Social Engineering And The Masters Of Manipulation

photo by Victor Nuño via Flickr 

Being manipulative isn’t usually a trait most would readily embrace. But what if it helped you advance your career? Find a mate? Obtain valuable information? Would you intentionally and covertly bend the whim of others?

  • Social engineers with bad intent have simple tricks to steal your digital information, including credit card information
  • Even those who take precautions can be vulnerable to malicious life hackers

This is a moral question that would give most functioning members of society pause.

It’s also a question that those who practice the art of social engineering would answer with an emphatic “yes.”

But what exactly is a social engineer?

In its most distilled form, a social engineer is one who manipulates others in order to achieve a desired goal.

“The manipulation of the social position and function of individuals in order to manage change in a society” – Dictionary.com

Sounds evil, right? In some cases social engineering can be just that. The engineers, also known as “life-hackers,” have garnered a reputation as being threats to security–sleuthing their surroundings for a vulnerable target whose personal information they can mine to their advantage.

These types of life hackers are known in the community as malicious social engineers.

A popular (and perfect) example of such engineering appeared more recently on Jimmy Kimmel.

In the video below, a trustworthy-looking reporter dupes unsuspecting passersby into divulging their personal passwords through a few seemingly innocuous questions.

As creepy as stunts like this can be, not every example of social engineering is quite so nefarious.

Despite their reputation as manipulative sneaks, the fact of the matter is that social engineering is a discipline that most engage in–maybe even unconsciously–on a semi-regular basis.

In fact, social engineering–in its broadest definition–has grown to mean slightly different things to different people.

Below is a variant definition from Reddit’s r/socialengineering.


photo from r/socialengineering via reddit

Whether it’s nabbing that raise you’ve been trying to get, impressing a girl you’ve scored a date with, or absconding with valuable information, social engineering can be applied to just about any situation, and directed at any type of person.

But definitions aside, just how effective can social engineering be?

From the benign to downright duplicitous, below are some of history’s most famous (or infamous) social engineers, and how exactly they’ve used their skill sets.

The social engineers

1.) Chris Hadnagy, social engineering celebrity

One of the most prominent figures in modern day human hacking is Chris Hadnagy, who helped both literally and figuratively write the book on social engineering.

In one of Hadnagy’s most eye-opening schemes he tricked a CEO into unwittingly compromising the security of not only his own personal information, but that of his entire company.

The game:

Hired as a social engineering auditor, Hadnagy was tasked with absconding with a printing company’s proprietary information–info that was of great value to the company and more importantly, its direct competitors.

Rather than attempting to leverage a little guy, Hadnagy went straight for the top, targeting the CEO of the company himself.

After doing some sleuthing (gathering IP addresses, email addresses, and the location of servers), Hadnagy learned that a family member of the CEO had fought and beaten cancer, and that as a result the CEO was personally invested in donating to cancer research.

Using this personal information, Hadnagy called the CEO posing as a fundraiser from a charity for cancer research.

Drawing on more personal details gleaned from his research, Hadnagy explained that the money would go toward a raffle in which the winner would receive tickets to a sporting event (featuring the CEO’s favorite team) as well as meals at a few restaurants (one of them the CEO’s favorite spot).

The catch:

Believing Hadnagy, the CEO agreed to read a PDF that Hadnagy claimed contained more information about the fundraiser. Hadnagy sent the document, the CEO downloaded it, and before the CEO knew it, Hadnagy’s malware had infected the computer, giving access to the full gamut of company secrets.

Hadnagy and his partner later explained to the CEO what they had done–needless to say, he was less than pleased.

The lesson:

Some social engineers will use just about any information they can find to achieve their ends–and that includes extremely personal information.

2.) Anonymous social engineer dupes both PayPal and GoDaddy

The game:

In Jan. 2014 a developer for the social integration app Echofon, named Naoki Hiroshima, fell victim to a plot perpetrated by a social engineer. The target? Hiroshima’s one-character Twitter handle, @N, which according to Hiroshima was worth at least $50,000.

In this scheme, the social engineers focused their deceptive prowess onto both GoDaddy (the web hosting site) and PayPal.

By scamming a PayPal representative into disclosing the last four digits of Hiroshima’s credit card, the engineer was then able to gain access to Hiroshima’s email account through a GoDaddy representative, who accepted those digits as proof of identity and changed Hiroshima’s login information.

The catch:

By leveraging both PayPal and GoDaddy representatives the social engineer was able to take control of Hiroshima’s account–at least until GoDaddy representatives were able to rectify the situation.

Though all is now well with Hiroshima’s account, the developer doesn’t plan on using PayPal or GoDaddy anytime in the near future.

Wired writer Mat Honan suffered an eerily similar fate in 2012, when a social engineer compromised Honan’s iCloud account by fooling an Apple support representative. Honan’s whole digital life was turned upside down by the attack.

Hiroshima details a firsthand account of his story here.

The lesson:

In order to gain access to your information, social engineers don’t have to exploit you directly. Sometimes they take advantage of third parties–such as the support staff of services you use–who also have access to your information.

3.) Kevin Mitnick, the grandfather of social engineering

When it comes to Kevin Mitnick, it’s much easier to enumerate the things that he hasn’t hacked than the things he has.

Mitnick can boast a laundry list of hacks and feats of social engineering, from probing telephone companies for information that allowed him to make free long-distance calls, to more serious offenses like hacking into the Department of Defense.

The game:

His seminal social engineering stunt came at the age of 12. Growing up riding the Los Angeles bus system, Mitnick was intent on subverting the operation’s fare system through nothing more than a simple conversation.

The catch:

By merely asking a bus driver a set of carefully planned questions, Mitnick was able to ascertain where the bus conductors bought their specially designed hole punches.

Using one of these punches and blank transfer cards he had scavenged from the garbage, Mitnick was then able to punch his own tickets free of charge–giving him unlimited access to anywhere he desired to go.

The lesson:

Even the slightest bit of information–the kind most would deem frivolous–can be used by a social engineer to reach their desired goal.

The takeaway

Social engineering, much like computer hacking, is a double-edged sword. While some are invested in improving their lives for the purposes of dating and career advancement, others are out to siphon your personal information.

Whether you’re a hero, villain, or somewhere in between, there’s one facet of social engineering that stands tried and true in just about any scenario:

When it comes to hacking–life-hacking included–the computer, the system, or any other device in question isn’t the most vulnerable target. The people using it are.

James Pero