What is Social Engineering? How It is Helpful for Hacking & Spying?

Posted on the 21 July 2018 by Ruby Mariah @rubymariah22

Social Engineering or “SE” is an activity that exploits a person in a way to take action that could or could not be in their interest. However, we will bring your attention to the malicious forms of SE, helpful for hacking and spying in particular and plenty of other categories govern through it. On the other hand it is very important to know it psychologically, physiologically, and last but not the least technological aspects of influencing someone generally. No matter what if it is being used for positive outcomes, even then it will be used maliciously. Malicious type of social engineering needs to be categorized into the three such as Phishing, Vishing, and impersonation. Let’s discuss all these categories shortly.

Phishing

It can be done by sending an email to someone and seems it is from a reputable source with the aim of controlling and getting the private information.

Vishing

It is the practice or an activity to eliciting the information or to have an attempt to influence action through the cell phone, which includes these types of tools as cell phone spoofing.

Impersonation

It is the act of sending someone pretext messages as another person with the aim in mind to get information or access to a person, company or to the computer device.

Major categories of Social Engineering

Social Engineering can be further categorized for those who use it due to some odd reasons. Professional spies and black hat hacker and white hat hacker use to a salesperson and everyday people.

Hackers

They usually use social engineering techniques, because the human weakness factor is very easy to exploit than to exploit the network weakness. Most of the time professional hacking or hackers win because they are not bound for the time and motivation. An ordinary person may work for 8 hours a day to accomplish his goals, but when it comes to the professional hackers they spend 24 hours a day in order to accomplish their goals. They spend hell amount of time and due diligence to get every aspect of their target and then they launch all of their skills and energies on the human infrastructure that can truly harm a company within few minutes. They get over the personal information of the target, passwords, remote user accounts and plenty of others things alike. Over the last few year’s stats, sponsored hackers have hit the world by storm and have made headlines worldwide. Their attacks could be very devastating for the target and we are going to bring you a little information about how hackers implement these attacks and what is the ultimate destruction.

The Lazarus Group: Example no. 1

It is a group that is based on one of the most destructive hacking collectives on the cyberspace. It is allegedly responsible for monstrous 2014 Sony hack, $81 million Bangladesh Bank Heist and is also allegedly involved in 2017 Wanacry ransomware attack. However, it has been detected over the last few years in more than 18 countries of the world

Fancy Bear: Example no.2

It is also known as APT28, Pawn Storm, Sofacy group, Sendit and STRONTIUM and it is also a cyber – espionage community. There is a number of hacking methods of this particular group such as zero – days, Spear phishing, OAuth phishing and malware. The group is allegedly responsible for a number of hacking breaches such as 2016 attacks on the World Anti –Doping Agency (WADA) and further for phishing attacks that have been devastated for Democratic National Committee (DNC).

Spying or Espionage

People who spy have skills and methods to fool the victims and make them believe they are someone or something which they are not in reality.

“Furthermore, being able to use social engineering, number of times people who spies will also be been created having a little or a lot regarding business or government they are trying to social engineering”. Chris Hadngy, Social Engineering, in The Art of human hacking stated that.

Espionage or spying is basically are skills that can be used for getting information about the target whether a person, government or a competing industry, having an aim of replacing one’s government or trying to gain financial or other advantages. On the other hand, spying cannot be labeled as all intelligence gathering such as codebreaking, aircraft or satellite photography. Over the decades spying or espionage was known as for obtaining political and military intelligence. Moreover, with the rise in the rise of technology the focusing point further goes to the communication technologies, IT, energy, scientific research, aviation and plenty of other departments.

There are following few examples of military and industrial spying that how the skills were used to carry out social engineering attacks.

State-sponsored Facebook Fakes

Since January 2017, Israeli Defense Forces have published a blog post on their website that says attack have launched on their military personals using influence tactics known as liking. Attackers have created fake Facebook profiles of attractive young women having an aim of seducing Israeli Defense Forces (IDF) to befriend with them. Further, after the fake profile users successfully got the trust by sending text messages, sharing photos and at end of the day ask for video chat. For video chat, the soldier had to install an app that was basically a virus. Once the soldier installed it, its phone has become an open source to view contacts, location apps, photos and files and at the end of the day went to the Hamas operatives.

Penetration testers

They are the ones who test the vulnerabilities or unauthorized access breaches to the system. It is also called pen testing and it is the skills of testing computer machines, network, web application or onsite perimeter to catch vulnerabilities that hackers use loopholes in the system for spying.

Pen Testing & Social Engineering

Business organizations with the process of verification procedure, firewalls, VPNs, and network monitoring software could be under the cyber-attacks if employee unwillingly provides confidential information. “SE” is the human side of checking for corporate network vulnerabilities. Penetration testers used different skills to test their target by means of phishing, vishing, and impersonation a pen tester will mimic the breaches that a malicious social engineer could use to aim to breach the target system. Therefore, even the company’s hires pen testers to deal with the malicious “SE” to prevent the breaches.

Identity thieves

It is a kind of malicious art to seat someone’s identity or personal identifiable information (PII) such as name, address, social security number and email addresses as well. People do it for the financial gain and to do number of criminal acts. They can use it for stolen payment card account making fraudulent purchases and to get control over the existing account of the target.

The private information of kids and teens that includes social security numbers, mother’s maiden name and date of birth have been found for sale on the dark web, CNN reported that.

The identity theft is not restricted to the individuals, these days business identity theft also been on the rise that hacks company’s websites and phone numbers using social engineering techniques.

Disgruntled Employees

Most of the employees who become disgruntled and uncontrolled internet access at workplace, the reasons are very common such as they feel irritated, overworked, underpaid and last but not the least passed up for promotion. “Five factors that have made US workers are promotion policies, bonus plans, education and job training programs and performance views procedure, according to the job satisfaction survey conducted by the Conference Board Consumer conference survey.

Disgruntled Employees could be the risk for the company

The Insider report 2018 published that, 90% of the business organization has to deal with the insider threats. The disgruntled employees are the root cause of two elements, one accesses and the second is motivation. They usually have access to the confidential information, financial information, and high-level administrative privileges to corporate applications.  The earlier five elements discussed can make a productive employee into the disgruntled employee. The ultimate threat to the company could be spreading negativities on social networking apps such as LinkedIn and on Facebook, stealing the confidential information, willingly leaking the sensitive information and even potential lawsuits.

Information Brokers

According to the (FTC) Federal Trade Commission data brokers such companies that collect information such as personal information about the consumers, from famous sources and then resell it to their customers for various reasons such as to verify to any individual’s identity, records, marketing products, and to prevent financial fraud. Data brokers get the information from various sources but in the modern world social media platforms such as Facebook, LinkedIn, WhatsApp and others are one of the biggest platforms for collecting the data of the general public.

How Data Brokers use social Engineering?

They mostly use elicitation, scams, courting, and last but not the least pretexting in order to get the personal data or information. According to the book “Information and security” data brokers and another kind of social engineers use the method which is known as courting. It seems random or a chance meeting that builds report and then trusts between the social engineer and the target. With the passage of time, they successfully build a relationship and then subtly pressure brings the information of the target.

Scam Artist

It is a person that traps people in fraudulent or deceptive action to defraud others. The scam usually labeled to a particular type of fraud that is based in the wide range of dispersed initial approaches to the masses that don’t know about the scammer. There are two types of scams, one is known as Mass –marketing Fraud and the second one is advanced fee fraud. Most of the social media scammers use the Facebook and claims that they are Facebook employees and they are going to tell you, you have won the Facebook lottery and the winner has to pay some money to release the money.

Conclusion:

It is worthy enough for the attackers and it works consistently. Social engineering tactics are very time consuming but effective ones. Therefore, malicious social engineers use the skills in order to achieve their goals. An experienced black hat hacker knows well that it would take time, days, weeks and even months to get access to the network and steal the credentials. However, when it comes to social engineering techniques used by the hacker such as using a pretext to a cell phone or email, it would be a matter of minutes to get the same goal of the getting the credentials.

Resource links:

https://www.csoonline.com/article/2124681/social-engineering/what-is-social-engineering.html?page=2

https://www.ca.com/content/dam/ca/us/files/ebook/insider-threat-report.pdf

http://mobile.abc.net.au/news/2018-05-03/facebook-lotto-scam-targeting-social-media-users/9723322?pfm=sm

https://www.ftc.gov/news-events/press-releases/2006/01/choicepoint-settles-data-security-breach-charges-pay-10-million