Sometimes, you need something you can't access. Perhaps you get the idea of posing as someone else to gain information you otherwise can't access. Social engineering has endless possibilities. Social engineering is different from physical-security issues, because people can always be "hacked" or tricked.
False support personnel claim that they need to install a new version of software on a user's computer, talk the user into downloading the software, and obtain remote control of the system. Social engineering can make you a hacker with no skills in hacking, but an effective people hacker can break into systems with the greatest security.
Here is an example of some social engineering.
Say you need to access the password for an email address because you need to confirm you want to withdraw money from their account. You contact this person via email or whatever means of contact is possible, claiming to offer a service or, say they are an artist, inviting them to an art fair. Get a VoIP number in their country and give them the number. The key is to make it as convincing and legitimate as possible. They call, and you now have their phone number. Do a domain whois search and find the name of their hosting company and its phone number. There are a few ways of spoofing phone numbers; there are Android applications that do it very easily. You pay someone to DDoS the site (a distributed denial-of-service attack) and you then call the person from their hosting company's phone number, saying, "Hello, this is Jim from xyz hosting. We have detected that your website xzy.com has been hacked and we need your password information in order to determine the source of the attack as well as to ensure that your email is not compromised." 70% of people will fall for this. You have just hacked an email with no hacking experience at all.
Social engineering is one of the toughest hacks, because it takes great skill to come across as trustworthy to a stranger. Sometimes it is best to perform attacks slowly, so they're not so obvious and don't raise suspicion. Gather information over time and use the information to create a broader picture. Alternatively, some social-engineering attacks can be performed with a quick phone call or e-mail. The methods used depend on your style and abilities.
Everyone is vulnerable
Everyone from receptionists to security guards to IT personnel is a potential victim of social engineering. Help-desk and call-center employees are especially vulnerable because they are trained to be helpful and forthcoming with information. Even the average untrained user can fall victim to giving you information.
Effective social engineers can obtain the following information:
- user or administrator passwords
- badges or keys to the building and even the computer room
- intellectual property such as design specifications or other research and development documentation
- financial reports
- employee information
Simple steps to social engineering
1. Perform research.
2. Build trust.
3. Exploit relationship for information through words, actions, or technology.
4. Use the information gathered for malicious purposes.
These steps can include myriad substeps and techniques, depending on the attack being performed.
Before you start, you need a goal of what you want to gain or accomplish.
Typically you should start by gathering public information about your victim. It is good to acquire information slowly over time so you don't raise suspicion. Obviousness is a tip-off when defending against social engineering. Information is the master key of social engineering.
Traits of a good social engineer:
- Likeability: Be a likeable person. Speak/type professionally and sound like a well-educated, nice person.
- Be believable: Make everything you say sound as legitimate as possible and try to have a quick and sensible answer to any questions a person might ask. The more you know about the person, the easier it is.
Some red flags are:
- Acting too friendly or eager
- Mentioning names of important people within the organization
- Making threats if requests aren't honored
- Acting nervous when questioned, fidgeting, especially with the hands and feet
- Overemphasizing details
- Refusing to give information
- Knowing information that an outsider should not have
And those are the basics!