Social Engineering

July 02, 2020 115 Comments

Social engineering – hacking humans, if you will – is one of those sexy topics that comes up from time to time, usually as a warning: “Beware of the social engineers!” But what is it?

Logan and I did two podcast episodes on social engineering. Part one goes into the different tactics used by social engineers. The more we talk about what they are, the better we can protect ourselves from having social engineering used against us maliciously. And who knows, maybe we can get an upgrade using it ourselves?

Let’s start by breaking it down a bit. 

Social engineering focuses on targeting people rather than computers, and it relies primarily on individuals or groups of people breaking security procedures, policies, and rules. A social engineer’s job is really to find and exploit human weaknesses and behaviors to accomplish their goals. This can be done in person, over the phone, by text message, by email, or through any other channel where you can engage with the target. It requires a good understanding of human behavior and human weaknesses – you want to persuade your target to provide information or access that will let you succeed in your goals, such as during a penetration test or “Red Team” engagement.

Now let’s take a look at some tactics used by social engineers. Note that these are framed from the perspective of someone performing a penetration test.

  • Trust: trust is at the foundation of most social engineering attacks.  The easiest way to get someone to do what you want is to build trust.  And remember, most individuals unconsciously want to trust others – we really do tend to think the best of others.
  • Reciprocation: this is going to rely on the target feeling indebted to you, or that they need to return a favor.
  • Authority: focuses on making the target believe you have the power or right to ask them to perform actions or provide information.  Think about how official someone looks when they’re walking around with a clipboard (and some confidence!).
  • Urgency: this is the sense that an action needs to be performed – now (or else). 
  • Fear: fear that something will go wrong, or that the target would be punished if they do not respond or help in some way. 
  • Likeness or similarity: people want to belong, they want to feel liked; finding a common denominator with your target is a simple means of building trust.  Does your target love the Chicago Blackhawks?  Wear a Blackhawks shirt (and make sure you know at least some of their history or some unique facts). 
  • Social proof: this relies on persuading your target that they should do something because other people have behaved similarly. Think of it like guilting someone into doing something “because everyone else does it”.
  • Scarcity: this is related to a fear-based approach, but focuses on there being fewer rewards or opportunities, requiring someone to act fast.  Anyone remember the Great Toilet Paper Scare of 2020? 
  • Helpful nature: my personal favorite, this is people’s inherent nature to be good people and to help others. 

Now that we’ve addressed some of the tactics used in social engineering, let’s break it down into in-person vs. computer-based social engineering. Each method requires a different skill set, but both require a good understanding of the target.

In-person social engineering gives us the ability to read our target’s body language and use it to our advantage (or disadvantage). Some of the better-known methods include:

  • Elicitation: by definition, elicitation is getting information without directly asking for it. Magic, right? Well, not exactly. Asking for information directly can arouse suspicion. If someone asked you what your password was, you’d probably tell them off, wouldn’t you? But what if they asked about your pets, or when your birthday is, or where you’re from? Those are somewhat innocuous questions that could come up in a normal conversation, yet they provide quite a bit of personal information. Elicitation is all about asking questions or talking about seemingly unrelated topics in a way that leads a person to reveal the information you are looking for. One of the best ways to do this is through open-ended or leading questions.
  • Interrogation and interviews: in an interrogation, you (the social engineer) ask most, if not all, of the questions, which is also likely to make the target less comfortable. Interview questions, on the other hand, typically put a person more at ease. Think about the difference between a cop show and an interview on an Anthony Bourdain episode.
  • Impersonation: essentially, disguising yourself as another person to gain access to facilities or resources. This could involve claiming to be a staff member, or wearing a uniform and presenting a false or cloned badge or ID.
  • Shoulder surfing: this is truly just watching over someone’s shoulder to pick up information like passwords or access codes. I see it at coffee shops, when I set up behind another table and can watch everything that person is doing, or watch people enter their cell phone passcodes, or even in an office building when someone swipes their badge and enters a PIN. Sometimes you don’t need to be a cyber nerd who cracks passwords when you can just watch someone enter one.

Social engineering over a computer gives us a little more flexibility (in methods, timing, targets, etc.). Instead of spending hours looking for a software vulnerability to exploit, as a “hacker” would, a social engineer is more likely to pose as a support technician and trick an employee into handing over their login credentials.

  • Baiting: this involves leaving something for someone to find, relying on an individual’s curiosity. For example, leaving a USB thumb drive (or two or three), loaded with malware of course, in a commercial parking lot and waiting for someone to see it and plug it into their computer to see what’s on it, thereby introducing malware into the computer or network. Bonus points for labeling the thumb drive “Confidential” or “Bonuses”.
  • Phishing: probably one of the most prevalent methods of obtaining information from an unwitting victim. All it requires is sending an email to a target, sometimes with a link to click or an attachment to download, or simply questions to answer.
  • Email hacking or contact spamming: how much more likely are you to read an email that comes from someone you know? A lot, I’d assume. We see this from criminals who have gained access to an email account and then send mass emails to the entire contact list, hoping to compromise additional accounts.
  • Watering hole: compromising a website by modifying its code to include malware. This can be done in the code of the site itself, or in code delivered through ads or plug-ins. When a target then visits that site, it serves malware unbeknownst to the target.
  • Cloned website: just as it sounds, creating a replica (clone) of a website. It appears to be the real site, but it instead captures any data that is entered and either passes it along to the real website (while keeping a copy for the attacker) or redirects the user elsewhere. This is a great way to obtain login credentials, and it is as easy as copying and saving the site’s code and then using a tool such as the Social-Engineer Toolkit (SET).
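As an added illustration (not code from the original post), here is a small Python triage routine written from the defender’s side: it scores an incoming email against the persuasion tactics listed earlier and checks for the two technical tells of the phishing, impersonation and cloned-website methods above, namely link text that shows one domain while the href goes to another, and a display name that claims the organisation from an address outside its domain. The phrase lists, organisation name, domains and the sample lure are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# The post's persuasion tactics, mapped to phrases that often signal them in lure text.
# Phrase lists are illustrative, not an exhaustive detection ruleset.
TACTIC_PHRASES = {
    "urgency": ["immediately", "within 24 hours", "act now", "expires"],
    "authority": ["it department", "help desk", "security team", "compliance"],
    "fear": ["suspended", "locked out", "disciplinary", "legal action"],
    "scarcity": ["limited", "only a few", "last chance"],
    "reciprocation": ["gift card", "reward", "as a thank you"],
    "social_proof": ["everyone", "all staff have", "colleagues already"],
}
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
TAG_RE = re.compile(r"<[^>]+>")

def registered_domain(host):
    """Crude registrable-domain reduction (last two labels); enough for this demo."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def tactics_present(text):
    """Which of the post's persuasion tactics the lure text signals."""
    lowered = text.lower()
    return sorted(t for t, ps in TACTIC_PHRASES.items() if any(p in lowered for p in ps))

def mismatched_links(html):
    """(shown domain, real href) pairs where the link text names one site but the href
    goes to another: the tell-tale of a cloned login page."""
    found = []
    for href, visible in LINK_RE.findall(html):
        shown = DOMAIN_RE.search(TAG_RE.sub("", visible))
        real = urlparse(href).hostname or ""
        if shown and registered_domain(shown.group(1)) != registered_domain(real):
            found.append((shown.group(1), href))
    return found

def sender_mismatch(from_header, org_name, trusted_domain):
    """Display name claims the organisation, but the address is not on its domain."""
    name, addr = parseaddr(from_header)
    return (org_name.lower() in name.lower()
            and registered_domain(addr.rsplit("@", 1)[-1]) != trusted_domain)

def triage(raw_message, org_name, trusted_domain):
    """Score one single-part message; a score of 3 or more is flagged for a human."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = msg.get("Subject", "") + " " + TAG_RE.sub(" ", body)
    tactics = tactics_present(text)
    links = mismatched_links(body)
    sender = sender_mismatch(msg.get("From", ""), org_name, trusted_domain)
    score = len(tactics) + 2 * len(links) + 2 * int(sender)
    return {"tactics": tactics, "mismatched_links": links,
            "sender_mismatch": sender, "score": score, "suspicious": score >= 3}

# Constructed sample lure (not a real message): the display name impersonates the help desk,
# the link text shows the real portal while the href goes to a look-alike domain, and the
# wording stacks authority, social proof, urgency and fear.
LURE = """From: "Example Corp IT Help Desk" <helpdesk@example-corp-support.net>
Subject: Action required: password expires within 24 hours
Content-Type: text/html

<p>The IT department requires everyone to re-verify. All staff have already done so.</p>
<p>Sign in at <a href="http://example-corp-support.net/login">https://portal.example.com</a>
immediately or your account will be suspended.</p>
"""

if __name__ == "__main__":
    print(triage(LURE, "Example Corp", "example.com"))
```

The score is deliberately simple; in practice the link and sender checks carry far more weight than the wording, because a careful lure can avoid the obvious pressure phrases but cannot hide where its link really goes.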

Social engineering isn’t always malicious. Penetration testers and Red Teamers use it all the time in their attempts to compromise a site or network. I’ve seen it used at bars, at the airport, or anywhere someone is just trying to get something at a discounted price. Negotiation is social engineering to an extent. Want to get someone’s number at a bar? Use some of the tactics I mentioned above. But remember, it’s going to take practice to get it “right”; you want it to feel natural. And yes, the “bad guys” use it all the time, and we should be able to recognize when someone is trying to social engineer us.


Originally posted on www.allymarie.net
