Ethical Hacking: Social Engineering

Over time, industry has strengthened our network defenses with security appliances and anti-malware protection. As a result, black hat hackers seek to penetrate a softer target, the people in an organization, by using social engineering.

Course by: Lisa Bock


In this course, you will explore another phase of ethical hacking: social engineering. You will cover concepts such as how attackers visualize the victim, the skills that are necessary to become a social engineer, and how to recognize an attack.

By the end of this course, you'll understand how social engineers exploit our trusting nature and use charm, power, and influence to obtain information or to get the target to complete an action, such as opening an attachment that contains malware or clicking on a link. You will learn how social engineers use different methods such as browsers, mobile devices, and social media to launch an attack.

In addition, you will learn why you should be cautious of the disgruntled employee, insider attacks, and identity theft. This course is part of the Ethical Hacking series. Are you ready? Let's get started.

Social Engineering Overview

Social engineering is a con game relying on influence, social skills, and human interaction to obtain information about an organization or computer system. Logical network defenses, security appliances, and anti-malware protection get stronger every day. Over time, industry has strengthened our defenses, and as a result black hat hackers look to penetrate a softer target: the people in an organization, including employees, contractors, and customers, by using a social engineering attack.
Cyber criminals carry out social engineering in many ways: by telephone, online, through dumpster diving, shoulder surfing, and simple persuasion. In the right setting, someone can shoulder surf your information by simply watching what you type; you should tell them to step back if they are getting too close. Scam artists work on our emotions, and many times launch an attack that promises gifts and prizes or important information, or threatens to take action if you do not reply.
Organizations can often thwart social engineering attacks through user education and strong spam filters that keep deceptive emails from reaching employees. There are many working parts to a social engineering attack, but at the heart of it is the victim. The other components are motive, method, tools, and stimulus. Motive is why cyber criminals use social engineering; reasons include obtaining money, gaining access to a system, or causing damage to a system.
Method is how cyber criminals carry out social engineering: through human interaction, technology, or sometimes a combination of both. The hacker must be able to pull off a believable hoax. The tools used include email, social media, web pages, phishing, or pharming. Stimulus is the best way to inspire someone into giving up information: using fear, the need for compliance, or an appeal to his or her need for friendship, acceptance, or social validation.
A skilled hacker will most likely try social engineering before spending any time on more difficult methods of obtaining a password, such as password cracking, to gain access to a system. Getting someone to give up their password is easier than you might think. Studies show that over half the individuals tested gave up their user name and password: some freely, some for money, and some even for a bar of chocolate.
Social engineering is one of the hardest threats to defend against. As a result, it should be part of an organization's ethical hacking exercise.



Visualize The Victim

The social engineer's goal is to trick someone into giving them what they want by preying on basic human nature. In an organization, the social engineer takes advantage of the very characteristics that make us good employees. One is being helpful: we train our employees to ensure customer satisfaction, so employees want to be helpful, which can lead to giving away too much information. Another is providing timely responses in order to avoid getting into trouble.
Someone may have reprimanded the employee at some point for waiting too long for verification and offending someone; therefore, an employee might provide information without authenticating the source. A third is our trusting nature. Most social engineers are extremely confident in their behavior, and if someone says they are a certain person and appears genuine, there is a tendency to take them at their word.
In addition, social engineering works with some not-so-great qualities, such as taking shortcuts and cutting corners instead of validating someone's identity. An employee may simply accept someone's word, give him or her what they want, and then go back to what they were doing before the interruption. In order to conduct an effective social engineering attack, the hacker must identify a potential victim.
The exercise goes through a process: reconnaissance, establishing trust, exploiting that trust, and then departure. For example, if a hacker needs to gain access to a building, they first try to find a target, like a custodian. The hacker checks out the custodian and determines that they would be a good target. To really sell the scene, the hacker might go to a nearby door and attempt to open it.
He can even pretend to try and find his access card.
- Excuse me. Hi, my name's Dave. I'm from the Manitou office. My badge doesn't seem to be working. Could you let me in?
- Okay. (beep)
- [Voiceover] A talented social engineer will get what they want without raising any suspicion.
- Thanks so much, I appreciate it.
- Sure.
- [Voiceover] Identification without authorization is dangerous. A social engineering exploit may very well lead to a major security breach.


Skills Of A Social Engineer


Social engineering can involve direct interaction with the victim or the use of technology. Either way, social engineers must have a variety of skills and tools in order to obtain information. The key is knowing which method will work on the victim. Although there are different methods, the social engineer will many times use pretexting, which is lying in order to obtain information. The social engineer will use different approaches depending on the situation and the victim.
With a direct approach, the social engineer simply asks the target for the information. Most likely the social engineer has taken the time to build a relationship with the victim and rehearsed possible arguments for his or her case in order to get the victim to act. With an indirect approach, the social engineer concocts a believable story and tries to trigger a reaction such as excitement or fear to fuel the con.
They may impersonate someone who needs help in another department. In this approach, it's important to understand the target's environment in order to have more credibility. For example, if the target is in a medical facility, some knowledge of medical terms might be helpful. The social engineer may call someone and pretend to be angry in order to get a response. No one likes dealing with someone who is upset, so the victim may give up the information just to get the caller off the phone.
The social engineer may take the nonchalant approach, for example dressing up as a janitor and casually asking if they can empty the trash or clean the desk's surface. Many employees will say sure and get out of the way, glad to be out of their office for a few minutes. The social engineer may play the authority figure, or reference someone who gave them authority to act. For example, they may call someone and say, "Before Mr. Smith left for the conference, he said I should call you in order to get the latest stats for the third quarter." The social engineer will have checked with Mr. Smith's office beforehand to establish that he is going to be out, so that the request appears valid.
In addition to psychological skills, the social engineer must be able to read and convey nonverbal communication, and possibly generate emotional reactions. They need to understand proxemics, or how close you stand to someone; body posture, or how you stand; haptics, or the use of touch; and eye contact and facial expression. The social engineer is aware of nonverbal communication and has most likely rehearsed his or her scam, possibly with another social engineer, or they may have done this before.
They also need some theatrical skills, such as gesturing, or communicating using the body or hands. For example, a full hand over the mouth indicates shock or surprise, and something as simple as a head tilt is a sign of interest or curiosity. Social engineering has a strong overtone of psychology with a mix of theatrical skills, rehearsed and perfected to achieve a goal, and can be a valuable tool for obtaining information from an organization.

Social-Engineer Toolkit


Social engineering is a con game relying on influence, social skills, and human interaction, with the goal of obtaining information about an organization or computer system. The Social-Engineer Toolkit is an open source tool aimed at penetration testing using social engineering. You can download the toolkit or use it within Kali Linux. By using social engineering skills, we can get the victim to click on a link, open a file, or go to a malicious website so they can install malware such as a rootkit, spyware, or a keystroke logger.
The Social-Engineer Toolkit provides the tools to build the bait. However, to complete the attack, you'll want to use Metasploit to create the exploit. The Social-Engineer Toolkit can launch an attack in one of three main categories: phishing and spear phishing attacks; generating malicious files such as PDFs, Office documents, and executables;
or creating a malicious website, probably one that you've cloned from a legitimate site. Kali Linux has the tools built right in, so you can effectively clone an entire website. Now we'll take you to a couple of websites before we get started, and I'm going to give you a high-level overview of the Social-Engineer Toolkit. Here I've gone to the download page, and you can see the Social-Engineer Toolkit is easily downloaded.
All you need to do is type the following command in Linux, and once you type it in, it will install. However, we're going to use Kali Linux, where it is already built in. Another thing I'll talk about is phishing and spear phishing attacks. One of the things you'll need to have is a number of email addresses. I'm at this website here, where you can see the Chrome Web Store has an email address generator. I've clicked on this, and this is actually something that we can add to Chrome, which I have.
And here's the extension I've added. I'll just go into the email address generator. So I'm going to need to generate some email addresses. We need a suffix; we'll put Jasper, at, one of our fictitious companies, Kinetecoinc dot com, and then generate. You can use any other tool that you like, but as I said, you'll need to have some emails and create a generated file in order for you to launch an effective attack.

Impacts And Countermeasures


Defending against social engineering in an organization is difficult. We cannot defend using hardware and software alone. Therefore, a successful defense requires effective information security policies, standards, and education. There are some best practices. Know who is on the line: use caller ID for all calls and, if possible, use a separate ringtone for inside calls. Hesitate before transferring an outside call; hackers use social engineering to navigate a company and learn the names of key employees.
Instead, take down the name and number and forward the message to the appropriate person. Create help desk procedures so employees know how to verify the person on the other end of the line. Know who's in your building: allow only authorized individuals to roam freely about the building, and provide an escort if possible. Any service people must show appropriate identification. Train receptionists to make a phone call when unsure, especially when someone requests restricted information or access.
Know your employees. While in the building, have employees wear appropriate identification. Tell them to protect their ID badges and key cards, and to remove the identification when going out in public. Set privacy settings in your browser, and take a moment to read privacy policies. Use encryption for portal access and train employees to watch for the secure connection; hackers clone websites and then lure victims to the bogus page to gather user names and login information.
Review the company website and protect sensitive information from the public; hackers use information gathered during reconnaissance to launch attacks on the network. Properly dispose of all media. Have shredders on each floor, and for large piles of documents, use a service that provides locked confidential storage bins. Social engineering continues to be an effective way to obtain a password.
Educate employees to use strong, complex passwords and change them often. Do not give away passwords on the phone. Do not leave passwords lying around. When resetting passwords, use some type of challenge question that only the user will know, to ensure another level of authentication. Talk with your employees about security. Create and enforce realistic policies. Policies should be brief and to the point. As technology changes, review policies at least yearly.
State clearly what employees can and cannot do, and stipulate the consequences of a violation. Train employees to protect the information resources of the enterprise and to use caution when giving out personal information. Guide employees on how to spot phishing. Train supervisors and managers in security awareness, as they are your first line of defense. Be able to answer questions, and post documents on the company intranet.
Create an interactive web page dedicated to security; update it frequently and include security tips. A social engineer with enough time, patience, and resolve will eventually break down barriers and succeed in breaching a system, so get everyone involved to stop this threat. In your organization, reinforce observant behavior: for example, if an employee finds a phishing email and reports it to the security officer, thank them for being observant.
Employees at all levels of the organization need to understand that they are important to the overall security strategy. With training and support, we can lessen the impact of social engineering.
