What is social engineering?
It is the art of manipulating humans.
In simpler words: tricking people so that they do what YOU want, or so that you get done through them what you want done.
Let's take one example:
Suppose you go to a toy shop with your child, and your child wants a toy car, so he asks the salesperson to show him a car, or picks one he has seen on the display. The salesperson shows that car, or more often starts with an expensive one, and demonstrates its features: the lights, the remote control and so on. Once the boy has seen all that, he asks for that car only. But the toy car is too expensive for this month's budget, and the boy wants it anyhow, so you try to divert him to some other car that is a little closer to your budget. As he is a small child, he does not listen to you, and at the end of all this,
either you buy the expensive car the child wanted, or he gets nothing, or he gets some other car.
Now you might ask me, "So what's new in this? It's very normal, every child does it, right?"
But the point of this example is to show a perfectly crafted and executed 'social engineering attack' in our day-to-day life.
In the above example the social engineer was the shop's salesperson, who used the child to sell an expensive car and get more money from you.
Basically the salesperson targeted the nature of the child, because he knows that once a child has been shown what he wants, it is very difficult for the parents to divert him, so he can sell what HE wants to sell.
So if you put it in basic exploitation terms, then:
Attacker = the salesperson
Vulnerability (weakness) = the child (more precisely, the child's predictable nature)
Exploit (trick) = showing the more expensive car, and demonstrating its features, to capture the child's attention
Payload (purpose) = more money from you
Target = yes, you guessed it right, it's YOU :)
Let's take another example:
This one is simple, but it is a real-world example from Facebook.
A person shared an image of a quote from the honourable Mr. APJ Abdul Kalam.
It's good, right? He is proud of him, or liked the quote, right?
But now let's try to understand it from the SE point of view.
There are some things to note in the photograph:
1. on the image, a website address is printed
2. below the image, the website address is written again
First let me tell you that the web address was not from any government site but from a private product trading site which is totally unrelated to the image, and marking the image with it is quite a disrespect on the part of that person. Anyway,
so why would anyone do this?
A very simple but clever kind of SE is at work here:
Attacker = whoever initially edited this photo to add the web address
Vulnerability (weakness) = the human habit of liking and sharing good photos/quotes
Exploit (trick) = the edited photo carrying the quote
Payload (purpose) = marketing of his website, and reaching a wider audience for his business for FREE
Target = anyone on Facebook who shares this photo
Another noticeable point is that anything your mind likes gets stored somewhere in it, so when anyone around you asks or talks about property or trading, your mind might flash back to this site.
Now, after this example, let's refine and add to our earlier simple definition of SE:
"It is the art of manipulating people so that they do as you want, or give you what you want from them, without any kind of physical force. It is a whole psychological process of targeting other people's minds to gain their TRUST and then exploit it, using human weaknesses against the target by crafting SE attacks around the kind of work we want others to do for us."
Hopefully you now have the idea of social engineering (SE), and some starting points for understanding and observing it.
But yes, every human and their psychological behaviour will be different, so studying your target and crafting the attack according to your goal will give you more success. For this, the key skills are observation and quick responsiveness on the part of the attacker or social engineer.
So who can be considered a social engineer?
It can be anyone from your relatives or friends, convincing you to do or believe what they say even if you don't want to do it or believe it.
It can be a salesperson, marketing people, a thief or con artist, your boss, penetration testers, forensics experts, or anyone around you!!
More than that, it is not a new thing; it has been used for centuries by different people, as you will see if you consider any historical figures from your nation.
Think about it: might you have been social engineered by someone, somewhere?
That's all for this first introductory tutorial.
If you have any questions, want to give feedback, or want something explained in this tutorial series, then please post in the comments.
Article author: Ashish Mistry