Social engineering is the art of hacking people. People are essentially good and willing to help; social engineering exploits that. It’s a great skill to have in the world of red teaming and information security, and while it’s not a new thing, we’ve been hearing a lot about it lately: in the recent RSA, Lockheed Martin and other attacks, the technique used was what the infosec world likes to call spear phishing. Essentially it is a form of social engineering via email or phone in which you convince an unsuspecting target to open a document (weaponized with a piece of malware) or redirect them to a malicious website where another piece of code is waiting for them.
As part of my red team services I often find myself using this to gather information, to get a first foothold in my client’s network or computers, or to physically enter an office or server room. It’s not so hard; however, sometimes I have to deal with people who have a bit of security awareness, and that’s when it gets interesting.
In one case I spent an hour trying to convince the assistant of a CEO I was targeting (at the request of the IT security manager who hired me) to open a PDF that supposedly contained important information the CEO needed to consider. It was important to me that she open it while I was on the phone, because I needed to verify that I had a connection to their network via the code I had embedded in the PDF. She wouldn’t have it. She kept saying she would open it later when she was free. Not good. Eventually she got tired of me (I was using every trick in the book to convince her!) and said: “Fine! I’ll open it.”
Sometimes all it takes is good social skills, some command of language and good coding to get into someone’s network. No exploits needed. That’s the beauty of social engineering.
Be aware of it. It’s not hard to detect when someone is trying to exploit your mind.
If you are interested in this, try reading The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick. It’s a fantastic book and it’s always relevant.