Social Engineering and Malicious Code


Social engineering is the art of manipulating people so they give up confidential information!

There are lots of different forms of social engineering. You need to know about four in particular.

Blagging or pretexting is the act of creating and using an invented scenario, to engage a targeted victim in a manner that increases the chance the victim will divulge information, or perform actions, that would be unlikely in ordinary circumstances.

For example, a blagger might find some information about you using social media, and use this to create a fake scenario. Say you wrote a post on Twitter complaining about the service in your local bank branch; the blaggers could then phone you up pretending to be from your bank saying that there has been some unusual activity on the account, and they need to confirm the details before they are able to unfreeze it. They have your name, location and date of birth from social media already so it’s easy to believe them, but all it now takes is for you to ‘confirm’ your address, bank account and sort code, and they have all your banking details.

To try and prevent being a victim of blagging, it’s important not to give out personal information - particularly in a public place. If a company contacts you, they should be the ones confirming details to you so you can prove who they are. If they can’t, or you aren’t sure, then you should contact the company directly yourself to check they are who they say they are.


Pharming is a cyber attack intended to redirect a website’s traffic to another, fake site. This is done by either changing the host files on the victim’s computer, or by affecting the _DNS __system which redirects _web-traffic.

Unlike with phishing and blagging, you may never actually receive information from the cyber criminals, but instead, you try to do the sensible thing by going to the website directly, so you type in the address www…, hit enter and a page loads. However, this isn’t actually what you are meant to be on, and instead you have been sent to the wrong place without knowing it.

To try and avoid becoming a victim to pharming, there are a few things you can do. For example, make sure that you use a trusted Internet Service Provider who works to remove ‘pharmed’ websites. Also, double check all spelling - particularly of the URL. Common errors might be a triple letter instead of a double, or even a vs a .com. However, the easiest way to check is that the website displays a padlock in the web browser address bar, and makes use of the HTTPS protocol whenever you are asked to enter personal information. No padlock or HTTPS, then it’s likely to be a pharmed website (or one with poor security that you shouldn’t be trusting anyway!).


Shouldering or shoulder-surfing__ is observing a person’s private information over their shoulder eg cashpoint machine __PIN numbers. This may be done in-person or via a small camera hidden nearby.

To avoid being a victim of this, try and avoid entering personal information into any devices in public - particularly bank details. Also make use of privacy screens which restrict the range of view of the screen. Shielding the PIN or information is also important, and just generally looking around to see if there is anything suspicious.


Phishing is a technique of fraudulently obtaining private information, often using email or SMS. The key difference between phishing and blagging, is that blagging is targeted towards one individual, whilst phishing is broader and hopes to get someone to bite.

The classic phishing scam is that of the foreign prince who is willing to transfer you millions of dollars if you simply hand over your bank details to him. Many people now are surprised that anyone falls for it, but phishing scams are becoming more and more sophisticated, making use of specific companies such as Amazon, and mimicking their branding. A common phishing scam currently is the use of order or payment confirmations, where a fake email is sent looking like it is from a real company. They then ask you to click on a link which takes you to a real-looking website where you need to enter your username and password.

When trying to avoid the bait, you should make sure that you use common sense when responding to emails. Phishing emails may contain spelling errors or vague/unfamiliar information. Many will also make use of fake addresses masquerading at the real thing. So always check who sent the email, and if in doubt search for the address online. The same goes for any URLs that you are asked to use. Once you click on the link, double check the address bar does take you to the site you expect, or even go directly to the site yourself and log in there. Never click on attachments or links from strange addresses either, and as with blagging, if in doubt, contact the company directly. Many companies now have a way of reporting phishing scams too.

Social Engineering and Malicious Code, figure 1

Malicious Code

Malware (short for malicious software) is an umbrella term used to refer to a variety of forms of hostile or intrusive software.

There are several different types of malware that you need to be able to describe:

  1. Virus - A virus is a piece of self-replicating piece of code that attaches itself to a file and when executed, is able to replicate itself without the user’s consent. They usually perform a harmful activity on the computer such as using hard disk space, corrupting data or even turning the computer into a zombie.
  2. Trojan - A trojan is malware disguised as a piece of legitimate software, trojans sit on the computer and allow the cyber-thieves to have access to your system. Typical things that a trojan might do include creating a backdoor into the system, modifying or deleting data or just disrupting the performance of the computer. Unlike viruses, they cannot self-replicate, but are often used in phishing scams.
  3. Spyware - These are programs that secretly record what you do on the computer. They could be used for legitimate purposes, but are often used to steal personal data. One form of spyware is a key logger which monitors all keyboard presses, and uses these to steal passwords.
  4. Adware - There are two definitions for adware. One is software that contains advertisements, such as freeware games. These are often legitimate programs which make use of advertising revenue to provide free/cheap games to customers. The other definition is a form of spyware that is used to provide targeted adverts. For example, when using a web browser, you may decide to start looking up flights to the USA on Google, and suddenly all the adverts provided on social media are about things to do in the USA, and cheap flight companies.

For each of the statements below, write the name of activity described:

A self-replicating piece of code.
Using information already known about an individual to gain credibility and trust to get them to divulge sensitive information.
Your answer should include: blagging / pretexting
A program masquerading as something useful, but often instead creates a backdoor into the computer.
Posing as a trustworthy entity in electronic communication.
Stealing information through direct observation.
Your answer should include: shouldering / shoulder-surfing
Redirecting a user to a fake website.
Using targeted adverts based on previous browsing habits, or legitimate advertising used to create a revenue stream for free games.
Software that observes what you do on the computer, such as a key logger which records key strokes.