Social engineering: How to hack humans

We speak to Chris Hadnagy, author of Social Engineering: The Art of Human Hacking

You get a call from a software company — a Microsoft partner perhaps — that tells you your computer is infected with a virus. But don't worry. The helpful technician on the other end of the line can walk you through the removal process. Or maybe you're an executive at a major security company who receives an email that states: 'Forward this file to yourself for review. Please open and view it.' Or perhaps you find a USB stick lying around and plug it into your workplace PC to figure out what's on it.

Next thing you know, your credit card has been charged; or your company's two-factor authentication system has been compromised; or your nuclear power plant's network is in the grip of a worm.

The common factor in all three: people — or, more precisely, social engineering. Chris Hadnagy (@humanhacker on Twitter), a trainer for Offensive Security and the author of Social Engineering: The Art of Human Hacking, describes social engineering as "the act of influencing a person to take an action that may or may not be in their best interest."

Hadnagy gives an example of how he could use social engineering to infiltrate a tech company: "I might first start by calling the accounts receivable department and acting like a potential new vendor. I might find out how they sign people up, find out lingo they use and codes they have, take down the name of the person I was with and tell them I will call back later," he says.

"Call back later, but this time as a present vendor, let's say the waste management company. As I call in I say something like, 'I got a call from Jenny, she said there was a report of a damaged dumpster at your location. I am going to send our Paul tomorrow to take a look. Can you let security know?'"

The next day Hadnagy could turn up dressed as their waste management person and be allowed on site for an 'authorised' dumpster dive, giving him access to improperly disposed-of documents. "I could say something like, 'Hey, while I was on the lot, I found this USB key... doesn't look like it was disposed of properly. I am turning it in to you. Okay?'" Hadnagy says.

Most people would probably insert the USB drive to see what's on it, potentially infecting a computer — one almost certainly attached to the company's network — with malware. If this vector doesn't work, there are many others that can be set up from one of the previous steps, Hadnagy says.

Social engineering is the most common method used in attempts to breach organisations' security, according to Hadnagy. High-profile hacker group LulzSec, as one example, "used SE in every attack they launched last year," Hadnagy says.

"Social engineering is used in many major and minor attacks on companies. Sometimes not even by hackers, but you hear reports such as the 17-year-old that impersonated a doctor and a cop, or the guy who impersonated a pilot flying a plane for over five years. All these are social engineer attacks in one form or another."

Too often, Hadnagy says, there is a tendency to treat security as a purely 'technical' problem. He says that during sales calls, one of the hardest security services to sell is a social engineering audit. "Why?" Hadnagy asks. "I am not 100 per cent sure, except we hear things like, 'it is cheating' or 'my people won't fall for that'. Of course those companies are usually the ones who fall for it and end up being hurt by it."

Social engineering preys on human weakness rather than technical flaws, and the threats to businesses generally fall into one of three categories, according to Hadnagy.

• Web and email attacks: This includes things such as phishing and malicious websites.

• Phone-based attacks: Eliciting information over the phone, usually in order to facilitate "a further, more brutal and personal attack."

• Physical attacks: For example, dumpster diving (or trashing) to obtain information or encouraging someone to use a malware-infected USB key.

Stories by Rohan Pearce