Social Engineering: Your deadliest tool
#1
Credit / Author: FrederickTheGreat

Sometimes, you need something you can't access. Perhaps you get the idea of posing as someone else to gain information you otherwise can't access. Social engineering has endless possibilities. Social engineering is different from physical-security issues, because people can always be "hacked" or tricked.

Impersonation

False support personnel claim that they need to install a new version of software on a user's computer, talk the user into downloading the software, and obtain remote control of the system. Social engineering can make you a hacker with no skills in hacking, but an effective people hacker can break into systems with the greatest security.

Here is an example of some social engineering.
Say you need to access the password for an email address because you need to confirm you want to withdraw money from their account. You contact this person via email or whatever contact means possible, claiming to offer a service or maybe say they are an artist, invite them to an art fair. Get a VOIP number in their country and give them the number. The key is to make it as convincing and legitimate as possible. They call, and you now have their phone number. Do a domain whois search and find the name of their hosting company and phone number. There are a few ways of spoofing phone numbers; there are Android applications that do it very easily. You pay someone to DDOS attack the site (directed denial of service attack) and you then call the person from their hosting company's phone number, saying, "Hello, this is Jim from xyz hosting. We have detected that your website xzy.com has been hacked and we need your password information in order to determine the source of the attack as well as to ensure that your email is not compromised." 70% of people will fall for this. You have just hacked an email with no hacking experience at all.

Social engineering is one of the toughest hacks, because it takes great skill to come across as trustworthy to a stranger. Sometimes it is best to perform attacks slowly, so they're not so obvious and don't raise suspicion. Gather information over time and use the information to create a broader picture. Alternatively, some social-engineering attacks can be performed with a quick phone call or e-mail. The methods used depend on your style and abilities.


Everyone is vulnerable
Everyone from receptionists to security guards to IT personnel is a potential victim of social engineering. Help-desk and call-center employees are especially vulnerable because they are trained to be helpful and forthcoming with information. Even the average untrained user can fall victim to giving you information.

Effective social engineers can obtain the following information:
   - user or administrator passwords
   - badges or keys to the building and even the computer room
   - intellectual property such as design specifications or other research and development documentation
   - financial reports
   - employee information

Simple steps to social engineering

   1. Perform research.
   2. Build trust.
   3. Exploit relationship for information through words, actions, or technology.
   4. Use the information gathered for malicious purposes.

These steps can include myriad substeps and techniques, depending on the attack being performed.

Before you start, you need a goal of what you want to gain or accomplish.

Typically you should start by gathering public information about your victim. It is good to acquire information slowly over time so you don't raise suspicion. Obviousness is a tip-off when defending against social engineering. Information is the master key of social engineering.

Traits of a good social engineer:
- Likeability: Be a likeable person; speak/type professionally and sound like a well-educated, nice person.
- Be believable: Make everything you say sound as legitimate as possible and try to have a quick and sensible answer to any questions a person might ask. The more you know about the person, the easier it is.

Some red flags are:
   - Acting too friendly or eager
   - Mentioning names of important people within the organization
   - Making threats if requests aren't honored
   - Acting nervous when questioned, fidgeting, especially with the hands and feet
   - Overemphasizing details
   - Refusing to give information
   - Knowing information that an outsider should not have

And those are the basics!
#2
Thanks, got some good information here.
#3
(11-30-2016, 07:15 PM)Insider Wrote: Credit / Author: FrederickTheGreat


Do you think social engineering can work against fellow hackers (or infosec professionals)? If yes, then any example?
#4
(04-24-2019, 08:18 PM)thunder Wrote: Do you think social engineering can work against fellow hackers (or infosec professionals)? If yes, then any example?

If well executed and with enough info I think that almost everyone can be fooled by a social engineering attack.
Obviously if the individual knows about the subject it will be more difficult than if it isn't the case, but everyone has their bad days and that's where you want to attack.

The attack depends on your target, and the point of social engineering is in my opinion to improvise and know how to win the victim.

