Social engineering, especially when combined with physical access to the target system, is the single most successful attack vector used for penetration testing or an actual attack.
As an attack route supporting the kill chain, social engineering focuses on the nontechnical aspects of an attack that take advantage of a person trust and innate helpfulness to deceive and manipulate them into compromising a network and its resources.
The success of social engineering attacks relies on two key factors:
- The knowledge that is gained during the reconnaissance phase. The attacker must know the names and usernames associated with the target; more importantly, the attacker must understand the concerns of the users on the network.
- Understanding how to apply this knowledge to convince potential targets to activate the attack by clicking on a link, or executing a program. For example, if the target company has just merged with a former competitor...