Social engineering means manipulating a person to get access without authorization. Practically speaking, it’s a blanket term for non-technical hacking. FierceITSecurity gives the classic example: Hacker calls target and pretends to be “from the IT department,” getting the target to divulge a password or other sensitive corporate information.
Derek C. Slater at FierceITSecurity discusses a short-list of social engineering terms with Chris Hadnagy, author of the book “Unmasking the Social Engineer: The Human Element of Security.” The author explained that some of the terms below aren’t social engineering per se, but they are related to the same goal: Gaining unauthorized access to information, systems, and facilities through deception and other non-technical means.
In his Social Engineering course, Mr. Hadnagy tells participants that one goal is that every target “will be glad to see them” because the social engineering methods covered seem friendly, not antagonistic. “It’s amazing how much information people will give you if you’re just nice to them,” he says. “Con men don’t look malicious–they’re the guys with the biggest smiles.”
Social Engineering terms
Confidence trick: The ‘con’ in “con man” refers to gaining the confidence of the target before attempting to exploit him. Examples: The movie Grifters with John Cusack, and every Ponzi scheme from Charles Ponzi himself on through to Bernie Madoff and whoever’s doing it now. And somebody’s doing it now warns the article.
Amygdala hijacking: Your amygdala is the part of your brain that manages decision-making and emotional responses. “Amygdala hijacking” in the social engineering context means putting the target emotionally off-balance by causing stress, or contacting the person during an unusually stressful time, according to Hadnagy. That means the target is less rational and more vulnerable to exploitation.
Example: Friday at 4:30 pm, or the day before holiday vacation starts, many employees–not you or me, obviously–are anxious to get out of the office. That’s a perfect time for a pretexting call (see below) or a hacker-simulated crisis, putting the target further off-balance and making them more likely to do whatever is expedient–giving information over the phone or via email to make the “crisis” go away.
Elicitation: means getting information without asking for it directly.
Influencing: Mr. Hadnagy says influencing means provoking a desired response from the target “while getting them to think it’s their idea.”
Manipulation: involves getting the target to perform the desired action, regardless of whose idea they think it is. Unlike influence, manipulation could involve a direct or implied threat, for example.
Pretexting: Mr. Hadnagy’s definition, is equal to method acting. The social engineer doesn’t just say “I’m Bob”–he becomes Bob.
Example: Contracted to test one company’s defenses, Hadnagy gained access to various facilities by posing as Paul the Pest Inspector. “I had the uniform with the name patch, I had Paul’s business cards, and for a day before the event, my team was calling me ‘Paul’,” he says.
Phishing: is the use of email as a conduit for social engineering attacks.
Example: Know those emails that start “I’m Prince Phillip and I need help transferring my royal fortune to an American bank”–the venerable so-called 419 or Nigerian scam? People still fall for those. It’s a phishing attack and an example of a confidence scam.
Spear-phishing: Spear-phishing is a more targeted form of phishing. Instead of blasting that “I’m a Prince” email to everyone with an email address, a spear-phishing attack is personalized to reach a small group or individual.
Example: A hacker identifies a target, Fred, and finds personal details, professional connections, and current project information via Fred’s LinkedIn profile. He then sends the target an email that is correctly addressed to Fred, appears to come from a real colleague, and references specific project details. Fred is much more likely to click on malicious links or open attachments in this email than he is likely to respond to Prince Phillip spam.
These next four terms don’t involve deception. However, they’re all important non-technical information attacks and can work in concert with social engineering efforts.
Harvesting – is using publicly available sources–particularly on social media, these days–to gather information about a target for later use in social engineering.
Dumpster diving – means what it sounds like: rooting through the trash to find discarded papers or items with valuable information. This is less glamorous than social engineering, but it’s also a useful form of harvesting and doesn’t need human interaction. (rb- I have covered the dangers of dumpster diving on Bach Seat since 2010.)
Shoulder surfing – means reading sensitive information on-screen and over the shoulder of a legitimate user.
Tailgating – is the ancient practice of going through a physical access point on the heels of someone who has an access card, key, or entry code. Catching the door before it shuts behind them, as it were.
rb-
Whether it is your home or corporate email account, social engineering is dangerous. Being educated about the risks of social engineering is critical. The next time someone reaches out via email or the phone, take a second and ask a few questions before you give away your digital identity unless of course they also have a candy bar.
Related articles
- NOOK Daily Find! Social Engineering: The Art of Human Hacking by Christopher Hadnagy for $4.50! (randomizeme.wordpress.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.