Social Engineering

Origin of the term social engineering

The term social engineering, also known as “human hacking” or “social hacking”, originally had its meaning in the context of political science; today it carries a rather negative meaning in the context of information security.

Karl Popper first introduced the term in his 1945 work The Open Society and Its Enemies. In it, Popper criticized the general view that one could imagine an ideal society and then put this ideal into practice. In contrast, he advocated a form of social engineering that only intervenes in limited sub-areas of society, creating suitable institutions in order to solve specific problems there. His principle was based on the idea that a human can be improved in a similar way to a machine. In the early 1970s, the term gained increasing popularity as an expression of optimism. At the time, this hope was based on the belief that society could be positively reshaped through targeted, rational, engineering-style interventions. Contrary to Popper's attitude, manipulative methods to achieve this goal were generally not rejected.

In the context of information security and hacking, individuals who specifically exploit basic human characteristics and needs in order to steal sensitive data are also referred to as "social engineers". However, this rather euphemistic and cynical term is now used less frequently for that group of people, who are predominantly labeled “hackers” or “cyber criminals”.

The historical background

A historical view of social engineering shows that it correlates to a high degree with the technical possibilities of the respective epoch. If you do not limit social engineering to today's context, in the sense of targeted data theft using information technology, you will quickly notice that the methods of malicious manipulation and persuasion are as old as humanity itself. Already in ancient works, such as the defense speech of Socrates in 399 BC (Apology), which Plato's teacher held before the Athenian people's court, it was all about convincing the listeners with rhetorical skill and thereby achieving the intended goal. In the case of Socrates, this sophistry was intended to prevent his own conviction and thereby save him from the death penalty. For the sake of completeness, it should be noted that all will and action came to nothing and Socrates was executed a little later.

This example makes it clear that the entire complex of social engineering issues is far too extensive and steeped in history to simply be reduced to hackers, phishing emails and malicious links.

Back to social engineering in the modern sociotechnical security context. One of the early forms was so-called phreaking, which was practiced particularly in the 1980s. Phreaking refers to a subculture of hackers at the time that dealt with the security mechanisms of telephony, in particular with the manipulation of telephone connections. The aim of phreaking is to manipulate telephone systems with special signal tones in order to use them free of charge. This methodology dates back to the late 19th century, but it wasn't until the spread of mobile telephony that it became truly problematic. With advances in technology, this approach was no longer limited to telephone connections, but extended to communication security techniques for electronic espionage. Thanks to Van Eck phreaking, fraudsters are now also able to receive unintentional electromagnetic emissions, which are caused, among other things, by computer screens.

People such as Kevin Mitnick, Thomas Ryan or the fraud artist Frank Abagnale helped the genus of skillful manipulators to become more widely known in society. On the one hand, this can be explained by the fact that these people, who appear to have been morally purified, underwent a social metamorphosis from “gangster” to respected “white hat hacker” and are therefore, in some cases, still established experts in government circles or in important positions today. On the other hand, the media image of this group of people changed enormously after they were favorably staged in films such as Steven Spielberg's "Catch Me If You Can" and thus rose to become a significant part of pop culture.

What I did when I was young is a hundred times easier today. Technology breeds crime.

These examples once again make it clear how closely “online attacks” are linked to attacks from the real world (telephone calls, games, etc.), which is mistakenly perceived as being safer. It also becomes clear that the greatest gateway for these attacks is the human being and his or her manipulability.

What actually is social engineering?

In social engineering, the perpetrator, in the form of the hacker, uses human characteristics such as helpfulness, trust and respect or fear of authority to skillfully manipulate his victims. In this way, cyber criminals trick their victims into overriding security functions, disclosing confidential information, making transfers or installing malware on private or company-internal devices. As already mentioned, this form of interpersonal manipulation is as old as living memory. In the age of ever-advancing digital communication, however, there are new opportunities for fraudsters. Technological advancement now offers them millions of potential victims whom they can fool extremely effectively and lucratively.

The risks for companies and their employees, but also for private individuals, include the theft of account information, e-mail accounts, passwords and login information. In the private sector, for example, victims are tricked into making account transfers they did not intend. In the business environment, a single, often completely unnoticed mouse click on a malicious link is often enough to inject malware or Trojans into the company network. The consequences then range from minor problems and partial loss of data to complete loss of production, industrial espionage or sabotage, not to mention the massive damage to the company's image.

At the turn of the year 2020, the information security expert Linus Neumann impressively addressed the current challenges, dangers, but also opportunities of social engineering in his lecture "Hacking the brain" as part of the largest European hacker conference, the 36th Chaos Communication Congress - C3 for short. In it he painfully demonstrated that not only state-of-the-art attack mechanisms play a role, but that tried and tested methods such as macro viruses are still very effective. These have existed since 1999 and since then have often been part of an attack in the context of phishing and malicious Office attachments to e-mails, for example when delivering ransomware or crypto Trojans. The macro virus genus achieved notoriety at the time through a variant called "Melissa". Melissa is the fastest and most widespread computer virus of all time. It is a fake Word file, disguised as an alleged invoice, which overloaded numerous IT systems at the time.

In summary, the central feature of social engineering is often the deception of a victim by concealing or falsifying the identity of the perpetrator. The scammer, in the guise of a technician, handyman or support person, intends to trick companies or internet service providers into giving up valuable information or into clicking on infected links which then install malware. Particularly perfidious in this context is the scam of a program that is advertised on the Internet as antivirus software and is supposed to help with cleaning the hard drive, but then turns out to be malware when it is installed.

If you are interested or need further general explanations, you can also find a lot of exciting and useful information on the BSI website as part of the "BSI for Citizens" campaign.

Classification in IT security

If you now take a closer look at the different fields of IT security, there are also different perspectives when classifying social engineering.

From the point of view of a white-hat hacker in a penetration test, one can understand social engineering as one possible test field alongside three other perspectives: technical security, physical security and organizational security, which is often underestimated. A penetration test is an attempt to assess the security of an IT infrastructure by deliberately and safely exploiting security gaps. These vulnerabilities can exist in operating systems, services and application failures, misconfigurations as well as risky end-user behavior. Penetration tests are meaningful and useful for checking the effectiveness of the applied protection mechanisms and compliance with security policies by the end user.

Attacker Gradation

As in all areas of IT security, two basic questions should be asked when it comes to social engineering: What do I want to protect? And who do I want to protect myself from? Regardless of whether it is a private person, a company or even a state institution, the non-technical areas such as fraud, imposture, rhetorical manipulation etc. should not be neglected.

When it comes to the question of who exactly you want to protect yourself from, it makes sense to divide the various attacker classes into groups according to the degree of danger and intention.

In the figure below, it quickly becomes clear that social engineering usually only plays a significant role with more experienced attacker groups. This is less of a concern for the now increasingly well-known class of so-called "script kiddies". This primarily refers to computer users who, despite a lack of basic knowledge, try to penetrate other computer systems and then possibly cause damage. In the case of industrial espionage, level attacks, targeted sabotage attempts or even attacks at the government level, social hacking is very often just one piece of the puzzle in the overall picture of the much more extensive attack. Nonetheless, it is also important here to protect oneself as well as possible.

Practical examples

In addition to classic examples of a social engineering attack, such as phishing or spear phishing via email, there are also scenarios that involve more than pure interaction between people over a communication channel and are combined with attacks of a physical nature (physical access).

Examples include the systematic rummaging through the garbage (dumpster diving), spying on private individuals while they are typing (shoulder surfing) or even the violent or systematic intrusion into relevant premises.

What makes social engineering so successful?

In order to understand why social engineering was, is and probably will remain one of the most successful tactics, it is advisable to take a look at the human psyche and socialization. Technological security systems can always be improved, but as long as it is people who operate them, they will always remain fallible. Social engineers have recognized the suggestibility of people as a glaring security gap, and IT experts often speak of “human hacking” in this regard.

Individual Psychological Approach

If you take the approach of the two psychologists Heather Goudey and Myles Jordan, who looked at a number of successful social engineering attacks from 2001 to 2004 as part of a study, 12 factors can be identified that have a significantly positive influence on social engineering. These include curiosity, greed, the desire for love or inexperience. Therefore, in principle, it is a question of fundamental human emotions and character traits, which, when combined, can also be mutually strengthened.

The basic goal of social engineering is to get people to experience these same emotions so that rational common sense no longer plays a role in decision-making. How strong these mental mechanisms actually are and what force they often exert on those affected can also be demonstrated in the famous experiment by psychologist Stanley Milgram. In this he tested the willingness of his subjects to obey the demands of the experimenter, even if they were in violent contradiction to their conscience. The overwhelming majority could not withstand the inner pressure to contradict the decisive authority in this regard and consequently exposed other people (although not real, which the test subjects did not know) to supposedly life-threatening electric shocks.

Social Engineering: Curiosity, greed, longing for love, authority, trust, haste, pressure

System 1 and System 2

According to the Israeli-American psychologist and Nobel Prize winner in economics Daniel Kahneman, human cognitive thinking can be divided into System 1 and System 2 (see figure).

At the 36C3 (36th Chaos Communication Congress) in Leipzig, the German graduate psychologist and press spokesman for the Chaos Computer Club, Linus Neumann, transferred Kahneman's system to the reality of human hacking in his lecture "Hirne Hacken" and thus showed the weaknesses of the human factor from the point of view of individual psychology.

System 1 works automatically, quickly and intuitively. It supports us humans in all recurring tasks of daily routine. These include driving to work or the motor skills used when locking the front door. System 1 also becomes active whenever people are a) afraid or b) performing a boring and routine activity. It is precisely these weak points that the attacker exploits in a targeted manner in an attempt to manipulate the individual. The actions are then no longer controlled rationally and are characterized by panic and haste.

System 2 would actually know exactly what to do in the event of a phishing mail that appears dubious or a mysterious caller asking for passwords. However, that doesn't help much if System 1 already dominates the thought process.

Source: "Fast Thinking, slow Thinking" by Daniel Kahneman

Organizational Psychological Approach

According to Neumann, the fact that this problem does not seem to be solved can be explained by organizational psychology. The areas of technical security or physical security mentioned above are often implemented relatively well. The vulnerability is the person himself. The hacker therefore takes the path of least resistance and directly chooses the human factor, in the sense of social engineering, as by far the simplest attack vector. Man is the weakest link in the chain. In addition, the protective measures in this area, such as training or user awareness, are implemented at worryingly low levels. This is partly due to the fact that in the areas of user awareness and employee training, there are no clearly defined standards, neither for private individuals nor for companies.

Source: Lecture "Hirne Hacken" by Linus Neumann

Countermeasures

Every practically relevant problem of IT security is theoretically solved.

As in every area of information security, we actually know what effective countermeasures should look like in the area of human hacking - train, train and train again.

Practical training concepts are crucial here. A standardized training platform with theoretical examples to "click through" is neither didactically useful nor does it result in an effective increase in IT security. Anyone who is used to a corresponding standardized model from their own employer knows how tiring and demotivating this can be.

As an international penetration testing team, we have had a break-in success rate of 100% since the company was founded. Of course, this also has to do with successful social engineering and untrained staff. The best experience when learning human protection mechanisms is simulating actual attacks in changing scenarios together with the employees. This allows you to achieve the big common goal: information security, also for the human factor!

Problem | Solution
Theoretical training platforms only | Active attack simulation through a social engineering attack as part of a penetration test
Abstract guidelines & concepts | Didactics: arouse enthusiasm for the topic, then training takes place
