How to Perform a Social Engineering Attack – Examples Included

Hacking using social engineering is all about taking advantage of the weakest component of every organization’s security — its people. In other words, social engineering is hacking the people rather than the system itself. The technique used is gaining the trust of people in order to maliciously exploit them and get information for profit.

Social engineering can be a very difficult hack to pull off, considering the boldness and skill it requires getting a total stranger to trust you. However, it is also the hardest hack to prevent because every individual is responsible for his or her own security decisions.

Social engineering is carried out when a malicious hacker pretends to be somebody else in order to acquire information that would be difficult to get by other means. The information acquired from the victim can then be used to steal files, destroy resources, commit fraud, or spy on an organization. Social engineering is distinct from physical security hack attempts, but they are normally carried out together.

Examples of social engineering include:

Support personnel — Hackers claim that they require a user to install a software patch or update. They convince the victim to download the software, and the hackers are then able to remotely access the victim’s system.
Product vendors — Hackers pose as vendors of a particular product that the organization relies on, for example, the phone system or accounting software. They claim they need to update the existing systems and request administrator passwords.
Employees — some employees may pretend that they have misplaced their access badges for accessing the organization’s data center. They inform the security department, who hand them keys, only for them to gain unauthorized entry to digital and physical records.
Phishing — Criminal hackers send malicious emails with links that trigger malware and viruses to be downloaded onto the victim’s computer. They are thus able to gain control of the system and steal data.

Performing Social Engineering Hacks

Once social engineers get their intended target to trust them, they begin to exploit the relationship in order to obtain as much relevant information as possible. This can be achieved either face to face or via electronic means, with the strategy being to use whatever mode of communication that the potential target is most comfortable with. Here are some strategies hacker’s uses during social engineering:

Building trust via words and actions

There are many ways that a skilled social engineer can acquire inside information. A good social engineer will be wily, articulate, and have the ability to keep a conversation flowing smoothly. On the other hand, it is possible to detect a social engineering attack if the malicious hacker becomes too anxious or careless. Here are a few signs of a social engineering attack:

Being too friendly or enthusiastic about meeting a person.
Talking about high profile people in the organization.
Bragging that they have authority in the organization.
Behaving nervously when asked questions.
Over-elaborating about things that don’t require such.
Speaking like an insider yet they are an outsider.
Having knowledge of issues that outsiders shouldn’t.
Appearing to be Ina hurry.
Asking weird questions.

These are all signs that a person has malicious intentions. Of course, a good social engineer will be very skilled at hiding these signs. Another strategy that social engineers use is going out of their way to help someone and then immediately asking the target for a favor. This is one of the most common and effective tricks in the social engineering book.

Another common trick is referred to as reverse social engineering. In this case, the social engineer causes a specific problem to occur, and when the intended victim needs help, they swoop in like a superhero and solve the problem. This entrenches them deeper into the relationship with their potential victim.

A social engineer may also falsify a work badge and get a fake uniform just to blend in with the real employees. Everybody in the organization will assume that since they dress like the real deal, they can be trusted with information.

Phishing for information

Social engineers love to use technology to achieve their goals. It makes their work easier and more fun. In most cases, they send the intended victim a text message or email that appears to originate from a source that the victim trusts. However, the email address or IP address that is displayed could simply have been spoofed.

Malicious hackers are known to send their victims emails requesting crucial personal information. The email normally contains a link that the victim is asked to click. If this happens, the victim ends up in a website that looks professional and trustworthy. The aim is to steal their confidential information by encouraging them to update their user IDs, social security number, and passwords. Such requests may even be sent via social media, for example, Facebook or Twitter.

Another tactic used is flooding potential victims with so many emails and spam mail that a person is likely to lower their guard and open at least one of the emails or download an attachment. The victim is then deceived into providing confidential information in exchange for some type of gift.

There have been many high-profile cases where malicious hackers send a patch or software update to their victims via email, claiming to be from a verified software manufacturer. The victims are deceived into believing that the software is genuine, but it is actually a Trojan horse key logger or even a backdoor that allows the hacker unrestricted access into a network.

These backdoors enable the malicious hackers to directly attack the victim’s systems or use them as zombies. Zombies are computers or systems that malicious hackers hack into and then use as launching pads to attack other systems. Social engineering can also involve the use of viruses and worms. A hacker can send a potential victim an email claiming to be a love interest or secret admirer. Once the person opens the email, their computer becomes infected.

One of the most well-known phishing strategies is the Nigerian 419 scam. This is where social engineers send a person an email claiming to be either a relative of a wealthy deceased individual, or the lawyer of the deceased person. The scammers offer to split the inheritance (usually millions of dollars) with the intended victim if they can help them repatriate the deceased’s funds to a bank account in the US.

The unsuspecting victim is asked to provide their personal bank account number as well as some money to pay for transfer fees. If the victim makes the mistake of doing so, their bank account is cleaned out.

What makes social engineering phishing attacks so effective is the difficulty in tracing the source of the attack. Online social engineers are anonymous and are adept at using anonymizers, proxy servers, SMTP servers, and remailers to hide their tracks.

Social Engineering Countermeasures

Social engineers should never be underestimated. They have the ability to manipulate naive and untrained people to allow them access into a computer system. However, there are a few countermeasures that can be put in place to protect a network against social engineering attacks. Some of these measures are corporate in nature and apply mainly to organizations. There are also measures that individuals can take to protect themselves.

For organizations, we have stringent organizational policies, and user awareness and training.

Stringent organizational policies

Creating various classes or hierarchies of information, where users only have access to some but not all levels of information. The information is disseminated purely on a need-to-know basis.
Establishing an ID system where all employees, independent contractors, and consultants are issued with IDs when hired.
Ensuring that all employees, contractors, and consultants who do not work for the organization any more return their user IDs.
Changing user passwords on a regular basis.
Taking immediate action whenever suspicious behavior and security breaches are noted.
Taking good care of private and proprietary information.
Making sure that all guests into the premises have an official escort

If these countermeasures are to be as effective as possible, it is important to inform the people involved and enforce them across the board.

User awareness and training

If the employees of an organization are to be effective in defending themselves against social engineering attacks, they will have to be trained in how to detect and respond to such threats. Awareness is the key to preventing social engineering hacks, so everyone involved must participate in security awareness initiatives on a regular basis.

The organization must ensure it has dedicated security policies that are well aligned with whatever awareness and training measures it comes up with. It would also be a good idea to bring in an external security consultant who has experience in tackling social engineering hacks. This may be a bit expensive bit it is definitely worth it.

To establish a long-term solution, the following things must be kept in mind:

The issue of security awareness and training is not something to take lightly. It is not an expense, but an investment.
Users must be trained continually in order to ensure that their knowledge is updated.
Employees must have security for personal and professional information as part of his or her job description.
Make sure that the content shared with people is tailored and controlled.
Establish an awareness program for employees and other users.
Not all users are technically minded or gifted, so moderate the language to be as non-technical as can be.
Give people incentives to report and prevent security incidents
The top management must practice what they preach and lead by example.

Individual countermeasure strategies include:

Avoid giving out personal or confidential information to people unless you verify who is requesting it and why they need it.
Do not click on any unsolicited email links that lead to web pages that request for personal information to be updated.
Do not hover your mouse over any email links. This may seem harmless but this may trigger malware to be downloaded onto your computer. If you have antimalware installed, it will be able to protect against such vulnerabilities.
Do not share private information with people on social media. Social engineers will try to approach unsuspecting victims with friend and connection requests on Facebook or LinkedIn.
Do not tell people your passwords.
Do not open email attachments that come from strange addresses.
Do not allow strangers to connect to your wireless network or network jacks. All a hacker needs is a few seconds to put a Trojan horse, malware, or a network analyzer into your system.