How do hackers exploit human nature for a non-technical breach?

The Art of Making the Employee Gladly Deliver the Key to His Company's Data

How many times has someone downloaded a file or clicked a link and got hacked? How many times has an employee handed critical information to a hacker, thinking he was doing a good deed? I'm sorry to say that breaching a company's data often doesn't need technical tricks at all! Our human nature alone hands the hacker everything he needs on a silver platter.

So, social engineers learn how to use human nature to get critical data from employees without even asking for it.

Christopher Hadnagy, in his book 'The Science of Human Hacking', says that one of the things that makes a successful social engineer is awareness of:

  1. Psychology: to know how we make decisions
  2. Social psychology: to know how we interact in social groups, and how those groups affect us

Thus, what the social engineer needs is to play on human vulnerabilities; if he handles them well, things go swiftly and nobody even discovers that a breach has happened.

 

Kevin Mitnick, one of the most famous hackers, relied more on social engineering than on technical attacks. He admitted that he "was so successful in that line of attack that he rarely had to resort to a technical attack".

 

Let's have a quick look at some forms of social engineering and then see the psychological techniques behind them. If you already know the forms, you can jump to the techniques section.

How do social engineers knock on your door?

1- Phishing

Phishing is attacking people by sending them an email that lures them into opening a malicious file or clicking a link, giving the attacker remote access. The email may also ask the victim to log in, so that the attacker captures the username and password.

Ex. You receive an email that appears to be from PayPal telling you that you paid an amount of money and that, if you dispute this charge, you can cancel the payment via a link. Whether you just clicked the link or logged in, you're in trouble!
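The PayPal example above relies on a mismatch the victim does not notice: the display name says one brand, while the sending address and the link target belong to someone else. The following Python snippet is an added illustration from the defender's side, not code from the original article; it runs a few simple checks over a constructed sample message. The sender address, link and domain names in the sample are made up for the example and do not refer to any real infrastructure.

```python
"""Heuristic checks for the phishing pattern described above.

Added illustration, not code from the original article. The sample message
below is constructed for the example; the sender address, link and domains
are made up and do not refer to any real infrastructure.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name says "PayPal", but the address and
# the link behind the visible URL both point somewhere else.
SAMPLE_EMAIL = """\
From: "PayPal Service" <billing@example-notify.test>
To: employee@example.test
Subject: You paid $249.00 - cancel if you did not authorize this
Content-Type: text/html

<html><body>
<p>You sent a payment of $249.00. If you did not authorize this charge, click
<a href="http://login.example-bad.test/paypal">https://www.paypal.com/cancel</a>
within 24 hours.</p>
</body></html>
"""

# Brands whose name in the display name should match the sending domain.
# Constructed list for the example; a real filter would use a larger one.
KNOWN_BRANDS = ("paypal",)


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' domain; good enough for this heuristic."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_email: str) -> list[str]:
    """Return human-readable indicators found in the message (empty if none)."""
    msg = message_from_string(raw_email)
    indicators = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # 1. A brand in the display name that the sending domain does not contain.
    for brand in KNOWN_BRANDS:
        if brand in display_name.lower() and brand not in sender_domain:
            indicators.append(
                f"display name mentions '{brand}' but sender domain is {sender_domain}")

    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        # 2. Visible text that looks like a URL on one domain while the
        #    actual href goes to another.
        text_host = ""
        if text.startswith(("http://", "https://")):
            text_host = urlparse(text).hostname or ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            indicators.append(f"link text shows {text_host} but points to {href_host}")
        # 3. A plain-http link for something that asks the reader to act.
        if urlparse(href).scheme == "http":
            indicators.append(f"link to {href_host} is not HTTPS")

    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("indicator:", line)
```

None of these checks is conclusive on its own; they are the kind of cheap, explainable signals a mail gateway or a user-awareness tool can surface so the reader's attention is drawn to the mismatch the attacker is counting on them to miss.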

2- Spear Phishing

A highly personalized email that contains details about the victim's personal life.

An example of spear phishing comes from Christopher Hadnagy's book 'The Science of Human Hacking', where he knew from the target's social media accounts that the target had stayed in a hotel. The spear phishing email was as follows:

3- Scareware

How many times have you visited a website and suddenly a message appeared telling you that there is a virus on your device and that you should download an application to get rid of it? I am sorry to say that this "tool" is itself malware. Once you download and run it, the malware is on your device, giving the attacker remote access.

4- Vishing (Voice phishing)

It's phishing via a phone call. The attack itself doesn't happen during the call; the call is just there to gather information that helps the attacker breach the company's network. Unlike email phishing and the other types of phishing, vishing can take more than four months to really get the required information.

Why does it take so long? In email phishing, the victim only has to take a single action, and then the hacker pulls the information he needs from the victim's device, which is just an object. Here, the social engineer has to get the information from a person whose feelings and thoughts control him. So the attacker needs excellent communication skills to work on that person through feelings or logic, depending on the victim's personality. He then has to build rapport and trust, and use every possible trick for a successful conversation with the employee, in order to steal the credentials he needs.

So, what techniques does a social engineer use, and what is it in human nature that he or she can exploit more easily than a technical breach?

Let's see an example from Ian Mann's book 'Hacking the Human' and discover together which techniques and human weaknesses are used.

 

It's three phone calls between a help desk employee, Johnny, and a hacker who claims to be a new HR employee who isn't used to the company's system yet.

The First Call:
  • The Hacker: Hello, can I please speak to the helpdesk?  
  • Johnny: This is the support desk; can I help you?  
  • The Hacker: Oh thanks, this is Sarah Clark calling from BankY. I haven’t called you before, but is this the right number for help with PeopleEasy?  
  • Johnny: Yes, this is the right number Sarah, what is the difficulty?  
  • The Hacker: Well, you will have to forgive me, as I am quite new in this role. I am doing some analysis and need help with summary reports. I work mainly from home and tend to catch up with things once I have put my daughter to bed. I am so glad that you are still available to help me. Tell me, do you always work this late?  
  • Johnny: Yes, I am the lucky person who covers the 7pm to 7am shift on Monday to Thursday.  
  • The Hacker: So is it okay if I call you at this time? Sorry, I didn’t get your name?  
  • Johnny: Johnny. Yes, that is fine, your support contract is 24/7, and to be honest it can get a bit dull through the night. 
  • The Hacker: [Laughs]. Okay Johnny, I might just do that if Jessica gets me up like she often does. Well, as I said Johnny, I am quite new to this. I am just not sure how to run a report for a department to get our usual employee summary. 
  • Johnny: Well, are you in the reports section?  
  • The Hacker: Yes, I think so. I have searched for reports, but get lots of results. I’m not sure which is the best. 
  • Johnny: Oh yes, much better to go to the management tab, then select reports.
  • The Hacker: Thanks. I can see you are an expert at this. Lucky I called you. 

What techniques are used, and which human weaknesses are exploited, in the first call?

1- Pretending to be a certain character

Such pretending includes using the vocabulary of a particular industry, a tone of voice (fearful or decisive), body language, and even clothes.

Here in our example, the hacker pretends to be a new employee who needs help and fears losing her job. She uses a fearful tone of voice and some terms from the human resources field that give her credibility and appeal to the human tendency to like helping.

The Human Weakness: Trapping of the Role
  • Just imagine with me that your friend tells you that her fiancé is a doctor. What do you now think of him without even knowing his name? I'll tell you the picture you draw of him: a serious, respectful, cultured, honest, humane and empathetic man.
  • This is exactly what the social engineer plays on in this example! Simply saying on a phone call that she is an HR employee, and using some HR terms such as 'summary reports', is enough to make Johnny believe her and be ready to build rapport, the first step towards gathering information.
2- Sympathy

It's simply saying "Can you help me?" and showing that you will be in trouble if the other person doesn't help you. In the example, the hacker gains the employee's sympathy by telling him that she is a new employee who needs help and fears doing something wrong and losing her job. She also gains sympathy as a mother who needs to get her work done before her baby wakes up.

The Human Weakness: The desire to help

Psychologists have found that we like to play the role of the helper. We don't do it for others; rather, we do it for ourselves in the first place, because it makes us feel good about ourselves and feeds our pride. Social engineers exploit that very well, using the technique of 'sympathy' mentioned above.


The hacker then makes a second call, asking for a little help and having a pleasant conversation to build rapport.

The Third Call:

The Hacker: Thanks Johnny. You are great at helping me when I need it. I bet you have to deal with much more complex problems than my silly requests 

Johnny: Well, it does vary. But most people are not as nice as you. But yes, the other night I was running custom SQL queries directly from the database.  

The Hacker: Wow, not sure what that is, but sounds complicated. Can you pretty much do anything then?  

Johnny: Yes, the system’s not that difficult when you’ve been at it for a while. 

What techniques are used, and which human weaknesses are exploited, in the third call?

Elicitation

Elicitation is getting information without asking for it. You just keep talking with someone about his life, family, and job, building rapport with him, and he will tell you all of it, including information about his job. He gives the hacker information he thinks is useless, but the social engineer knows very well how to use it.

Some of the tactics used to do this:

  1. Using open-ended questions such as 'how', 'when', and 'why'.
  2. Giving a little information about yourself to encourage the other person to talk about himself.

In our example, after three calls between Johnny and the hacker, Johnny reveals some of his tasks, such as "running custom SQL queries directly from the database." These words tell the hacker that Johnny has full access to the database, so she doesn't need to work on anyone else: the next and final step should also be with him.

The Human Weakness: Liking

All of us, as human beings, like and even need to be liked, and unfortunately, as Kevin Mitnick says, "all of us are more likely to say 'yes' to requests from people we like." Social engineers play on this weakness and try to build rapport with the target. Everyone has their own way of building rapport with people. We see two ways in our example:

  1. The hacker uses flattery: "I can see you are an expert at this" and "You are great at helping me when I need it".
  2. The hacker always uses Johnny's first name, breaking down any barriers between her and the target.

Now let's see the result of the three calls, after building rapport with the help desk employee, who now speaks to his nice friend, not just to another employee.

Hacker: [Crying] … Oh Johnny, sorry to call you. It's Sarah again. Don't know what to do. I'm in a real mess here.

 

Johnny: It’s all right, can I help? Sarah, don’t cry, I’ll do my best.

 

Hacker: I don’t know what to do. I’ve got to get this information for first thing. I’ve been up half the night with Jessica, and now it won’t work.

 

Johnny: What’s wrong? Tell me the problem, and I’ll see what I can do. 

 

Hacker: I don’t think you can help me. It just won’t work at all. I should have done this yesterday. My boss will probably fire me if I don’t have it for the morning. 

 

Johnny: I’ll do my best. Just tell me the problem Sarah, and we’ll sort it out.

 

Hacker: I can’t get anything to work. My computer’s playing up and Explorer won’t come up. I’ve rebooted about 50 times. I know you are great at helping, but I’ve only really used spreadsheets before. At my last job they taught me to do loads of things with spreadsheets. Now I can’t even get into PeopleEasy. What can I do?

 

Johnny: Oh, I don’t know. You say you can’t open Explorer. This is the only way into the system. Are you sure it won’t work? 

 

Hacker: [Crying] … I’ve told you it won’t work. I have to get these figures. I need lots of reports. I’ve got to summarize all this information. If only it was here in a spreadsheet I could do it in time. [Crying] …

 

Johnny: Sarah, don’t cry. You say, if you had a spreadsheet, you could do what you need to do?  

Hacker: Yes, I think so. It’s just that I need all the information. Can you help me Johnny? 

Johnny: Look, I can get you that information. The database is really quite simple. I can make you some spreadsheets with everything you need. 

It's done! Johnny gave the hacker all the spreadsheets, not just some, because she told him she was nervous and couldn't say exactly what data she needed.

 

As we see in the example, Johnny gladly gave the hacker all the information, thinking that he had helped a poor and 'nice' employee who had almost become his friend.

It was done with nothing but communication skills, a few tricks, and a full understanding of human nature.

 

If you want to learn more social engineering techniques and how to defend against them, read part two of this article.
