History of Social Engineering

Posted: September 9th, 2013

History of Social Engineering

Name:

Course:

Instructor:

Date:

History of Social Engineering

Through the years, people have always had the desire to obtain other people’s confidential information. They have used various methods to achieve their goals. These methods include tricking people, and using deception and manipulation to obtain the information that the person wants. Thus, the concept of social engineering has existed as long as humanity has been there. It has existed for as long as human beings have communicated with each other. This is evident through the legends, myths, and stories passed through the generations. People read how characters deceived each other for the sake of gain. Greek mythologies contain many stories, where the humans and the gods manipulated each other. Religion also contains stories of deception and manipulation.[1] These stories illustrate human ingenuity, as the creative and observant people persuade other more trusting and gullible people into giving them the information they need. The people used the available means during their time, to ensure that they got what they wanted. These were not necessarily technical means, and most of them involved the use of words, as sources of manipulation. As times continue changing, people continue using new ways of manipulation. As technology and innovation increases, so do the means of social engineering using technology. The term ‘social engineering’ however, is not as old as its meaning.

Hackers analyze people’s psychology when applying social engineering techniques. This includes observing people’s desire for greed and affection. The study of human behavior is essential for successful social engineering. They will entice people with the intention of promising them financial gain, hence the concept of greed. They send their victims cards with anonymous cards from loved ones, and they take advantage of people’s needs for interaction and acceptance. Many hackers use social engineering techniques for economic gain. However, others do it for revenge purposes. They analyze people’s desire to better their lives and to feel better about themselves. They will therefore entice people by telling them they have the means to make them younger, or the ability to make them lose weight effortlessly. These factors illustrate the changing nature of social engineering. The concept of social engineering has remained the same over the years, but the techniques have continued improving to suit with the times. [2]

The human element is the most important in social engineering. Social engineering exists because of the weaknesses in human beings. Human beings trust easily and this makes it easy to manipulate and deceive each other. Communication is the means by which people interact with each other, and which enables people to share information. Human communication has remained the same over the years, but the channels and means of communication have improved and undergone significant changes over the years. There was a time when people could only communicate when they met physically. There was limited information then, and it was easy for people to deceive and manipulate each other, since there was no immediate way of confirming whether the messages they received were genuine. People have continued to develop different means of communication. As the means of communication continue to change, so have the techniques of social engineering. People will not wait to meet with others physically to get the information they want from them. They will use modern communication methods, which include emails and the use of social networking sites when manipulating and deceiving people.

Social engineering does not only depend on computers and technology, but it can also be human based. These are the oldest techniques of social engineering, since they precede modern computer and internet technologies. For instance, a person may impersonate a known figure such as the company’s manager, or any other person in authority, and he will seek confidential office information from another person working in the company using this impersonation. This mostly happens with voice impersonations. The social engineer will call the office and impersonate the director when talking to the secretary. The hacker can also impersonate any other valid user of the system. This is a classical social engineering technique in companies. The hacker approaches lower ranking employees and uses intimidation to get the information he wants from them. He mostly asks for information to access the company’s system.[3]

Another social engineering technique that does not depend on technology is dumpster diving. This includes looking through the trashcans for information. This information can include confidential office information, which the office does not need. The hackers retrieve this information from the trashcans, as it contains information that they can use. Another social engineering technique that does not depend on technology is the use of the third person. Using this technique, the hacker uses deception by pretending to have authorized permission from another person to access information. Hackers use this technique when they are assured that the person whom they are claiming to have permission from, is not around, or if the employees cannot contact him or her easily. The hacker can act as an insider in the company when seeking ways of obtaining information. He interacts with other employees and asks information from them. As an insider, he can also use the means and resources available to the employees to enter the company systems. [4]

The Spanish prisoner con was common in the sixteenth century. It involved telling a victim concerning a Spanish prisoner who needed help in securing his freedom. The prisoner needed money to get out of prison and he enlisted the services of a con artist. The con artist told the victims a story, which made the victims, believe that they would benefit financially by helping the prisoner. Hackers capitalized on the story, and this led to the creation of the advanced fee fraud. Hackers have continued to deceive and manipulate many people today because they have realized their vulnerability when it comes to wealth. They have realized that people want to get rich quickly, and they approach them with this technique. The hackers contact their victims through emails, and promise them that they will get heavy financial returns with only a small investment. They entice the victims into sending them money or into revealing their private financial records, which enables the hackers to steal from them.[5]

One of the earliest forms involving social engineering is the Trojans, coined after the Greek mythology of the Trojan horse. It is one of the most effective social engineering techniques, and it began in the seventies. It began before the development of the internet, when people shared information using physical media. Hackers took advantage of this as they realized that they could manipulate people into executing malicious codes. They used things such as games, which attracted many people. The concept is simple, and it does not involve the use of advanced technology. All the hackers need to do is to identify something that will entice a user, such as music and videos, and then use it as a social engineering tactic. Despite increased knowledge and awareness of these techniques, and of computer use, many users continue to fall victim to the Trojans.[6]

Social engineering continued to develop in the early nineties, as the use of credit card increased. Hackers realized that they could entice their victims into releasing confidential information such as credit card numbers and passwords. The social engineering technique is commonly known as phishing. The technique enables the hackers to enjoy numerous benefits at the expense of their victims, who have to pay for all the expenses incurred. The hackers are able to do this since they have the financial and personal information of the victims’ accounts. Phishing has increased as more companies provide their services online, and request for online payments. The hackers have realized that they can target major companies who have thousands of enlisted clients, into sending them confidential information. They send email messages to their victims using email addresses that appear genuine. They develop websites that appear realistic and genuine and they entice the victims into sending information to these websites. Phishing is especially risky because it contributes to identity theft. Hackers realize people’s tendency to trust brand names. They use such brand names when seeking for people’s personal information.

Another technique that the social engineers use is shoulder surfing. The social engineers wait for someone to access any of the things requiring a password. They then look indiscreetly as the person is typing his or her password or pin numbers. This way, they are able to get the password, or get a clue on the password. The hackers then use the information obtained to access the victims’ accounts and any other financial information.[7] Some social engineers attach malicious programs and other executables on email attachments. Once a person receives and opens the email, he or she enables the hacker to access the system and develop other malicious programs.

Increase in internet use, digital gadgets such as smartphones and tablets, and lack of awareness and education has contributed to the development of social engineering. These are the latest trends within social engineering. The social networking sites include Facebook, twitter, and sites such as linked in. users of these sites share some of the most important information. Social networking sites are susceptible to phishing attacks.[8] They share information such as their place of employment, email contacts, home address, phone numbers, among other information. They update their contacts on the sites concerning their movements, and their lives. They befriend strangers and people they will probably never meet, without knowing the full intentions of such people. Social engineers only need access to little information concerning a person, and they can identify ways of seeking more information. Users lack awareness when they share such vital information on the internet sites. They can use this information to pretend that they know someone. They can also use such information to impersonate someone.

Social engineering has developed over time, and engineers have continued to improve their trade. There is a general perception that technologies are the weakest links within systems and organizations. People spend a lot of money developing and installing the latest security technologies for their organizations. They spend a lot of resources on providing a secure system for their employees and providing a secure means of operations using anti virus and other software that protect the computer against harm from worms, scams, and Trojans. These measures are important, and they benefit the company. They spend many resources teaching their employees how to use the security systems. However, organizations and individuals need to realize that the weakest links are the human beings. Human beings are susceptible to the measures used by the social engineers. They are too trusting, obedient, fearful, and gullible. They do not take the time to study their environment, and recognize any changes. Without education and awareness, humans will continue being susceptible to these techniques.

It is important to educate employees concerning the risks of social engineering, and measures to take to prevent themselves from being swindled, deceived, and manipulated. Developing longer and less obvious passwords acts as a countermeasure against security breaches, and it protects the individuals from the techniques used by the social engineers. People should not write their passwords, as this leads to them giving the information to strangers easily. People should learn how to use the internet and any digital equipment that uses technology in a responsible manner. They should not disclose any of their personal information on the internet, as this would reduce the information that a potential hacker can access.

The increased use of technology and the internet has led to the development and improvement of social engineering. It has provided more channels for the social engineers to locate and access the information they want. Social engineers spend more time preparing than executing their actions. They have a deep understanding of psychology, as relating to human behavior. This has enabled them to identify the attributes that make people susceptible to the techniques they use. They use different means of persuading the victims towards releasing their confidential information. Some will use Trojans, while others will phish for the information they want. Although the different social engineering techniques might have changed over the years, the concept is static. People continue deceiving and manipulating others for information, for the sake of economic gain. Others do it as a form of revenge, when they access a rivals system and destroy the information. Others do it as proof of their skills and knowledge.

Bibliography

Graves, Kimberly. CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50. Hoboken: John Wiley & Sons, 2007

Sommer, Dan. McAfee Security Journal: Security Vision for McAfee. Last modified 2008. www.wired.com/…/mcafee_security_journal_fall_2008.pdf