Social Engineering / Hacking Tricks: How They Do It!
What is social engineering, or social hacking? What does it mean, how do social engineers work, and what are some examples? Read along…
The meaning of social engineering: hacking not with computers, but with psychology
The most common definition of social engineering is that criminals impersonate someone else – usually a trusted person – and then gain sensitive information. Phishing is also a form of social engineering. For example, the criminals pretend to be your bank – and thus hack your psychology. Another word for social engineering is social hacking.
In addition, social engineering is also sometimes used to indicate more innocent activities, whereby the same principle is not applied for crime, but for prank shows or party crashing.
Social engineering examples
- For example, criminals who use social engineering use the telephone to impersonate someone’s boss or colleague from another branch and then request sensitive company information from the victim.
- The ‘funny questionnaires’ on social media are also used to obtain personal information and answers for the secret password recovery questions of certain accounts. “What was the name of your first pet? In which city was your mother born? Combine the two and you have generated your own sexy name. Funny huh! Post your answer in the comments!”
How do social engineers work?
- Social engineers will call a few times first because ‘a customer from my branch wants to get a DVD of Rocky 5 from your branch’. When the social engineer calls again, they already ‘know’ him, and he can ask for sensitive company information.
- Social engineers can also pretend to be happy customers. “I am a fan of your good service, what is your address? And of the head office? For a letter of thanks.”
- Social engineers can pose as researchers who are conducting a survey that mixes innocent questions with questions meant to get sensitive information released.
- Social engineers never end the conversation after they have received the desired information. They continue to chat or ask other questions for distraction. In between, they also do a little small talk based on their preliminary research about the company, using the ‘inside terminology’ and for example knowing what kind of CRM system is used: ‘Are you in building 4d or 6h?’ ‘Can you look up the telephone number of customer x in Hubspot?’
- They pretend they are “just a conduit”: “Hey, I spoke to someone from HQ. They asked…”
- They pretend they had been called before – and now call back for that one info.
Using social engineering for fun – not crime
Party crashes and pranks are the best-known ways to use social engineering in a casual way. Many YouTube prank shows also use social engineering to get in or to pretend they belong to the organization, and they let participants do or write funny things. It is still a bad act, but it is not a serious crime.
Let’s look at some tips on how to achieve this …
Wearing a suit or costume = authority
- For example, you can skip the queue at parties if you look like the DJ.
- If you’re ‘techy’, wear a slightly dirty black t-shirt with black pants while slinging some XLR cables over your shoulder. Also put some black on your hands, such as eyeliner. Walk smoothly and with a clear intention past the security.
- Pointless, but funny examples: You can check train tickets if you have a conductor costume. If you have a guard suit – for example with a ‘V’ on it – you can let people pick things up.
Your creative skills also come in handy
- Remember the details: for example, let your tie hang over one shoulder to give the impression that you are in a hurry and that trivial things like your tie are not important because of your rush.
- If you are at a concert and you have the cheapest possible tickets, you can try your luck at a better section by putting the end of your ticket in your mouth, holding two beers in your hands and maneuvering past security.
- If some smokers are smoking outside, go inside with them through that smokers’ entrance.
- Make friends right away to fit in. In any case, ask for their name and occupation. And ask, “So what brings you here?” Get the name again.
- If necessary, have a chat with a guard and ask, “Do you get along with your boss? Sounds like a tough man, what’s his name?” Then you can use the boss’s name if you want to get past one of his colleagues at another entrance.
Everything is attitude
- Of course people are not stupid, but they believe more than you think, especially when you take it seriously, with a straight face.
- Pretend you are the manager. If you feel like security is still watching you, talk to some servers to pretend you’re the manager. Ask them random questions and point at all kinds of things to make it look like you’re giving them instructions. Also ask other people in the room if they are okay, if everything is as desired, if they need anything, etc.
- If someone does end up questioning you, just turn your card over and say “I’m just looking for X” or “I just had to get Y for Mr. X”.
- Ask questions. Whoever asks the questions is the boss. If they stop you, look at them and say, ‘Really? I have to bring these cables to the tech crew or we will lose the music in 2 minutes.’
- Speak the lie as if you were saying something trivial and ordinary. Also, say something embarrassing about yourself, which puts you in a bad light. This disarms the skepticism of the other. The best liars convince the other that they are bad liars.
- Pretend you own the place. When someone speaks to you about this, say “shh” and point to your mobile. Or say “Hey, the boss is on the phone, you don’t know how long the first table is, I have to check.” Don’t stare around, don’t even stop for a second and don’t look confused. Nine times out of ten, no one will question your presence. You can get away with a lot of things this way.
- This is all part of a much bigger life hack. Always pretend you belong somewhere. Keep your head up, your back upright, and walk with intention. If you look nervous or fuzzy, people won’t trust you. If you act confidently, people will rarely wonder why you are in a place where you don’t actually belong.
Act as if even the craziest circumstance is routine for you and people won’t suspect a thing.
Indispensable props to enter somewhere
- Clipboard with papers that look important – via Microsoft Word templates.
- A bunch of keys that you wave for a while.
- Wear a suit and hold a newspaper and/or a cup of coffee. Now you can get away with everything.
- Yellow vest.
- Name cards, wristbands and fake cards.
- A tray with glasses, straws, napkins and drinks.
- A cafetiere … to complement the bar … or just two cups of coffee … to take to the bar staff.
- Bring two bags full of ice cubes to take to the bar. ‘I am the ice cube replenisher. From the ice cube taxi.’
- Wine glass with, for example, apple juice in it, together with a napkin or tissue. So buy a wine glass for one euro and take it with you, fill it with water before entering and hold a napkin.
- Do the above while being on the phone to pass security. Your cell phone is your great friend in this process. It’s the perfect fallback when something out of the ordinary happens.
Badges, lanyards, name cards and straps …
- Collect and buy different colored straps and badges, and name tags on lanyards. Hide them a bit under your jacket. Even if yours is a different color, that rarely stands out: there are usually versions for private access, VIP access, organization access and all access … all with a different color.
- If you run into trouble somewhere because you don’t belong, do the ‘Jedi wave’ with a laminated card in your hand with your photo on it, name and company.
- You can also leave the badge visible on your pants or belt, for example in combination with a white shirt.
- Press badges work surprisingly well. Pretend you are reporting on behalf of a well-known blog or newspaper. If necessary, say that you are working on a book. As a writer or filmmaker you often come in because you don’t belong to the normal audience.
- Create a laminated ‘pass’ with your photo and the name of your website on it. It is directly a press card.
- Or pretend you’re an influencer coming to write a review. Create a website with ‘reviews’ and show that this event is also on it. You are a reviewer of clubs, bars and events. Go to the bouncer. When they ask to pay, say, “It’s okay, I’m x.” If the bouncer doesn’t know who you are, show your website on your phone.
- Via Google Chrome you can use the function ‘inspect element’ and replace complete texts and images to show someone the site with text you have written yourself. You can even have a nu.nl article about you. However, once the page is reloaded, it no longer works.
You’d be amazed what you can do with a simple press pass. I used to run a music blog and leveraged that to get me into a few festivals and concerts, free food, back-stage access…
Social engineering books
Christopher Hadnagy is the #1 authority. Vince Reynolds and Kevin Mitnick have also written well-known books about this.
Social engineering forum
Reddit has a very nice community around social engineering. You can find great tips, ask questions and participate in discussions. Here you will find this community.
Social engineering training and vacancies: ‘ethical hacking’
Many companies need ‘ethical hackers’. These are people who use the exact same skills as the criminals, but to discover and point out security leaks. There are therefore vacancies and training courses related to this profession.
Social engineering movies
The films below are recommended if you are interested in social hacking:
- Catch me if you can
- Now you see me
- Matchstick Men
- The Thomas Crown Affair
Good luck protecting yourself from social engineering … or have fun party crashing!