Social Hacking, or Social Engineering, is a method for breaking into a network or organization. The phrase is often used as shorthand for a wide variety of actions, but simply put, it means manipulating how a social interaction plays out through deliberate actions, namely by taking advantage of perceived flaws in a system. Preventing a Social Hack is one of the hardest parts of locking down a network, but it’s likely the most important.
Even though Social Hacking might seem like a new, dangerous method of breaking into a network, it’s actually one of the oldest methods of manipulation. Really, Social Hacking is an advanced form of a con or ruse. As a (historically) fairly recent example, Ted Kaczynski used a flaw in the Postal Service to deliver home-made bombs to his targets. He would purposefully put a bad address as the recipient, but his actual target’s address as the return address. He would drop off his packages, and when the USPS realized they had a bad address, they would “return” the package to the actual target, where the bomb would go off.
So, What Are the Popular Techniques?
There are a variety of Social Hacking methods an attacker might use to break into your network. Here are some of the most common, and how they work:
- Spear Phishing – Slightly different from regular Phishing, Spear Phishing targets a specific network or a specific set of users. An attacker will typically spoof the email address of someone in the organization, then try to gain information from other users while pretending to be that person. We’ve seen these attacks range from asking for money directly (yes, it worked) to gathering log-in information and passwords (yes, that worked too).
- USB Drop – An old stand-by. The attacker will take USB sticks and leave them around offices, parking lots, and anywhere else they have access to. Someone will see one, get curious, and plug it into their computer. Naturally, the USB drive has malware on it that gives the attacker access to the network. People have started to get wise to this one, but attackers have started putting the logo of the company they are attacking on the drives, and are seeing up to a 60% increase in successful attacks this way.
- Vishing – This is an interesting one. It is similar to Spear Phishing, except it uses your telephone. Attackers spoof a telephone number, pretend to be a bank, a bill collector, or anything else, and trick targets into giving up vital information or even transferring money. Most commonly, this method is used to target individuals, but the attack would be very dangerous to any organization.
- Social Media Sharing – Any rising technology or fad will attract scumbags. And as social media has become a greater and greater part of our everyday lives, so too have the threats generated by those scumbags. One of the most common methods here is to hop onto current trends or fads online and exploit them. For example, when Robin Williams passed 2 years ago, fake links to a “Good Bye” video that Williams had supposedly recorded before he committed suicide were passed around, but you couldn’t view the content unless you shared it with 5 friends. Of course, there was no video, only a virus. So not only did the scumbags get one target, but they potentially got 5 more.
- Fake Online Profiles – Attackers are using Social Media in more ways than one to get at their targets. Fake profiles are created and used to contact other users. Usually a precursor to a deeper attack, the fake profile will ask for more information about the target. On LinkedIn, for example, they might try to get work email addresses, or more information about a target company.
- Tailgating – This “attack” is fully physical in nature. Simply, an attacker will follow closely behind someone with more physical access to a building than they have. When the target uses a keycard or badge to access an area, the Tailgater moves in right behind them before the door closes. From here, the attacker will have greater access to information that they otherwise wouldn’t be able to get, moving them closer to their end goal.
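The Spear Phishing item above describes an attacker spoofing a co-worker's email address. As an added example (not part of the original post), here is a small defender-side triage script that flags the common header-level signs of that spoofing: a known employee's display name paired with the wrong address, a Reply-To that diverts replies elsewhere, a lookalike sender domain, and a failed SPF/DKIM result on mail claiming to be internal. The domain, employee roster and sample messages are constructed for the example.

```python
"""Header-level triage for spear-phishing indicators (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's real domain and a tiny name -> address roster.
INTERNAL_DOMAIN = "example.com"
EMPLOYEES = {"jane doe": "jane.doe@example.com", "bob lee": "bob.lee@example.com"}


def _looks_like(domain: str, target: str) -> bool:
    """True if `domain` matches `target` after undoing common homoglyph tricks."""
    subs = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
    norm = lambda d: d.translate(subs).replace("-", "").replace("rn", "m")
    return norm(domain) == norm(target)


def spear_phish_indicators(raw_message: str) -> list[str]:
    """Return the indicator labels found in one RFC 5322 message (may be empty)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. Display name of a known employee, but the address is not that employee's.
    known = EMPLOYEES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append("display-name-impersonation")
    # 2. Replies are silently redirected to a different mailbox.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to-mismatch")
    # 3. Sender domain is a near-copy of the real internal domain.
    if from_domain != INTERNAL_DOMAIN and _looks_like(from_domain, INTERNAL_DOMAIN):
        findings.append("lookalike-domain")
    # 4. Mail claims the internal domain but the gateway recorded an auth failure.
    auth = msg.get("Authentication-Results", "")
    if from_domain == INTERNAL_DOMAIN and re.search(r"(spf|dkim)=(fail|softfail|none)", auth):
        findings.append("auth-failure-internal-sender")
    return findings


# Constructed sample messages: a free-mail impersonation, a homoglyph domain
# with a diverted Reply-To, and a genuine internal message that passed auth.
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe.ceo@webmail-example.net>\nTo: bob.lee@example.com\n"
    "Subject: urgent wire\n\nPlease process the attached invoice today.\n",
    "From: Jane Doe <jane.doe@examp1e.com>\nReply-To: accounts@pay-now-example.net\n"
    "To: bob.lee@example.com\nSubject: invoice\n\nSee attached.\n",
    "From: Jane Doe <jane.doe@example.com>\nTo: bob.lee@example.com\n"
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass\nSubject: lunch\n\nNoon?\n",
]


def triage(messages=SAMPLE_MESSAGES) -> list[list[str]]:
    """Run the indicator checks over every message and return the findings per message."""
    return [spear_phish_indicators(m) for m in messages]
```

These checks are a triage aid for the mail gateway or a SOC analyst, not a replacement for SPF/DKIM/DMARC enforcement and user awareness training.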
These are just a few of the many methods attackers might use to break into an organization. The really tricky part, though, is that because each organization works a little differently, there are methods that would only work in your business. The way the phone system works, the keycards, or even just the layout of desks can all affect how an attacker might gain information. To be sure of your security, you need to get an outside source to view your network and business. Have someone come on-site to check for break-in possibilities, check for ways someone could get through, and give you insights on how to improve. Then, as with all assessments, test, improve, and test again. Remember: the attackers are always improving their methods, so we have to as well.