
How to Get What You Want Through Social Engineering From Start to Finish-Part 1: Understanding the ART

May 15, 2012 08:00 PM

This article was created to help educate individuals about the art of Social Engineering. It is my personal philosophy that the best combatant against "wrongdoers" is educating a populace. Ignorance is the cancer that devours liberty!

Warnings

  • There are things I say in this article to prove a point but should not be performed or interpreted as a challenge in any shape or form.
  • Although there is no law banning social engineering, some of the actions/examples/scenarios in this article could result in legal action and should not be performed.

What is Social Engineering

First off, let me explain what Social Engineering is. Simply put, Social Engineering is the skillful art of exploiting the human condition by creating situations that force a person to rely on basic moral obligations that society/family has ingrained in them over the years. As human beings we have a learned and ingrained desire to be helpful, a tendency to trust others that we can relate to, a tendency to avoid conflict (sometimes through dominance/aggression), and a basic fear of getting in trouble.

Now I know some of you (hardcore mofos) out there will doubt this and take on a silent debate in your head, formulating a rebuttal along the lines of, "I don't trust anyone but myself" or "I don't avoid conflict, I keep it real!" and "Please, I don't care about getting in trouble, I just do what I want". And yes, to an extent that may be true; however, if any of the above apply to you, I simply ask these few questions:

  1. When was the last time your friends talked you into doing something you initially didn't want to do?
  2. If you don't care about getting into trouble then do whatever it is in front of a peace officer.
  3. If you don't trust anyone then you should never ask for advice.

Types of Social Engineering

Pretexting - This type of attack is one that takes some additional initial steps to ensure success. The act of pretexting is one that places the target in an artificial situation, created by you, that seems so realistic they begin to divulge information willingly. This type is "personally" the best, as a successful attack often results in more information than you originally intended to uncover, with little effort once trust is established.

The above is a simulated pretexting attempt I snapped of a friend; the call was fake and only done for the photo. Realistically though, a malicious user would attempt to gather as much information about the target as possible before attempting contact. This allows the malicious person to develop a scenario to use during the conversation.

Phishing - This type of attack often comes in the form of email, in which a message is sent to (possibly) millions of targets in the hopes that some users may reveal valuable information. Phishing is further broken down into two subcategories: 1) Whaling and 2) Spear Phishing. The difference between them is subtle; however, the former focuses on targeting high profile targets in a company whereas the latter focuses on targeting specific groups of individuals that have something in common. When whaling, malicious users usually take advantage of the information present in the 'Bio' section of a company's website, an executive's blog, or just friend them on FB or MS.

The above example demonstrates a simple phishing attempt. The return sender's domain was broadwaymusicalhome.com and the link in the message would send me to http://mvateta.truedateandlove.com/. Now, I have never been to either of these sites, nor have I ever spoken with this person. Finally, they close with the name Bella but the sender is Daniel. If I really had spoken to this person, why don't I know their name, the domain, the signature name, heck, anything about this? This is a typical spam message that targets lonely or desperate persons (from what I can tell).
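The two mismatches pointed out in that message (link domain versus sender domain, sign-off name versus sender name) can be checked mechanically. The following is an added example, not part of the original article; the sample message is constructed, using only the two domains and the names Daniel and Bella from the article, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: only the two domains and the names Daniel/Bella come
# from the article; the local part, subject and body text are made up.
SAMPLE = """\
From: Daniel <daniel@broadwaymusicalhome.com>
To: reader@example.org
Subject: hi again

It was nice talking to you. See my photos here:
http://mvateta.truedateandlove.com/

Bella
"""

def base_domain(host):
    # Naive registrable domain: last two labels (assumption; a real tool
    # would consult the Public Suffix List).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def mismatch_flags(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_dom = base_domain(addr.rpartition("@")[2])
    body = msg.get_payload()
    flags = []
    # 1) Links that lead somewhere other than the sender's own domain.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if base_domain(host) != sender_dom:
            flags.append(f"link domain {base_domain(host)} != sender domain {sender_dom}")
    # 2) Sign-off name (last non-empty line, if it is a single word) that
    #    does not appear in the From display name.
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    if lines and re.fullmatch(r"[A-Za-z]+", lines[-1]):
        if lines[-1].lower() not in display.lower().split():
            flags.append(f"signed '{lines[-1]}' but sent by '{display}'")
    return flags

if __name__ == "__main__":
    for flag in mismatch_flags(SAMPLE):
        print("FLAG:", flag)
```

Neither flag proves malice on its own, since legitimate mail often links to third-party domains; together with an unknown sender they match the pattern described above.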

Baiting - This type of attack relies mainly on the curiosity of individuals, in which a malicious person will "leave" some form of removable media to be found by a potential victim. As the victim tries to examine the contents of the media, they usually end up with some form of malware being executed on their computing device. "I bet you'll think twice about checking that blank CD next time!"

The above is a sample picture of a pink thumb drive I placed in the driveway. Although a real baiting attempt would more likely be some removable media placed in a high traffic area related to the target (break room, commons area, etc.), it still supports the point of this attack.

Physical - This type of attack contains the highest level of risk for the malicious person, as it involves actually going to a physical location and attempting to gain information/access. This form of attack can include, but is not limited to: creation of false identification cards or costumes, tailgating, shoulder surfing, dumpster diving, and just plain old hanging out.

The above is a simple picture to simulate shoulder surfing, in which the malicious person attempts to look at what the user is interacting with.

Upcoming article

In the next article I will be focusing on various methods of preparation that are done to carry out effective Social Engineering attacks. As always, happy reading and in the words of Stan Lee via Spider-Man comics, "With great power comes great responsibility".
