Social engineering, as it relates to information security, is the manipulation of people into divulging confidential information or performing harmful activities, allowing hackers to defeat a security system. In fact, the most frequent and effective acts of social engineers (SEs) rely on and exploit human vulnerabilities, which is why the practice is referred to as “social engineering.” Hackers refer to one such social engineering method as the “username & password harvesting technique.”
A recent prime example that may have cost Hillary Clinton the US presidential election was a miscommunication between Democratic National Committee (DNC) IT security personnel and her campaign manager. The campaign manager was instructed to click on a rogue link in an email to reset his password. This mistake gave away emails, allegedly to Russian hackers, that were made public through WikiLeaks, further damaging her already tarnished image.
According to a PC World article, the following are the “Top 5 Social Engineering Exploit Techniques”:
- Familiarity Exploit – this technique requires hackers to blend into a social situation and to make themselves familiar with others so that when the time is right, guards are down, and the hacker can perform hacking activities without any red flags. This might take the form of being able to access a secure area by following someone who has developed trust in you.
- Creating a Hostile Situation – when a hacker appears angry, mad or upset, some people are hesitant to stop and engage them, or are willing to limit the length of the engagement. For example, getting someone to open a door or to provide information is easier when a hacker has created an uncomfortable situation, such as an argument with a wife, causing a security guard to wave the couple through without checking them.
- Gathering and Using Information – hackers look to collect information from wherever they can get it: unlocked cars in parking lots; sites that contain biographical information such as LinkedIn, Google, Facebook, MySpace and more; pictures, postcards, books, and other personal items that can be viewed in a workspace area or office; pretending to be a manager from another office; dumpster diving; etc.
- Getting a Job There – some with insidious intent go so far as to get a job at a place they are interested in targeting. Once an employee is in a business, it is easy to collect social engineering information from coworkers, offices, and fellow employees.
- Reading Body Language – SEs often find it beneficial to learn human body language to read the thoughts and feelings of targets as well as to appear sincere to targets.
Following is an interview with a social engineer who makes money scamming unsuspecting individuals and businesses.