Human-based Social Engineering:
What is human-based social engineering (SE)? Simply put, SE is the art of convincing people to
reveal corporate secrets and confidential information. Social engineers depend on the fact that
people are unaware of how valuable their information is and are careless about protecting it. It is very
difficult to detect because these attacks are low-tech assaults on human behavior rather than on systems. In
other words, an attacker does not require sophisticated programs to deploy an attack on a company.
The human tendency to trust is the basis of every social engineering attack. The attacker relies on
interpersonal skills, not technology, to bring about a breach of information.
Social engineers lure people into divulging information by promising something for nothing.
Sometimes the targets of SE are simply asked for help, and they comply out of a sense of moral
obligation. Companies spend thousands of dollars on IT technology to defend against cyber
attacks. However, some companies overlook the weakest and most frequently targeted link in
the company: the human workforce. Common targets of social engineering include users,
receptionists, help desk personnel, executives, and system administrators. Other targets include
insiders with criminal backgrounds and terminated employees.
The phases of an SE attack:
- Research the target company – dumpster diving, websites, employees, company tours
- Select the victim – try to identify frustrated or disgruntled employees in the company.
- Develop a relationship with the employee.
- Exploit the relationship – collect sensitive account information, financial information, and
current. You might discover their technologies are not so current and probably vulnerable to an
Internet connectivity enables attackers to approach employees from an anonymous online source. This
is considered preliminary reconnaissance. Other sources include courthouse records, Facebook, Twitter,
and LinkedIn. Employees may unknowingly post sensitive data about their company on social
networking sites. All social networking sites are subject to flaws and bugs that may lead to vulnerabilities in a
One of my favorite searches is a visit to the company's career website. The career site often
publishes detailed job descriptions that reveal the IT infrastructure and applications used in the company.
Attackers can hide behind a chain of IP proxies and disguise their approach. Armed with this research, an
attacker can then effectively convince employees to disclose information.
Another example of human-based SE is shoulder surfing, which includes looking over someone's shoulder or
watching from a distance with binoculars to obtain information. Employees are usually unaware of this attack. An
attacker could easily watch through windows and read information on computer displays.
Link – https://technologyfirst.org/magazines/2013/51-april/839-pete-cortez-technical-