Social engineering is the art of exploiting people rather than systems: instead of attacking software, the attacker manipulates a person into handing over sensitive information or access. It plays a significant role in both real-world attacks and penetration testing, and it is a vast topic in its own right. An attacker who is skilled in social engineering can do a great deal of damage with this one skill alone.
A simple analogy helps: a child who promises to be quiet only if its demands are met is applying pressure to get a result. In the same way, people are psychologically manipulated until they do what the attacker wants, such as giving up personal or confidential information, online or offline.
Social engineering is broadly classified into human-based social engineering and computer-based social engineering.
HUMAN-BASED SOCIAL ENGINEERING:
People are the weakest link in any company's security. Manipulating an employee can yield large amounts of sensitive information and sometimes even direct access to the company network.
There is no patch for human manipulation. Awareness training and strict procedures reduce the risk, but a person can always be deceived, and that exposure extends to the whole corporate network.
Manipulating a single person can lead to a major disclosure. The person may be directly or indirectly connected to the company, from a junior employee to the owner; job title or seniority offers no protection in social engineering.
Social engineering depends entirely on the attacker's skill at manipulation. An attacker who is good at convincing people can compromise an entire network without launching a single technical attack.
HUMAN-BASED SOCIAL ENGINEERING TECHNIQUES:
- Impersonating an employee or valid user
- Pretending to be an important user
- Fear of authority
- Insufficient knowledge
- Phone call
- Message
- Dumpster diving
- Shoulder surfing
- Eavesdropping
COMPUTER-BASED SOCIAL ENGINEERING TECHNIQUES:
- E-mail attachment
- Ads and pop-up screens
- Online social engineering
- USB drives
- Phishing
IDENTITY THEFT:
Identity theft is the act of assuming another person's identity in order to obtain some benefit in their name.
When an attacker steals the target's name and personal or confidential details and uses them as their own, that is identity theft. It is generally carried out by attackers who are engaged, or intend to engage, in fraud.
How attackers obtain an identity is worth understanding. People routinely throw away bills and other documents from which an attacker can harvest personal information (the dumpster diving listed above).
Attackers also collect a good deal of information from social media accounts. A stolen or pickpocketed identity card can be combined with such documents: the attacker presents a few bills as "proof" that the target has moved to a new address and uses that to apply for a passport or other documents in the target's name. This is a serious threat; once the attacker holds a convincing identity, the fraud can be large and the target bears the consequences.
For example, the attacker can ask the bank to issue new cheque books, credit cards and debit cards against the stolen identity, obtain new SIM cards, open bank accounts and acquire further documents in the target's name. If the fraud is detected, suspicion falls first on the target, whose name is on everything.
PROCESS OF SOCIAL ENGINEERING:
Every social engineering attack is unique, but with a little understanding of the situations encountered we can describe the process that almost every successful social engineering engagement goes through. It involves four main stages:
- FOOTPRINTING
- ESTABLISHING TRUST
- PSYCHOLOGICAL MANIPULATION
- EXIT
FOOTPRINTING:
Footprinting is the gathering of information about the target and its surrounding environment. It reveals the individuals connected to the target with whom the attacker should establish a relationship, improving the chances of a successful attack.
The information gathered during the footprinting phase includes, but is not limited to:
- List of employee names and phone numbers
- Organization chart
- Department information
- Location information
ESTABLISHING TRUST:
Once the possible targets have been listed, the attacker moves on to building a relationship with the chosen target, usually an employee or someone else working in or with the business.
The trust gained here is later exploited to extract confidential information that could cause severe damage to the business.
PSYCHOLOGICAL MANIPULATION:
In this step the social engineer exploits the trust gained in the previous phase to extract as much confidential information about the target system as possible, or to have the employee perform actions on the attacker's behalf, so that the system can be penetrated with far less effort.
EXIT:
Once all the vital information has been extracted, the social engineer has to make a clean exit in a way that raises no unnecessary suspicion.
He ensures that no trace of the visit is left behind that could later be traced back to his real identity or link him to the unauthorized entry into the target system.
IN SOCIAL ENGINEERING PART 2 WE SHALL LOOK IN DEPTH AT HUMAN- AND COMPUTER-BASED SOCIAL ENGINEERING TECHNIQUES AND HOW THEY ARE PERFORMED, AND IN PART 3 AT WHAT REVERSE SOCIAL ENGINEERING IS AND HOW TO STAY SAFE FROM THESE TYPES OF FRAUDS AND ATTACKS.