Social Engineering – What is it? Examples of Human Hacking!
In this tutorial, I have tried to explain what social engineering is and how it is performed. I have added a variety of examples, including videos (a movie as well), images and books, to make social engineering clearer to you. Enjoy!
Here, I have tried to cover all aspects of social engineering.
Social engineering, in the context of information security, refers to the tricks and techniques used to manipulate people's thoughts and beliefs so that they disclose confidential information or take an action that benefits the attacker.
Social Engineering Types
Social engineering attempts can be divided into the following categories:
Phishing: A technique in which the attacker sets up a cloned website that looks genuine to the target, usually reached through a link in an email or message, and tricks the target into logging in to it. The cloned site records every username and password entered, and the attacker can collect them at any time. Many kits then redirect the victim to the real login page, so the theft goes unnoticed until the stolen credentials are used.
Pretexting: The attacker invents a believable scenario (the pretext) and impersonates an authority figure or someone you trust in order to obtain your login details. It can take the form of fake IT support needing to do maintenance, or a false investigator performing a company audit. Someone might impersonate co-workers, the police, tax authorities or other seemingly legitimate people in order to gain access to your computer and information.
Baiting: In this attack, the attacker leaves a malware-infected floppy disk, CD-ROM or USB flash drive in a location where it is sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.
Quid pro quo: An attacker calls random numbers at a company, claiming to be calling back from technical support. Eventually this person will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will “help” solve the problem and, in the process, have the user type commands that give the attacker access or launch malware.
Tailgating: An attacker, seeking entry to a restricted area secured by unattended, electronic access control, e.g. by RFID card, simply walks in behind a person who has legitimate access. Following common courtesy, the legitimate person will usually hold the door open for the attacker or the attackers themselves may ask the employee to hold it open for them.
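The phishing category above hinges on the victim not noticing that a link leads somewhere other than it claims. As an added example that is not part of the original page, the following Python script checks the links in an HTML email for three common tells of a cloned-site lure: anchor text that shows one URL while the href points elsewhere, a punycode (IDN) hostname that can hide a homoglyph, and a protected brand name buried inside an unrelated domain or sitting one edit away from it. The protected-domain list, the sample email and the crude registrable-domain helper are constructed assumptions; production code would use the Public Suffix List.

```python
"""Flag suspicious links in an HTML email body (added example, not the page's own code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation wants to protect against lookalikes.
PROTECTED_DOMAINS = {"example-bank.com", "example-mail.com"}

# Constructed sample phishing email used for the demonstration below.
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify within 24 hours:</p>
<a href="http://example-bank.com.account-verify.net/login">https://www.example-bank.com/login</a>
<a href="http://examp1e-bank.com/reset">Reset password</a>
<a href="http://xn--exmple-bank-m8a.com/">Secure portal</a>
<a href="https://login.example-bank.com/help">Help centre</a>
"""


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Good enough for the .com-style names used here; real code should use the
    Public Suffix List (co.uk and friends break this)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats such as examp1e-bank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_link(href: str, text: str) -> list:
    """Return the reasons one link looks like a phishing lure (empty list = clean)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    target = registrable_domain(host)

    # 1. Anchor text looks like a URL but its domain differs from the real href.
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable_domain(shown) != target:
            reasons.append(f"text shows {shown} but link goes to {host}")

    # 2. IDN hostnames are encoded as xn--...; homoglyph domains hide here.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append(f"punycode hostname {host}")

    for brand in PROTECTED_DOMAINS:
        # 3. Brand name used as a subdomain (or substring) of an unrelated domain.
        if host != brand and not host.endswith("." + brand) and brand in host:
            reasons.append(f"{brand} appears inside unrelated host {host}")
        # 4. Typosquat: registrable domain within one edit of a protected brand.
        elif target != brand and edit_distance(target, brand) <= 1:
            reasons.append(f"{target} is a near-miss of {brand}")
    return reasons


def analyse_email(html: str) -> dict:
    """Map each suspicious href in the email body to its list of reasons."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = analyse_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, why in analyse_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(why))
```

Run it against the constructed email and three of the four links are flagged; the legitimate `login.example-bank.com` link, a genuine subdomain of the protected brand, passes. The heuristics are deliberately simple and will produce false positives on odd anchor text; the point is that each check targets a specific trick a cloned-site phish relies on.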
Reasons for Success!
When it comes to information security, humans are the weakest element. Humans can be easily exploited for the following reasons:
- Human psychology – humans trust and respect other humans (kids, news reporters, police, the pizza guy, etc.)
- Helping nature – assuming the caller is your colleague and needs your help, you give him confidential information (such as login addresses, technical instructions and instruction manuals).
- Human curiosity – what's inside a pen drive or CD found in the parking lot, in the elevator or on a nearby desk? What's in that email attachment from an unknown sender, or in the spam folder?
To make a social engineering attempt more successful, confusion, excuses and urgency are added to the mix:
- Confusion – he asks for an "ABC-XYX code" that doesn't exist and you are confused. You politely ask what he actually wants, and only then does he come to the point, by which time you are already in helping mode.
- Excuses and urgency – the attacker gives an excuse: he is at home or somewhere else but urgently needs to log in to his office PC. He needs some files he is working on, or the boss is asking for them. The urgency leaves you no time to check, and you are tricked.
Social engineering can be performed by non-technical people too. It is highly effective and is often the first step in real-world intrusions.
We have all received emails claiming that we have won a lottery, or that an unknown relative has left us billions.
The sender then waits for you to respond and ask how you can collect the money.
You are invited to confirm your details (and sometimes to deposit a small "token" fee) so that they can complete the required paperwork before handing over the money, with plenty of strings attached.
Finally comes the urgency: send your information now or the money will be forfeited.
Fake telephone calls: a person calls you, pretends to be someone they are not and exploits the human trust factor:
Fake delivery guy: "Hi, I'm from XDDE Courier Company and I have a parcel for you. I'm lost in your area; can you confirm your address?"
Fake colleague: "Hey, I'm John. I'm your colleague and work night shifts at the XYYX store. I'm at home and need to mail some details to the boss; can you confirm the password for the accounts system?"
News reporter: "Hi, I'm John, a reporter from Cow-Zebra News. We heard about the recent changes in your organization…" and then the target discloses a few things, or more.
Fake police/authorities: "Hello, I'm Mark from Your-City Police Station. We have a complaint against you…" and then: "now confirm your details."
Physical appearance: some social engineers, confident enough, may also show up at your cabin or desk, again pretending to be the IT guy or a printer repairer. You give them access to your computer and electronic data.
Social engineers also try leaving an infected USB stick or CD around your desk, in the parking lot or somewhere else where someone will notice it, so that whoever finds it plugs it in and runs what's on it out of curiosity. The malicious software then runs and hands control of that machine, and a foothold on the network, to the attacker.
A social engineer might also try to reset your password using the "Forgot password" option, where he is challenged with a security question such as "Who was your favorite school teacher?"
He now tries to engage you or your friends on social networking sites, or in some other way, to learn the answer. You are out of luck, because either you or your friends are going to reveal it. Be careful!
Social Engineer: Hi
You: Hi, do I know you?
Social engineer: We were in the same school.
You: Really? Sorry, but I can't recognize you!
Social engineer: I was your junior… and when I saw our school's name in your profile, I couldn't resist saying hi 🙂
You: Oh, great! So, how are you doing?
Social engineer: I miss my school days, my friends and teachers… Those were good times!
You: Yes, I also have good memories of school. I also miss my friends and especially some good teachers.
Social engineer: Oh… so, who was your favorite teacher?
You: Dr. Codd <Hardly anyone refuses to answer at this point!>
Social engineer: Oh… great! But we never got the chance to have him as our teacher.
<The chat continues so that it looks normal; the social engineer may need more details to get through the remaining security questions.>
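The weakness exploited in the "Forgot password" paragraph and the chat above is that a security-question answer is a low-entropy fact that other people know, and that sites match it leniently so that "dr codd" and "Dr. Codd" are the same answer. As an added example, not code from the original page, the Python below puts that weak scheme beside a hardened account-recovery store: random single-use recovery codes kept only as hashes, compared in constant time, with an attempt counter and a lockout. The answer "Dr. Codd", the attempt limit and the lockout window are constructed assumptions.

```python
"""Security question versus recovery codes (added example, not the page's own code)."""
import hashlib
import hmac
import secrets
import time

ATTEMPT_LIMIT = 5          # assumption: lock recovery after five failed attempts
LOCKOUT_SECONDS = 15 * 60  # assumption: 15-minute lockout window


def normalise(answer: str) -> str:
    """Typical lenient matching for security questions: case and punctuation are
    ignored, so 'Dr. Codd', 'dr codd' and 'DR CODD' all match. That leniency is
    exactly what lets a name learned in a casual chat unlock the account."""
    return "".join(ch for ch in answer.lower() if ch.isalnum())


class SecurityQuestionRecovery:
    """The weak scheme from the page: one guessable, socially discoverable secret."""

    def __init__(self, answer: str):
        self._digest = hashlib.sha256(normalise(answer).encode()).digest()

    def verify(self, guess: str) -> bool:
        return hmac.compare_digest(
            self._digest, hashlib.sha256(normalise(guess).encode()).digest())


class RecoveryCodeStore:
    """Hardened alternative: random single-use codes, stored only as hashes,
    checked in constant time, with a failure counter and lockout."""

    def __init__(self, count: int = 8, clock=time.monotonic):
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0
        # Codes are shown to the user once at enrolment; only hashes are kept.
        self.codes = [secrets.token_hex(8) for _ in range(count)]  # 64 bits each
        self._hashes = {self._hash(c) for c in self.codes}

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.strip().lower().encode()).digest()

    def locked(self) -> bool:
        return self._clock() < self._locked_until

    def redeem(self, code: str) -> bool:
        """Return True and burn the code on success; count and lock on failure."""
        if self.locked():
            return False
        digest = self._hash(code)
        # Compare against every stored hash so timing does not reveal which one matched.
        matched = None
        for stored in self._hashes:
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            self._failures += 1
            if self._failures >= ATTEMPT_LIMIT:
                self._locked_until = self._clock() + LOCKOUT_SECONDS
            return False
        self._hashes.remove(matched)  # single use: a leaked code cannot be replayed
        self._failures = 0
        return True


def demo() -> dict:
    """Run both schemes against the scenario from the chat above."""
    weak = SecurityQuestionRecovery("Dr. Codd")
    learned_in_chat = "dr codd"  # what the 'old schoolmate' extracted from the victim
    store = RecoveryCodeStore()
    first = store.codes[0]
    results = {
        "question_broken_by_chat": weak.verify(learned_in_chat),
        "code_first_use": store.redeem(first),
        "code_reuse": store.redeem(first),
    }
    # An attacker guessing 64-bit codes blindly is stopped by the lockout long
    # before the search space matters.
    bruteforce = RecoveryCodeStore()
    guesses = 0
    while not bruteforce.locked():
        bruteforce.redeem("0000000000000000")
        guesses += 1
    results["guesses_before_lockout"] = guesses
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast is the point: the answer to "who was your favorite teacher" has a handful of bits of entropy and is something friends and classmates know, whereas a recovery code is 64 random bits that only the user holds, can be used once, and costs the attacker a lockout after a few wrong tries.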
Notable Social Engineers!
Kevin Mitnick: He mastered the art of manipulation and human hacking, and was described by the Department of Justice as "the most wanted computer criminal in United States history".
As a schoolboy he got free rides on Los Angeles public transport by exploiting the bus punch-card system. He used social engineering to gather information about the system first and then exploited the weakness.
His exploits were detailed in two movies: Freedom Downtime and Takedown. We have already covered Mitnick and other popular hackers on our website.
Christopher Hadnagy: He is the security professional who wrote the first framework defining the physical and psychological principles of social engineering. He is most widely known for his books and podcast, and for creating the DEF CON Social Engineer Capture the Flag and the Social Engineer CTF for Kids.
Badir brothers: Ramy, Muzher and Shadde Badir, all of whom were blind from birth, set up an extensive phone and computer fraud scheme in Israel in the 1990s using social engineering, voice impersonation and Braille-display computers.
Ridpath: He became notable through talks in which he played recorded calls and explained his thought process for getting passwords over the phone, and through his live demonstrations. As a child Ridpath was connected with the Badir brothers and was widely known within the phreaking and hacking community.
Of course, there are many other social engineers worth mentioning, and some of the real experts are still working unnoticed.
We often use social engineering in real life to convince others, and sometimes to troll our friends. Salespeople and marketing professionals use it constantly to reach their goals.
How to Protect against Social Engineering Attacks?
Protection against social engineering attacks is the most difficult part. It is not as simple as configuring a firewall or enforcing a password policy, because the target is a person rather than a system.
The foundation of any defence is to educate and train employees about social engineering attacks, and to back that training with procedures that make refusing or verifying a request the easy, expected choice.
Organizations reduce their security risks by:
- Establishing frameworks of trust on an employee/personnel level (i.e., specify and train personnel when/where/why/how sensitive information should be handled)
- Identifying which information is sensitive and evaluating its exposure to social engineering and breakdowns in security systems (building, computer system, etc.)
- Establishing security protocols, policies, and procedures for handling sensitive information.
- Training employees in the security protocols relevant to their position (e.g., in situations such as tailgating, if a person's identity cannot be verified, employees must be trained to politely refuse; for telephone requests, to hang up and call back on a number from the company directory rather than one the caller supplies).
- Performing unannounced, periodic tests of the security framework.
- Reviewing the above steps regularly: no solutions to information integrity are perfect.
- Using a waste management service that has dumpsters with locks on them, with keys to them limited only to the waste management company and the cleaning staff. Locating the dumpster either in view of employees such that trying to access it carries a risk of being seen or caught or behind a locked gate or fence where the person must trespass before they can attempt to access the dumpster.
Movie: Catch Me If You Can
Most of you will already have seen this epic movie, in which Leonardo DiCaprio plays Frank Abagnale Jr., who, before his 19th birthday, successfully passed millions of dollars' worth of forged checks while posing as a Pan Am pilot, a doctor and a legal prosecutor.
Here is the complete movie in 10 minutes! Enjoy!
Books on Social Engineering
Following are two popular books on Social Engineering that are highly recommended:
- Social Engineering: The Art of Human Hacking (ISBN-10 0470639539)
- Unmasking the Social Engineer: The Human Element of Security (ISBN-10 1118608577)
Buy and read them if you liked the idea of social engineering and human hacking!
References and Further Readings
We have collected some great tutorials and real-world social engineering case studies for you. Check out the following resources on social engineering: