Art of Human Hacking: Social Engineering

In this blog, we are going to talk about social engineering attacks. We start by asking "What is social engineering?" and then look at the techniques that real-world hackers use for it. The goal here is to show the skills of a potential hacker and the ways in which an attacker can compromise a target.

In the context of information security, social engineering is the art of manipulating people so that they give up sensitive information. It is a kind of confidence trick played by the hacker in order to gather vital information. It is a non-technical attack that depends on human interaction and on misleading people into breaking security procedures. Criminals use social engineering tactics for such attacks because they are relatively easier than other methods.

Social networks can be used to gather as much information as required. Nowadays, almost everyone is using social networking sites such as Twitter, Facebook, LinkedIn, Orkut, etc. Even though these social networking sites help people build a network among their peers, they have also become the largest human identification database. The information that an attacker can gather from social networking sites includes the character of the person, information about the potential victim's personal life, current happenings through status updates, etc.

After finding the right profile, the attacker can look through the victim's friend list. They can also clone the victim's whole profile by downloading all the information and pictures. With all this information, a fake profile can be created, friend requests can be sent to the victim's friends, and the attacker can then start communicating with these friends. In this way, crucial information can be gathered about the target or their family members and can be used to cause immense damage.

Now we are going to take a live scenario where we will try to compromise a Facebook account by using social engineering. Suppose our target is Mr. ********* Baranwal. We have hidden the real name of the user for security reasons.

First of all, we will start by searching for the name on Google and looking through the results.

[Screenshot: Google search results for the target's name]

After searching for the name of the target, we can see that lots of information can be collected from a simple Google search. You can find the target's Facebook, LinkedIn and Twitter profiles, and so on.

Every person is using social networking sites, and many are using them to make online friends with strangers. People do not even hesitate to chat with these strangers and provide them with all their personal information. Suppose you want to gather information about a particular person. You can find that person on Facebook with his photo and personal information such as his address, educational background, family members, etc. Not only that, but you can also guess the character of that person and learn more about the potential victim's personal life from his/her Facebook profile, with the help of their status updates.

Assume we got the target's Facebook profile through just a simple Google search. If we look closely at the Facebook public profile, we can see the public profile user name. For example, if your name is xyz baranwal, then your public profile will be like www.facebook.com/xyzbaranwal or maybe www.facebook.com/xyz.baranwal, etc.

This username also helps the attacker to predict the target's email ID. But the question is how? Let us see. In the previous steps we found that the user name is *******.baranwal. Now, open the Facebook login page and click on forgot password. You get the following type of screen.

[Screenshot: Facebook account search box]

Enter the username in the box and click on search. After that we get the following screen.

[Screenshot: account found, with recovery options]

We can see that Facebook has identified the actual account and that the name belongs to a Gmail ID. Now, we can see that there are three options available; click on the third option, which is “No longer have access of these?” This will enable you to see the following page.

[Screenshot: page asking for an email ID]

You can give it any fake email ID. After entering the email ID you can see the following page.

[Screenshot: security question page]

Now, we have to answer some funny questions. This is a security question that the victim set up in the Facebook account while creating it. The answer to the question is easily guessed, for we can use some social engineering ways to get the right answers. It totally depends on the attacker's skills. Once you get the answer to the question, you can reset the password of the Facebook account.

Prevention of Social Engineering

• Never give out any confidential information or even seemingly non-confidential information about you or your company—whether it’s over the phone, online, or in person, unless you can first verify the identity of the person asking and the need for that person to have that information.
• Never use the same password for all services, and make sure your passwords are strong and complex so they're difficult to guess.
• The additional security questions websites ask you to fill in are supposed to be another line of defense, but often these questions are easily guessed or discoverable (e.g., where you were born). You can shift the letters into uppercase and lowercase and use numbers to create a word, in order to make sure that only you know those security answers.
• Sites like Zabasearch and People Finders publish our private information (like address and date of birth) online for all to see. Remove yourself from these lists with this resource.
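
To go with the security-question advice above, here is an added example (not part of the original post): a self-audit that checks whether a security answer, even with changed case or digits swapped in, still overlaps with facts visible on a public profile. The profile facts, the answers and the substitution table are constructed for illustration.

```python
import re
import unicodedata

# Constructed table of common digit/symbol-for-letter swaps (not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})
MIN_LEN = 3  # fragments shorter than this are not compared

def normalize(text):
    """Lowercase, strip accents, undo swaps, drop everything but a-z0-9."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(SWAPS))

def audit_answers(answers, public_facts):
    """Map each weak question to the public facts its answer overlaps with."""
    facts = {label: normalize(value) for label, value in public_facts.items()}
    findings = {}
    for question, answer in answers.items():
        norm = normalize(answer)
        if len(norm) < MIN_LEN:
            findings[question] = ["too short"]
            continue
        hits = sorted(label for label, fact in facts.items()
                      if len(fact) >= MIN_LEN and (fact in norm or norm in fact))
        if hits:
            findings[question] = hits
    return findings

# Constructed sample data: what a fictional user shows on a public profile...
SAMPLE_PUBLIC_FACTS = {
    "hometown": "Varanasi",
    "school": "St. Xavier's School",
    "pet": "Bruno",
}
# ...and the security answers the same fictional user has set.
SAMPLE_ANSWERS = {
    "Where were you born?": "V4RaN4s1",
    "Name of your first school?": "st xaviers",
    "Favourite teacher?": "Tangerine-Lighthouse-62",
}

if __name__ == "__main__":
    for question, hits in audit_answers(SAMPLE_ANSWERS, SAMPLE_PUBLIC_FACTS).items():
        print(f"WEAK  {question!r}: overlaps with public {', '.join(hits)}")
```

Only the third answer passes, because it has no link to anything on the profile; the first two are still the public facts once case, spacing and digit swaps are undone.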
