How many times has someone downloaded a file or clicked a link and got hacked? How many times has an employee handed critical information to a hacker, thinking they were doing a good deed? I’m sorry to say that breaching a company’s data often needs no technical tricks at all: our human nature hands the hacker everything he needs on a silver platter.
So social engineers learn how to use human nature to get critical data from employees without even asking for it.
Christopher Hadnagy, in his book ‘The Science of Human Hacking’, says that one of the things that makes a successful social engineer is being aware of:
Thus, what the social engineer needs is to play on human vulnerabilities; if he handles them well, things go swiftly and nobody even discovers that the breach has happened.
Kevin Mitnick, one of the most famous hackers, relied more on social engineering than on technical attacks. He admitted that he “was so successful in that line of attack that he rarely had to resort to a technical attack”.
Let’s have a quick look at some forms of social engineering and then see the psychological techniques used behind them. If you already know the forms, you can jump to the techniques section.
Phishing is attacking people by sending them an email that gets them to click on a malicious file or link, which gives the attacker remote access. The mail may also ask them to log in, so that the attacker captures the username and password.
Ex. You receive an email that appears to be from PayPal telling you that you paid an amount of money, and that if you dispute this charge you can cancel the payment via a link. Whether you just clicked the link or logged in, you’re in trouble!
Spear phishing is a very personalized email that contains details about the victim’s personal life.
An example of spear phishing from Christopher Hadnagy’s book ‘The Science of Human Hacking’, where he knew from the target’s social media accounts that the target had stayed in a hotel. The spear phishing email was as follows:
How many times have you visited a website and suddenly a message appeared telling you that there is a virus on your device and that you should download an application to get rid of it? I’m sorry to say that this tool itself is the malware. When you download this tool or app, the malware lands on your device, giving the attacker remote access.
Vishing is phishing via a phone call. The attack doesn’t happen during the phone call; the call is just to gather information that helps the attacker breach the company’s network. Unlike email phishing or the other types of phishing, vishing can take more than 4 months to really get the required information.
Why does it take so long? Because in phishing the victim just takes a certain action and the hacker then gets what he needs from the victim’s device, which is just an object; but here the social engineer gets the information from a person whose feelings and thoughts control him. So he needs excellent communication skills, working through feelings or logic depending on the victim’s personality. The attacker then needs to build rapport and trust, and use every possible trick for a successful conversation with the employee, to steal the credentials he needs.
Let’s look at an example from Ian Mann’s book ‘Hacking the Human’ to discover together which techniques and human weaknesses are used.
It consists of three phone calls between a help desk employee, Johnny, and a hacker who claims to be a new HR employee who isn’t used to the company’s systems yet.
Such pretending includes using the words of a particular industry, tone of voice (fearful or decisive), body language, and even clothes.
Here in our example, the hacker pretends to be a new employee who needs help and fears losing her job, using a fearful tone of voice and some human resources terminology that give her credibility and appeal to our natural liking for helping others.
It’s just saying, “Can you help me?” and showing that you will be in trouble if the other person doesn’t help you. In the example, the hacker gains the employee’s sympathy by telling him that she is a new employee who needs help and fears doing anything wrong and losing her job. She also gains sympathy as a mother who needs to get her work done before her baby wakes up.
Psychologists say that we like to play the role of helper. We don’t do it for others; rather, it’s for ourselves in the first place, since it makes us feel good about ourselves and feeds our pride. Social engineers exploit this very well, using the ‘Sympathy’ technique mentioned above.
Then the hacker makes a second call, asking for a little help and having a nice conversation to build rapport.
The Hacker: Thanks Johnny. You are great at helping me when I need it. I bet you have to deal with much more complex problems than my silly requests.
Johnny: Well, it does vary. But most people are not as nice as you. But yes, the other night I was running custom SQL queries directly from the database.
The Hacker: Wow, not sure what that is, but sounds complicated. Can you pretty much do anything then?
Johnny: Yes, the system’s not that difficult when you’ve been at it for a while.
Elicitation is getting information without asking for it. You just keep talking with someone about his life, family, and job, building rapport with him, and then he tells you all of it, including information about his job. He gives the hacker information he thinks is useless, but the social engineer knows very well how to use such information.
One of the tactics to do this
In our example, after three calls between Johnny and the hacker, Johnny tells the hacker some of his tasks, such as “running custom SQL queries directly from the database.” These words tell the hacker that Johnny has full access to the database, so she doesn’t need to work on anyone else: the next and last step should also be with him.
As human beings we all like, and even need, to be liked, and unfortunately, as Kevin Mitnick says, “all of us are more likely to say “yes” to requests from people we like.” Social engineers play on this weakness and try to build rapport with the target. Everyone has his own way to build rapport with people. We see two ways in our example:
Hacker: [Crying] … Oh Johnny, sorry to call you. It’s Sarah again. Don’t know what to do. I’m in a real mess here.
Johnny: It’s all right, can I help? Sarah, don’t cry, I’ll do my best.
Hacker: I don’t know what to do. I’ve got to get this information for first thing. I’ve been up half the night with Jessica, and now it won’t work.
Johnny: What’s wrong? Tell me the problem, and I’ll see what I can do.
Hacker: I don’t think you can help me. It just won’t work at all. I should have done this yesterday. My boss will probably fire me if I don’t have it for the morning.
Johnny: I’ll do my best. Just tell me the problem Sarah, and we’ll sort it out.
Hacker: I can’t get anything to work. My computer’s playing up and Explorer won’t come up. I’ve rebooted about 50 times. I know you are great at helping, but I’ve only really used spreadsheets before. At my last job they taught me to do loads of things with spreadsheets. Now I can’t even get into PeopleEasy. What can I do?
Johnny: Oh, I don’t know. You say you can’t open Explorer. This is the only way into the system. Are you sure it won’t work?
Hacker: [Crying] … I’ve told you it won’t work. I have to get these figures. I need lots of reports. I’ve got to summarize all this information. If only it was here in a spreadsheet I could do it in time. [Crying] …
Johnny: Sarah, don’t cry. You say, if you had a spreadsheet, you could do what you need to do?
Hacker: Yes, I think so. It’s just that I need all the information. Can you help me Johnny?
Johnny: Look, I can get you that information. The database is really quite simple. I can make you some spreadsheets with everything you need.
It’s done! Johnny gave the hacker all the spreadsheets, not just some, because she told him she was nervous and couldn’t say exactly what data she needed.
As we see in the example, Johnny gladly gave the hacker all the information, thinking he had helped a poor, ‘nice’ employee who had almost become his friend.
All of it was done with only communication skills, a few tricks, and a full understanding of human nature.
If you want to know more social engineering techniques and how to fight them, read part two of the article.