The following is excerpted from "Heading Off Advanced Social Engineering Attacks," a new report posted this week on Dark Reading's Advanced Threats Tech Center.]

During the last few years, security researchers have uncovered malware that could have been developed only by incredibly well-resourced and skilled programmers. But creating an advanced program such as Stuxnet is only one phase of an attack.

To be of any use, the program or payload has to be installed on the victim's network or device. Those behind Stuxnet initially relied on USB drives to infect their intended targets.

However, more and more attacks are duping targeted individuals into inadvertently installing malware or providing confidential information by using sophisticated social engineering techniques -- often getting the victim to break security procedures or to ignore common sense.

Email and Web browsers are and will remain the attack vectors of choice for cybercriminals and foreign intelligence services. Everybody uses email and a browser, and a browser is also a gateway to many other exploitable technologies. These include Flash, ActiveX, JavaScript and plug-ins from a multitude of vendors.

However, unlike vulnerabilities that target services running on a machine, browser-based vulnerabilities require some form of user interaction to activate the malicious content. An attacker must therefore trick the victim into making a fatal mistake; it doesn't matter how clever the malware is, even if it contains a zeroday exploit and passes unrecognized by antimalware programs.

Social engineering -- or the art of psychological manipulation -- is commonly used to get somebody to follow a link to an infected website or open a booby-trapped email attachment. It usually exploits users' innate curiosity or natural desire to help. It can also try to appeal to vanity or authority and other psychological triggers such as greed, fear, anger or moral duty.

Recognizable attempts at phishing for personal and financial details appeared at the turn of the century, and by 2004 phishing had already become a global, fully industrialized criminal activity with new variants appearing all the time.

Spear phishing is commonly used in targeted attacks and is directed at a specific individual or organization. Spear phishing aimed at senior executives within an organization is termed a whaling attack.

Every aspect of a phishing campaign -- from email lists to sophisticated malware -- can be bought, with criminals specializing in different areas. Some products are free, such as Super Phisher, which provides a simple-to-use interface that allows a phisher to convincingly reproduce an existing website and capture login details entered at the fake site. The use of the same zero-day exploits by different groups within a short period of time also indicates that exploits are shared or sold by developers.

While drive-by exploits indiscriminately compromise as many users as they can, they're not truly targeted. Those preparing a spear-phishing campaign will research their victims in great detail to deliver a more focused attack. Attackers are using social networking sites and other sources of information to gather background information.

For details on the latest phishing and social engineering exploits -- and some recommendations on how you can mitigate them -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.