Social Engineering is a non-technical way of collecting information from someone. A hacker uses persuasion to get confidential information out of a person.
People hold vital information such as account details and system passwords, but often do not store or handle it safely. The hacker takes advantage of this negligence or carelessness and tries to extract the information from a person.
This is performed through human interaction, either by meeting in person or by calling someone and drawing the information out of him or her in conversation. The final goal is still to gain access to the victim's system and steal the data or information the attacker wants, but it begins with a personal conversation.
For example, a hacker may dress up as a technician and walk into your office, and your receptionist may admit the person and guide him to the systems that are reported to have problems.
In this type of attack the weakness of the individual person is exploited first, and only then the computer or network devices. Hackers or social engineers are essentially con artists who fool or cheat you into doing what they intended.
The attacker makes use of these human behaviors to get information:
- A sense of moral obligation
- The prospect of a reward for disclosing information
Why Social Engineering is Effective
Improper security policies: No outsider should be allowed in without proper ID card verification and an appointment.
Difficult detection: It is difficult to detect that a social engineering attack is taking place, because there are no set signatures as there are for technical attacks. Also, once the attack is over, i.e. once the information has been gathered and the hacker has left, there are no logs of what happened or who came in.
Lack of training: People should be aware of what information they may reveal when talking, and should understand when someone is probing to gather vital information that could later be misused against them.
No patch or software can help: There is no patch or software that can be installed on your employees to stop them revealing information. If a social engineer gets along well with one of the employees, he can obtain valuable information in a few minutes.
Trojan attacks are mainly carried out through social engineering techniques: a hacker may convince a person to open an email, click a link or install software, and the Trojan then gets installed on the system or network to compromise it.
Success behind Social Engineering
The reasons social engineering is such a useful tool are:
a) Trust: Trust is a natural human feeling. If someone dressed like a police officer asks the receptionist to let them in for an immediate check, the receptionist may trust them and allow access to the building or other internal offices.
b) Nature and habits: People follow habits and do the same things on a regular basis, and the hacker can observe these for a few days and then act accordingly. For example, if employees enter the office building or premises at 8:45 AM and the security guard does not have time to check all of them, the hacker can observe this for a few days and then one day dress formally and walk in along with the genuine employees.
Social Engineering Phases
Like any other attack, this is not done at random; it is carried out in proper phases or steps.
- Collect as much information as possible about the target, the so-called victim, using different means such as social engineering, research and observation. This could include phishing, dumpster diving, company visits and employees giving out information.
- Choose the source, individual or group with the highest probability of providing information, and through them get closer to the target. The hacker may, for instance, pick a frustrated employee who may disclose valuable information about the company.
- Deceive the victim and stay close to him or her until the information is extracted. The attacker may also pose as someone else, send emails on another person's behalf, or join the company as a new employee, since at times the employer has not seen the employee until the day he joins.
- Once close enough to extract the maximum amount of information, collect as much as possible and then leave.
These phases correspond to the following components:
- Research (Phase 1)
- Develop (Phases 2 and 3)
- Exploit (Phase 4)
Impact of Social Engineering
Social engineering can have many implications for an organization and for individuals, such as:
Financial loss: The most common impact, and the main reason an attacker would try to compromise your system or organization. A tender or business idea may be stolen, incurring a loss for the victim organization.
Terrorism: This is also common: a few terrorists may be part of your organization or act as your friends, flatmates etc. and then cause severe damage to the organization, state or country.
Privacy exposed: The attacker can extract personal information and use it for blackmail or other purposes.
Lawsuits and arbitration: Depending on the type of information captured or collected by the attacker, legal action may be taken against the victim organization. For example, if a milk manufacturing company is involved in adulteration and this information is brought out by a hacker, the organization has to face legal consequences.
Permanent or temporary closure: Based on the type of information collected and revealed outside, the victim organization may be closed down temporarily or permanently.
Loss of goodwill: If information that disturbs customers leaks out of the organization, the company's goodwill can be lost.
Targets of Social Engineering
An attacker always looks for someone who holds information that is both reliable and accessible. Some typical targets of social engineering are:
Receptionists: The receptionist is the face of the company; they know the majority of people in the organization and also overhear other information about what goes on there. If an attacker gets close to a receptionist, he can gain very valuable and reliable information.
Helpdesk: Helpdesk staff have information about the infrastructure and can be a valuable source of information for the hacker.
System administrators: These are very useful targets, as they hold extremely valuable information about the IT infrastructure, domains, accounts, passwords etc. They can be enticed into revealing information the hacker is interested in.
Social Networking
This is a new form of social gathering that people have started using in the past few years. Through social networking applications people share information about their families, work etc.
Some social networking applications and sites are Facebook, Twitter, LinkedIn etc.
The types of information posted on these sites include:
- Personal information
- Personal and family photographs
- Information about their location
- Employment details
- Friend list and their details as well
Social Networking Countermeasures
- Do not disclose more personal or professional information than required.
- Do not blindly add friends on these social networking websites if you do not know them.
- Use a different password on each site, so that if one is compromised, the others remain safe.