What is Social Engineering?


Social engineering is a technique that consists of obtaining access or information from people without them realizing it. Unlike other attacks, it does not require software.

The hacker uses a person's trust to obtain information, generally about a computer system. This practice exploits the human flaws and social aspects of the victim, to whom the targeted computer system is linked.

The most classic technique is to show up at a company with a “mission order” to update the antivirus on the assistant’s workstation, for example. Instead, the hacker installs a keylogger that captures every password entered.

Social engineering is not new. It has been around forever, with famous social engineers such as Kevin Mitnick or Frank Abagnale. According to Kevin Mitnick, it is easier to exploit human nature than to exploit flaws in software.

In this article, we will see in detail the different social engineering techniques used by hackers.

Social engineering by telephone

On the phone, it is easy to be fooled by an individual. The hacker's goal is to obtain information as quickly as possible.

A good hacker will have prepared his character and his speech. With a few well-placed sentences and the right tone, it will be fairly easy for him to extract confidential information.

Some hackers use techniques to improve their credibility, such as playing a previously recorded tape of office noises on a tape recorder, or even using a voice modifier to imitate the voice of a secretary.

A social engineering test

A test carried out at the Defcon conference assessed the risk of disclosure of secret information by company employees.

135 employees from 17 large companies, including Coca-Cola, Ford, Pepsi, Cisco and Wal-Mart, were tested as part of this hacking contest.

The results are shocking, since 96% of them, contacted by telephone, disclosed information considered “sensitive”.

Social engineering via the internet

Social engineering over the internet is similar to social engineering over the phone. It can be done by email or through falsified websites (phishing).

Often these attacks start with a hacker sending an email while pretending to be someone or something you know or trust, such as a friend or your favorite bank.

These emails prompt you to perform an action such as clicking a link, opening an attachment, or replying to a message. The hackers craft these emails so that they are very convincing, sending them to millions of people around the world.

Hackers do not have a specific target in mind, nor do they know exactly who will be the victim. They just know that the more emails they send, the more people there will be who can be deceived.

Social engineering by direct contact

Even though a hacker can do a lot of things over the phone or the internet, it is sometimes necessary to go into the field. There, he will be able to study the inventory, take a password written on a piece of paper or install malware on the victim's computer.

The hacker must be well equipped so that the target does not report anything. Appearance is going to matter a lot: suit, tie, very well dressed, very clean, briefcase, filled diary, various documents, business card, badge... He will need to have a confident attitude, his gaze straight and his head held high.

If the hacker takes such risks, it is because he is determined to obtain the desired information. He will therefore be very persuasive.