Sunday, 1 May 2011

Social Engineering – Art of Manipulation

What is Social Engineering?


·      Social Engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action. This may include obtaining information, gaining access, or getting the target to take certain action.

In other word Social engineering is defined as the process of obtaining others passwords, personal information, ideas…ect by the act of manipulating or to handle a people using technical cracking techniques (force victim to do something that is in your interest) realize that they have been scammed.
·      It can also be defined as the human side of breaking into a network. People with authentication process, firewalls, virtual private networks and network monitoring software are still wide open to attacks.
In Other word if there is some planning for a company it can be used in such a way that an employee may unwittingly give away key information in an email or by answering questions over the phone with someone they don't know or even by talking about a project with co-workers at a local bar after hours.
It is said that security is only as strong as the weakest link. It does not matter if enterprises have invested in high end infrastructure and security solutions such as complex authentication processes, firewalls, VPNs and network monitoring software. None of these devices or security measures is effective if an employee unwittingly gives away key information in an email, by answering questions over the phone with a stranger or new acquaintance or even brag about a project with coworkers at a local pub after hours.

Attackers take special interest in developing social engineering skills and can be so proficient that their victims would not even realize that they have been scammed because social engineers exploit the natural tendency of a person to trust their word, rather than exploiting computer security holes. It’s generally agreed that users/people are the weak link in security; this principle is what makes social engineering possible.

Here I will show you an example on how social engineering works:-

Let’s look at Example 1: -

!!SAURAV!! (Hacker) calls(mail,chat,etc..) Ankit(victim) and pretends to be a Gmail employee, Here is the conversation:

!!SAURAV!!: Hi Michael I am Robert a Gmail employee

Ankit: Oh so, How are you doing?

!!SAURAV!!: I am fine. I am here to inform you that Gmail is performing a security update on all Gmail accounts and we therefore need to install those securities updates on your account.

Ankit: Yes kindly install those security updates.

!!SAURAV!!: Thanks for your interest in our security updates we will require your account
password for installing it..(You may also tell i will give u a tool install it which may be a sniffer)

Ankit(Victim) has become a victim of social engineering, he will give out his password thinking that the person whom he was conversing was a Gmail employee.


Art of Manipulation

·      Social Engineering includes acquisition of sensitive information or inappropriate access privileges by an outsider, based upon building of inappropriate trust relationships with outsiders.
·      The goal of a social engineer is to trick someone into providing valuable information or access to that information.
·      It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people and the fear of getting in trouble.
Social engineering is the art and science of getting people to comply with an attacker's wishes. It is not a way of mind control, and it does not allow the attacker to get people to perform tasks wildly outside of their normal behavior. Above all, it is not foolproof. Yet, this is one way most Attackers get a foot into the corporation.
Let’s look at Example 2: -
Attacker: "Good morning Ma'am, I am Bob; I would like to speak with Ms. Alice"
Alice: "Hello, I am Alice"
Attacker: "Good morning Ma'am, I am calling from the data center, I am sorry I am calling you so early..."
Alice: " Uh, data center office, well, I was having breakfast, but it doesn't matter"
Attacker: "I was able to call you because of the personal data form you filled when creating your account."
Alice: "My pers.. oh, yes"
Attacker: "I have to inform you that we had a mail server crash tonight, and we are trying to restore all corporate users' mail. Since you are a remote user, we are clearing your problems first."
Alice: "A crash? Is my mail lost?"
Attacker: "Oh no, Ma'am, we can restore it. But, since we are data center employees, and we are not allowed to mess with the corporate office user's mail, we need your password; otherwise we cannot take any action"(first try, probably unsuccessful)
Alice: "Er, my password? Well..."
Attacker: "Yes, I know, you have read on the license agreement that we will never ask for it, but it was written by the legal department, you know, all law stuff for compliance. (effort to gain victim's trust)
Attacker: Your username is AliceDxb, isn't it? Corporate sys dept gave us your username and telephone, but, as smart as they are, not the password. See, without your password nobody can access your mail, even we at the datacenter. But we have to restore your mail, and we need access. You can be sure we will not use your password for anything else, well, we will forget it." (smiling )
Alice: "Well, it's not so secret (also smiling! It's amazing...), my password is xxxxxx"
Attacker: "Thank you very much, Ma'am. We will restore your mail in a few minutes" Alice: "But no mail is lost, is it?"
Attacker: "Absolutely, Ma'am. You should not experience any problems, but do not hesitate to contact us just in case. You will find contact numbers on the Intranet"
Alice: "Thanks"
Attacker: "Goodbye"

You see above example in a few minutes a hacker is able to get information that might have taken him days to get by capturing traffic and cracking the password. So, Social engineering is hacker that depends for getting needed information from a person rather than breaking into a system. It is much easier to gain information by social engineering than by technical methods.

People are usually the weakest link in the security chain. A successful defense depends on having good policies in place and teaching employees to follow the policies. Social engineering is the hardest form of attack to defend against because a company can’t protect itself with hardware or software alone and social engineering concentrates on the weakest link of the computer security chain.

One of the essential tools used for social engineering is a good memory for gathered facts.


Social Engineering can be broken into two common types:
·      Human-based: Human-based social engineering refers to person-to-person interaction to retrieve the desired information. An example is calling the help desk and trying to find out a password.
·      Computer-based: Computer-based social engineering refers to having computer software that attempts to retrieve the desired information. An example is sending a user an e-mail and asking them to reenter a password in a web page to confirm it. This social-engineering attack is also known as phishing.

Many example of Social Engineering is share with you in my next coming article. So, continue reading TRICKS4INDYA.


Note: This is illegal and is for educational purpose only. Any loss/damage happening will not be in any way our responsibility.

If u like then ple follow my blog & also help to promote. Don’t forget to leave comment.

1 comments:

BlueHost is one of the best website hosting company for any hosting plans you might require.

Post a Comment

Related Posts Plugin for WordPress, Blogger...
Twitter Delicious Facebook Digg Stumbleupon Favorites More