Social Engineering


Origin of the term social engineering

The term social engineering, also known as "human hacking" or "social hacking," originally had a horizon of meaning in the context of political science before its now rather negative connotation in the context of information security.

Karl Popper first introduced the term in 1945 in his work The Open Society and Its Enemies. In it, Popper criticized the widespread view that one can imagine an ideal society and then put this ideal into practice. Instead, he advocated a form of social engineering that, through the creation of appropriate institutions, intervenes in only limited subsections of society in order to solve specific problems there. His principle rested on the idea that a human being can be improved in much the same way as a machine. The term then grew in popularity in the early 1970s as an expression of optimism, based on the belief that society could be reshaped for the better through targeted rational and engineering interventions. Contrary to Popper's own attitude, manipulative methods of achieving this goal were generally not rejected.

In the context of information security and hacking, individuals who deliberately exploit basic human characteristics and needs in order to steal sensitive data are also referred to as "social engineers." This rather euphemistic and cynical term, however, is rarely used for this group of people nowadays. They are mainly labeled as "hackers" or "cybercriminals."

The historical background

A historical analysis of social engineering shows that it is closely tied to the technical possibilities of the respective epoch. If social engineering is not limited to today's context, in the sense of targeted information technology data theft, it quickly becomes clear that the methods of malicious manipulation, persuasion and rabble-rousing are as old as mankind itself. Even in ancient works, such as Socrates' defense speech of 399 B.C. (the Apology), which Plato's teacher delivered before the Athenian People's Court, the sole purpose was to convince the listeners with rhetorical artistry and to achieve the intended goal. In Socrates' case, this sophistry was meant to prevent his own guilty verdict and thus save him from the death penalty. For the sake of completeness, it should be noted that all this effort was of no avail and Socrates was executed a short time later.

This example illustrates that the entire topic of social engineering is far too extensive and steeped in history to be simply reduced to hackers, phishing e-mails and malicious links.

Back to social engineering in the modern sociotechnical security context. One of its early forms was phreaking, which was practiced in the 1980s in particular. Phreaking refers to a subculture of hackers of that time who were concerned with the security mechanisms of telephony, in particular with the manipulation of telephone connections. The aim of phreaking is to manipulate telephone systems using special signal tones in order to use them free of charge. This methodology dates back to the late 19th century, but only really became problematic with the expansion of mobile telephony. As technology advanced, the approach was no longer limited to telephone connections but also extended to communication security techniques for electronic espionage. Van Eck phreaking, for example, now allows fraudsters to pick up the unintentional electromagnetic emissions of computer screens, among other devices.

Not least, people such as Kevin Mitnick, Thomas Ryan or the fraud artist Frank Abagnale helped the genre of skilled manipulators to gain a broader social reputation. On the one hand, this can be explained by the fact that these seemingly morally reformed individuals underwent a social metamorphosis from "gangster" to respected "white hat hacker," and some of them still sit in government circles or important positions today as established experts. On the other hand, the media image of this group of people changed enormously after they were favorably portrayed in films such as Steven Spielberg's "Catch Me If You Can" and thus became a significant part of pop culture.

What I did when I was young is a hundred times easier today. Technology brings about crime.

These examples show once again how closely "online attacks" and attacks from the real world (telephone calls, games, etc.), which are erroneously perceived as safer, are intertwined. It also becomes clear that the greatest gateway to these attacks is the human being and his or her ability to be manipulated.


What is social engineering?

In social engineering, the perpetrator, in the form of the hacker, exploits human characteristics such as helpfulness, trust, and respect for or fear of authority to skillfully manipulate his victims. In this way, cyber criminals entice their victims to bypass security functions, disclose confidential information, make bank transfers, or install malware on their private or corporate end devices. This form of interpersonal manipulation is, as already mentioned, as old as time immemorial. However, in the age of ever-advancing digital communication, new opportunities arise for fraudsters. Technological progress now offers them millions of potential victims, whom they can deceive extremely effectively and lucratively.

The risks for companies and their employees, but also for private individuals, include the theft of account information, e-mail accounts, passwords, and login credentials. In the private sector, this is how involuntary account transfers are obtained, among other things. In the corporate environment, a single, often completely unnoticed mouse click on a malicious link is frequently enough to introduce malware, Trojans or other malicious software into the corporate network. The consequences then range from minor problems and partial data loss to complete production downtime, industrial espionage or sabotage, not to mention massive damage to the image of the affected company.

At the turn of the year 2020, information security expert Linus Neumann impressively addressed the current challenges, dangers, but also opportunities of social engineering in his talk "Brains Hacking" at Europe's largest hacker conference, the 36th Chaos Communication Congress (36C3 for short). In it, he painfully demonstrated that not only state-of-the-art attack mechanisms play a role, but that precisely tried-and-tested methods such as macro viruses are still very effective. These have existed since 1999 and have since been frequent components of attacks in the context of phishing and malicious office attachments to e-mails, for example when transporting ransomware or crypto Trojans. At that time, macro viruses gained notoriety through a variant called "Melissa". Melissa is the fastest and most widespread computer virus of all time. It was a fake Word file disguised as a supposed invoice, which overloaded numerous IT systems at the time.

In summary, the central feature of social engineering is usually the deception of a victim by concealing or falsifying the perpetrator's own identity. The fraudster, in the guise of a technician, craftsman or support employee, intends to persuade companies or Internet service providers to hand over valuable information or to entice them to click on infected links, which then install malware. Particularly perfidious in this context is, for example, the scam of a program that is promoted on the Internet as anti-virus software and is supposed to help clean the hard drive, but turns out to be malware once installed.

If you are interested or need further general explanations, you can also find a lot of exciting and useful information on the BSI site, as part of the "BSI for citizens" campaign.

Classification in IT security

If we now take a closer look at the different fields of IT security, there are also different perspectives on the classification of social engineering.

From the perspective of a white-hat hacker in penetration testing, social engineering can be seen as one possible testing area alongside three others: technical security, physical security and the often underestimated organizational security. A penetration test is an attempt to assess the security of an IT infrastructure by deliberately and safely exploiting security vulnerabilities. These vulnerabilities can exist in operating systems, services and application flaws, incorrect configurations, and risky end-user behavior. Penetration tests are meaningful and useful for monitoring the effectiveness of the protection mechanisms in place as well as end-user compliance with security policies.

Attacker grading

As in all areas of IT security, two basic questions should be asked about social engineering as a matter of priority: What do I want to protect? And who do I want to protect myself from? Regardless of whether you are a private individual, a company, or even a government institution, you should not neglect non-technical areas such as trickery, imposture, rhetorical manipulation, and so on.

When considering who exactly to protect against, it is useful to divide the various attacker classes into groups based on threat level and intent.

The figure below shows at a glance that social engineering generally plays a significant role only for more experienced attacker groups. It is less of a concern with the now increasingly well-known class of so-called "script kiddies". These are primarily computer users who, despite a lack of basic knowledge, attempt to penetrate other people's computer systems and then, if necessary, cause damage. In the case of industrial espionage, targeted sabotage attempts or even attacks at the government level, social hacking is very often only one piece of the puzzle in the overall picture of a much more extensive attack. Nevertheless, it is also important to arm oneself against these attacks in the best possible way.

Examples from practice

In addition to classic examples of a social engineering attack, such as phishing or spear phishing via e-mail, there are also scenarios that not only describe a pure interaction between people on a communication channel, but are combined with attacks of a physical nature (physical access).

Examples include the systematic rummaging through garbage (dumpster diving), spying on private individuals while they are typing (shoulder surfing), or even the forcible or systematic entry into relevant premises.

What makes social engineering so successful?

To understand why social engineering is, and will probably remain, one of the most successful tactics by far, it is worth taking a look at the human psyche and socialization. Technological security systems can become better and better, but as long as it is humans who operate them, they will always remain fallible. Social engineers have recognized the influenceability of humans as a glaring security gap, which is why IT experts often speak of "human hacking" in this context.

Individual Psychology Approach

If we follow the approach of the two psychologists Heather Goudey and Myles Jordan, who examined a series of successful social engineering attacks from 2001 to 2004 as part of a study, 12 factors can be identified that have a significant positive influence on the success of social engineering. These include curiosity, greed, the desire for love, and inexperience. In principle, these are fundamental human emotions and character traits which, when combined, can also reinforce one another.

In social engineering, the basic goal is to grab people by their emotions so that rational common sense no longer plays a role in decision-making. The strength of these psychological mechanisms and the force they often exert on the person concerned can also be seen in the famous experiment conducted by psychologist Stanley Milgram. In this experiment, he tested the willingness of his test subjects to comply with the demands of the experimenter even when these were in stark contradiction to their conscience. The overwhelming majority could not withstand the inner pressure to defer to the deciding authority and consequently preferred to expose other fellow human beings (not real ones, which the test subjects did not know) to supposedly life-threatening electric shocks.

Figure: Factors exploited in social engineering: curiosity, greed, desire for love, authority, trust, haste, pressure

System 1 and System 2

According to the Israeli-American psychologist and Nobel Prize winner in economics Daniel Kahneman, the basic principle of human cognitive thinking can be divided into System 1 and System 2 (see figure).

At the 36C3 (36th Chaos Communication Congress) in Leipzig, the German graduate psychologist and press spokesman of the Chaos Computer Club, Linus Neumann, transferred Kahneman's model to the reality of human hacking in his talk "Hirne Hacken" (Hacking Brains) and thereby showed the weaknesses of the human factor from an individual psychological point of view.

System 1 works automatically, quickly and intuitively. It supports us humans in all recurring tasks of the daily routine, for example driving to work or the motor function of locking the front door. System 1 also takes over whenever people are a) afraid or b) performing a boring, routine activity. It is precisely these weak points that the attacker exploits in a targeted manner in an attempt to manipulate the individual. The resulting actions are no longer rationally controlled and are characterized by panicked haste.

System 2 would actually know exactly what to do in the case of a phishing e-mail that seems dubious or a mysterious caller asking for passwords. However, this is of little help if System 1 already dominates the thought process.

Figure: Fast thinking, slow thinking
Source: "Fast Thinking, Slow Thinking" by Daniel Kahneman

Organizational Psychology Approach

According to Neumann, the fact that this problem does not seem to be solved can be explained in terms of organizational psychology. Often, the areas of technical security and physical security mentioned above are already relatively well implemented. The remaining security gap is the human being himself. The hacker therefore takes the path of least resistance and directly chooses the human factor, in the sense of social engineering, as by far the easiest attack vector: humans are the weakest link in the chain. In addition, protective measures in this area, through training or user awareness, are at a worryingly low level. This is partly because there are no clearly defined standards for user awareness and employee training, either for private individuals or for companies.

Figure: Brain hacking
Source: Lecture "Brain Hacking" by Linus Neumann

Counter Measures

Every practically relevant problem of IT security is theoretically solved.

As in any area of information security, we actually know what effective countermeasures in the area of human hacking should look like: train, train and train again.

Practical training concepts are crucial here. A standardized training platform with theoretical examples to "click through" makes no didactic sense, nor does it result in an effective increase in IT security. Anyone who knows such a standardized model from their own employer knows how tiring and demotivating it can be.

As an internationally operating penetration testing team, we have had a 100% intrusion success rate from the company's founding until today. Of course, this is also related to successful social engineering and untrained personnel. The best way to learn human protection mechanisms is to simulate actual attacks in changing scenarios together with employees. This can help achieve the big common goal: information security, also for the human factor!

Problem: Theoretical training platforms only
Solution: Active attack simulation through a social engineering attack in the context of a penetration test

Problem: Abstract guidelines & concepts
Solution: Didactics that first arouse enthusiasm for the subject; only then is training provided
