Social Engineering

Networking and Communications

Nov 21, 2013


Matthew J Duffy


While Software Engineering and Computer Science have become notable fields in the workforce today, the term Social Engineering is a newer concept. It is not a field one can study and declare as a major at a university, but a broader concept of how users of today’s digital technologies are easily influenced by seemingly trustworthy individuals or groups through technological means. Kevin Mitnick popularized the term “Social Engineering”, and it has since been repeatedly mentioned in articles and papers on network and information security. In today’s constantly changing world of technology, social engineering has become a popular form of obtaining and utilizing confidential information. To combat these threats, organizations need to apply new measures to protect their users and their information.


In today’s world of technology, not many people think twice when entering their password to access their computer, their online bank account, or their favorite social network. The notion of a password and security questions seems trivial to most of these users, but to those of us who have security at the forefront of our minds, these passwords and security questions are the first and last lines of defense against the expansive network we know as the Internet.


The Merriam-Webster online dictionary defines the Internet as “an electronic communications network that connects computer networks and organizational computer facilities around the world”.


The Internet uses a variety of ways to authenticate users against an existing database; the most common form is the use of a unique username and an associated password. For better security, networks may provide additional means of authentication such as two-factor authentication, which requires a password and a specific PIN, usually a randomly generated number that changes over time. Additional means of security include security questions and narrow windows of availability during which users may access a network’s resources.
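As an added worked example (not code from the original paper), the following Python shows how those three checks fit together in one login routine: a salted password hash, a time-based one-time code of the kind the paper calls a “randomly generated number” (assumed here to be the RFC 6238 TOTP scheme, which the paper does not name), and an access-hours window. The in-memory user store, the usernames, the `register`/`authenticate` helpers and the (start, end) hour window are all constructed for the example; the shared secret is the RFC 6238 test key, not a real one.

```python
import hashlib
import hmac
import os
import struct
from datetime import datetime, timezone

# Hypothetical in-memory user store, constructed for this example.
USERS = {}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second steps)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def register(username, password, totp_secret, access_hours):
    """access_hours is a (start, end) pair of UTC hours during which login is allowed."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest,
                       "secret": totp_secret, "hours": access_hours}


def authenticate(username, password, code, now):
    """Return (ok, reason) for a login attempt at Unix time `now`."""
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal valid usernames.
    salt = user["salt"] if user else bytes(16)
    _, digest = hash_password(password, salt)
    if user is None or not hmac.compare_digest(digest, user["hash"]):
        return False, "bad username or password"
    # Accept the current and the two adjacent 30-second steps to tolerate clock drift.
    expected = [totp(user["secret"], now + d).encode() for d in (-30, 0, 30)]
    if not any(hmac.compare_digest(e, str(code).encode()) for e in expected):
        return False, "bad one-time code"
    hour = datetime.fromtimestamp(now, tz=timezone.utc).hour
    start, end = user["hours"]
    if not start <= hour < end:
        return False, "outside access window"
    return True, "ok"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    register("alice", "correct horse battery", secret, (0, 24))
    now = 59
    print(authenticate("alice", "correct horse battery", totp(secret, now), now))  # (True, 'ok')
```

The order of the checks matters: the password is verified first with a constant-time comparison (and a dummy hash is computed for unknown usernames), the one-time code second, and the access window last, so every failure path costs the caller roughly the same time and reveals only a generic reason.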

As seen in recent news, not all of these forms of authentication are secure, and this is due to one very complex idea now known as Social Engineering.

What is Social Engineering?

What is Social Engineering? This is a question that not many people would be able to answer, as it is still a fresh concept in the IT industry. Social Engineering is a way of convincing or coercing computer users into divulging important information, whether personal or business related, that might compromise their identity, their financial situation, or the security of their workstation and/or network. Microsoft’s Safety and Security Center defines it as “a way for criminals to gain access to your computer. The purpose of social engineering is usually to secretly install spyware or other malicious software or to trick you into handing over your passwords or other sensitive financial or personal information”.


Kevin Mitnick, a well-known hacker, was the first to popularize the term “social engineering”, as most of his hacks utilized common social engineering techniques that we can study and recognize today. He describes social engineering as “using deception, manipulation and influence to convince a human who has access to a computer system to do something ...”.


Social Engineering Ethics

The world of social engineering may seem very bleak at this point, as all of the discussion so far has focused on one thing: obtaining your information and using it against you. However, there is a bright side to social engineering, and it rises to the level of counter-social engineering to prevent malicious hackers from getting at your information.

Ethical hacking: White Hat hackers

If you were to ask anyone on the street whether they like taking a system apart just to find out how it works, you would probably have a 50/50 chance that the answer would be yes. If you asked any individual in the computer science industry, you would most likely find that it is a source of great entertainment and fun to know how a system works. The phrase “just show me the source code” is ubiquitous among programmers trying to understand how a program works or functions.

This knowledge of how something works is invaluable to the developers of software, but it is even more useful to people who wish to break or circumvent a software program’s normal operation. This is where the term white hat hacking comes into view. White hat hackers are knowledgeable individuals whose primary job is to understand a system from the inside out, on both the hardware and software sides. These ethically certified hackers are instrumental in probing hardware and software systems for weaknesses. The tests that white hat hackers perform assess both computer system weaknesses and weaknesses in a business’s corporate IT policy. The three primary questions that ethical white hat hackers need to ask themselves are: What is the company trying to protect? What is the company trying to protect against? How much time, effort and money is the company willing to spend to obtain adequate security? Once one can answer those three questions, one can determine what testing approach to take.

Black box testing

Black box testing deals with the scenario in which the tester knows nothing of the internal system; the only information they have is a name, which can be either a person’s name or a company name. Their task is then to acquire all other relevant information by third-party means in order to determine whether the system is secure.

White box testing

White box testing deals with the scenario in which the tester has full knowledge of the company or person they are targeting. Details might include the specific technologies and devices in use and the network schemas the company incorporates. This type of test determines what kind of information an inside user can locate without having been granted authorized access to it.

Gray box testing

Gray box testing is a blend of black and white box testing, where the scenario deals with a mix of full disclosure and partial restriction. This scenario targets the middle ground in which most unethical hackers operate: they have some information on a company, but lack the specific internal details such as network topology and user base.


White hat hackers stay on the right side of the federal laws that apply to accessing secure networks and their associated resources not through certification but through explicit, written authorization from the owner of the systems being tested; certification in ethical hacking demonstrates competence and is what clients usually ask for. Some examples of ethical hacker certifications and testing schemes are:

- Certified Ethical Hacker (CEH), offered by the International Council of Electronic Commerce Consultants (EC-Council)
- Certified Information Systems Security Professional (CISSP), which requires a full five years of professional experience in the information security field and is accredited by the American National Standards Institute to ISO/IEC 17024:2003
- Council for Registered Ethical Security Testers (CREST)
- CHECK Team Leader and CHECK Team Member, limited to those with British citizenship
- Qualified Security Tester

Ethical Hacking: Black and Gray Hat hackers

On the other side of the spectrum of the hacking world are Black and Gray hat hackers, those whose actions are not looked on favorably in the IT industry. A Black hat hacker’s motive usually falls within three common themes: money, desire for a challenge, and entertainment. A Gray hat hacker’s motives do not lie on the same plane as a Black hat hacker’s, as their skills are used more to inform a company or individual that their security can be compromised, and they detail how to fix the problem. A Gray hat hacker can be anyone, but most importantly, Gray hat hackers are not certified by any accredited organization and are not paid by any corporation for their work. The main difference between a Black hat and a Gray hat hacker is that a Gray hat hacker uses their skills in an unethical manner (testing without authorization) to achieve semi-ethical goals, whereas a Black hat hacker uses their skills only for their own gain or to cause disruption.

Social Engineering Techniques

Contrary to popular belief, hacking is not just a means of accessing your personal information by brute force alone. With the dawn of social engineering, there are many techniques for acquiring confidential information, because the end user will provide it freely when they believe it is for a legitimate purpose. The primary techniques of social engineering are pretexting, online social engineering, shoulder surfing, dumpster diving and phishing.



Pretexting

Pretexting is the most common social engineering tactic used by black hat hackers. Pretexting is the act of creating and using a contrived scenario to persuade a potential victim to reveal information or perform actions. This tactic targets a user by requesting a specific piece of information within a false scenario designed to convince the user that real-life consequences (or benefits) will occur if they do not comply. Examples of this tactic in use might be requesting a username and password to ensure that a user’s e-mail account stays active; requesting bank account information “for validation purposes” to verify the user in a database; or asking a user to confirm their home address for mailing purposes (covered under dumpster diving later in this paper).
Online Social Engineering

In this world filled with people, social networks have become the new way of keeping in touch with other people across the world. However, while new forms of social media are constantly emerging, the technology that protects them remains the same. The most basic form of online social engineering comes in the form of queries on search engine websites such as Google and Yahoo. These types of blanket searches cover many avenues for locating information on an individual, but usually indicate that the attacker has little or no information on their target and is looking to find more by a widespread search.

More pointed searches target a specific person on social networks such as Facebook, LinkedIn, Twitter and Google+. These types of attacks make up over 39 percent of all social engineering attacks. They look to find information on a specific individual in order to develop a social engineered attack against that person. The security behind social networks has become stronger in recent years, but relies mostly on the user to do the majority of the work in securing their identity and personal information from outsiders. This is easy enough to do by spending some time reviewing a social network’s privacy policy and understanding the default settings for your account.

More secure websites, such as corporate websites, may provide a way to authenticate a user before a search query is permitted. However, implementing this type of security on university or corporate web directories is difficult, which allows any number of attackers to freely search for information such as names, phone numbers, mailing addresses, office locations, areas of study or work, and general hours of availability. If an attacker has access to these resources, then the victim is subject to a localized attack, which may be more powerful the closer the victim is to the attacker. Unfortunately, for these types of websites there is no preventive method that fully stops an insider from obtaining information on individuals within a company or university. The most targeted users in a corporation are new employees and contracted workers, whose knowledge of corporate policy and business procedures is limited.

Shoulder Surfing

This form of social engineering is the lowest level of information gathering. Shoulder surfing can occur in any number of locations, including but not limited to coffee shops, business offices and cubicles, university computer labs, ATMs and even at home. This form of social engineering looks to gain access to certain resources by observing the victim enter his or her credentials. It involves no interaction with the victim and assumes that the attacker is able to memorize all of the information needed to carry out a successful future attack. This form of social engineering is the most preventable, by applying a good sense of security wherever you go: conceal the number pad when entering any PINs; use long and complex passwords; and sit in a secure location away from other individuals if necessary.

Dumpster Diving

As the world transitions to a digital era, there is still a paper trail left behind that details our past and even our current life story. Everything from medical records, bank information, mortgage payments, credit card statements, utility bills and social security claims to simple postcards is sensitive information if put in the wrong hands. Dumpster diving is the method of perusing through the garbage to uncover these types of documents and using them to steal another’s identity. The best way to protect against dumpster divers is to remove all traces of sensitive data and dispose of documents by shredding or burning them. These methods are not 100% effective, but they do lessen the chance that a diver will be able to retrieve useful information.


Phishing

Phishing attacks are the most prevalent social engineering attacks to date. They make up over 47 percent of all social engineering attacks. The two charts below show the rise in phishing attacks. Figure 1 shows the number of phishing e-mails caught in October 2006, and Figure 2 shows the number of phishing e-mails caught in October 2011. As one can see, there is a significant increase over the course of five years.

Figure 1: Number of verified phishing e-mails in October 2006. Highest peak was 350 e-mails.

Figure 2: Number of verified phishing e-mails in October 2011. Highest peak was approximately 800 e-mails.

A phishing attack is usually a broader attack that targets a large scope of users. These targets can be public officials, corporate employees, members of an organization, or groups of people with low-level access to network resources (students). A phishing attack “is a two-time scam technique of fraudulently obtaining private information”. The first part of a phishing attack usually consists of a fraudulent e-mail or phone call to a number of users, which holds the pretext of authority or urgency. The e-mail attempts to impersonate an administrator on the network, or claims to be from an organization that the user is familiar with, and requires them to verify their status. The second part of a phishing attack is the final destination that the user reaches when verifying their identity or entering the information the attacker has requested. This destination is usually a fake website set up to look familiar to the user and to let them input the requested information.

Questioning e-mails or phone calls that request personal information or appear illegitimate is the best way to prevent phishing attacks. Notify your network administrators or support personnel if you come across any e-mails that appear to be phishing e-mails.
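The two-part structure described above (an e-mail carrying authority or urgency, then a link to a look-alike site) gives a practitioner something concrete to check for. The following Python scanner is an added example, not code from the paper: it parses a raw message, compares the sender’s domain with the organisation’s own, looks for urgency and credential-request wording, and flags links whose visible text names one host while the href points at another host or at a bare IP address. Both sample messages, the trusted domain example.com, the hosts in the links and the keyword lists are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Two constructed sample messages (not real mail, not from the paper).
# PHISH is the two-part phish: an "urgent" notice whose link text shows the
# real webmail host but whose href points at a look-alike site on a bare IP.
PHISH = """\
From: "IT Helpdesk" <support@mail-security-alerts.example>
To: newhire@example.com
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<p>Your mailbox will be deactivated unless you verify your password immediately.</p>
<p><a href="http://198.51.100.7/login">https://webmail.example.com/login</a></p>
"""

LEGIT = """\
From: "Payroll" <payroll@example.com>
To: newhire@example.com
Subject: May timesheet reminder
Content-Type: text/html

<p>Timesheets are due Friday. Submit them in the usual portal.</p>
<p><a href="https://hr.example.com/timesheets">https://hr.example.com/timesheets</a></p>
"""

# Hypothetical keyword lists; a real deployment would tune these.
URGENCY = ("urgent", "immediately", "within 24 hours", "deactivated", "suspended")
CREDENTIAL = ("password", "verify your account", "confirm your identity", "bank account")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def hostname(text):
    """Host named by a URL or URL-looking anchor text; '' if there is none."""
    try:
        return (urlparse(text.strip()).hostname or "").lower()
    except ValueError:
        return ""


def is_ip(host):
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def body_text(msg):
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def scan(raw, trusted_domains=("example.com",)):
    """Return (score, reasons) for one raw RFC 822 message; score 0 means nothing flagged."""
    msg = message_from_string(raw)
    body = body_text(msg)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain not in trusted_domains:
        reasons.append(f"sender domain {sender_domain!r} is not an organisation domain")
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(k in text for k in URGENCY):
        reasons.append("urgency or threat language")
    if any(k in text for k in CREDENTIAL):
        reasons.append("asks for credentials or account details")
    for href, label in LINK_RE.findall(body):
        target, shown = hostname(href), hostname(label)
        if is_ip(target):
            reasons.append(f"link points at bare IP address {target}")
        if shown and shown != target:
            reasons.append(f"link text shows {shown!r} but goes to {target!r}")
    return len(reasons), reasons


if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        score, reasons = scan(sample)
        print(name, score, *reasons, sep="\n  ")
```

The link check is the one that catches the second half of the attack: the anchor text is what the user sees, the href is where the browser goes, and a mismatch between the two is exactly how the “fake website set up to look familiar” is reached. Keyword matching alone is noisy, which is why the scanner reports every reason rather than a single verdict.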

Social Engineering Psychological Aspects

A careful social engineer chooses their targets deliberately, profiling whom they want to target in order to obtain the largest yield of information. There are three key properties that comprise the social psychology of a social engineering attack: alternative routes to persuasion, attitudes and beliefs that affect human interactions, and techniques for persuasion and influence. These three traits are prime indicators of what type of person a social engineer is likely to target.

Alternative Routes to Persuasion

An alternative route to persuasion is a way for a social engineer to obtain information not by directly asking for it, but by coercing the victim into providing it for them. A direct method of persuasion involves no contrived scenario and largely “depends on the (victim’s) ...”. Rather than directly expose their desire for specific information, a social engineer looks to circumvent logical thinking and targets the victim’s emotional state to obtain information. Such emotional triggers weigh heavily on either fear of consequences or desire for reward.

Attitudes and Beliefs that affect Human Interactions

This psychological aspect primarily focuses on the relationship between the attacker and their victim. If the victim knows the attacker, they are more prone to divulging information than if it were someone they did not know. The only question the victim has to ask is “Do I trust this person?” Successful social engineers build relationships in order to take advantage of them later.


Techniques for Persuasion and Influence

Six primary elements make up effective persuasion techniques: authority, scarcity, liking and similarity, reciprocation, commitment and consistency, and finally social proof. How these attacks are carried out depends on whether the attack is human based (focused on human targets) or technology based (focused on penetrating computer systems alone). The six elements listed above appear in human based attacks, which look to incorporate several of the elements to make up a successful social engineering attack.


Authority

If a socially engineered attack has the element of authority, it usually indicates that it started at the top of the business hierarchy and worked down to the lower levels of the business. An example involving authority occurs when a senior member of a law firm receives a fraudulent e-mail and passes it down to a subordinate. As the e-mail passes through the chain of command, it gains more and more authority, so people are less likely to question it when they see it comes from a superior member of the business.


Scarcity

A social engineering method of coercing a victim to do something may involve a type of reward or consequence chosen for the type of victim targeted. If a victim is a frequent lottery player, then a simple masqueraded e-mail mimicking an official lottery organization and stating that they have won a large sum of money may suffice to obtain a large amount of information. If the attacker knows that their victim has had difficulty holding a job, then they might be able to force them to do something by threatening to terminate their position. By offering rare opportunities (winning the lottery) or severe consequences (loss of employment), a social engineer can trigger emotional reactions which cloud a user’s judgment and thus could provide the attacker with what they are after.

Liking and Similarity

This trait is similar to the Attitudes and Beliefs section covered earlier, which deals with the relationship between the attacker and their victim. If the victim holds a particular favoritism toward the attacker, then they are more willing to provide information than if it were someone unfamiliar to them.


Reciprocation

By mimicking feelings of goodwill, a social engineer can harvest large amounts of information by offering a false sense of reciprocation to the victim. Human beings are more inclined to do something when they are compensated for their efforts, whether tangibly with money or immaterially with feelings of gratification and the satisfaction of helping other people.

Commitment and Consistency

By staying focused and committed to their objective, a social engineer is more likely to receive information in return if they appear consistent in their behavior toward their victim. By asking for small favors or commitments from the victim, they can continually take advantage of the victim, because the victim will feel compelled to stand by their earlier commitments.

Social Proof

Social proof is a last-resort attempt to get a victim to fall within the normal bounds in which a social engineer operates. Social proof is a type of conformity where a person is not sure how to act in a certain situation, so they conform to the group environment around them. By getting a victim to conform to a situation, it is easier for a social engineer to extract information from them. A prime example of this is social networking: by introducing factors that influence the group as a whole, the attacker in turn influences any individuals associated with the group.

Composition of a Social Engineering Attack

Four steps make up a social engineering attack, as depicted in Figure 3. These steps provide a way to determine where exploitation occurs in a production environment.

Figure 3: The social engineering cycle, which is repeated in order to take advantage of the victim(s) over time.

The Information Gathering stage is where social engineers use common attacks such as online social engineering and phishing e-mails to gather and obtain the information necessary to carry out the next step: Developing Relationships. With the new information, a social engineer can begin to work their way into an existing business structure to obtain further information. Once the social engineer has all the information needed, they perform the next step, Exploitation.

Exploitation uses the gathered information to penetrate the targeted system and disrupt the normal work environment. Some disruptions users notice immediately, such as those due to a Distributed Denial of Service (DDoS) attack or the loss of secure data. Other disruptions go unnoticed for some time before discovery, such as the 2011 breach of RSA, which reportedly began with a phishing e-mail (McMillan, 2011) and compromised the SecurID tokens used to generate pseudorandom numbers for two-step authentication.

Defenses against Social Engineering

As noted before, social engineering is a two-faceted attack with a technological aspect and a human aspect. Fighting socially engineered attacks with technology alone is an uphill battle, as users are more likely to divulge secure information than a brute-force technological attack is to yield it. The best way to defend a business environment (and yourself) is to educate users on proper business protocol; to develop clear and concise security policies that are followed at all times; and to require identity checks both online and in person to verify that a person is who they say they are. The best prevention against socially engineered attacks is strict enforcement of compliance with those rules and constant vigilance on both the technological and psychological fronts.


In conclusion, Social Engineering is a multi-faceted and complex way of obtaining sensitive information from users through persuasion techniques and technological means. Anyone in today’s modern world is vulnerable to social engineering and thus must remain constantly aware of whom they interact with, both online and in person. By improving recognition of falsified information and of attempts to trick users into divulging sensitive information, a company and its users will be able to maintain a secure environment not only for themselves, but also for their company’s clients and assets.




References

Internet. (2011). In Merriam-Webster online dictionary. Retrieved October 31, 2011, from http://www.merriam

Social engineering risks explored. (2011, September 22). Retrieved October 1, 2011.

Caldwell, T. (2011, July). Ethical hackers: putting on the white hat. Network Security, 2011(7), pp. 10

Gold, S. (2010, November). Social engineering today: psychology, strategies and techniques. Network Security, 2010(11), pp. 11

Isaacson, A. (2011, May). Are You Following a Bot? The Atlantic Monthly, 307(4), p. 32.

Luo, X., Brody, R., Burd, S., & Seazzu, A. (2011, July-September). Social Engineering: The Neglected Human Factor for Information Security Management. Information Resources Management Journal, 24, pp. 1

Luscombe, B. (2011, August 29). 10 Questions. Time, 178(8), p. 37.

McMillan, R. (2011, August 26). Was this the E-Mail that Took Down RSA? Retrieved September 18, 2011, from PCWorld.

Microsoft. (2011). Resources: What is social engineering? Retrieved September 17, 2011, from Microsoft Safety & Security Center.

Sundar, S. (2011, January 28). So, You Want to Be an Ethical Hacker... Retrieved September 18, 2011, from FINS Technology: http://it