
What is social engineering - the art of human hacking?

Security is a coin with two sides. On one side we look for a sense of comfort and assurance; on the other, thieves, hackers, and vandals are looking for gaps.

Social engineering is the act of extracting information from people rather than from machines. Because it need not touch the target's systems or network at all, it is considered a non-technical attack.

Social engineering is the art of convincing a target to reveal information. It may be a physical, one-to-one interaction with the target, or persuasion over any communication platform; social media is a particularly popular one. It works because people are careless about, or unaware of, the value of the information they possess.

"Trust" is the biggest vulnerability of a human. Misplaced trust can lead to loss of privacy and to credentials ending up in an attacker's hands.

One example is the fraud calls many of us receive from attackers claiming to be calling from the bank about a "security concern" and asking for credit card details. If the attacker succeeds in gaining the target's trust, the victim shares the card details, which can lead directly to money being taken from the corresponding bank account.

Phases of a social engineering attack

Social engineering attacks are not complex attacks that require strong technical knowledge; the attacker may be an entirely non-technical person, since, as defined above, the act is one of stealing information from people. Social engineering attacks are nevertheless typically performed in the following steps:

1. Research: the research phase consists of collecting information about the target organization. It may be gathered by dumpster diving, scanning the organization's websites, searching the Internet, or talking to employees of the target organization.

2. Select target: in the target selection phase, the attacker picks a target from among the organization's employees. A frustrated or disgruntled employee is preferred, since such a person is easier to persuade into revealing information.

3. Relationship: the relationship phase consists of building a relationship with the target in such a way that the target cannot identify the attacker's intention and in fact comes to trust the attacker. The higher the level of trust between target and attacker, the easier it is to extract information.

4. Exploit: the relationship is exploited to collect sensitive information such as usernames, passwords, network details, and so on.

Types of social engineering

Social engineering attacks can be carried out using many different techniques. These techniques are classified into the following types:

1. Impersonation: impersonation is a human-based social engineering technique. To impersonate means to pretend to be someone or something else. In social engineering, the attacker pretends to be a legitimate user or an authorized person. This may be done in person or over a communication channel such as e-mail or telephone.

2. Eavesdropping and shoulder surfing: eavesdropping is a technique in which the attacker obtains information by covertly listening to a conversation. It is not limited to listening; it includes reading or accessing any source of information without the owner being aware of it. Shoulder surfing is the visual form: watching over someone's shoulder as they type a password or PIN, or reading what is on their screen or desk.

3. Dumpster diving: dumpster diving is the process of looking for treasure in trash. The technique is old but still effective. It includes going through the target's waste, such as printer output bins, a user's desk, or the company's garbage, looking for phone bills, contact information, financial information, source code, and other helpful material.

4. Reverse social engineering: a reverse social engineering attack requires interaction between attacker and victim, in which the attacker convinces the target that they have a problem, or might have one in the future, and that the attacker can solve it. If the victim is convinced, the victim hands over the information the attacker wants. Reverse social engineering is performed in the following steps:

    a. The attacker sabotages the target's system or identifies a known problem with it.

    b. The attacker advertises as an authorized person who can solve the problem.

    c. The attacker gains the target's trust and obtains access to sensitive information.

    d. When reverse social engineering succeeds, the victim comes to the attacker for help, so the attacker never has to initiate the contact that would normally raise suspicion.

5. Piggybacking and tailgating: these are similar techniques for getting into a restricted area. In piggybacking, the unauthorized person waits for an authorized person and gets that person to let them in, for example by asking them to hold the door or claiming to have forgotten a badge, so the entry happens with the authorized person's knowledge. In tailgating, the unauthorized person follows the authorized person closely through the checkpoint without their consent; a fake ID badge and close following while passing the checkpoint make tailgating easy.

Gathering Information from Websites

Corporate and/or personal websites can provide a bounty of information. The first thing a good social engineer will often do is gather as much data as he can from the company's or person's website. Spending some quality time with the site can lead to clearly understanding:

- What they do
- The products and services they provide
- Physical locations
- Job openings
- Contact numbers
- Biographies of the executives or board of directors
- Support forums
- E-mail naming conventions
- Special words or phrases that can help in password profiling

Seeing people's personal websites is also amazing, because they will link to almost every intimate detail about their lives: kids, houses, jobs, and more. This information should be catalogued into sections, because it will often be something from this list that is used in the attack. Many times company employees will be part of the same forums, hobby lists, or social media sites.

If you find one employee on LinkedIn or Facebook, chances are that many more are there as well. Gathering all that data can really help a social engineer profile the company as well as its employees. Many employees mention their job title on their social media outlets, which helps a social engineer estimate how many people are in a department and how the departments are structured.
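Two of the items above, e-mail naming conventions and "special words" for password profiling, turn into attack material very directly. The following Python script is an added example for this article, not code from the original post: it infers the naming convention from a couple of addresses seen on a company site, applies it to other harvested names to produce likely addresses, and builds a password-profiling wordlist by combining harvested keywords (company name, product, a pet mentioned on a blog) with years and common suffixes. Every name, address, domain and keyword is constructed sample data, and the candidate conventions, suffixes and the eight-character minimum are assumptions about what a target might use.

```python
"""Username enumeration from an observed e-mail naming convention, plus a
password-profiling wordlist built from harvested keywords.

Added example for this article; it is not code from the original post. Every
name, address and keyword below is constructed sample data, and the candidate
conventions and suffixes are assumptions about what a target might use."""

CONVENTIONS = {
    # label -> builds the local-part of an address from (first, last)
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}


def split_name(full_name):
    """Lower-case first and last token; middle names are ignored."""
    parts = full_name.lower().split()
    return parts[0], parts[-1]


def infer_convention(observed):
    """Return the label of the first convention that reproduces the local-part
    of every observed (full name, address) pair, or None if none fits all."""
    for label, build in CONVENTIONS.items():
        if all(build(*split_name(name)) == addr.split("@")[0].lower()
               for name, addr in observed):
            return label
    return None


def build_addresses(names, convention, domain):
    """Apply an inferred convention to other harvested names."""
    build = CONVENTIONS[convention]
    return [f"{build(*split_name(n))}@{domain}" for n in names]


def leetspeak(word):
    """Common character substitutions: a->4, e->3, i->1, o->0, s->$."""
    return word.translate(str.maketrans("aeios", "4310$"))


def password_profile(keywords, years, min_length=8):
    """Combine each keyword (as typed, capitalised, and leet-substituted) with
    years and common suffixes, drop anything shorter than min_length (an
    assumed policy minimum) and return the deduplicated list in generation
    order."""
    suffixes = ["", "!", "123"]
    candidates = []
    for kw in keywords:
        # dict.fromkeys dedupes while keeping order (leet may equal lower-case)
        bases = dict.fromkeys([kw.lower(), kw.capitalize(), leetspeak(kw.lower())])
        for base in bases:
            for year in [""] + list(years):
                for suffix in suffixes:
                    candidate = f"{base}{year}{suffix}"
                    if len(candidate) >= min_length:
                        candidates.append(candidate)
    return list(dict.fromkeys(candidates))


if __name__ == "__main__":
    # Constructed sample: two addresses seen on the (fictional) example.com site
    observed = [("Alice Martin", "amartin@example.com"),
                ("Robert Chen", "rchen@example.com")]
    convention = infer_convention(observed)
    # Constructed sample: names harvested from a staff page and LinkedIn
    targets = ["Dana Okafor", "Maria Elena Lopez"]
    print(convention, build_addresses(targets, convention, "example.com"))
    # Constructed sample keywords: company name, product, a pet seen on a blog
    print(password_profile(["Acme", "Widget", "Fluffy"], ["2023", "2024"])[:10])
```

Run against your own organisation's public footprint, the same script shows a defender what an attacker can derive from a staff page and two published addresses; a naming convention that maps cleanly from names to logins means every name on LinkedIn is also a valid username for a password-spraying attempt.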

Search Engines

Johnny Long wrote a well-known book, Google Hacking for Penetration Testers, that opened many people's eyes to the amazing amount of information Google holds. Google forgives but never forgets, and it has been compared to an oracle: as long as you know how to ask, it can tell you most anything you want to know. Johnny developed a list of what he calls "Google Dorks": search strings that can be used in Google to find information about a company. For example, if you were to type in site:microsoft.com filetype:pdf you would be given a list of every indexed file with the extension PDF on the microsoft.com domain. Being familiar with search operators that can help you locate files on your target is a very important part of information gathering.

Social Media

Many companies have recently embraced social media. It is cheap marketing that reaches a large number of potential customers. It is also another stream of information from the company that can provide breadcrumbs of useful information: companies publish news on events, new products, press releases, and stories that tie them to current events. Lately, social networks have taken on a life of their own; when one becomes successful, a few more pop up using similar technology. With sites like Twitter, Blippy, PleaseRobMe, ICanStalkU, Facebook, LinkedIn, MySpace, and others, you can find information about people's lives and whereabouts out in the open. Social networks are amazing sources of information and deserve a much closer look.

User Sites, Blogs, and So On

User sites such as blogs, wikis, and online videos may provide not only information about the target company but also a more personal connection through the user(s) posting the content. A disgruntled employee who is blogging about his company's problems may be susceptible to a sympathetic ear from someone with similar opinions or problems. Either way, users are constantly posting amazing amounts of data on the web for anyone to see and read.

Social engineering can be applied to any individual through their social networking accounts, and most of the information an attacker needs can be taken from there. From your phone number to your address to details of your family members, everything is available on your profile. You may think there is no valuable information on your account, but an attacker can extract every minute detail and use it for exploitation.

"Stay safe, stay anonymous."

Reviewed by Shirley Bloggastron on 10:07 AM Rating: 5
