What is Social Engineering And How Is It Used To Hack Systems
This article is part of a series of articles. Please use the links below to navigate between the articles.
- An Introduction to Hacking and Cyber Security - Complete Guide
- An Introduction and Brief History of Cryptography and Codebreaking
- Online Privacy and Why it Matters in Today's Hyper-Connected World
- What Are Supercookies? The Web's Latest Tracking Device
- How to Spot Scam and Phishing Emails And Avoid Being Scammed
- How Internet Security and SSL Works to Secure the Internet
- What is Man in the Middle Hacking and Transport Layer Protection
- What is Social Engineering And How Is It Used To Hack Systems
- Cookie Security and Session Hijacking in Web Applications
- What is Cross Site Scripting? (XSS) How is it Used to Attack Websites
- What is Internal Implementation Disclosure?
- What is Parameter Tampering and How to Protect Against It
- What is SQL injection - With Examples & Prevention

Social Engineering is something we are all exposed to every day, from watching the daily news to advertisements. Social Engineering is psychological manipulation.
How can a target be manipulated into doing something they normally would not do? This ranges from persuading someone to choose your product over another, or to buy something they don't need, through to getting them to divulge sensitive information, such as passwords, or to transfer money.
Social Engineering exploits a specific set of human weaknesses - sympathy, for example. Most people think of themselves as nice people willing to help others, and attackers use exactly that to exploit a target. A common trick is to hack someone's Facebook or email account. The attacker then sends a message to a friend or frequent contact, stating that they are on holiday, have had their money stolen, and need a loan to get home. Being nice, you agree to send money over the internet to your friend, not knowing that the destination bank details are those of the attacker, not your friend.

Greed is another weakness that is exploited, especially by the "Nigerian Scam". These usually revolve around someone with a great deal of money looking to get it out of the country. They require a small amount of money to set up an account in your name, into which they promise to transfer all their money for you to hold. When they leave the country, you return half the money to them and keep the other half for yourself. You transfer the "set-up fee" to them, and you never hear from them again.
Social engineering is not limited to social media and email; it can happen human to human - either in person or via telephone, whereby they can convince you to do things you would not normally do. Some call that marketing, and it is a very fine line, but it can be a lot more sinister than that. The intent is usually the decisive factor. The intent may be to sell you a product, or it could be to get you to disclose a password or bank details.
Computer-based social engineering is very cheap and incredibly easy to perform. It typically requires a vulnerable site that exposes a cross-site scripting vulnerability; this is then exploited to inject anything from key loggers (a program which captures every key you press) to malware and even ransomware. Even ad servers can be compromised, so legitimate websites running adverts can also serve the attack in this way. A typical attack would be to show the user a fake Facebook login box, simply stating that their session has timed out and that they should re-enter their details. The unsuspecting user, usually on autopilot, fills in their details, hits OK, and carries on browsing as if nothing happened. In reality, the username and password were just sent to the attacker. Some attacks are more sophisticated, and the payload (the attack's content) can be anything from a key logger, to taking control of your computer, activating your webcam or installing botnet software, through to persistent monitoring software.
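The injected "session timed out" login box described above has one property a genuine login form does not: the credentials have to be sent somewhere the attacker controls, so the form's submission target is not the page's own origin. The following is an added example, not code from the original article, of a defensive heuristic built on that property. It audits login-form descriptors (plain objects with an `action`, `method` and `fields`, a constructed stand-in for live DOM nodes so the check runs offline under Node) and flags any form containing a password field whose action resolves to a foreign origin, a non-web scheme, an HTTPS-to-HTTP downgrade, or a GET submission. All hostnames and form names are constructed sample values; in a browser the same descriptors would be built from `document.forms`.

```javascript
// Added defensive example (not from the original article): flag credential
// forms whose submission target is not the page's own origin.

function resolveAction(action, pageUrl) {
  // An empty or relative action resolves against the page URL, as browsers do.
  try {
    return new URL(action || '', pageUrl);
  } catch {
    return null; // unparseable action is itself worth flagging
  }
}

// Returns { form, suspicious, reasons } for one form descriptor.
function auditForm(form, pageUrl) {
  const page = new URL(pageUrl);
  const hasPassword = form.fields.some(f => f.type === 'password');
  // Forms without a password field are out of scope for this heuristic.
  if (!hasPassword) return { form: form.id, suspicious: false, reasons: [] };

  const reasons = [];
  const target = resolveAction(form.action, page);
  if (!target) {
    reasons.push('unparseable action');
  } else {
    if (target.protocol !== 'http:' && target.protocol !== 'https:') {
      reasons.push(`non-web scheme ${target.protocol}`);
    } else if (target.origin !== page.origin) {
      // Origin comparison covers scheme, host and port together.
      reasons.push(`posts to foreign origin ${target.origin}`);
    }
    if (page.protocol === 'https:' && target.protocol === 'http:') {
      reasons.push('downgrade from https to http');
    }
  }
  if ((form.method || 'get').toUpperCase() === 'GET') {
    reasons.push('credentials would be sent in the query string');
  }
  return { form: form.id, suspicious: reasons.length > 0, reasons };
}

// Constructed sample page and forms (hypothetical hostnames on the reserved .test TLD).
const SAMPLE_PAGE = 'https://www.social-site.test/feed';
const SAMPLE_FORMS = [
  // The site's real login form posts back to the same origin.
  { id: 'genuine', action: '/login', method: 'post',
    fields: [{ type: 'text' }, { type: 'password' }] },
  // An injected "session timed out" box that sends credentials elsewhere.
  { id: 'injected', action: 'https://not-the-site.test/collect', method: 'post',
    fields: [{ type: 'text' }, { type: 'password' }] },
  // A search box: no password field, so never flagged.
  { id: 'search', action: '/search', method: 'get',
    fields: [{ type: 'text' }] },
];

function auditAll(forms = SAMPLE_FORMS, pageUrl = SAMPLE_PAGE) {
  return forms.map(f => auditForm(f, pageUrl));
}

// Stand-alone run: print the verdict for each constructed form.
for (const r of auditAll()) {
  console.log(r.form, r.suspicious ? 'SUSPICIOUS' : 'ok', r.reasons.join('; '));
}
```

This only catches the crude case in which the fake form posts directly off-site; an injected script can instead read the fields and send them with `fetch`, so the heuristic complements, rather than replaces, a Content Security Policy that restricts `form-action` and `connect-src`.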
Curiosity is another weakness. "If you don't do this, then you will miss out on..." A common trick is to "Find out which of your [Facebook/Instagram/Twitter] friends have viewed your profile." Who isn't curious about that? The post then lists the steps the user must perform to see which of their friends has looked at the profile. In reality, these users have been duped into performing an XSS attack on themselves by executing scripts in their own browsers. The result is similar to the example above: the attacker now has access to that person's browser session. The social engineering aspect relies on the person being so focused on the end goal that they pay little attention to the steps they are executing. How many Facebook users know what a malicious script looks like? They will copy and paste the code as directed.
Social engineering doesn't necessarily involve computers. It can also involve phone calls or in-person meetings. Typical examples are fake IT support voice calls, either claiming to be from the IT help desk of your company or, in the case of individuals, from Microsoft support or Apple support. In either case, the caller states that they are from whichever department or company, that a problem or virus has been detected on your computer, and that you need to perform certain steps to remove the threat. Otherwise, they warn, your internet will be disconnected or your computer locked out to ensure the threat is contained and cannot spread to other devices. The unsuspecting victim, panicked by these threats, then performs the actions given over the phone and grants the attacker access to the computer. From then on, any number of malicious programs can be installed.
Another telephone example is the call "from the bank". Someone, or an automated system, calls you stating that fraudulent activity has been detected on your account. They then prompt you to read out or key in your card number to verify your details. They then list a few transactions (obviously not genuine) and ask for further details so these transactions can be reversed and the block on your card removed. Bingo! They now have the details they need to empty your account.
Both of these examples of social engineering exploit the human weakness of fear: fear of being disconnected or blocked.

Another example of exploiting curiosity is that of the ubiquitous USB stick. An attacker deliberately leaves USB sticks around in a public place: in car parks, on a train or in a cafe. The average person is curious about the contents, takes the device home and plugs it into their computer. Simply plugging in the device can infect the computer with viruses, malware or ransomware in seconds.
In-person social engineering can also take many forms and exploit various weaknesses. In your place of work, have you ever held a door open for someone you don't know, maybe they are carrying something large or heavy? Who was that person you let in? Should they be allowed in, or did you just let in a social engineer who now has physical access to your company network? With physical access, a social engineer can plug any device into the network to capture and re-transmit information. They can swipe printouts from the printer, copier or fax machine. They can even steal information from the trash can or recycling bins.
Digital forensics, in this context, is gathering information about a target by analysing their digital footprint. Think about the amount of information on your Facebook profile - when you went on holiday, where you went, maybe even a photograph revealing the airline you used. From that information, an attacker can work out your flight number and other details, so that a fake email asking you to confirm payment details can quote your airline, travel dates and times, and even your flight number, making it look all the more legitimate.