What is Social Engineering?
"An outside hacker's use of psychological tricks on legitimate users
of a computer system, in order to gain the information he needs
to gain access to the system."
Social Engineering is a way of getting important information from
users without them knowing they are giving this info to you.
To be able to social engineer you do need a few things:
- Some information on the target
- You must be very patient
- Good Social Skills
Although it may sound complex, social engineering is probably the
best 'tool' that you can learn and become good at. IT'S ALSO VERY EASY.
What information can you get from a user using Social Engineering?
Anything. You can get anything you need from the target. But you
must be able to use good social skills and also be able to 'trick'
the user.
How do I Social Engineer?
First of all, make sure when you are social engineering that you
do it through a chat program or email (you may do it on the phone
or face to face, but if you get scared and get caught he won't know
who you are). Create a new email with a free host (Hotmail, Yahoo
etc...) or, if you are going to use chat, create a new user on the
chat program. When asked for your details make sure you enter fake
information, but also make sure that it's believable; this means
fill in all details of your profile so when a user checks your profile
he will think that he knows your name, location etc... (but this
should not be your real info).
Also, before you start, make sure you have written down everything
about yourself (not your real self but your fake self); this will
come in handy when the target asks you for your name, age and other
info. Also make a checklist of all the info you want from your target.
Once you have got everything ready then find your target. I like
to use ICQ, because of the many exploits and flaws which make it
easier to find info such as the victim's IP.
Using the chat program, find a target and start chatting to him/her.
Become their friend and chat for a couple of hours. Make sure you
are patient. Then slowly ask him for the info you want, BUT make
sure you don't make it obvious. For example, if I wanted to know
if the user had an anti-virus:
(after chatting to the target for a long time and he thinks we are friends)
ME: I am thinking of getting an Anti virus program, but i don't know which one. Could you suggest one?
VICTIM: Dunno, i heard Norton is good.
ME: I don't know, someone told me it's not that good.
VICTIM: I really wouldn't know, i am not good at computers
ME: which anti-virus do you use?
VICTIM: i don't use one.
From this case we have found out what we wanted: the victim does
not use an anti-virus program. We have also found out that he does
not know much about computers.
Some of the most common techniques used are:
Direct Approach - An aggressor may directly ask a target individual
to complete a task (for example, a phone call to a receptionist
asking them for their username and password). While this is the
easiest and the most straightforward approach, it will most likely
not succeed, as any security-conscious individual will be wary
of providing such information.
Important User - By pretending to be a senior manager of an organisation,
with an important deadline, the attacker could pressure the Helpdesk
operator into disclosing useful information, such as:
- the type of remote access software used;
- how to configure it;
- the telephone numbers to the RAS server to dial;
- the appropriate credentials to log in to the server.
Upon obtaining this information, the attacker could then set up
remote access to the organisation's network. They could then call
back hours later to explain that they had forgotten their account
password and request that it be reset.
Helpless User - An attacker may pretend to be a user who requires
assistance to gain access to the organisation's systems. This is
a simple process for an attacker to carry out, particularly if they
have been unable to obtain/research enough information about the
organisation. For example, the attacker would call a secretary within
the organisation pretending to be a new temp who is having trouble
accessing the organisation's system. By not wishing to offend the
person, or appear incompetent, the secretary may be inclined to
help out by supplying the username and password of an active account.
Technical Support Personnel - By pretending to belong to an organisation's
technical support team, an attacker could extract useful information
from the unsuspecting user community. For example, the attacker
may pretend to be a system administrator who is trying to help with
a system problem and requires the user's username and password to
resolve the problem.
Reverse Social Engineering (RSE) - A legitimate user is enticed
to ask the attacker questions to obtain information. With this approach,
the attacker is perceived as being of higher seniority than the
legitimate user who is actually the target.
A typical RSE attack involves three parts:
Sabotage - After gaining simple access, the attacker either corrupts
the workstation or gives it an appearance of being corrupted. The
user of the system discovers the problem and tries to seek help.
Marketing - In order to ensure the user calls the attacker, the
attacker must advertise. The attacker can do this by either leaving
their business cards around the target's office and/or by placing
their contact number on the error message itself.
Support - Finally, the attacker would assist with the problem, ensuring
that the user remains unsuspicious while the attacker obtains the
information they require.
E-mail - The use of a topical subject to trigger an emotion which
leads to unwitting participation from the target. There are two
common forms that may be used. The first involves malicious code,
such as that used to create a virus. This code is usually hidden
within a file attached to an email. The intention is that an unsuspecting
user will click/open the file; for example, the 'ILOVEYOU' virus, the
'Anna Kournikova' worm or, more recently, the 'Vote-A' email-aware worm.
The second, equally effective approach involves chain mail and virus
hoaxes. These have been designed to clog mail systems by reporting
a non-existent virus or competition and requesting the recipient
to forward a copy on to all their friends and co-workers. As history
has shown, this can create a significant snowball effect once started.
Website - A ruse used to get an unwitting user to disclose potentially
sensitive data, such as the password they use at work. For example,
a website may promote a fictitious competition or promotion, which
requires a user to enter a contact email address and password.
The password entered may very well be similar to the password used
by the individual at work.
Other techniques used may include:
- Somebody looking over the shoulder of a person as they type in
  their password.
- A visitor watching users and their behaviour patterns.
- An attacker sifting through rubbish looking for clues to unlock
  an organisation's IT treasures.