
GRD Journals- Global Research and Development Journal for Engineering | Volume 5 | Issue 10 | September 2020

ISSN- 2455-5703

Social Engineering: A Ninja Approach to Human Consciousness
Vismit Sudhir Rakhecha
Sr. Security Analyst
Department of Information Technology
Evolent Health International

Abstract
No matter how secure a company is, how advanced the technology it uses or how up to date its software is, there is still a
vulnerability in every sector known as the 'human'. The art of gathering sensitive information from a human being is known as
social engineering. Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to
trust than it is to discover ways to hack your system. Social engineering attacks are increasing day by day due to a lack of
awareness and knowledge. In this paper we discuss social engineering, its types, how it affects us and how to prevent these
attacks; several proof-of-concept scenarios are also presented. The famous hacker Kevin Mitnick helped popularize the term
"social engineering" in the 1990s, but the idea itself has been around for ages. Social engineering is the art of gaining access to
buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques.
Keywords- Social Engineering, Phishing, Vishing, Eavesdropping, Phishing Audit, Phishing Scams, Social Engineering Audits

I. INTRODUCTION
The term "social engineering" can be defined in various ways, covering both the physical and the cyber aspects of the activity.
Wikipedia defines social engineering as "the art of manipulating people into performing actions or divulging confidential
information."
The goal of many social engineers is to obtain personal information that either leads directly to financial or identity theft
or prepares them for a more targeted attack. They also look for ways to install malware that gives them better access to personal
data, computer systems or accounts. In other cases, social engineers are looking for information that leads to a competitive
advantage. Items that scammers find valuable include the following:
1) Passwords
2) Account numbers
3) Keys
4) Any personal information
5) Access cards and identity badges
6) Phone lists
7) Details of your computer system
8) The name of someone with access privileges
9) Information about servers, networks, non-public URLs, intranet

II. HOW SOCIAL ENGINEERS WORK


There is no fixed catalogue of social engineering exploits. A scammer may trick you into leaving a door open for him, visiting a
fake web page or downloading a document with malicious code, or he might plug a USB drive into your computer that gives him
access to your corporate network. Typical ploys include the following:

A. Information Gathering
This involves gathering information about the person the social engineer is targeting, or about the organization or its
personnel, that will later convince the target to divulge the required information. A variety of techniques can be used to gather
information about the targets; this information is then used to build a relationship with either the target or someone of
influence or importance to the success of the attack. Typical information gathered includes the internal phone directory, birth
dates, organizational charts, personnel records, social activities and relationships.

All rights reserved by www.grdjournals.com 1


Social Engineering: A Ninja Approach to Human Consciousness
(GRDJE/ Volume 5 / Issue 10 / 001)

B. Development of Relationship
Developing a rapport with the target makes it easier to obtain the information in the next step. The social engineer capitalizes
on the psychology of trust: they freely exploit the target's willingness to help in order to build an element of trust, often by
presenting themselves as a more senior member of the organization who shares a confidence with the target to strengthen that
trust further.

C. Exploitation of Relationship
This refers to the manipulation of the target so that the social engineer obtains the information (e.g. a username and password)
or gets the target to perform an action they would not normally do (e.g. creating an account).

D. Execution to Achieve the Objective
Having obtained the required information, the social engineer uses it to access the system, and the stages of the attack are
complete.

Fig.1: How Social Engineering Works

III. BEHAVIOR VULNERABLE TO SOCIAL ENGINEERING
Social engineering has always existed in one form or another. The social engineer exploits common behavior patterns to drive
the target towards becoming a victim. The human traits most commonly exploited by social engineers are shown in Fig. 2.

Fig. 2: Behavior Vulnerable to Social Engineering


IV. EXPLOITATION OF HUMAN BEHAVIOR

Types of Social Engineering
There are two main categories under which all social engineering attempts can be classified.

A. Computer or Technology based
The technology-based approach deceives the user into believing that he is interacting with a "real" application or system and
gets him to provide confidential information.

B. Human based
Attacks based on a non-technical approach, i.e. taking advantage of weaknesses in the victim's behavior.

Fig. 3: Types of Social Engineering Attacks

– Technical Attack

1) Phishing
A fake friend request is a typical lure on social networks:
"Hi, this is Maria. It's been a long time since we met. Hope you remember me. What are you doing these days? Let's plan
something. Please add me to your friend list."

2) Click here
"http://www.faceboook.x9.com" Attackers distribute emails purporting to come from a legitimate organization (e.g. a bank). A
URL is supplied (directing the target to a spoofed website) and the target is told that they are required to confirm their
personal information (such as username and password).

3) Vishing
It is difficult to ignore a ringing telephone. While fraudulent emails and junk mail can be deleted or tossed in the trash, telephone
calls are tougher to tune out. And because telephone calls are still widely regarded as a trustworthy form of communication, voice
phishing scams take advantage of consumers' trust to steal money and personal information. In voice phishing, or "vishing",
scams, callers impersonate legitimate companies to steal money and personal and financial information. Vishing calls are
typically made via Voice over Internet Protocol (VoIP), which lets a scammer place very large numbers of calls cheaply from
anywhere in the world, and because the calls originate on the Internet they are much harder to trace than calls from a fixed line.
Vishing scammers also use recordings and caller ID "spoofing" (falsifying the caller ID information shown to the recipient) to
further avoid detection; the number on the display is therefore no evidence of who is really calling.

4) Pop-Up Window
A fake window appears in front of the user announcing that their internet connection or program registration has dropped and
that they must re-enter their details (username and password). The entered details are sent to the scammer.

Fig. 4: Pop-up Windows

5) Spyware
As the name suggests, this software is used to spy on the user and collect personal information such as credit card and bank
details. The most common kind of spyware is the keylogger; it usually reaches the machine through one of the lures described
in this section.

6) Spam Mail
"If you own a business related website, why not submit your site to our directory. Just select the appropriate category and
subcategory and enter your title and description.
Click here to start: http://www.holprop-directory.com"
When an employee clicks on such a link it redirects to some other site or may install a virus, Trojan or keylogger. These mails
are written to motivate you to open them because they look like an important message or notification. The outcome can range
from corruption of files and system slow-down to the compromise of the whole network.

7) Surveys

Fig. 5: Surveys

"Earn $140 per week! Earn $560 a week! Earn $6,270 a year! All by just sitting at home, sipping coffee, and filling out surveys."
Surveys left in the mail (usually advertising a cash prize) ask seemingly harmless questions that lead the individual to
unknowingly enter personal information, which may later be used by the scammer.

8) Baiting
Baiting is the real-world equivalent of a Trojan horse and depends on the greed and curiosity of the victim.
In this attack, the attacker loads malware or spyware onto a CD or flash drive, writes a legitimate-looking, curiosity-piquing
label on it, leaves it in a place where it is sure to be found (for example bathrooms, elevators, sidewalks or parking lots) and
then simply waits for the victim to use the device.
For example, the attacker makes a disc bearing the logo of the target company (easily copied from the target's website),
writes something catchy like "Employee Records 2013" on it and leaves it in the elevator or lobby of the target company. When
a curious employee spots the disc, he inserts it into his computer to look at its contents. Even while he is browsing the disc, he
unknowingly triggers the malware or spyware, which starts quietly monitoring his activities and later sends the collected
information to the attacker at chosen hours. Unless the computer blocks the infection, PCs with the "AutoRun" feature enabled
are compromised as soon as the media is plugged in, without the user opening anything at all.

9) Smishing
Smishing, a technique grounded in social engineering, remains an effective way for attackers to trick people into giving up
sensitive information. Potential victims are contacted by SMS text message. Below are examples of such scam messages:
"V.erizon.wireless.update. Please click on http:// verizon.vtext-1.com and proceed."
"You have an incoming MMS with text "I love you!". To view: http:// [redacted].org/9560.htm"
"Indu invited on FACEBOOK. Learn more: http://fb.com/l/1FEbs5KJyLA2rJZ"
– Non-Technical

1) Dumpster Diving
This refers to individuals sorting through a company’s trash in an attempt to retrieve helpful documents. Dumpster diving may
also provide old computer equipment for ‘forensic analysis’ such as old hard drives, CDs, memory sticks etc.

2) Technical Support
Tring... Tring...
Mr. X: "Hello Maria. My name is Mr. X and I'm from the IT department. We are currently attempting to install a new security
update on your computer, but we can't seem to connect to the user database and extract your user information. Would you mind
helping me out and letting me know your password before my boss starts breathing down my neck? It's one of those days, ya
know?"
Maria would probably feel bad for Mr. X and tell him her password without any hesitation. She has just been social engineered,
and the attacker can now do whatever he pleases with her account.
This is the case where the intruder pretends to be a support technician and asks the user to let him access the system to
"install" security updates. An unsuspecting user, especially one who is not tech savvy, will not ask a single question and will
share the information.

3) Eavesdropping or Shoulder surfing
A clever social engineer can obtain a user's password or PIN simply by standing behind the user and watching what he or she
types. A social engineer may also place themselves at a known haunt of a particular company's employees in order to overhear
"work chat" over lunch.

4) Hoaxing
A hoax is a deliberately fabricated claim. For example, many hoax e-mails are distributed to cause false fears. A well-known
example is the "Bad Times" virus hoax, which claimed to describe a virus capable of erasing everything on your computer's hard
drive as well as any disks or other magnetic media around your computer.

5) Support Staff
A man dressed like the cleaning crew walks into the work area carrying cleaning equipment. While appearing to clean your desk
area, he can snoop around and pick up valuable information.

6) Authority's Voice
The attacker calls the company's computer help desk and pretends to have trouble accessing the system. He or she claims to be
in a very big hurry, needs the password reset immediately and demands to be told the new password over the phone.


7) Quid pro quo
"Something for something" is what this Latin phrase means. In this technique, the attacker calls random numbers at a company,
claiming to be calling back from technical support. Eventually the attacker reaches a legitimate person who really is expecting a
call from technical support. The attacker "helps" solve the person's problem and, in the process, has the user type some
commands that install malware and give the attacker complete access to the user's PC.

8) Tailgating
Tailgating describes the practice of gaining access to a restricted area without authorization by following another (legitimate)
employee into the area. For many scammers this removes the need to acquire access cards or keys and presents a potentially
serious breach of security for the company involved.

V. SOCIAL ENGINEERING TACTICS
Social engineers mostly use the following psychological tactics to gain trust and get what they want:
– Social engineers convey confidence and control
– Social engineers offer free gifts or favors
– Social engineers use humor
– Social engineers can always state a reason

VI. SOCIAL ENGINEERING IN ACTION

A. On Social Networking
"Someone has a secret crush on you! Download this application to find out who!"
How it works: Facebook has thousands of applications users can download, but not all are safe. Some may install adware that
launches pop-up ads, while others expose personal information to third parties. Users need to be judicious about which
applications they use.
"I'm traveling in London and I've lost my wallet. Can you wire some money?"
– How it works
The scammer poses as a "friend" and sends a message claiming to be stuck in a foreign city with no money (due to a robbery, a
lost wallet or some other problem) and asks the recipient to wire money.
In the Office
“This is Chris from tech services. I’ve been notified of an infection on your computer.”
– How it works
Posing as technical support people, scammers call business users, tell them their PCs are infected and then offer to help them get
rid of it. Playing on the user’s vulnerability and fear, the scammer purposefully ratchets up the technical difficulty of the “fix,”
and as the user grows more nervous, they offer to fix it themselves which of course requires the user to reveal his or her
password. The strategy exploits people’s discomfort with technology.
"Can you hold the door for me? I don't have my key/access card on me."
– How it works
Fraudsters wait outside one of the facility's entryways (the front door or the smoking area, for instance) and pose as a fellow
office mate. Workers hold the door open, allowing them to gain access, never thinking to ask for an ID card proving they have
permission to enter. Even where credentials are required, criminals are getting better at using high-quality printing to produce
authentic-looking ID badges.

B. Phishing Attacks
“Check out this link !”
– How it works
An email or other message sometimes seeming to originate from a friend encourages users to click on a link that lands them on a
bogus site and asks them for personal information, such as their password or account number. The site may look authentic, but it
is actually designed to capture such information for the scammers’ gain. An example is a Twitter spam campaign that asked
recipients, “Did you see this video of you?” The link led to a fake Twitter Web site that asked for the user’s password.
“You have not paid for the item you recently won on eBay. Please click here to pay.”
– How it works
Users receive emails impersonating companies like eBay, claiming they have not yet paid for a winning bid. When they click on
the provided link, it leads to a phishing site. The ploy plays to people’s concerns about a negative impact on their eBay score.
Rather than clicking on this type of email, experts recommend that users go directly to the Web site of the business involved by
typing the URL into the browser bar.


C. Targeted attacks
Social engineering tactics are becoming increasingly specific, with criminals targeting individual people and dedicating more
time to gaining personal information, in the hope of a larger payoff.
Some examples:
"@Twitterguy, what do you think about what Obama said on #cyber security? http://shar.es/HNGAt"
– How it works
Social engineers watch Twitter trends to launch attacks. One example is the hijacking of legitimate hashtags in order to embed
malicious links under the tag. Once tweeted, the link redirects users to a phishing web page, whether to steal Twitter account
information or to deliver further malware. Scammers also target individuals by learning about their interests and then sending a
legitimate-sounding tweet that invites them to click through to what turns out to be a phishing site.
"This is Microsoft support - we want to help."
– How it works
Scammers pose as Microsoft tech support and claim to be calling all licensed Windows users whose PCs are generating an
abnormal number of errors due to a software bug. Victims are instructed to open the event log, which can be particularly
alarming to inexperienced users because most Windows event logs do in fact record many harmless errors and warnings. Many
people at this point will be ready to do whatever the alleged support person instructs, which in this case is to go to a remote
access service such as TeamViewer that gives the scammer control of the machine. From there the criminal installs malware that
grants him or her continued access to the PC.
"Donate to the hurricane recovery efforts!"
– How it works
Shortly after a major earthquake, tsunami or other disaster, fake web sites pop up, targeting people concerned about loved ones
in the affected region and claiming to have specialized resources, such as government databases and rescue effort information,
to help find victims. The sites collect names and contact information and use them to solicit charitable donations, the caller
taking advantage of the victim's heightened emotions to obtain his or her credit card number. With all this information (name,
address, a relative's name and a credit card) the criminals are armed to commit identity theft. In some cases they launch
secondary attacks, such as posing as a bank representative and asking for the victim's Social Security number.
No control fully prevents a social engineering attack, because whatever controls are implemented there is always the
"human factor" that influences the behavior of an individual.
But there are ways to reduce the likelihood that an attack succeeds. It is also important for organizations to establish
clear and strong security policies and processes to reduce the threat of social engineering.
The following are some of the steps that help protect against social engineering attacks:

A. Security Awareness Trainings
Security awareness is the simplest way to prevent social engineering attacks. Every person in the organization must be given
basic security awareness training on a regular basis, so that he or she never gives out any information without the appropriate
authorization and reports any suspicious behavior.

B. Background Verification
There is a real chance that an attacker joins the company as an employee in order to gather insider information about it. This
makes background screening a really important part of company policy for countering social engineering attacks. It should not
be limited to internal employees but must also be extended to vendors and other contract workers before they become part of the
organization or are given access to the organization's network.

C. Physical security
There should be proper access control mechanism in place to make sure that only authorized people are allowed access to
restricted sections of the organization. There should be no tailgating.

D. Limited data leakage
There should be constant monitoring of what information about the organization is publicly available on the Web, and any
irregularity should be taken care of immediately. This makes passive information gathering harder for the attacker.

E. Mock Social Engineering drills
Simulated social engineering exercises (such as phishing audits) should be run against the internal employees of the
organization, either by the security team or by a vendor, in order to track the level of security awareness in the organization
over time.
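One way to run such a mock drill as a measurable phishing audit, as an added example written for this page (it is not the paper's or any vendor's code): each recipient gets a tracking link derived with an HMAC, so links cannot be guessed, forged or tied back to a user id by anyone who sees a forwarded mail; the fake login form never stores what was typed into it; and the results are reported as click, submit and report rates per department. The campaign id, key, recipient list, landing URL and the replayed events are all constructed assumptions for the example.

```python
"""Per-recipient tracking links and metrics for an internal phishing drill.

Added example, not from the original paper. Campaign id, key, recipients,
landing URL and events are constructed; in practice the key comes from a
secrets store and recipients from the HR directory.
"""
import base64
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed campaign data (assumptions for the example only).
CAMPAIGN_ID = "drill-2020-09"
CAMPAIGN_KEY = b"replace-with-a-random-32-byte-key-from-a-secrets-store"
RECIPIENTS = {  # recipient id -> department
    "u001": "finance", "u002": "finance", "u003": "it", "u004": "hr", "u005": "hr",
}
LANDING = "https://training.example.internal/r/"  # assumed drill landing page


def make_token(campaign_id: str, recipient_id: str, key: bytes) -> str:
    """Opaque per-recipient token: truncated HMAC-SHA256 over (campaign, recipient).

    The link never carries the user id, so a forwarded mail does not reveal who
    was targeted, and nobody can enumerate colleagues' links by editing a number.
    """
    msg = f"{campaign_id}\x00{recipient_id}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def build_campaign(campaign_id, recipients, key, landing):
    """Return (token -> recipient map kept server-side, recipient -> link to mail out)."""
    token_map = {make_token(campaign_id, rid, key): rid for rid in recipients}
    links = {rid: landing + tok for tok, rid in token_map.items()}
    return token_map, links


def record_event(events, token_map, token, action, form=None):
    """Log one landing-page event ('click', 'submit' or 'report').

    Whatever was typed into the fake login form is discarded: the drill only
    needs to know that a submission happened, never the password itself.
    Unknown tokens (forwarded or tampered links) are logged but attributed to nobody.
    """
    rid = token_map.get(token)
    entry = {"recipient": rid, "action": action}
    if action == "submit":
        entry["had_password"] = bool(form and form.get("password"))
    events.append(entry)
    return rid


def summarise(events, recipients):
    """Per-department funnel as fractions of recipients; each person counts once per action."""
    seen = defaultdict(set)  # action -> recipient ids
    unknown = 0
    for e in events:
        if e["recipient"] is None:
            unknown += 1
            continue
        seen[e["action"]].add(e["recipient"])
    per_dept = defaultdict(Counter)
    for action, rids in seen.items():
        for rid in rids:
            per_dept[recipients[rid]][action] += 1
    headcount = Counter(recipients.values())
    report = {
        dept: {
            "recipients": n,
            "click_rate": per_dept[dept]["click"] / n,
            "submit_rate": per_dept[dept]["submit"] / n,
            "report_rate": per_dept[dept]["report"] / n,
        }
        for dept, n in headcount.items()
    }
    report["_unknown_tokens"] = unknown
    return report


def run_demo():
    """Build the campaign, replay a constructed set of events and summarise them."""
    token_map, links = build_campaign(CAMPAIGN_ID, RECIPIENTS, CAMPAIGN_KEY, LANDING)
    tok = {rid: link.rsplit("/", 1)[1] for rid, link in links.items()}
    events = []
    record_event(events, token_map, tok["u001"], "click")
    record_event(events, token_map, tok["u001"], "submit", form={"user": "u001", "password": "hunter2"})
    record_event(events, token_map, tok["u002"], "report")
    record_event(events, token_map, tok["u003"], "click")
    record_event(events, token_map, tok["u003"], "click")      # repeat click, counted once
    record_event(events, token_map, tok["u005"], "report")
    record_event(events, token_map, "forged-token", "click")   # not attributable to anyone
    return {"links": links, "events": events, "report": summarise(events, RECIPIENTS)}


if __name__ == "__main__":
    for dept, row in run_demo()["report"].items():
        print(dept, row)
```

The report rate is the number worth watching over successive drills: a rising share of employees who report the mail before anyone clicks is the awareness signal the text asks for, whereas the click rate alone punishes individuals without showing whether the reporting path works.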

F. Data Classification policy
There should be proper classification of data according to its criticality and who may access it. Data classification assigns a
level of sensitivity to company information, and each level carries different rules for viewing, editing and sharing the data.
It helps to deter social engineering by giving employees a mechanism for understanding what information can be disclosed
and what cannot be shared without proper authorization.
Some other controls that reduce the success of social engineering attacks are listed below:
1) Install and maintain firewalls, anti-virus and anti-spyware software, and email filters.
2) Never allow people to tailgate behind you.
3) Use of corporate IDs on public sites, blogs, discussion forums etc. should be restricted.
4) Pay attention to the URL of a web site. A malicious web site generally looks identical to the legitimate one, but the URL
may use a variation in spelling or a different domain.
5) Confidential and critical services such as the corporate mailbox should not be accessed in public places, cafes, hotels etc.
where the network cannot be trusted.
6) Don't send sensitive information over the Internet before checking a web site's security.
7) Don't reveal personal or financial information in email, and do not respond to email solicitations requesting this information.
8) Ensure all physical entry and exit points are secured at all times.
9) Do not provide personal information or information about your organization to anyone unless you are certain of the person's
authority to have that information.
10) Use a virtual keyboard where applicable.
11) Be very careful what is provided on your company web site. Avoid posting organizational charts or lists of key people
wherever possible.
12) Make sure to shred any discarded document that may contain sensitive data.
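The URL check in item 4 above, and the spoofed links quoted earlier in the phishing and smishing samples (faceboook.x9.com, verizon.vtext-1.com), can be automated rather than left to the reader's eye. The following is an added example written for this page, not code from the paper: the brand allow-list, the small suffix list and the sample URLs are constructed for illustration, and a real deployment would use the organisation's own domain inventory and a full public-suffix list.

```python
"""Lookalike-URL triage for links received by email or SMS.

Added example, not code from the original paper. KNOWN_BRANDS, the tiny
suffix list and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allow-list: every domain the protected brands legitimately use.
KNOWN_BRANDS = {"facebook.com", "verizon.com", "ebay.com", "twitter.com"}

# Stand-in for the public suffix list (assumption: sufficient for the samples).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}

# Digits and Cyrillic letters that are often swapped for the Latin letters they resemble.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def registrable_domain(host: str) -> str:
    """'www.faceboook.x9.com' -> 'x9.com'; 'mail.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; labels are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _imitates(label: str, brand: str) -> bool:
    """True if a host label contains the brand or is within two edits of it after homoglyph folding."""
    norm = label.translate(HOMOGLYPHS)
    if brand in norm:
        return True
    # Very short labels ('www', 'm', 'fb') sit within two edits of almost anything; skip them.
    return len(norm) >= 4 and levenshtein(norm, brand) <= 2


def analyse_url(url: str) -> dict:
    """Classify one URL as 'legitimate', 'lookalike' or 'unrelated', with reasons.

    'legitimate' means the registrable domain is on the allow-list; 'unrelated'
    only means no brand resemblance was found, not that the link is safe.
    """
    url = "".join(url.split())           # pasted SMS samples carry stray spaces after 'http://'
    if "://" not in url:
        url = "http://" + url            # bare hosts as they appear in text messages
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS:
        return {"host": host, "registrable": reg, "verdict": "legitimate", "reasons": []}

    brand_names = sorted(b.split(".")[0] for b in KNOWN_BRANDS)
    labels = host.split(".")
    n_reg = len(reg.split("."))
    reasons = []

    # 1) Brand name used as a subdomain of an attacker-controlled domain,
    #    e.g. verizon.vtext-1.com or ebay.com.payment-verify.net.
    for label in labels[:-n_reg]:
        for brand in brand_names:
            if _imitates(label, brand):
                reasons.append(f"'{label}' imitates '{brand}' left of registrable domain '{reg}'")

    # 2) The registrable label itself is a typo or homoglyph of the brand,
    #    e.g. faceb00k.com or facebook-login.com.
    reg_label = reg.split(".")[0]
    for brand in brand_names:
        if _imitates(reg_label, brand):
            reasons.append(f"registrable label '{reg_label}' imitates '{brand}'")

    return {"host": host, "registrable": reg,
            "verdict": "lookalike" if reasons else "unrelated", "reasons": reasons}


# Constructed sample links, including the ones quoted in the paper's phishing and smishing examples.
SAMPLE_URLS = [
    "http://www.faceboook.x9.com",
    "http:// verizon.vtext-1.com",
    "http://fb.com/l/1FEbs5KJyLA2rJZ",
    "https://www.facebook.com/login",
    "http://www.holprop-directory.com",
    "ebay.com.payment-verify.net",
    "https://faceb00k.com/verify",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyse_url(u)
        print(f"{r['verdict']:10} {u}  {'; '.join(r['reasons'])}")
```

Note that fb.com comes out as 'unrelated' because the constructed allow-list does not contain it: keeping the inventory of every domain a brand legitimately uses complete is the hard part of this check, and a link that merely fails to resemble a known brand has not been shown to be safe.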

VII. CONCLUSIONS
Through this article we can understand that, however secure your application is, it is always vulnerable to one thing, "the
human factor". This human factor is the weakest link in security, and it can be patched not by one-time training but only by an
ongoing process of improvement. Often it is the interaction between the data and the person that has to be secured, rather than
the interaction between the data and the server.

REFERENCES
[1] www.wikipedia.com
[2] https://www.webroot.com/in/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering
[3] http://www.infosectoday.com/Norwich/GI532/Social_Engineering.htm#.WFBlHtV96Ul
[4] https://www.redspin.com/it-security/penetration-testing/social-engineering/
[5] https://www.smartfile.com/blog/social-engineering-attacks/
[6] https://www.praetorian.com/penetration-testing/social-engineering-testing
[7] http://searchsecurity.techtarget.com/tip/Social-engineering-penetration-testing-Four-effective-techniques
[8] https://www.us-cert.gov/ncas/tips/ST04-014
