Many individuals may think that sharing names, positions
and phone numbers is harmless. Cold-calling salespeople often obtain contact
information for the people they want to sell their products to from other
individuals employed by the same company. Social engineers do the same thing
to gain the contact information of the people they want to take advantage of. A
call to a corporate receptionist to learn the name and number of a manager, or of
anyone in a certain position for that matter, can be quite simple. Social
engineers may call the human resources department to learn the names of the
employees they want to target. The attacker may also gather easily attainable
information by browsing corporate websites.
Knowledge of Internal Processes
An attacker can have much success by knowing both internal jargon and
business processes. By displaying knowledge of an internal process or
procedure, or by using internal jargon, a social engineer can trick a target into
thinking that he or she is indeed a company employee. For example, knowing
the method a helpdesk uses to verify identities and responding as expected will
increase the believability of a call to the helpdesk from a social engineer posing
as an employee who forgot his or her password. The attacker may already have
a good deal of information about the target. A distraught ex-employee wanting to