{"id":537,"date":"2019-09-14T12:23:17","date_gmt":"2019-09-14T11:23:17","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=537"},"modified":"2020-12-08T10:26:59","modified_gmt":"2020-12-08T10:26:59","slug":"what-is-social-engineering","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/what-is-social-engineering\/","title":{"rendered":"What is Social Engineering?"},"content":{"rendered":"

\u00a0Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.<\/h3>\n

While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for information gathering, fraud,<\/h3>\n

or computer system access; in most cases, the attacker never comes face-to-face with the victim.<\/h3>\n
\"http:\/\/zerothcode.com\/blog\/what-is-social-engineering\/\"
http:\/\/zerothcode.com\/blog\/what-is-social-engineering\/<\/figcaption><\/figure>\n

“Social engineering” as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick.<\/p>\n

The term had previously been associated with the social sciences, but its usage has caught on among computer professionals.
\nExample 1: You receive an e-mail where the sender and the manager or someone on behalf of the support department of your bank.<\/p>\n

In the message, he says that the Internet Banking service is presenting a problem and that this problem can be corrected if you run the application attached to this message. Social Engineering<\/p>\n

The implementation of this application presents a screen similar the one you use to access bank account, waiting for you to type your password.<\/p>\n

This application is prepared to steal your password to access the bank account and sends it to the attacker. Social Engineering<\/p>\n

<\/h3>\n

Some Examples of Social Engineering<\/strong><\/h3>\n

Example 1: You receive an e-mail where the sender and the manager or someone on behalf of the support department of your bank.<\/p>\n

In the message, he says that the Internet Banking service is presenting a problem and that this problem can be corrected if you run the application attached to this message.<\/p>\n

The implementation of this application presents a screen similar the one you use to access bank account, waiting for you to type your password.<\/p>\n

This application is prepared to steal your password to access the bank account and sends it to the attacker<\/p>\n

Example 2: You receive an e-mail saying that\u00a0your computer is infected\u00a0by a virus.<\/p>\n

The message suggests that you install a tool available on an Internet site, to eliminate the virus from your computer.<\/p>\n

The real function of this tool and does not eliminate a virus, but I give someone access to your computer and all data stored on it.<\/p>\n

Example 3: a stranger calls your house and says it is the technical support of your ISP.<\/p>\n

In this connection, he says that his connection to the Internet is presenting a problem and then, ask your password to fix it.<\/p>\n

If you give your password, this so-called technical can perform a multitude of malicious activities, using your access account Internet and therefore such activities relating to its name.<\/p>\n

Practical Examples:<\/p>\n

Retail Paging Systems<\/p>\n

———————<\/p>\n

Wal-Mart store phones have marked buttons for the paging system.<\/p>\n

Wal-Mart is the exception, not the rule. So how do you get on the paging system to have a little fun when you’re bored out of your mind shopping with your girlfriend?<\/p>\n

Social engineering, my whipped friend. Find a phone and dial an extension, preferably the store op.<\/p>\n

The key here is to become a harried employee, saying something similar to…”This is Bill in shoes. What’s the paging extension?”<\/p>\n

More often than not, you’ll get the extension without another word. Now, get some by saying something sweet over the intercom.<\/p>\n

Airport White Courtesy Phones<\/p>\n

—————————–<\/p>\n

Imagine you’ve already been stripped searched and you’re waiting for your delayed flight.<\/p>\n

Naturally, you gravitate to a phone. Is it white? Then you’ve got a free call right in front of you.<\/p>\n

Just pick up to get the op. “This is Bill at Southwest, Gate A5.<\/p>\n

We’re swamped and our phones are tied. Can I get an outside line?”<\/p>\n

If the phone does not have DTMF, or the op wants to dial the call for you, do not call a number related to you.<\/p>\n

Hotels<\/p>\n

——<\/p>\n

Hotels hold such promise. Some hotels have voice mail for each room, guests receiving a PIN when they check-in.<\/p>\n

Hotels also have “guest” phones; phones outside of rooms that connect only to rooms or the front desk. Pick up a guest phone, make like a friendly guest and say, “I forgot my PIN. Could I get it again?<\/p>\n

Room XXX.” Knowing the registered name of the target room helps, for the Hotel and Restaurant<\/p>\n

Management Degree Program graduate may ask for it.<\/p>\n

Do not follow through with the next social engineering example. Or, like the author, try it on a friend. Go to the front desk and tell the attendant that you’ve locked our key (card) in the laundromat, in your room, lost it, etc.<\/p>\n

Do not try this with the attendant that checked you in. And again, do not enter someone’s room without permission.<\/p>\n

Calling Technical Support<\/p>\n

————————-<\/p>\n

So you’ve found a new-fangled computerized phone and you want to learn more about it.<\/p>\n

Do the same thing you do when you have trouble with your AOL – call tech support. First, do a little planning<\/p>\n

(after getting the tech support number off of the phone or the web).<\/p>\n

Get some info on the phone, like phone number, model number, other identifying numbers, etc.<\/p>\n

Also, know the name of the facility in which the phone is located. Now that you’ve got some ammo, you’re ready to make the call.<\/p>\n

Posing as an employee of the facility, call tech support and make up a problem for the phone you’ve identified.<\/p>\n

Act a little dumb and be apologetic, acting like you don’t want to waste their time.<\/p>\n

All the while, pumping them for information – “I hate to bug you for this, but<\/p>\n

<insert problem here>.”<\/p>\n

<You’ll get some info from tech support here.><\/p>\n

<Build on what you’ve learned and curiously ask another question.><\/p>\n

And so on until you reach the point where you can feel that it’s time to end the call.<\/p>\n

Occasionally acting amazed at their knowledge may be helpful.<\/p>\n

Methods of Social Engineering<\/em><\/u><\/h3>\n

Phishing<\/strong><\/p>\n

Phishing is a technique of fraudulently obtaining private information.<\/p>\n

Typically, the phisher sends an e-mail that appears to come from a legitimate business \u2014<\/p>\n

a bank, or credit card company \u2014 requesting “verification” of information and warning of some dire consequence if it is not provided.<\/p>\n

The e-mail usually contains a link to a fraudulent web page that seems legitimate \u2014<\/p>\n

with company logos and content \u2014 and has a form requesting everything from a home address to an ATM card’s PIN.<\/p>\n

For example, 2003 saw<\/p>\n

the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user’s account was about to be suspended unless a link provided was clicked\u00a0to update\u00a0a credit card<\/p>\n

(information that the genuine eBay already had).<\/p>\n

Because it is relatively simple to make a Web site resemble a legitimate organization’s site by mimicking the HTML code,<\/p>\n

the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently,<\/p>\n

were going to eBay’s site to update their account information.<\/p>\n

By spamming large groups of people, the “phisher” counted on the e-mail being read by a percentage of people who already had listed\u00a0credit card numbers\u00a0with eBay legitimately, who might respond.<\/p>\n


\nVishing or Phone Phishing:<\/strong><\/p>\n

This technique uses an Interactive Voice Response (IVR) system to recreate a legit sounding copy of a bank or other institution’s IVR system.<\/p>\n

The slave is prompted to call into the “bank” via a phone number provided to “verify” information.<\/p>\n

Baiting<\/strong><\/p>\n

Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the slave.<\/p>\n

In this attack, the attacker leaves a malware-infected floppy disc, CD ROM, or USB flash drive in a location sure to be found,<\/p>\n

gives it a legitimate-looking and curiosity-piquing label, and simply waits for the slave to use the device.<\/p>\n

Quid pro quo<\/strong><\/p>\n

Quid pro quo means something for something:<\/p>\n

* An attacker calls random numbers at a company claiming to be calling back from technical support.<\/p>\n

Eventually, they will hit someone with a legitimate problem, grateful that someone is calling back to help them.<\/p>\n

The attacker will “help” solve the problem and in the process have the user type commands that give the attacker access or launch malware.<\/p>\n

* In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen.<\/p>\n

Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they did not attempt to validate the passwords.<\/p>\n

Read Here How to Bypass proxy site<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

\u00a0Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in<\/p>\n","protected":false},"author":1,"featured_media":1099,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[51],"tags":[159],"yst_prominent_words":[92,75,85,78,84,86,93,76,94,79,91,82,80,89,90,88,83,87,81,77],"class_list":["post-537","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials","tag-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/537","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=537"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/537\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/1099"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=537"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=537"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=537"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=537"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}