What is Social Engineering?
It is the practice of getting confidential information by using manipulative techniques.
Social engineers can gain access to systems, data, or buildings through the exploitation of human psychology.
When you think about it, Social Engineering is both an art and a science. An SE uses different technological tools, and the work also takes a lot of creativity.
Social engineering involves a wide range of malicious activities which are executed in various ways such as pretexting, phishing, quid pro quo, baiting, and tailgating.
Types of Social Engineers
There are many types of SE and some of them are:
They are the most popular type of social engineers. They use a combination of personal and hardware skills to carry out minor or major breaches across the globe.
They are like hackers as they pass through the target’s security system.
Pentesters are those who have malicious black hat skills; however, they don’t use the information they have obtained to harm a target.
It’s when someone uses an individual’s information, such as name, address, bank account numbers, social security number, and date of birth, without the knowledge of the owner.
They might also wear a uniform to pose as that particular person.
They use the principles of social engineering in their ploys. They are trained to build credibility and successfully inquire about their targets.
Often, members of organisations who are dissatisfied might become rebellious toward their employers.
And it’s easier for them to execute acts such as theft, vandalism, security breach, and other offences.
They exploit an individual’s desires and beliefs to make money.
They are adept at establishing situations that are irresistible and full of “opportunities” for their targets.
Governments use different persuasion techniques to control us. But it’s not always negative because sometimes it’s used to convey messages for our own benefit.
Salespeople – They are experts in several people skills. They use information gathering and psychological principles to influence others.
Psychologists, Doctors, Lawyers
It might surprise you to know that these people belong to the types of Social Engineers.
This group carries out different techniques such as elicitation, psychological principles, interrogation, and interview tactics to influence their targets.
The weakest link
Companies spend thousands of dollars on improving their security. But often they forget that the weakest link is the human factor. They make mistakes.
An employee might have a bad day. Maybe they are tired of that job and just don’t care anymore. So, they might do something they wouldn’t normally do.
Most people believe they are independent thinkers, but in reality it is easy to get people to do something.
From early childhood, through school, and into employment, we naturally follow instructions.
It is not by accident that the military involves intensive repetition in following instructions and acting as a group in compliance with senior officers.
When given an order to attack the enemy, an army would fail if soldiers wanted to debate if that is the best strategy.
In a work environment, they encourage us to be helpful to fellow employees. Especially, the new ones.
Disguising as a new employee can give you a great advantage.
People will be helpful to you when you ask for help, and they won’t be suspicious when you ask for information.
In addition, targeting the IT helpdesk staff will be good for you because they are trained to be helpful. And they are used to routine tasks such as resetting a password.
Your goal is to find as much information about your target as you can. Even the slightest detail can lead to a successful social engineering breach.
Corporate or personal websites can provide lots of information. You can understand:
What they do
What they sell
Biographies of the founders or board of directors
Special words or phrases that can help in password profiling
Other useful websites
Social Media sites (Facebook, LinkedIn, Twitter) contain a wealth of information about millions of people.
Another good tool is Analyzewords.
It can analyze a person’s Twitter account based on the language used.
You shouldn’t expect to know the real personality of that individual. The reason is that most people communicate differently online than in person.
But, many attacks occur based on the “online” personality.
DomainIQ – It gives hosting information about any site.
You can use TinEye to do an image search.
Remove bg – It helps in removing undesired effects from an image. This can lead to better results when doing an image search in attempts to identify a person or an object.
It’s one of the most sophisticated algorithms on the planet. And there are many Google search tricks that will help you collect more information about the target.
Here’s a list of Google operators:
intext: Returns pages that contain a chosen word or phrase in their text.
site: Locates pages and files from a particular site.
inurl: This operator restricts the search results to pages that contain a specific word in the link.
For example, inurl:Citrix/MetaframeXP will show you different organizations that are using Citrix Metaframe set up for their remote access.
If our target is a website with “.org” “.edu” we use:
site: edu|org + inurl:”faculty_login.asp | .php”
filetype: Followed by a file extension (PDF, DOC, XLS) returns specific files.
e.g. confidential business plan filetype:pdf
cache: Finds a copy of the page that Google indexed, even if the page is no longer available. You can also use archive.org, also known as the Wayback Machine.
info: It will present information that Google has about a webpage
intitle: operator looks for documents where the specified word is in the page title.
e.g. If you want to find an MS Word document with the marketing plan phrase, you can use the query
intitle:”marketing plan” filetype:doc.
You can enter a full street address, city, zip code, or a state and it automatically gives you street maps.
You can do this in different ways. One is just to try to stake out the area, try to sneak in and dig through the trash.
In the USA it’s legal, while in most European countries it’s illegal.
So make sure to understand the laws as it relates to your social engineering engagement.
The other is the impersonation method, where the SE dresses as if they work for the waste removal company.
And this gives you the pretext to get into the dumpster in a secured area.
It is considered the most common SE technique that attackers use today.
The goal of phishing scams is to get personal information, including names, social security numbers, and addresses of targets.
They might send an e-mail which appears to be from someone you know or a company.
They incorporate fear, or a sense of urgency to manipulate targets to act fast.
In addition, they use links or link shorteners to redirect targets to malicious websites through URLs that may appear legit.
A scammer might also clone a website to look more legitimate. And they might trick you into entering login credentials.
Why does phishing work?
Good phishers have a good understanding of decision-making processes.
Greed: This is the first and also the most base. Most people don’t think straight when “offered” large sums of money.
It’s like believing you have a real shot at winning the lottery.
Lack of education: There are lots of people who do not understand that a bad person might try to steal their identity or money through e-mail.
Gullibility: Many people fully trust others, especially strangers. And this can put them in an unsafe position.
The Amazon scam is very common. It doesn’t use your name and by looking at the URL you can see it’s not legitimate.
The PayPal phishing
Have you ever met someone and instantly felt, “Wow, I like this person?” Why?
Maybe he seemed in tune with your thoughts and feelings. Or maybe his look was non-judgmental, and you felt at ease with him.
Imagine if you could master that ability. And no, it’s not a simple lesson on how to build rapport.
Elicitation is a powerful technique used by con men, spies, social engineers, doctors, and law enforcement.
What is Elicitation?
It means constructing the conversation in such a way that the target gives information without you asking for it.
Many governments warn their employees about elicitation because it is commonly used by spies all over the world.
The FBI defines elicitation as “A technique used to discreetly gather information”.
These conversations can occur anywhere the target might be.
Elicitation works because:
– Most people want to be helpful and polite to strangers
– If they praise you, you will often talk more
– Most people would not lie for the sake of lying
– There is a tendency to underestimate the value of information being given.
– A desire to convert someone to our opinion.
Master the Art of communication in three steps:
#1 Be Natural. Nothing kills a conversation faster than seeming uncomfortable.
#2 Educate yourself. You must have knowledge of the subject you’re talking about. And you don’t have to act as if you know more than you do.
For example, your target is an engineer working on the new model of a particular car.
Now you shouldn’t act like you’re a world-class engineer because he might ask you something difficult and blow your cover.
Instead, you can say you are an engineering student and were told that he had amazing knowledge in this area.
#3 Don’t be greedy. Your goal is to get information. Yet, that shouldn’t be your sole focus. The target will lose interest.
Make the conversation a give and take, unless you are with a person who wants to dominate the conversation.
Here, let him dominate. But if you got the answer, feel the conversation out and don’t get greedy trying to go deeper and deeper, which can raise a red flag.
Appealing to someone’s ego
You: “You must have an important job, “X person” seems to think very highly of you.”
Target: “Thank you, that is so nice of you to say, but my job isn’t that important. All I do here is…”
Or, I bet you were the key person in designing this product.
Appealing to someone’s ego is simple but effective.
But, when you overdo it or when you’re not sincere, it turns people off.
You can criticize someone’s company in the hopes that the person will give information during the defense.
e.g. “How did your company get the contract? Everyone knows that B has better engineers for that work”.
Deliberate false statements
You say something wrong in the hopes the person will correct you with true information.
“Everybody knows that this process doesn’t work…”
You discuss a topic that is related to the main topic.
For example, you discuss the catering at a work party when in fact you want to know about the type of access outside vendors have.
Social engineers often offer alcohol to their targets and after a while, they might reveal bits of classified information.
As a social engineer, your goal isn’t to walk up and say, “What is the password to your servers?”
Your goal is to get small bits of information that will help you build a clear picture of the answers you are seeking.
Let’s say I ask, “Pretty cold today?” That will lead to a “yes” or “no” response.
But if I ask, “What do you think of the weather today?” Then the person has to respond with more than a yes or no.
In addition, a social engineer can learn a lot by studying and analyzing good reporters.
They know how to use open-ended questions to continue the conversation with their interviewee.
Attackers who have advanced skills in social engineering use pretexting to persuade their targets to do certain actions to gain access to an organization and exploit its structural flaws.
The attacker creates a credible story, leaving little or no room for doubt for his target.
It is more than creating a lie. In most cases, you need to create a whole new identity and use that to manipulate your target.
A social engineer can also impersonate people in jobs they have never done themselves.
It’s like you are an actor and today, for example, your job is to act like a firefighter or a pest control serviceman.
Building the persona
You should use pieces of your real life and the knowledge you already have.
For example, if you’re trying to build rapport with a target who has a daughter, don’t say you also have a daughter. But you have a niece, right?
In addition, choose a simple name or use a variation of your own name.
Don’t think of too many details.
You don’t have to build an entire life for your pretext.
Keep in mind the big 4 questions:
– Who are you?
– What do you want?
– Are you a threat?
– How long will this take?
Roles for Social engineers
There are plenty of roles to choose from, but these are the most common ones.
There are two reasons to consider this role.
First, it gives you a good excuse for doing technical things such as inspecting PCs or carrying out surveys that require you to record logins and passwords.
Second, as a new employee, most people won’t recognize you. They might also offer to help you.
This is like your “real life” role so it will be easier for you to carry off.
You can ask many questions about the security of that company. And the main advantage is that people won’t suspect a security consultant to be an attacker.
We have all heard the phrase “Customer is king”. And companies will do anything to satisfy a customer.
You can gather information about existing customers, and you can adopt that role to help the attack.
Robin Dreeke, the author of the book It’s not about me, reveals the principles of creating rapport:
Artificial time constraints
Have you ever been sitting in a bar, an airport, a library when a stranger tried to start a conversation with you? Did you feel awkward?
The discomfort comes from you not knowing when or if the conversation will end.
The first step in developing rapport is letting the other person know that there is an end in sight and that it is close.
You can do that by mentioning the time or having the body language that shows you’re leaving.
E.g. “Hi, I was about to leave in a second, and I am very sorry to bother you, but I was hoping you could help me…”
Non-verbals: Your body language should match the pretext.
Speak at a slower rate: Speak at a normal or slower speed so you don’t appear nervous.
Sympathy: Use phrases like, “Can you help me?”
Ego suspension: It’s a powerful trick. You suspend your ego to not judge someone and let them be right, even when they aren’t.
Validation: Giving genuine praise of a person’s knowledge or skills, or of the person.
Quid pro quo: Giving a little information to make the person feel comfortable sharing their info.
Manage expectations: To not become greedy and to realize when something isn’t working and make a change.
Dr. Robert Cialdini, in his best-selling book Influence, reveals the six aspects of influence:
Reciprocity: This is when you create a feeling of indebtedness by being the first to give something away.
Reciprocity is the expectation that when someone treats you well you respond in the same way.
It’s often used by companies offering a free sample. And people are more prone to buy their product.
But the level of the request you can make is determined by the perceived value of the gift to the receiver.
Scarcity: When people think a product or information is hard to get, it becomes scarce and therefore more valuable.
Authority: It’s our inner desire to obey and follow instructions.
Consistency: If you can make the target follow simple instructions, they will be consistent.
Liking: We like people who like us back. If a target feels liked, in return, he will give us the information we need.
Social proof: If everyone else is doing it, then it must be good.
Prevent Social engineering
– Suspect everything that seems to be out of the ordinary. Especially calls from people who tell you there is a serious security problem in the company and you need to give them log-in credentials.
– Think before you click.
As I explained above, email phishing is very common. So make sure to check the e-mail address of the sender and look at where the link will lead you.
– Become digitally quiet.
– Become unpredictable: Don’t fall into patterns of doing the same things every day.
– Physical security
Make sure that the dumpster is in a gated area.
Set up authorization or identity checking at entries to a building. All entrances, not just the front door.
– Raise awareness. Everyone in the organization should know the techniques of social engineering.
– Delete metadata from the images you post online.
Many photographs contain metadata such as
- The coordinates of the location where the photo was taken
- The model of the camera
- It also contains the date and time someone took the photo
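The checks from “Think before you click” and from the phishing section earlier (sender address, where a link really leads, link shorteners, urgency, a greeting that doesn’t use your name), as an added example that is not part of the original article. The indicator names, the shortener list, the word lists and the sample message are assumptions made for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumption: illustrative, not complete
TEXT_SIGNS = {"urgency-language": re.compile(r"\b(urgent|immediately|suspended)\b", re.I),
              "generic-greeting": re.compile(r"\bdear (customer|user|client)\b", re.I)}
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+")

class LinkCollector(HTMLParser):
    """Collects body text and (href, visible label) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._label = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def phishing_indicators(raw_message, claimed_domain):
    """Return sorted indicator names for a single-part HTML message."""
    msg, found, page = message_from_string(raw_message), set(), LinkCollector()
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender != claimed_domain and not sender.endswith("." + claimed_domain):
        found.add("sender-not-from-claimed-domain")
    page.feed(msg.get_payload())
    page.close()
    body = " ".join(page.text)
    found |= {name for name, rx in TEXT_SIGNS.items() if rx.search(body)}
    for href, label in page.links:
        if host(href) in SHORTENERS:
            found.add("shortened-link")
        if LOOKS_LIKE_URL.match(label) and host(label) != host(href):
            found.add("link-text-differs-from-target")
    return sorted(found)

# Constructed sample message (not a real e-mail); .example is a reserved TLD.
SAMPLE = '''From: "Amazon Support" <support@amazon-account-check.example>
Content-Type: text/html

<p>Dear customer, your account will be suspended immediately.</p>
<a href="http://amazon-account-check.example/login">https://www.amazon.com/your-account</a>
<a href="https://bit.ly/EXAMPLE">Restore access</a>'''
```

Calling phishing_indicators(SAMPLE, "amazon.com") reports all five indicators; a message that really comes from the claimed domain, with links whose visible text matches their target, reports none.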
Follow the experts
If you are seriously considering a career in social engineering, then I recommend following these experts.
They have many years of experience and you can learn a lot from them.
He is a security consultant and the author of 4 books in social engineering.
He is the founder and creator of the Social Engineering Village (SEVillage) at DEF CON and DerbyCon, and the creator of the popular Social Engineering Capture The Flag (SECTF).
Hadnagy has over 16 years of experience in the security fields.
He also interviews different security experts on his Podcast. They release new episodes on the second Monday of each month.
Is an American computer security consultant, author of 4 best-selling books, and a hacker.
He was one of the FBI’s most wanted because he hacked into 40 major corporations just for the challenge.
Now, he is the CEO of Mitnick Security Consulting.
They work with Fortune 500 companies and governments to test their security strengths, weaknesses, and potential loopholes.
He spent 18 years as a government computer crime investigator. He is the author of many books on OSINT and security.
Michael was also one of the technical advisors for the first season of “Mr. Robot” (my favorite TV show).
Is a computer security expert, author, and co-author of 13 books.
He is known for his background in Google hacking, a process by which vulnerable servers on the internet can be identified through constructed Google searches.
He has 20 years of experience in all aspects of penetration testing. He has been engaged in projects and delivered specialist training on four continents.
“The Science of Human Hacking” by Christopher Hadnagy
“The Art of Human Hacking” by Chris Hadnagy
“Hacking the Human” by Ian Mann