Social Engineering by Christopher Hadnagy

The Art of Human Hacking

Learn the tricks and methods scammers use and how to steer clear of them.

Have you heard about the email of a Nigerian prince seeking help retrieving an inheritance in exchange for money? Or have you seen the movie The Sting and been astounded by how the two main characters can trick almost anyone? You might have wondered if someone can truly carry off these types of schemes. Do people actually fall for them? The obvious response is yes, but the real question is why.


Social engineering is a broad body of knowledge and skills, and most of us are vulnerable to it without ever noticing it is happening. It is more than a natural gift for talking nicely and being sociable; it is a discipline practiced both by scammers and by those who work to stop them.


In this summary, we will examine the fundamentals of social engineering, how it works, and the tools involved.


In this summary, you will find


How a website about stamp collecting exposed a security weakness.

How 30,000 of 734,000 social media users used their first name as their password.

Why a photo of your children could expose you to Social Engineering.



1. Social engineering is a method for gaining influence over others without their knowledge.


Have you ever been talked into buying something, only to discover later that you neither needed nor wanted it? If so, you are not alone. Most of us have been exposed to some form of social engineering at some point in our lives.


Social engineering is a set of psychological methods that exploit human vulnerabilities to influence a target's behavior. These techniques may take the form of spoken language, body language, or subtle cues.


Governments, salespeople, and law enforcement personnel are well-versed in these strategies, but the truth is that we all use social engineering, including our friends, family, and coworkers. For example, when a child says "Mommy, I love you. Can I have a puppy for my birthday?" they are employing social engineering to influence their parents.


Of course, social engineering is not only used for small, short-term advantages; it can also cause significant harm. Con artists and scammers, for example, use social engineering to deceive their victims and breach security systems.


If you want to put malware on a company's server, you may go all out and fight your way into the server room. But that's a mess. Instead, a social engineer will disguise themselves as an IT specialist and develop a compelling story in order to bypass security.


Once inside, they can do whatever they want, and no one will know. As far as the security guard knows, the "IT person" was simply performing their job.


But nobody wants to be duped like this. Fortunately, we can defend ourselves by understanding how social engineering works.


Security auditors such as the author are hired to impersonate malicious social engineers and assess a client's security through authorized penetration tests, or pentests, which are essentially staged social engineering attacks. The client does not know when, where, or how the attack will occur.



2. The initial step of a social engineering campaign, whether fake or real, is to gather information.


Whether you're a security auditor or a criminal social engineer, you must first identify your target before planning an attack. The better you understand your target, the more you'll be able to influence them and make your plan more effective.


Begin by building a profile of your target. An excellent place to start is the internet: certain websites allow you to trace a person's email address, phone number, and even IP address, and social media can be a valuable resource. Be diligent! Even small details can be useful.


For example, Mati Aharoni, the author's mentor, was once paid to conduct a pentest for a particular organization. Aharoni learned that one of the company's top officials used his company email on a stamp collectors' forum.


So Aharoni set up a website with a stamp-related URL and embedded a program on it that gave him access to any visitor's PC. He then called the official, asked whether he wanted to buy his "deceased grandfather's stamp collection," and offered to send him a link to the website. The target, caught off guard, gladly accepted and fell for the trap.


As you can see, even seemingly small information can have a significant payout!


You can also learn a lot about someone by observing their daily activities.


It's a good idea to follow your target through their regular routine. Which sites do they visit regularly? Do they smoke? If your target is a company, do employees enter the premises with keys or magnetic cards? Does the building have security cameras?


Finally, while it is not glamorous, going through your target's rubbish can yield valuable information. People throw away CDs, letters, invoices, and other sensitive items. But be smart: move the bags somewhere else before you sort through them, to avoid being caught.



3. Attackers develop undercover pretexts and identities in order to get access to their targets.


Imagine you are a detective preparing to go undercover. Would you reveal your real name, address, and backstory? Of course not! You'd make a backstory and an alias, then utilize what you know to devise a good plan to go undercover.


It starts with a pretext, a circumstance that makes your target feel comfortable doing something they would not typically do. This is why it is critical to obtain accurate information about your target from the start: the better your information about them, the more convincing the pretext will be.


Assume your target is a CEO who routinely donates to a charity. That knowledge can shape your pretext. You might pose as a salesperson and offer to donate a percentage of any purchase to the CEO's favored charity.


After all, CEOs will not meet just anyone, and naming this charity improves your chances of getting in the door.


When creating your identity, it is critical to draw inspiration from your target's hobbies in order to inspire their trust in you.


The most straightforward approach is to identify a genuine shared interest with your target. If that isn't possible, adjust your identity to match your actual level of competence in the "shared interest." For example, if you want to persuade a chemist to reveal a patented formula but are not a scientist, posing as a fellow chemist is risky. You could, however, pose as a "student" who admires their work.


Accents and dialects are another effective communication technique. With a keen ear and some decent teaching audiotapes, you can learn them quite easily.


Depending on the situation, some accents can quickly make you likable. In a sales training class, the author discovered that 70% of Americans prefer to listen to someone with a British accent!


Whatever you do, keep in mind that your pretext and identity must appear rational and natural.



4. Building a relationship and rapport with your target makes them more open to your suggestions.


Social engineers understand that people like to be liked. They also know that people who like you will go to great lengths to help you. But how do you get complete strangers to like you instantly?


Begin by making the target believe you have good chemistry and rapport. One approach to accomplish this is to focus the discourse on the target. After all, everyone enjoys talking about themselves!


Be aware of your body language. Matching their movements discreetly demonstrates that you two have chemistry. For example, if they cross their arms, follow suit.


You can also establish rapport by matching your appearance with theirs. For example, if you're speaking with company management, you should dress professionally, wear a tie, and speak as they do.


Once you've established rapport, you can use elicitation to get people to do what you want because it makes sense or feels reasonable to them. To use elicitation effectively, you must first understand a few facts about people: they tend to be polite to strangers, they talk more when they feel appreciated, and they respond warmly to someone who shows concern for them.


Social engineers use this expertise to persuade others to follow their advice. If you know your target is a parent, for example, use a child as a pretext.


You might explain to the receptionist that you have a job interview scheduled, but your daughter spilled coffee on your briefcase this morning and you had no time to print another CV. You could then remark that, judging by the picture on his desk, his child must be about the same age as your daughter. Perhaps he could help you out by printing another CV?


That's when you hand him a USB stick that carries your "CV" along with malware.



5. Social engineers are adept at reading microexpressions.


Think about all the white lies you've ever spoken. Do you think others were aware you were lying? Probably. But it's not because they were paying attention to the logic of your deception; instead, they probably read it on your face.


Our faces tend to unintentionally disclose our feelings. These microexpressions appear in less than a second yet are unmistakable.


Microexpressions are universal; people convey their feelings on their faces in the same way regardless of cultural background. For example, a genuine smile engages the orbicularis oculi muscles around the eyes, which, according to the French neurologist Duchenne de Boulogne, cannot be contracted at will.


While law enforcement examines microexpressions to detect deception, social engineers use this knowledge to mislead their victims.


For example, Tom, one of the author's colleagues, noticed that his target smiled whenever he talked about something pleasant. Tom began clicking a pen each time the target mentioned something pleasant, and the target came to associate the click with positive emotions.


Eventually Tom clicked the pen while the target was saying something unpleasant. The target started to smile, then felt uncomfortable because he was smiling about something awful.


But recognizable emotions extend well beyond smiles. The author outlines seven sorts of universal emotions, each with its unique microexpressions:


Anger causes the brows to slant down together while the lips expand outward.

Disgust causes creases in the nose and lifts the top lip.

Contempt wrinkles the nose and lifts only one side of the lip.

Fear causes us to widen our eyes, with brows bunched and lips extended outward.

Surprise elevates the eyebrows and lowers the jaw.

Sadness also lowers the jaw, drags the lips down, and squints the eyes.

Finally, happiness widens the eyes, lifts the cheekbones, and causes a smile.

Reading your target's microexpressions can help you detect their emotions and respond appropriately.



6. Social engineers utilize neuro-linguistic programming to persuade their target to do what they desire.


Con artists are well known for their ability to convince anyone to do anything. Many people attribute this to a natural gift for sweet talk, but there is actual science behind it. In this section, we look at one such science: neuro-linguistic programming.


Neurolinguistic programming, or NLP, is a type of communication that focuses on how individuals think and perceive the world.


Richard Bandler and John Grinder created NLP in the 1970s to investigate how language patterns influence behavior. NLP emphasizes the concepts of state of mind, conscious/unconscious interactions, and the filters we employ to make sense of reality.


Salespeople and supervisors learn NLP to improve their self-awareness and communication skills. For example, NLP training scripts can assist a salesman in getting a customer to talk about their aims and dreams. With this new information, the salesman can present their product in the conversation to realize those dreams.


Social engineers utilize NLP to insert commands into their speech without alerting the target. In NLP, this skill is known as the ultimate voice.


One way to use the ultimate voice is to mark the words you want the target to focus on with your tone of voice. For example, we normally end a question such as "Don't you agree?" with a rising tone. Saying "agree" with a falling tone instead makes it sound more like a command.


Another method is to conceal commanding statements in sentences organized as mild suggestions, emphasizing specific words and commanding the listener's subconscious.


For example, when you ask, "So, do you want steak or something else for lunch today?" and stress the words "you want steak," the embedded command sways the listener's choice.


These are advanced psychological techniques that require training and practice. However, if you take the time to learn them, you may significantly impact others simply by appropriately communicating with them.



7. Social engineers penetrate and collect information using physical and online techniques.


Sometimes social engineers face an obstacle that no amount of polite talk can overcome: locks. However, no lock, whether physical or digital (such as password protection), is impregnable.


You will need to use specific equipment to open a physical lock and gain access to personal files or other data.


A pin tumbler lock contains a row of spring-loaded pins of different lengths. The correct key lifts each pin to exactly the right height so that the gaps between the pin stacks line up along the shear line; once they do, the plug can turn and the door unlocks. Lock picking achieves the same result without the key, except that you have to set each pin to the right height individually.


To do so, you need only two tools: a tension wrench, a flat piece of metal that applies light turning pressure to the plug, and a pick, a long piece of metal with a bend at the tip.


It's simple in principle: insert the tension wrench and apply gentle pressure, then use the pick to lift the pins one by one. When a pin reaches the shear line you will feel a slight click and the plug will rotate a fraction; once every pin is set, the plug turns and voilà!


Passwords are a different matter. Fortunately for social engineers, most people's passwords are highly vulnerable. How weak? In 2009, a hacker known as Tonu cloned a social media site on a recently lapsed web address. Of the 734,000 people who logged in to the bogus site, 30,000 used their first name as their password, and 17,601 used the password 123456.


Of course, if your target's password isn't their first name, you'll have to try something else. Passwords can be attacked with free software such as the Common User Passwords Profiler (CUPP).


When the author runs security training exercises, he invites volunteers to type a password they believe is secure into a computer. Using tools like CUPP, he can crack it in under two minutes.


CUPP takes the target's personal information, such as nicknames, birthdays, and a spouse's name, and generates a list of likely passwords built from it. A weak password made from these pieces falls to such a list in a few days or less.
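To show why passwords built from personal details fall so quickly, here is a small, self-contained Python illustration of the profiling approach described above. It is an added example, not CUPP's code and not anything from the book: it takes a handful of facts about a target and expands them with the common mutations people apply (capitalization, date fragments, numeric suffixes, leet substitutions, pairing two names). The profile is constructed for the example and does not describe a real person. The point is the size of the resulting list: a few hundred candidates cover a large share of "personal" passwords, which is why they can be exhausted in seconds rather than days.

```python
"""Personal-information wordlist generator (educational example).

Illustrates the general approach of profiling tools such as CUPP:
take what is known about a target and expand it with the mutations
people habitually apply to "personalize" a password. This is an
independent, simplified example, not CUPP's code.
"""
from itertools import product

# Suffixes people commonly append to a name to satisfy a password policy.
COMMON_SUFFIXES = ["", "1", "12", "123", "!", "01", "2023"]

# Minimal leet substitutions (a->4, e->3, i->1, o->0, s->5).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

# Constructed example profile; not a real person.
PROFILE = {
    "first_name": "Jessica",
    "last_name": "Harper",
    "nickname": "Jess",
    "partner": "Daniel",
    "pet": "Biscuit",
    "birthday": "1985-03-14",
}


def case_variants(word):
    """lower / Capitalized / UPPER forms of a single word."""
    return {word.lower(), word.capitalize(), word.upper()}


def date_fragments(date_iso):
    """Turn 'YYYY-MM-DD' into the pieces people paste onto passwords."""
    y, m, d = date_iso.split("-")
    return {y, y[2:], m + d, d + m, d + m + y, d + m + y[2:], m + d + y[2:]}


def generate(profile):
    """Return a sorted list of candidate passwords derived from the profile."""
    words = set()
    for key in ("first_name", "last_name", "nickname", "partner", "pet"):
        value = profile.get(key)
        if value:
            words |= case_variants(value)

    fragments = set()
    for key in ("birthday", "partner_birthday"):
        if profile.get(key):
            fragments |= date_fragments(profile[key])

    candidates = set()
    for word in words:
        for suffix in COMMON_SUFFIXES:
            candidates.add(word + suffix)          # Jessica, Jessica123, ...
        for frag in fragments:
            candidates.add(word + frag)            # Jessica1985
            candidates.add(frag + word)            # 1985Jessica
        candidates.add(word.translate(LEET))       # J3551c4

    # Two-name combinations, e.g. first name + partner or pet.
    names = [profile[k] for k in ("first_name", "partner", "pet") if profile.get(k)]
    for a, b in product(names, repeat=2):
        if a != b:
            candidates.add(a.lower() + b.lower())
            candidates.add(a.capitalize() + b.capitalize())

    return sorted(candidates)


def guessable(password, profile):
    """True if the password appears in the profile-derived candidate list."""
    return password in set(generate(profile))


if __name__ == "__main__":
    wordlist = generate(PROFILE)
    print(f"{len(wordlist)} candidates generated from the profile")
    for pw in ("Jessica1985", "jess14031985", "B15cu1t", "correct horse battery staple"):
        print(f"{pw!r}: {'guessable' if guessable(pw, PROFILE) else 'not in list'}")
```

Run stand-alone, the script prints the candidate count and checks a few passwords against the list. The defensive lesson mirrors the chapter's own: anything that can be assembled from facts a stranger can collect about you (names, dates, pets, children) is effectively already in the attacker's wordlist, no matter how many digits you tack onto the end.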



8. Learn how to recognize social engineering strategies and be mindful of the vital information you disclose.


Social engineers use various strategies and technologies to manipulate their targets without their knowledge. Understanding their tactics and how they work is the most effective defense approach.


If you don't want to be fooled, educate yourself and your team about social engineering strategies. The more you understand about elicitation, body language, and so on, the more prepared you will be to notice when someone is attempting to use these techniques on you.


Remember that any information can be helpful to an attacker. So, be cautious about what you disclose to unauthorized persons.


Be especially wary of attackers who pose as distressed individuals pleading for help. On one occasion, a social engineer compromised an antivirus company by calling its customer service line and asking whether the product was blocking him from a website; the site was in fact built to attack the company.


The representative explained several times that he was not allowed to open the site, but the attacker kept insisting that he needed to reach it.


Out of a desire to help, the representative finally opened the URL, compromising the antivirus company.


To avoid falling victim to social engineers, establish security protocols for all employees and adhere to them at all times.


One approach is to give staff a standard script for responding to an unfamiliar person who asks for information. It can be as simple as asking for the caller's name, ID number, and the name of the project they are interested in before answering any questions. If the caller cannot supply all of this, ask them to contact the company by email instead and keep a record of the conversation.


Of course, these are only suggestions. You will need to create an appropriate system for you and your firm.



Final Summary


The human mind, like a computer, is vulnerable to hacking. Criminals deceive and defraud their victims by employing psychological methods, fabricated cover stories, and careful phrasing. The best safeguard is to be aware of their tactics.
