What is Social Engineering?
Social engineering is a ‘deadly’ art form which relies on persuasive psychology to manipulate victims to give up confidential information. Social engineers (the perpetrators) seek various types of information to deceive you into providing your confidential information such as banking details, passwords, and other information. They may also secretly install malicious software onto your computer which gives them control over your computer without you even knowing.
These scam artists use social engineering techniques to exploit people’s natural inclination to trust others. In general, it is much easier to trick someone into giving you their password than it is to guess their password unless the password is weak.
Even though cyber attacks may occur, the IT Department is not always to blame. While cyber security does rely on great anti hacking software, cyber security is also about actually taking in those tips and knowing whom and what to trust. Whether it’s a scam via the phone or on the internet – humans are the weakest link in the security chain. All the deadlocks and security alarm systems in the world cannot save you if you shout your passwords loudly across the office or put them on sticky notes for all to see.
Here are the 5 ultimate social engineering techniques that actually work to fool unsuspecting victims:
#1 Familiarity Exploit
(Editor’s Note: If you manage your company’s payroll or do any other type of online banking you’ll want to read and understand this.)
Called by many as the ‘cornerstone of social engineering’ the familiarity exploit succeeds because the social engineer does a good job of convincing the people around him/her that he/she should be there — in this case walking the halls of an office with physical access to company work stations and computers.
People are far more willing to give assistance and information to those they recognize and know — even if only little. That familiar person, in the eyes of the target, doesn’t set off any alarm bells about who that person is and why that person is wandering the office.
Social engineers do this in many ways but mainly it involves physically getting into a targeted business and getting your targets familiar with your presence and personality. In larger companies, social engineers have been known to gain access by ‘tailgating’ (sliding in behind a large group as it goes through a secure door) and then pretending to be a company consultant.
In one well known hacking case at a major New York financial services company, a hacker spent 2 days ‘working’ in one of the target company’s conference room. After he felt recognition and trust he struck: inserting a USB with key loggers and other malware into 5 company computers. Once the malware was installed he left, now free to strike from a distance at optimal time.
The larger the office, the harder it is to protect oneself against this technique. Having said that, you can protect your business from it by frequently checking visitors and foreign faces to see if they have a legitimate reason to be in the office.
But remember, once the social engineer has succeeded in infecting even one company workstation, access to private financial data through the company network is not too far off.
#2 Hostile Situation
Social engineering is a term that describes how a hacker uses psychology and human emotion to gain access to a computer network. This technique preys on mankind’s fundamental, ‘cognitive laziness’ in a negative way.
The ‘hostile situation’ technique draws its considerable strength from the fact that people have a deep seated urge to withdraw from conflict – and from those who appear angry or upset.
Simply put, if you are angry people are much less likely to stop you. In fact, some studies have shown that people are more likely to heed the request from an angry person over a nice person. The urge to avoid conflict it that ingrained.
It’s a diversionary tactic that leverages that need to withdraw from negativity by manufacturing and bringing a hostile situation to a person managing access to a place, room, building, etc…, hoping that, in an effort to avoid the situation, a security guard will just wave the person through.
One example would be to pretend to be on the phone having a heated argument as one passes through a situation where, under calm circumstances, one’s presence might be stopped and verified. Like an office building checkpoint.
The ‘hostile situation’ technique been around for centuries for one simple reason: it works. Be sure your employees are aware of it.
#3 Offline Information Gathering
Social engineering is all about gathering the bits and pieces of information that, when pulled together, give a hacker the ability to break into a system and hack it. Much of social engineering revolves around how a hacker gets the access to be able to steal information. But, an equally large part of social engineering are how a hacker uses public spaces and sources of information to compile the personal profiles they need to break into a system.
To put it another way, the more information one has about their ‘mark’ the faster one will be able to exploit the mark. If you review the history of social engineered hacks you’ll find a lot of old-fashioned, offline work.
For example, check out the story of Stuxnet. This hack, where a joint team of US and Israeli intelligence specialists planted malware inside Iran’s uranium enrichment program that destroyed its centrifuges succeeded because an employee picked up a USB that had been dropped in the parking lot of the centrifuge facility.
A social engineer will comb the parking lots of a target business – finding cars that are unlocked or easily opened that might have security badges, paperwork, devices, etc..
A good social engineer will notice (and when possible) photograph personal details and pictures an employee might have on display in their office. A picture of a favorite vacation place could be a password clue.
Social engineers leverage the leveling power of alcohol – usually by following employees to the office bar. Much can be learned simply by over hearing work talk.
Or she might tail a mark to learn their patterns and likes and dislikes – all good data points that can facilitate a personal connection to the mark.
Finally, there is the online treasure trove of social media. Social engineers have sophisticated tools to index, sort, correlate, derive and compile personal information most people would NEVER reveal. Be wary of what you put online into the public domain.
#4 The Inside Job
If the mark is big enough, a social engineer will often go big and actually get a job at his/her target company. That is technique #4 of our series and is most often done at small to medium-sized businesses.
Studies show that a majority of small to medium-sized businesses do not perform even simple background checks on new hires. Large companies will but they are typically not very extensive. Regardless of the size of the company, most background check protocols don’t do a very good job of compiling a prospective job candidate’s social/online profile.
At this writing screening for potential inside-job hackers is not very well developed or sophisticated. However difficult it is to spot, companies – especially small to medium-sized companies – need to be aware of it and have employee monitoring protocols in place.
The risk is substantial. One need only look at one of 2014’s biggest hacks – the Sony Pictures hack, now believed to have been an inside job.
#5 Body Language Mirroring
Social engineering is inseparable from human psychology and the better a social engineer understands psychology the most successful (and dangerous) the hack. This brings us to our fifth social engineering technique: body language mirroring.
Like the familiarity exploit, body language mirroring creates subconscious identification between social engineer and his/her mark.
According to master social engineer Chris Nickerson, body language is a social engineer’s most powerful tool. Breathing when the mark breathes, recognizing and emphasizing with the mark’s emotions, smiling at the right times, being friendly and polite but not overly so: it’s all about making the mark comfortable.
<iframe width=”560″ height=”315″ src=”https://www.youtube.com/embed/HW9hH0vlPEM” frameborder=”0″ allowfullscreen></iframe>
Body language mirroring creates a level of identification that makes marks WANT to help you and feel good while doing it. And it works. A truly great social engineering hack is one where the mark doesn’t even realize he/she has been had. Body language mirroring makes it possible. It makes marks comfortable.
And once a mark is comfortable it will do things like let you into a data center without asking for your ID. That is the essence of successful social engineering.