Organizations focus mostly on technological controls for both physical devices and software, so hackers have come up with strategies that target human behavior instead. Social engineering is one of the techniques hackers use to extract information from users: they trick individuals into providing personal information or sensitive company information, which the attacker can then use for their own gain.
Hackers draw users into these activities by manipulating them into providing confidential information, which is then used to gain unauthorized access to computing resources. Social engineering is a completely different technique from ethical hacking.
Ethical hacking is a process in which an experienced network security analyst penetrates a network to find loopholes or vulnerabilities that hackers could use to gain access to the system. This technique tests the weaknesses of a particular information system. An ethical hacker is legally recognized and hacks the system on behalf of the system owner; he is also called a white-hat hacker.
Social engineering techniques
Below are some of the techniques hackers use to manipulate human behavior:
1. Familiarity exploits: In this method, the hacker gets close to the victim he wants to manipulate. The user may not be aware of his real intention, because he may act as a friend, a colleague, or someone they regularly meet at social events or during lunch. Through this interaction the user becomes familiar with the attacker and may take him to the workplace, answer his questions about work and even share personal details. As they keep interacting, the attacker takes note of the company's normal operations and the security measures in place. He gathers as much information as he can in order to identify the weaknesses of the system.
2. Intimidating users: The hacker can try to intimidate the user into revealing important information. This mostly happens over the phone, where the hacker calls the target victim pretending to be a high-ranking official and starts a heated argument. To avoid confrontation, the unsuspecting victim may reveal confidential information such as login details, which the hacker can later use to gain access to the system.
3. Phishing: This is the most popular technique for gaining information online from a web application. The attacker impersonates a particular website, such as a PayPal account page, and sends the user a message asking them to confirm their details by logging in. The user may not suspect anything, since the embedded link looks exactly like the normal payment site. When the user enters a username and password, that information goes to the attacker, who can use it to obtain more information about the user, including credit card details.
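The phishing lure described above relies on a link that looks like the real payment site but points somewhere else. The following is an added, defender-side example (not code from the original article) of the checks a mail gateway or security team can run over an HTML message to flag such links: visible link text naming one domain while the href goes to another, a known brand label embedded in or one typo away from an unrelated domain, a raw IP address in place of a domain, and plain-http login links. The allowlist (`KNOWN_DOMAINS`), the `example-bank.com` entry, the lookalike hosts `paypal.com.account-verify.net` and `paypa1-secure.com`, the `192.0.2.10` address (from the reserved documentation range) and the sample message are all constructed for illustration; only `paypal.com` comes from the article. The "last two labels" domain approximation and the 0.8 similarity threshold are simplifying assumptions.

```python
import difflib
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains the organization knows are legitimate.
KNOWN_DOMAINS = {"paypal.com", "example-bank.com"}
# First label of each known domain, used to spot lookalikes such as "paypa1" or "paypal-secure".
BRAND_LABELS = {d.split(".")[0] for d in KNOWN_DOMAINS}
# A domain-looking string inside the visible link text, e.g. "www.paypal.com".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation; a real tool would consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_host(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def assess_link(href: str, text: str) -> list:
    """Return the reasons a link looks like phishing; an empty list means no heuristic fired."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["href has no host"]
    if is_ip_host(host):
        reasons.append("raw IP address instead of a domain")
    domain = registrable_domain(host)
    # 1. The visible text names one domain while the href goes to another.
    match = DOMAIN_IN_TEXT.search(text)
    if match and registrable_domain(match.group(1)) != domain:
        reasons.append(f"text shows {match.group(1)} but href goes to {host}")
    # 2. A brand label embedded in, or one typo away from, a label of an unknown domain.
    if domain not in KNOWN_DOMAINS:
        for label in re.split(r"[.-]", host):
            hit = next((b for b in BRAND_LABELS
                        if difflib.SequenceMatcher(None, label, b).ratio() >= 0.8), None)
            if hit:
                reasons.append(f"{host} imitates known brand {hit}")
                break
    # 3. A login page should never be reached over plain http.
    if parsed.scheme == "http":
        reasons.append("unencrypted http link")
    return reasons


def scan_email(html_body: str) -> dict:
    """Map each href in the message to the list of reasons it was flagged."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return {href: assess_link(href, text) for href, text in parser.links}


# Constructed sample message, modelled on the "confirm your details" lure described above.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p><a href="http://paypal.com.account-verify.net/login">https://www.paypal.com/login</a></p>
<p><a href="https://paypa1-secure.com/confirm">Confirm your account</a></p>
<p><a href="http://192.0.2.10/login">Login</a></p>
<p>Genuine help page: <a href="https://www.paypal.com/help">www.paypal.com</a></p>
"""

if __name__ == "__main__":
    for link, reasons in scan_email(SAMPLE_EMAIL).items():
        print("FLAGGED" if reasons else "ok     ", link, "; ".join(reasons))
```

Each heuristic on its own produces false positives (a legitimate redirect service, for instance), so the output is meant to drive user warnings or analyst triage rather than silent blocking. The genuine `www.paypal.com` link in the sample comes back clean, while the three lures each trip at least one check.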
4. Tailgating: This involves following the target victim closely as he enters restricted areas. The victim may not be aware that someone is following behind him.
5. Exploiting human greed: People like free things, and an attacker can use this to obtain personal information from unsuspecting users. One example is a website that lures users with the claim that they have won free gifts, such as a phone or some cash. Before they receive the prize, users have to fill in a form with their details and even confirm the information provided against their credit card. Hackers may also promise free things to interested users in exchange for certain information. In this way hackers exploit users into giving away their personal information.
6. Exploiting human curiosity: Some hackers use physical media to gain access to system information. A USB drive infected with a Trojan can be left in a strategic place where an unsuspecting employee will find it. Curious to know what is on the drive, the employee plugs it into their machine. This activates a keylogger, and the hacker can then gain access to the system's database and steal information.
How the attacks are planned
A malicious person interested in hacking a particular system can plan to gain access to it through the following steps.
1. Identify the victim: This is the first step in any social engineering attack. The hacker gathers insightful information about the victim: his responsibilities, his weaknesses and anything else the hacker can use to his advantage. This information can be found on the company's website or obtained by engaging the user while pretending to be his friend.
2. Hook the victim: To plan how to execute the attack, the hacker engages the victim to find out what he knows about the system. He steers the conversation so that the unsuspecting victim gives out confidential information about the company's information system.
3. Attack: After gathering all the information needed to gain access to the system, the next step is to execute the plan.
4. Exit: Sometimes the hackers need to cover their tracks to avoid suspicion, especially if they intend to keep control of the company's network traffic and eavesdrop on the information exchanged over the network.