We have written much about Social Engineering, and you might have read about it at other places too. Social Engineering is the method where social engineers (read: hackers) do not even not even have to touch a keyboard to get confidential data. The methods are different and hard to count. I studied a bit and found that I can categorize these methods into different headings as written below. Out of the many methods, this article covers the top 5 popular methods of social engineering.
Methods of Social Engineering
We had touched upon the social engineering techniques earlier. This article can be considered in continuation of the linked one. Following are most used methods – not including the socially engineered malware.
The most used method for social engineering is to gain the confidence of employees of the target business. One or more of the other headings in this article also fall into this category, but I’ve written about them separately so that I can detail them.
You can talk about anything with your friends, people whom you trust. In the case of problems, you would reach out to them and tell them whatever is bothering you. And during such a time, if the other asks you a question, you won’t give a second thought as to why the person is asking the question, before replying. Social engineers manipulate human emotions and use them to obtain the data and information they want.
The easiest method is to pose as an authority. It is common that social engineers use fake ID cards to prove their fake identity and to make you trust them. Once you fall into their trap, it is easy for them to obtain any type of information they want.
According to what I read on the topic, most social engineers will show that you are in some kind of trouble for working with the company and that they are trying to help you. When in terror, you speak like a parrot – giving them the information they need.
A website said that acting in anger makes other submit to your deeds. I am not sure about it completely as I am not a psychologist but am mentioning it here in case you wish to know about it. It is usually said the social engineers would feign anger while walking to departments containing information. People wish to avoid anger, and they won’t stop you if they see you are angry. That’s an attempt on your part to stay away and keep your mood stable instead of dealing with an angry person. It gave an example that when a couple wanted to sneak in a bottle of alcohol into some park, the couple just acted angrily and bypassed the frisking zone as security just hailed them in. I don’t know how effective it is, but there seems some logic. If it is true, you should tell your guards to stick to rules irrespective of how the customers are behaving. One of them might be just a social engineer.
Making friends is another popular method that I will cover in the next section.
Using waterholes for Social Engineering
While friends can be made anywhere, following an important person to his or her waterhole (bar/pub etc.) is the best method to gain confidence. People usually talk a lot at such places – if you provoke them. Since they unwind there, they have the need to talk and vent out their emotions. If they see you more than once, it is natural that they would want to know you more. And in this scenario, it is very easy to gain their confidence. Once you have their confidence, you can simply direct the conversation to their workplaces and get the information you want.
Using interviews for obtaining data
Among the other popular methods of social engineering, attending interviews of the target company also stands out. Interviewers, after asking you questions, are ready to take questions. You can ask them about the company, its strength, etc. as general questions. But if you have managed to gain the confidence of interview panel, you can also ask them questions that provide you with the information you need. They could be questions about the performance of the company, how they got an order that you were sure for yourself, and things like that. For them, you are just an honest interviewee while in reality, you went there with the aim to gather information.
Employment for social engineering
In some cases, social engineers take up employment in the target companies to dig out the required information. While for some social engineers, an interview is enough to get the desired info, others plan bigger and get into employment. Being an employee, they get access to the machinery of the company that they use for their agenda.
They’ll make use of training to know how the target business functions. Then, they will have colleagues that they’ll convert into friends. They’ll hang along for smokes, breaks and maybe even after office hours. The best method is to talk about your role and get them talking – first by asking simple questions and then moving towards the desired information.
These types of social engineers can provide information to their masters or whoever hired them, for longer periods. Being an employee, they can also move from one department to others and may get managers into talking by raising questions about the functioning of a certain process – as if they don’t get it or as if they are not satisfied with the way a process works. That’d lead the manager to speak about the process and unknowingly provide the information to the social engineers.
Honey Trapping: Techniques for social engineering
This is among the popular methods of social engineering when the stakes are high. Usually, men are more prone to honey traps compared to women – according to a movie I saw about the assassination of an Indian Prime Minister. The method might be costly as it engages third parties. It also is pretty bad on the trapped person as he or she will live under constant fear and stress, not to mention the guilt he/she will carry for rest of life.
This dangerous method can be described in following steps:
- Identify the person in the target company who has good insider information
- Have a high-class hooker to seduce the person
- Film it when they’re in the act
- Use the film to blackmail the trapped person
The same method was used in recent Pathankot Air Base (2016) terrorist attack in India. As the film/video is with the social engineer, the person can get whatever he or she wants. They can even make the trapped person do things he or she won’t ever think of doing. In some cases, the stress and guilt are so high that the trapped person may commit suicide.
There is not much you can do in cases of honey traps except to educate the people who work for you. But that is not a guaranteed solution as it plays with the basic human tendencies. Likewise, there is no 100% firewall against any of the above methods of social engineering. People err, and that’s where the social engineers make profits. All you can do is to educate, and if the employees understand, it is good or else not only they themselves, but their companies are also at risk of social engineering.
Download this ebook on Social Engineering Attacks released by Microsoft and learn how you can detect and prevent such attacks in your organization.