Hacker holiday greetings: Social engineering tactics

Hackers, at least ones who are good at what they do, have an intimate and in-depth knowledge of computer systems and applications. They have high-tech tools and utilities to help them identify target systems, bypass security measures, compromise computer systems and otherwise cause mischief.

The truth of the matter is that all of the programs and exploits in the hacker's arsenal pale in comparison to their number one weapon: social engineering. Social engineering is the art of preying on human nature for the purpose of misleading or deceiving someone.

The root of the problem is that most people, at their core, are fairly nice. People have an innate desire to be kind and helpful to one another. Just as some of the best features of an operating system or application end up being exploited for malicious purposes, this built-in kindness can be exploited by less scrupulous people to gain information or access. There are a number of angles that can be used to exploit basic human nature. Here are a few of the most common:

  1. Urgency. "I know that this is totally against the rules, but my job is on the line. I was working on a report using information from the CFO. The report is due this afternoon and my computer crashed. I need access to the CFO's computer so I can get the data he sent me and get this report done in time for the meeting or I will be unemployed this time tomorrow." A hacker can use a sense of urgency to get a target to empathize

    Requires Free Membership to View

  1. with them. By pretending to be a user whose job is on the line a convincing hacker might be able to dupe a help desk technician into changing a password or otherwise granting access.
    More Information

    Read this chapter excerpt and learn about the social engineering process.

    Learn how social engineering can be used with technology.

  2. Authority. "Good morning. Bob Reynolds, I am sure you were told to expect me. No? I am in from the Boston office for the audit. They should have told you. Oh well, just buzz me in. I still remember my way around from the last audit." A hacker pretending to be someone in a position of power or authority can convince a front desk receptionist to buzz them into the building or a user to hand over their username and password.

  3. Greed. "Good day. My name is Mr. Umbutu Zabala. I am the former Secretary of the Interior for the sovereign country of Nigeria. Sadly, our illustrious prime minister has died and the government has been replaced by depraved villains. I have $39 million US dollars that I need to get out of the country until a legitimate government can be installed again. I hope that I can trust you to help me transfer this money to your country. For your services, I will gladly pay you 10% of the total funds, or $3.9 million…" Preying on basic human greed is a tremendous social engineering tactic. While most people recognize this as a ridiculous request and would never reply, this "Nigerian Bank Scam" has been victimizing naÏve people for decades.

These are just a few examples. Unfortunately, there is little defense. You want people to use common sense and good judgment. You don't want your users granting access or giving network credentials to strangers, but you also don't want everyone to be cynical and jaded against everyone and everything. Keeping users aware of common social engineering strategies may help them to be kind and helpful, but with a healthy dose of skepticism.

About the author:
Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications.

This tip originally appeared on SearchWindowsSecurity.com.

This was first published in December 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.