This article will dive deep into social engineering: how it is done and how we can protect ourselves from social engineering attacks and frauds. Social engineering is a real-life hack, but nowadays it is mostly referred to as a computer-related hack. Social engineering is the most dangerous and effective type of hacking, and we will keep saying so.
Table of Contents of Social Engineering Article
- What is Social Engineering
- Social Engineering Definition
- Social Engineering Examples
- Social Engineering Techniques
- Social Engineering Attacks
- Social Engineering Toolkit (SET)
- Social Engineering Tools
- Social Engineering Books
- Safety from Social Engineering Frauds
- In-depth Social Engineering Guidance
What is Social Engineering
“To continue you will need to enter your Facebook password.” That line is itself a social engineering attempt: had I built on it to make you involuntarily type in your own password, that is exactly how social engineering (SE) is done. The hacker creates a situation that leads the victim into sharing confidential information.
Social engineering tactics are used by criminals because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your account. It is much easier to fool a person into sharing their password than it is to try to crack it. That concept is what social engineering is all about.
Social Engineering Definition
Social engineering definition as per Wikipedia:
Social engineering refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.
Although the term “social engineering” as an act of psychological manipulation is also associated with the social sciences, information security professionals treat it as a field of computer science because it pertains to computers. In my definition, social engineering is an art: the hacker is the artist and the victim is the painting. “Social Engineering: The Art of Human Hacking” is a great read that covers all aspects of SE based on the same logic I presented above.
The meaning of social engineering should be very clear by now. It is important to understand what SE is all about before you read any further, so I have tried to keep the start very simple.
Social Engineering Examples
Before we go into the mechanics and explain how social engineering is carried out, I will share some real-life examples of social engineering. Although social engineering was taking place even before computers were invented, my favourite real-life example is from the 1960s, when Frank Abagnale made a living faking identities and passing bad checks. Catch Me If You Can was based on the same story.
- Mark Rifkin used a series of social engineering attacks to pull off a large bank heist in the 1970s. He is responsible for stealing $10.2 million through a wire transfer arranged via telephone in the autumn of 1978. At that time, it was the largest bank robbery in U.S. history.
- The Blind Badir Brothers is an amazing story of three brothers, born blind, who became notorious phone phreakers and social engineers. It is said that at one point they could tell you the number you dialed just from the tones, without being able to see you dial.
- The notorious Fluffi Bunni was an extreme group of underground hackers that combined social engineering and hacking skills to wreak havoc on companies. After the September 11th attacks in New York, USA, they vandalized websites with the message “Fluffi Bunni Goes Jihad,” which landed them a spot on the FBI’s radar.
- The AOL hack is a prime social engineering example. The attacker called an AOL tech support member and spoke with him for an hour. During the call the attacker mentioned that he had a car for sale. Using rapport-building skills and a friendly voice, he instantly gained the AOL employee’s trust, and the employee showed interest in the car. The attacker then sent the support rep an email with what was supposedly a photo. Instead of a photo, he sent a back-door exploit that got through the AOL firewall and gave the attacker access to AOL’s internal network. Before he was stopped he had accessed over 200 accounts and all of their personal information.
- The RSA SecurID breach was carried out when the attacker sent two different phishing emails over a two-day period to two small groups of employees. These employees were not users with particularly high-level access. The email subject read ‘2011 Recruitment Plan’. The email was crafted well enough to trick one of the employees into retrieving it from their junk mail folder and opening the attached Excel file, a spreadsheet titled ‘2011 Recruitment plan.xls’. The attachment contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). The company spent $66 million recovering from the attack, and information about RSA’s popular SecurID two-factor authentication mechanism was compromised.
- Hidden Lynx watering hole on Bit9 – In 2013, the “Hidden Lynx” cyberespionage group in China used watering-hole attacks to compromise security firm Bit9’s digital code-signing certificates, which were later used to target some of Bit9’s customers. Watering holes are more subtle than phishing attacks: malware is injected into a legitimate website that organizations in the target industry are already likely to visit. The attackers accessed Bit9’s file-signing infrastructure so that they could sign malware and make it seem legitimate. They then used it to attack Bit9 itself, at least three of its customers, and three defense industrial base organizations that were customers of Symantec.
- AP Twitter hijack – In 2013, the Twitter account of the Associated Press news wire service reported “Breaking: Two Explosions in the White House and Barack Obama is injured.” AP’s Twitter account had been hijacked by the Syrian Electronic Army. The impact? The US stock market crashed. The tweet was sent at 1:07 p.m.; at 1:08 the Dow started its nosedive, dropping 150 points before 1:10, when news began to spread that the tweet was erroneous. This was yet another attack that started with phishing, and even a security-savvy user might have fallen for it.