Social Engineering: The Art Of Lying
Greetings AntiOnline. I was thinking earlier that I haven't written a tutorial in quite some time and that perhaps I should jump back into doing so. As I continue to want to learn about varied topics (at this current moment, I'm into ANYTHING concerning vulnerability scanners), I also continue to want to share the limited knowledge that I can share with the crowd and hope to help someone in some way. So, here's a relatively short tutorial on Social Engineering.
Social Engineering: What Is It?
Social Engineering. Something that sounds flashy.. "cute" even. It probably sounds frightening to the average home user and definitely sounds as if it was something requiring vast technical know-how. However, nothing could be farther from the truth.
This frightening tech term is simply a "technical" way to say lying. A social engineer is a polite version of a bullsh*t artist. In our case, the user who is doing the lying is "engineering", or lying to, the other user in order to gain some form of information from him. Typically, this information could be passwords to accounts (whether e-mail, system, etc.), phone numbers, etc. Well, that's their main objective (and the primary objective of social engineering attempts): lying to a user in some way, shape, or form to obtain information of any kind.
Social Engineering: Example Of
Below, I will provide you with a sample phone call that happens almost every day and is nothing more than a social engineering attempt.
You: Hello?
Hacker: Hello, this is Donald over at LocalService ISP..
You: Oh, Hey.. umm, when you say "ISP", you guys are the ones who give me my internet, right?
Hacker: That's correct and that's the reason for my phone call.
You: Oh, really? Is there a problem with the service?
Hacker: Well, we had errors this morning with our service provider and some accounts had difficulty with their GUI optional settings*.
You: Oh.. well, I dunno what exactly that means *laughs* but what can I help you with, sir?
Hacker: *laughs* Ah, that's okay.. I'm not going to need much, I just have to reset the optional settings on your account*, so I'm going to need your account information.
You: Will this directly affect me going online or anything?
Hacker: Nope, that's what I'm here to fix, so that it doesn't.
You: Oh, thanks!
Hacker: No problem.... so, what's your account name?
You: It's joey420.. that's the username.
Hacker: Okay.. entering that in now. And your password, sir?
You: Should I change it from the old one or...?
Hacker: It's recommended you use the old one so that the account is up and running faster.*
You: Okay, makes sense.. again, I dunno about these things. Anyways, it's "password1010".
Hacker: Alrighty, give me a sec.... okay, you're re-entered into our systems. Your account should be re-activated within minutes.
You: Awesome, thanks a bunch.
Hacker: No problem sir, and you have a nice day now..
You: You too, bye bye.
* - The asterisks mark statements that aren't true and/or aren't needed; they are examples of a "social engineer" using the user's lack of knowledge to confuse him, so that he has to rely on the hacker.
Social engineers prey on two main things:
1. Your lack of knowledge. They will try to make you feel inferior or use "big words" to confuse you. Their biggest advantage is that they know you, the user, will feel one main thing: if it doesn't seem right or it's not making sense, it's because you don't know much about it. Enter the hacker who "seems to know about it", and so the user puts his trust in the hacker.
2. Your trust. 'Nuff said IMO.
Social Engineering: How Do I Defend Myself From It?
Defending yourself from this is simple: Use the mentality that if it seems wrong, looks wrong, smells wrong, and overall has that feel to it that it is wrong.. it IS wrong and run away from it. Have self-confidence, try to think before making decisions (especially rational ones), and be careful. Oh, trust me.. you can do it! ;)
Social Engineering (for the most part) only works on the "weak mind". I know that's somewhat "crass" of me to say, but many of today's IT professionals and system administrators are a tad more tech savvy when it comes to this. Yes, it does happen to the "best of us" from time to time. Many people think of Social Engineering (IMO) as something that "only happens to newbs".
That is a misconception, as I have seen it done to MANY people who are professionals and NEVER thought it would happen to them. Sad, eh? :D
Well, that's my mini-tutorial.. I hope somebody enjoyed it and/or learned from it. :)