Social Engineering Techniques: Phishing, Pretexting, Baiting
Social engineering is a psychological manipulation technique to obtain sensitive information from individuals. In the context of ethical hacking, this technique is used to identify human security weaknesses in an organization. Here is a more detailed explanation of phishing, pretexting, and baiting techniques:
Phishing
Phishing is the most common technique used in social engineering. The perpetrator sends an email, text message, or link that appears to come from a trusted source (such as a bank, company, or government) to manipulate victims into providing personal or financial information.
- How It Works:
  - Email Phishing: The perpetrator creates an email that looks very similar to an official email from an organization. The email usually contains a link that leads to a fake website designed to steal login credentials or credit card data.
  - SMS Phishing (Smishing): A phishing attack via text message, usually containing an urgent message asking the victim to click a link or call a specific number.
  - Voice Phishing (Vishing): A phishing attack via phone call, in which the perpetrator impersonates an authorized person (such as a bank employee) to obtain sensitive information. In another variant, the caller poses as an official and claims that a relative of yours has been in an accident (or, in extreme cases, arrested on drug charges) and asks for money to help.
- Example:
  - An email asking you to click a link to verify your bank account.
  - A text message informing you that you have won a prize and asking you to provide personal information.
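As an added, defender-side example (not code from the original page), the following Python checks a constructed email for the signs named in the phishing description above: a sender domain that does not belong to the organization it claims to be, urgency wording, and a link whose visible text points to a different domain than its real destination. The sample message, the domain names and the indicator labels are all constructed for this demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the original page): a "bank" notice whose visible
# link text shows the real bank's address while the href goes to a lookalike domain.
SAMPLE_EMAIL = """From: "Example Bank Security" <alerts@example-bank-verify.net>
To: customer@example.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Your account has been locked. Please verify immediately:</p>
<p><a href="http://login.example-bank-verify.net/verify">https://www.example-bank.com/login</a></p>
"""

# Pressure phrases typical of phishing lures; the list is illustrative, not exhaustive.
URGENCY_WORDS = ("urgent", "immediately", "locked", "within 24 hours", "verify now")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; enough for the demo (a real check would use the public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message: str, trusted_domain: str) -> list:
    """Return the indicator names found in a raw RFC 822 message; trusted_domain is the claimed organization's real domain."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    found = []
    # 1. Sender address does not belong to the organization it claims to be.
    sender_host = parseaddr(msg.get("From", ""))[1].split("@")[-1]
    if registrable_domain(sender_host) != trusted_domain:
        found.append("sender-domain-mismatch")
    # 2. Urgency language pushing the reader to act before thinking.
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in URGENCY_WORDS):
        found.append("urgency-language")
    # 3. Links: visible URL text vs. actual destination, and destination vs. trusted domain.
    for href, anchor_text in ANCHOR_RE.findall(body):
        href_domain = registrable_domain(urlparse(href).hostname or "")
        shown = urlparse(anchor_text.strip())
        if shown.hostname and registrable_domain(shown.hostname) != href_domain:
            found.append("link-text-href-mismatch")
        if href_domain != trusted_domain:
            found.append("link-to-untrusted-domain")
    return found
```

Running `phishing_indicators(SAMPLE_EMAIL, "example-bank.com")` flags all four indicators; a genuine statement notice from the bank's own domain with a consistent link returns an empty list.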
Pretexting
Pretexting is a technique in which the perpetrator invents a fake scenario to gain the victim's trust. The perpetrator impersonates someone with particular authority or knowledge in order to manipulate the victim into handing over the information the perpetrator is after.
- How It Works:
  - The perpetrator contacts the victim while impersonating an IT officer, a technician, or an employee of the same company.
  - The perpetrator builds a convincing story to gain access to the victim's system or information.
- Example:
  - A scammer calls an employee and claims to be an IT technician performing system maintenance. The scammer then asks the employee to provide their account password.
Baiting
Baiting is a technique that uses an attractive physical or digital object to catch the victim's attention. The victim then unwittingly gives away information or grants access to a system.
- How It Works:
  - The perpetrator leaves a storage device (such as a flash drive) infected with malware in a public place.
  - The perpetrator offers a prize or an attractive discount via email or text message, but the victim must provide personal information first.
- Example:
  - A flash drive found in a parking lot labeled "Important Information".
  - A prize draw that asks participants to fill out a form with personal data.
The Purpose of Ethical Hacking Using Social Engineering Techniques:
- Identifying Weaknesses: Identifying human vulnerabilities in an organization.
- Raising Awareness: Raising employee awareness of social engineering threats.
- Improving Security Procedures: Developing better security procedures to prevent social engineering attacks.
Important Things to Remember:
- Ethical Hacking: Always test with permission and approval from authorized parties.
- Legal: Do not misuse social engineering techniques for unlawful purposes.
- Ethics: Respect the privacy and security of other people's data.
By understanding social engineering techniques, you can better protect yourself and your organization from cyberattacks.