Le social engineering is a technique that consists in obtaining access or information to people without them realizing it. Unlike other attacks, it does not require software.
The hacker uses a person's trust to obtain information generally about a computer system. This practice exploits the human flaws and social aspects of the victim, to whom the targeted computer system is linked.
The most classic technique is to report to a company with a "mission order" to update the antivirus on the assistant's workstation, for example. Instead, we're going to install a keylogger which will capture all entered passwords.
Social engineering is not new. It has always existed, with famous engineers such as Kevin Mitnick or Frank Abagnale. According to Kevin Mitnick: It is easier to exploit human nature than to exploit loopholes in software.
In this article, we will see in detail the different social engineering techniques used by hackers.
Social engineering by telephone
On the phone, it is easy to be fooled by an individual. The aim of the hacker is to get the information as quickly as possible.
A good hacker will have prepared his character and his speech. With a few well-placed sentences and the right tone, it will be fairly easy for him to extract confidential information.
Some hackers have some techniques to improve their credibility, such as playing a previously recorded tape of office noises on a tape recorder, or even using a voice modifier to imitate that of a secretary.
A social engineering test
A test carried out on the occasion of the Defcon conference was used to assess the risk of disclosure of secret information by company employees.
135 employees, from 17 large companies, including Coca-Cola, Ford, Pepsi, Cisco, Wal-Mart, were tested as part of this hacking contest.
The results are shocking, since 96% of them, canvassed by telephone, disclosed information considered "sensitive".
Social engineering via the internet
Le social engineering over the internet is similar to over the phone. It can be done by email, by falsified websites (Phishing ).
Often these attacks start with thesending an email by a hacker claiming to be from someone or something you know or trust, such as a friend or your favorite bank.
These emails prompt you to perform an action such as clicking a link, opening an attachment, or replying to a message. The hackers craft these emails to be very compelling, sending them to millions of people around the world.
Hackers do not have a specific target in mind, nor do they know exactly who will be the victim. They just know that the more emails they send, the more people there are likely to be cheated on.
Social engineering by direct contact
Even though a hacker can do a lot of things over the phone or the internet, sometimes it is necessary to get out into the field. Thus, he can study the situation, take a password written on a piece of paper or install malware on the victim's computer.
The hacker must be well equipped so that the target does not report anything. Appearance will count a lot. Suit, tie, very well dressed, very clean, briefcase, filled diary, various documents, business card, badge ... He will have to have a sure attitude, his gaze straight and his head held high.
If the hacker takes such risks, it is because he is determined to obtain the desired information. He will therefore be very persuasive.