Ethical hacking: Social engineering basics by Blackhat Pakistan 2023
In this article we cover the basics of social engineering as it is used in ethical hacking.
What is social engineering?
In short, social engineering is the art of manipulation and misdirection. The goal of a social engineer is to obtain something they are not authorized to have or to do something they are not authorized to do. This ranges from stealing sensitive information to gaining access to a restricted area. To achieve this, the social engineer must make sure that the target, or "mark", does not notice what is happening, or at least does not take any steps to stop it.
How social engineering works in Ethical hacking
Social engineering is essentially lying and manipulation. Done right, it can accomplish much of what traditional hacking can, and often with far less work. The following tips apply when preparing and executing a social engineering attack.
Know your goal
One of the most important parts of social engineering is knowing your goal. This means knowing as much as possible about what information or access you are trying to get and from whom you are trying to get it.
Distilling the goal down to a single piece of information makes a social engineering engagement much simpler and more efficient. The more separate questions you need to ask, the more likely the mark is to become suspicious, which can bring the exercise to an abrupt end.
Reducing what you want to the smallest amount of information may require some attack modeling. In many cases, a whole collection of information can be obtained from one other piece of data. For example, access to an email account yields a large amount of valuable data (including password reset links for other services) and requires only the user's password.
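The attack modeling described above can be made concrete. The following is an added example, not code from the original article: a small Python helper that models assets as an OR-of-ANDs dependency graph (each asset can be obtained via one of several alternative prerequisite sets) and answers two questions a social engineer plans around: what is the smallest set of leaf facts to ask the mark for in order to reach a goal, and what else those same facts unlock. The asset names and the dependency model are constructed sample data, not taken from the article.

```python
"""Attack-model helper for social engineering planning (added example).

Assets are nodes. Each asset maps to a list of alternatives; each alternative
is a tuple of prerequisite assets (OR of ANDs). Anything not in the model is a
leaf: a fact the social engineer would actually have to get from the mark.
"""

# Constructed sample model (hypothetical; not from the article).
MODEL = {
    "email account": [("username", "email password")],
    "password reset link": [("email account",)],          # lands in the inbox
    "vpn creds": [("vpn username", "vpn password", "mfa code")],
    "customer database": [("vpn creds",),
                          ("email account", "password reset link")],
    "wire transfer": [("email account", "cfo name")],
}


def min_questions(goal, model=MODEL):
    """Return the smallest frozenset of leaf facts that yields `goal`.

    Explores every alternative, avoids cycles along the current path, and
    keeps the alternative whose combined leaf set is smallest. Returns None
    if the goal is unreachable without a cyclic dependency.
    """
    def solve(asset, visiting):
        if asset not in model:          # leaf: something we must ask for
            return frozenset([asset])
        if asset in visiting:           # cycle on this path: not usable
            return None
        best = None
        for alt in model[asset]:
            needs = set()
            usable = True
            for prerequisite in alt:
                sub = solve(prerequisite, visiting | {asset})
                if sub is None:
                    usable = False
                    break
                needs |= sub
            if usable and (best is None or len(needs) < len(best)):
                best = frozenset(needs)
        return best

    return solve(goal, frozenset())


def reachable(facts, model=MODEL):
    """Forward closure: every asset obtainable from the facts already held."""
    have = set(facts)
    changed = True
    while changed:                      # iterate until no new asset is unlocked
        changed = False
        for asset, alts in model.items():
            if asset in have:
                continue
            if any(all(p in have for p in alt) for alt in alts):
                have.add(asset)
                changed = True
    return have


if __name__ == "__main__":
    # Two questions (username and email password) unlock the database;
    # the VPN route would need three, one of them a live MFA code.
    print(sorted(min_questions("customer database")))
    print(sorted(reachable({"username", "email password"})))
```

For the sample model the helper reports that the customer database needs only the username and email password, because the email account also yields the password reset link, whereas the VPN route needs three facts including a one-time MFA code. The forward closure shows what else that single pair of facts unlocks, which is exactly why the article singles out email access as a high-value target.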
Getting information subtly usually requires knowing the target. There are a number of different social engineering approaches (see Cialdini's research on persuasion for some of them), and which one to try depends on what you know about the individual. Doing some research beforehand dramatically increases the likelihood of success.
Keep it subtle
A social engineering exercise is only successful if the mark does not catch on during the process. Social engineers are asking for something they should not be allowed to have, and once the mark realizes this, access can easily be denied.
In most cases, the key to keeping social engineering subtle is to hide the critical request inside a longer conversation. A single odd question out of the blue may raise suspicion, but the same question may go unnoticed if the conversation has lasted a few minutes and the social engineer has built some rapport with the mark.
One way to test whether that rapport is sufficient (and whether the mark is comfortable enough to answer unusual questions) is to first ask something personal. From whether and how the target responds, the social engineer can gauge whether the critical question will succeed before actually asking it.
Another useful concept is the serial position effect, which states that people are most likely to remember the first and last items in a list. When asking a series of questions to get a single answer, bury the question that matters in the middle of the series to minimize the chance that it is noticed or remembered.
Not just talking
Social engineering is based on manipulating communication, but speech is not the only way people communicate. We also communicate through body language, tone of voice and appearance, and to succeed a social engineer must keep every channel consistent with the intended message. Some social engineering engagements can in fact be completed without saying a single word.
A few well-chosen outfits can be invaluable to a social engineer. A good suit, a quick and steady pace and a mobile phone held to the ear can (literally) open doors: a helpful employee may take the social engineer for someone from management in a hurry and politely hold the door. A similar effect can be achieved with a heavy parcel and a courier uniform (choose a private company, since impersonating a USPS employee is a crime), or with a number of other pretexts.
During a conversation, the individual's appearance and body language must also match the persona being used. A manager can get away with giving orders authoritatively; an intern cannot. Preparing and rehearsing a solid persona makes everything that follows easier and more efficient.
Social Engineering and Ethical Hacking
In some cases, social engineering is placed out of scope during an ethical hacking engagement. Many people dislike it because it involves outright lying and can damage the relationship between a company's employees and its management. This is especially true if the engagement is handled poorly and employees feel the company tried to trick them into misbehaving.
However, social engineering exercises are a crucial part of ethical hacking engagements. More than 99% of cyber attacks rely on human interaction at some point (see the Help Net Security source below), because in most cases it is far easier to fool a person than to fool a computer. An attacker trying to steal millions of dollars from a company will have no qualms about deceiving a few employees along the way. Ethical hackers must therefore help clients learn to recognize social engineering attempts and respond to them appropriately.
Conclusion: Becoming an Effective Social Engineer
Social engineering is the art of manipulation. Success in social engineering depends on understanding what makes people do things and how to motivate someone to do something that is not in their best interest. People do things that are not in their best interest all the time, and the key is to make what the social engineer wants seem appealing.
There are a number of resources on social engineering, and they are well worth reading. However, there is no substitute for practice. Communication is a two-way street, and social engineers must think on their feet to make sure the mark is hearing the message they intend to send. That cannot be learned from a book.
Sources
- The Science of Persuasion, Scientific American
- Serial Position Effect, Simply Psychology
- More than 99% of cyberattacks rely on human interaction, Help Net Security