Social Engineering: The Art of Human Hacking

A Look into the World of Social Engineering!!

Photo by Austin Distel on Unsplash

I was once discussing social engineering with a friend of mine, and how social engineers can (sometimes) easily collect information about their target from social media, but she seemed surprised.

“You know what does ‘social engineer’ mean, don’t you?” I asked.

“Yes, they are the engineers who deal with social science,” my friend replied.

It was that moment when I decided to share my knowledge and write about it because, naturally, anyone who is not familiar with the world of social engineering would think the same.

In this post, you will learn about social engineering and explore it by going through examples.

What is Social Engineering?

“Social engineering bypasses all technologies, including firewalls.”

— Kevin Mitnick —

Christopher Hadnagy defines social engineering as the act that influences a person to take an action that may or may not be in his or her best interests. In cybersecurity, social engineering is the art of exploiting a weakness of individuals and/or organizations in order to collect information for the purpose of using it for a specific goal. This information should be confidential. Actually, social engineering is different from any other cyber-attack type, it is a way of hacking/attacking the target through non-technical means, it is a psychological manipulation.

Social engineering gives an outside attacker the knowledge and abilities of internal employees. It can also give an internal attacker more knowledge and abilities than they should have. Social Engineering can bypass all technical security mechanisms to allow an attacker to obtain the information of their choosing [1].

How Does it Works?

“Information is the key. The more information that social engineer gathers, the more successful the attack will be.”

— Christopher Hadnagy —

1. Preparation

By gathering information about the target, communication is a powerful skill that social engineers rely on. Hackers usually consider social engineering to be calling people up within a targeted organization and asking them for information. The hackers usually use a variety of resources to obtain information [1]. Social media is another powerful tool that really helps attackers to gather crucial information from people who give it up (it really doesn’t matter what information you reveal, every information is important for the hacker). And guess what? Garbage, yes garbage is another useful source where lot of information can be revealed. People usually throw away the things they think they don’t need anymore such as company data, bills, etc. while attackers can find it useful.

2. Pretexting

“Honesty is the key to a relationship. If you can fake that, you’re in.”

— RICHARD JENI —

Pretexting is the act of playing a role and impersonating someone else by creating an invented character and scenario to fool the targeted victim. This technique can be used whether to gain information or perform a particular action.

The figure above lists some characters that can be used in a particular situation. In fact, as a social engineer, you can become anyone you’d like to be.

FUN FACT

Many companies in the United States have a policy that their support staff must never question a caller’s gender. So, when someone with the name “Sally” calls in and has a voice like Barry White, you just don’t ask. You risk offending the person if they have a voice that is unusual. With this knowledge, I have used the names Christina, Christine, and Laurie when making phone contact [2].

3. Exploitation/Elicitation

“Fake it till you make it”

Once trust between the impersonator/attacker is established, the attacker take actions to perform the attack.

Common Types of Social Engineering

1. Phishing is the most common type of social engineering, it is this type of attack can also include several types, including but not limited to, Business Email Compromise (BEC), Smishing/SMS phishing, Angler phishing and Spear phishing.

2. Whaling/CEO fraud, according to Kaspersky, whaling is similar to phishing in that it uses methods such as email and website spoofing to trick a target into performing specific actions, such as revealing sensitive data or transferring money.

3. Honey Trap Attack is an attack in which the social engineer pretends to be romantically or sexually interested in the victim in order to yield money or gather sensitive information or . This attack is very like to Confidence/Romance Fraud attacks.

4. Baiting Attack is the attempt of alluring the victims by making them curious in a way that may lead the victims to compromise their security. For example, an attacker leaves a malware-infected physical device, such as a USB flash drive, in a place where it is easy to be found. Curious users in an organization will then retrieve the object and hurriedly plug it into their machines.

5. Vishing/Voice phishing is a type of social engineering attack that uses phone to steal personal confidential information from victims or/and to represent a fake organization representative.

6. Holy Water Campaign/Watering hole attack is a security exploit in which the attacker seeks to compromise a specific group of targeted users by infecting the websites they’re known to visit, these websites are called “target group“. The goal is to infect a targeted user’s computer and gain access to the network at the target’s place of employment.

Don’t Became a Victim

“Knowledge is power” — Francis Bacon —

Cybersecurity and social engineering awareness

The more we know and learn the more we are aware. By “we”, I mean all of us, regardless how old we are, regardless our jobs. Beware of any information request or downloads. It’s also right to use our common sense if something seems suspicious, it may be an attack. Organizations on the other hand need to ensure that each manager and employee has a security training program in place, regularly updated.

According to SANS Institute [3], The most common clues of a social engineering attack include:

• Someone creating a tremendous sense of urgency. They are attempting to fool you into making a mistake.
• Someone asking for information they should not have access to or should already know, such as your account numbers.
• Someone asking for your password. No legitimate organization will ever ask you for that.
• Someone pressuring you to bypass or ignore security processes or procedures you are expected to follow at work.
• Something too good to be true. For example, you are notified you won the lottery or an iPad, even though you never even entered the lottery.
• You receive an odd email from a friend or coworker containing wording that does not sound like it is really them. A cyber attacker may have hacked into their account and is attempting to trick you. To protect yourself, verify such requests by reaching out to your friend using a different communications method, such as in person or over the phone.

Social Media Awareness

Social media is a double-edged sword. I have noticed a lot of people give up and share a lot of information they think it’s not important. Actually, I could know a lot of details about a lot of people through commenting and sharing in social media. Can you imagine if I were a social engineer, how much information I could gather easily and without even asking you?

• Be carful about what you share or make visible especially to public.
• Be careful about commenting on others’ public posts, especially the posts that ask random questions, don’t give up your personal information.
• Ensure the people in your networks are aware of how much information you want them to share about you

Educate yourself, Research and Read

“It’s easier to limit yourself, but if you do, you will never reach your true potential.”

— CHRIS WITTY

Fortunately, nowadays, over a short period of time we can learn and research anytime and anywhere with no cost. In this post I am providing additional resources for further reading.

Conclusion

This post is designed for people who are not familiar with social engineering. In the next post, I will try to tell some real-life-incident stories and companies who were a victim of social engineering.

I welcome your input and opinions on this post.

Further Reading and Resources

• Introduction to Social Systems Engineering
• The Social-Engineer Podcast includes the fascinating conversation with Dr. Zak about his life’s work. www.social-engineer.org/podcast/ep-044-do-you-trust-me/
• Don’t Believe This Podcast with Michael F. Schein https://www.social-engineer.org/podcast/ep-139-dont-believe-this-podcast-with-michael-f-schein/
• Social engineering is the new method of choice for hackers. Here’s how it works.
• Social Engineering Hacking Systems, Nations, and Societies By Michael Erbschloe · 2019

References

[1] Winkler, Ira S. “The non-technical threat to computing systems.” Computing Systems 9.1 (1996): 3–14.

[2] Hadnagy, Christopher. Social engineering: The science of human hacking. John Wiley & Sons, 2018.

[3] January 2017. The Monthly Security Awareness Newsletter for Everyone: Social Engineering.