How Social Engineering Is Done : Be AWARE


Social engineering is the art and science of getting people to comply with an attacker's wishes. It is not mind control: it does not let the attacker make people do things wildly outside their normal behavior, and above all it is not foolproof. Yet it is one of the most common ways an attacker gets a foothold inside a corporation. Two terms are of interest here.
  • Social engineering is hacker jargon for getting needed information from a person rather than breaking into a system.
  • Psychological subversion is the term for using social engineering over an extended period of time to maintain a continuing stream of information and help from unsuspecting users.
Let us look at a sample scenario. Watch how the attacker builds a pretext (a mail server crash), borrows authority (the data center), uses details he already holds (username, telephone number) to look legitimate, and pre-empts the one policy that should stop him: staff never ask for your password. The correct response is to refuse and to call the data center back on a number taken from the intranet directory, the very check the attacker casually alludes to at the end.

Attacker: "Good morning Ma'am, I am Bob; I would like to speak with Ms. Alice"

Alice: "Hello, I am Alice"

Attacker: "Good morning Ma'am, I am calling from the data center, I am sorry I am calling you so early..."

Alice: "Uh, data center office, well, I was having breakfast, but it doesn't matter"

Attacker: "I was able to call you because of the personal data form you filled in when creating your account."

Alice: "My pers.. oh, yes"

Attacker: "I have to inform you that we had a mail server crash tonight, and we are trying to restore all corporate users' mail. Since you are a remote user, we are clearing your problems first."

Alice: "A crash? Is my mail lost?"

Attacker: "Oh no, Ma'am, we can restore it. But, since we are data center employees, and we are not allowed to mess with the corporate office users' mail, we need your password; otherwise we cannot take any action" (first try, probably unsuccessful)

Alice: "Er, my password? Well..."

Attacker: "Yes, I know, you have read in the license agreement that we will never ask for it, but it was written by the legal department, you know, all law stuff for compliance." (effort to gain the victim's trust)

Attacker: "Your username is AliceDxb, isn't it? Corporate sys dept gave us your username and telephone, but, as smart as they are, not the password. See, without your password nobody can access your mail, even we at the datacenter. But we have to restore your mail, and we need access. You can be sure we will not use your password for anything else, well, we will forget it." (smiling)

Alice: "Well, it's not so secret, my password is xxxxxx" (also smiling! It's amazing...)

Attacker: "Thank you very much, Ma'am. We will restore your mail in a few minutes"

Alice: "But no mail is lost, is it?"

Attacker: "Absolutely, Ma'am. You should not experience any problems, but do not hesitate to contact us just in case. You will find contact numbers on the Intranet."

Alice: "Thanks"

Attacker: "Goodbye"
