
Social Engineering by Shobhit Gautam @ null Mumbai Meet, September 2011

Page 1: Social Engineering

Social Engineering (Because there is no patch for human stupidity)

By: Shobhit Gautam, Twitter @sh0bhit105

Page 2: Social Engineering

What Is Social Engineering?

The art of manipulating people and getting them to do what you want.

“Social Engineering - A euphemism for non-technical or low-technology means - such as lies, impersonation, tricks, bribes, blackmail, and threat - used to attack information systems.”

"Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick.

Page 3: Social Engineering

Common Types of Social Engineering

Human-based

Computer-based

Page 4: Social Engineering

Personality Traits

Diffusion of responsibility

Chance for ingratiation

Trust relationship

Moral duty

Guilt

Identification

Desire to be Helpful

Cooperation

Page 5: Social Engineering

Techniques for persuasion

A Direct Route

Systematic and logical statement

A Peripheral Route

Beat around the bush; trigger strong emotions such as fear and excitement.

Page 6: Social Engineering

Human Based methods

Impersonating

Intimidation

Creating confusion

May I help you?

Can you help me?

Building Trust

Ask and it shall be given unto you; seek and ye shall find.

Dumpster Diving

Page 7: Social Engineering

Computer Based

Popup Windows

Mail attachments

Spam, Chain Letters and Hoaxes

Phishing Websites

USB devices

Key loggers

Page 8: Social Engineering

Social Engineering Toolkit

The Social-Engineer Toolkit (SET) is a Python-driven suite of custom tools that focuses solely on the human element of penetration testing.

SET was written by David Kennedy (ReL1K) and, with a lot of help from the community, has incorporated attacks never before seen in an exploitation toolset.

Its main purpose is to augment and simulate social-engineering attacks, allowing the tester to test effectively how a targeted attack might succeed.

Page 9: Social Engineering
Page 10: Social Engineering

./set

Page 11: Social Engineering

How to Identify A Social Engineer?

Does not provide contact information (no call-back number or verifiable identity)

Asks for information that should not be given out (passwords, internal details)

Rushes you; creates a sense of urgency

Name-dropping (claims to act for a senior person)

Intimidation

Watch for small mistakes (wrong names, titles, procedures or look-alike addresses)
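The tells listed on this slide can be turned into a simple mail triage check. The following is an added example, not code from the original slides: it parses a raw e-mail and flags a Reply-To that diverges from the sender, an outside domain impersonating the helpdesk, urgency and credential requests, name-dropping, the absence of call-back contact details, and link text that disagrees with the real target or uses a look-alike host. The two sample messages, the keyword lists and the internal domain `example.org` are constructed assumptions for the demonstration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not from the original slides): one phishing-style
# mail exhibiting the tells above, one ordinary internal mail for comparison.
SAMPLE_PHISH = """\
From: "IT Helpdesk" <helpdesk@corp-it-support.example>
Reply-To: recover@mail-verify.example
To: employee@example.org
Subject: URGENT: password expires in 2 hours
Content-Type: text/html

<p>Per the CEO's instructions, confirm your password immediately or your
account will be disabled. Click <a href="http://login.example-secure.net/">
https://intranet.example.org/reset</a>.</p>
"""

SAMPLE_LEGIT = """\
From: "Alice Smith" <alice@example.org>
To: employee@example.org
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free Friday? Let me know and I'll book a table.
Alice, ext. 4421
"""

# Keyword lists are illustrative assumptions, not a vetted phishing lexicon.
URGENCY = ("urgent", "immediately", "right away", "within 24 hours", "will be disabled")
FORBIDDEN = ("password", "passcode", "one-time code", "credit card")
NAME_DROP = ("ceo", "cfo", "director", "head office", "legal department")
IMPERSONATE = ("helpdesk", "support", "admin", "security")
CONTACT_RE = re.compile(r"(ext\.?\s*\d{3,5}|\+?\d[\d\s\-]{7,}\d)", re.I)
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr):
    """Lowercase domain of an RFC 5322 address (or '' when absent)."""
    _, a = parseaddr(addr or "")
    return a.rsplit("@", 1)[-1].lower() if "@" in a else ""


def _host(url):
    """Lowercase hostname of a URL-looking string (or '' if it is not a URL)."""
    return (urlparse(url.strip()).hostname or "").lower()


def score_message(raw, internal_domain):
    """Return {'score': n, 'tags': {...}, 'findings': [...]} for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    low = ((msg["Subject"] or "") + "\n" + text).lower()
    findings = []

    # Who is really talking: Reply-To vs. From domain, display-name impersonation.
    display, _ = parseaddr(msg["From"] or "")
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch: replies go to {reply_dom}, not {from_dom}")
    if from_dom != internal_domain and any(w in display.lower() for w in IMPERSONATE):
        findings.append(f"impersonation: '{display}' sent from external domain {from_dom}")

    # Pressure, forbidden asks and name-dropping in subject and body.
    for tag, words in (("urgency", URGENCY), ("credential-request", FORBIDDEN),
                       ("name-dropping", NAME_DROP)):
        hits = [w for w in words if w in low]
        if hits:
            findings.append(f"{tag}: {', '.join(hits)}")

    # A genuine requester usually leaves a way to call back and verify.
    if not CONTACT_RE.search(text):
        findings.append("no-contact-info: no phone number or extension given")

    # Small mistakes: visible link text that disagrees with the real href,
    # and look-alike hosts that borrow the organisation's name.
    label = internal_domain.split(".")[0]
    for href, shown in LINK_RE.findall(text):
        real, visible = _host(href), _host(shown)
        if visible and visible != real:
            findings.append(f"link-mismatch: shows {visible}, goes to {real}")
        if (real and real != internal_domain
                and not real.endswith("." + internal_domain) and label in real):
            findings.append(f"lookalike-domain: {real}")

    return {"score": len(findings),
            "tags": {f.split(":", 1)[0] for f in findings},
            "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = score_message(raw, "example.org")
        print(f"{name}: score {result['score']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Each finding is a separate, explainable string so a reviewer can see why a message scored as it did; the score is deliberately a plain count rather than a weighted model, because the point is to make the human tells from the slide visible, not to replace a mail gateway.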

Page 12: Social Engineering

Mitigation

Shredders

Policies and Procedures

Awareness

Up-to-date patches and anti-virus/anti-malware software

Page 13: Social Engineering

NOW