What is Social Engineering?
Social engineering is one of the most important hacks that can be performed in order to breach through
security protocols. However, it is not a hack that is performed against a computer system itself; instead, it is a hack that is performed against people, which can be the weakest link in a chain of security measures.
Also known as “people hacking,” social engineering is one of the most difficult hacks to pull because it is
not common for people to give classified information to a complete stranger. However, it is possible for
an experienced hacker to pretend to be someone that you can trust in order to gain access to important
documents and passwords.
All that it takes for an experienced criminal hacker to pull off a social engineering tactic is to get the right information about you.
Social Engineering as Art and Science
The logic behind social engineering is simple – it can be easy to get all the information and access that one needs from any person as long as you know how to trick a person into giving you the data you need with the least resistance possible. By being able to pull off a social engineering trick, you will be able to get your hands on to a device, account, or application that you need to access in order to perform bigger hacks or hijack an identity altogether.
That means that if you are capable of pulling off a social engineering tactic before attempting to go through all other hijacking tactics up your sleeve, you do not need to make additional effort to penetrate a system. To put this entire concept into simpler terms, social engineering is a form of hacking that deals with the manipulation of victims through social interaction, instead of having to
break right away into a computer system.
What makes social engineering difficult is that it is largely based on being able to secure trust, which is only possible by getting someone’s trust. For this reason, the most successful hackers are capable of reading possible responses from a person whenever they are triggered to perform any action in relation to their security system.
Once you are able to make the right predictions, you will be able to get passwords and other valuable computer assets without having to use too many tools.
Since social engineering is mostly about psychology, you can consider this tactic as both an art and a science. This tactic involves a great deal of creativity and the ability to decipher the nonverbal language of a device or account owner.
Social engineering experts are able to compile tactics that seem to work against computer users all the time. Together with other types of hacks available, you will realize that social engineering is that part of the most successful attacks, and that attacks mostly work because of some form of mental trickery performed by a hacker.
Social engineering makes it possible for a person to simply log in personal information on any form
he sees, or free open an attachment that has embedded malware. Because social engineering’s goal is to dupe someone into providing information that will allow access to more valuable data, this hacking tactic will allow you to get most anything from a targeted system.
What makes it a good tactic is that you can phish for a gateway to the information that you want to hack from mostly anyone that has access to the system that you are targeting, from receptionists to IT personnel, with these steps:
- Creation of trust
- The exploitation of relationship by communicating with targeted individual
- Using information leaked for malicious gain
The art and science behind social engineering are created because of a single truth about information
security – security ends and begins with a user’s knowledge on how a system should be protected. No
matter how updated your security system is, you will never be able to protect your network and your
devices if there is a user on your end that is not capable of keeping vital information from potential
attackers. With this thought comes the idea that once a social engineer becomes more aware of who
should be targeted within the organization for critical information needed to penetrate the system, the
more vulnerable an organization’s valuable information is.
How Social Engineering Happens
If you are going to think like a social engineer, you will get the idea that the most vulnerable people within any organization are those that are very likely to give away information with the least possible resistance. With that thought, you can easily zero in on receptionists, call center agents, and others that are trained to divulge information to anyone who asks for them.
It’s safe to assume that next in line are end-users who are naïve enough to think that they can provide personal information to those who pretend to be technical support personnel, supervisors, or people who can provide them a reward for merely answering a question that may leak out the answer to a privacy question.
Since social engineering highly rests on the behavior of users towards information security, people who are most susceptible to attacks are the following:
- People who divulge too much information about their personal lives
- People who create passwords using their own names, birthdays, or pet’s name
- People who divulge information about the devices that they are using
- People who use the same passwords for almost every account
- People who do not physically secure their own devices or any documents that may point out
details about information security protocols
As long as you can gain access to these types of people, then you can easily pry on any information that
you want to gain without having to spend too much effort. By being able to locate these types of users in
any organization, you will be able to get as much valuable data as you can as if you have had access to all
Types of Social Engineering Attacks
Here are some of the most common attacks used by social engineers to get the information that they want from users:
Once a social engineer defines the type of information that he wants to get out of a user, he begins
to gather as much information about a target as much as he can without raising the alarm. For
For example, if a social engineer wants to penetrate an organization’s security system,
He will most likely need to have a list of employees working there, some phone numbers used internally, or a calendar of activities used by the company. Using all this information, he can launch an attack on
the day where the least security personnel are present, do a social engineer attack against key
personnel through a communication line that is least suspicious.
There are plenty of ways on how a phishing attack can be done. One can use a fake email account
or a phone number and pretend to be a supervisor requesting for official contact list. One can also
look at social media accounts of a targeted organization and find who is likely to be responsible for
organizing company schedules.
If a social engineer prefers to spend less time on his research, he can simply opt to pay for a comprehensive background check on targeted individuals online. Once the needed information is received, a social engineer can launch a more comprehensive phishing attack One of the most effective social engineering tactics used by hackers is to reach out to a target and pretend that a victim’s account has been compromised.
By creating a sense of urgency, and social engineer may pretend to be offering assistance by asking for vital information such as mother’s maiden name, date of birth, account recovery protocols, and the last password used. An unassuming target may provide all this data without even verifying who he is talking to, or if his account has really been breached.
While this method can be a bit messy and risky, searching through discarded company materials
can be a very effective way to get highly confidential information. As the name implies, this often
involves rummaging through trash bins of an organization, with the hopes of finding key documents
in the trash.
This method is very effective because most people believe that the things that they throw in the
trash is safe, and that includes documents that point towards their home addresses, personal
phone numbers, and confidential paperwork. People simply do not think that there is a wealth of
the information available in the documents that they throw away after they are done with it. For this
the reason, one can easily find the following in the trash bin:
- Organizational charts
- List of passwords
- Email printouts
- Employee handbooks
- Internal security policies
- Phone numbers
- Network diagrams
- Meeting notes
Keep in mind that there are several dedicated social engineers that still find value in shredded documents since they recognize that shredded paperwork contains information that an organization does not want anyone to find out. Given enough time and tape, any hacker will be able to piece back together with a carelessly shredded document.
This is a tactic used by social engineers to find out in-depth details and possibly private information
about an individual by simply taking advantage of the dial-by-name feature embedded in most voicemails. To tap this feature, all you need is to dial 0 after calling a company’s number or right
after you reached a target’s mailbox. This is usually done after office hours to make sure that no
one in the organization will be available to answer the call.
Voicemail usually contains a wealth of private information, such as times when a person is not
available, which is crucial when it comes to scheduling an all-out attack. Some also use the
information that they find on voicemail messages to find out some details that they can use to
impersonate these people and use their personalities to launch an attack.
Social engineers can easily conceal their identity and location whenever they tap voicemails by
using VoIP servers such as Asterisk to enter any phone number that they want whenever they call.
Active communication with the target
One of the most effective means to gain information through social engineering is to ask the target
for the needed information directly. For this tactic to work, all that a social engineer needs to do is
to build enough trust between him and the target in order to achieve the information he needs
without encountering any resistance.
For example, a social engineer may tailgate a victim right into where the system that he wants to
breach is. He may assume a different identity, such as a manager or IT personnel, and proceed to
ask questions that may severely compromise a person’s personal account or reveal vital
networking security protocols. You may be surprised at the wealth of information that you can get
out of people by simply asking!
Technology makes social engineering easier by simply masking one’s identity in order to pretend to
be someone that targets can identify as one of their own. You can easily ask a user to send any
type of confidential information by creating a professional and legitimate-looking email that
requests social security numbers, user IDs, and even passwords.
Some users even volunteer this highly confidential information in exchange for a free Wi-Fi password, or a gift in return. You can even use spoofed emails to request a user to install a patch in their computers which can serve as a listening device or a virus.
One of the most popular attacks that use this trick is the LoveBug worm that users installed right
into their systems simply by opening an attachment in an email that is supposed to reveal the
identity of a secret admirer. While it might seem too obvious that opening an attachment from a
person that you do not know does not make sense, people fell for this trap anyway.