[upl-image-preview uuid=0f55344d-071f-452c-b1ec-974ff0bb28ef url=https://hacklivly.com/assets/files/2025-08-10/1754834903-886724-file-000000001fd061f9a2ff4f39cbb07a8d.png alt={TEXT?}] # **1️⃣ Introduction to Social Engineering** Social engineering is the **art of manipulating human psychology** to trick people into revealing confidential information or performing actions that compromise security. Unlike hacking machines, **social engineering hacks people**, exploiting natural human traits like trust, fear, curiosity, greed, or helpfulness. **Core idea:** *The weakest link in cybersecurity is often the human element.* # **2️⃣ Why Social Engineering Works** Humans can be manipulated because of: * **Trust** → People tend to believe authority figures. * **Fear** → Urgent threats cause rushed decisions. * **Curiosity** → Suspicious links or gossip grab attention. * **Greed** → "Too good to be true" deals lure victims. * **Helpfulness** → Employees wanting to be helpful might bypass security. # **3️⃣ Types of Social Engineering Attacks** ### ## **1. Phishing** **Definition:** Mass emails or messages designed to trick users into revealing sensitive information or clicking malicious links. **Example:** **Target Breach (2013)** * HVAC vendor received a phishing email that looked like a legitimate business communication. * Credentials stolen → attackers infiltrated Target’s payment network. **Lesson:** Train employees to identify suspicious links, even from trusted-looking sources. ## **2. Spear Phishing** **Definition:** Highly targeted phishing directed at specific individuals or organizations. **Example:** **RSA SecurID Breach (2011)** * Customized email to a few RSA employees with an Excel attachment. * Exploited zero-day vulnerability to steal SecurID data. **Lesson:** Even a single well-crafted email can bypass defenses if employees aren’t trained. ## **3. Whaling** **Definition:** Targeting high-profile individuals (CEOs, CFOs) for large-scale fraud. **Example:** **Ubiquiti Networks Scam (2015)** * Attackers impersonated senior executives via email. * Convinced finance staff to wire $46.7 million to overseas accounts. **Lesson:** Always verify financial requests via a second communication channel. ## **4. Pretexting** **Definition:** Inventing a scenario to trick someone into revealing information or granting access. **Example:** **HP Pretexting Scandal (2006)** • Investigators pretended to be journalists and board members to get phone records. **Lesson:** Use strict verification procedures for any request involving sensitive data. ## **5. Baiting** **Definition:** Enticing a victim with a tempting offer or object that contains malicious code. **Example:** **Infected USB Drives at Stuxnet Incident (2010)** * USB drives with malware left in targeted areas of Iranian nuclear facilities. * When inserted, malware spread to air-gapped systems. **Lesson:** Never insert unknown devices into secure networks. ## **6. Quid Pro Quo** **Definition:** Offering a service in exchange for sensitive information. **Example:** **Tech Support Scam Cases** * Attackers called employees pretending to be IT staff. * Promised help but requested login credentials. **Lesson:** Legitimate support will never ask for passwords. ## **7. Tailgating (Piggybacking)** **Definition:** Physically following an authorized person into a restricted area without proper credentials. **Example:** **Data Center Breach Attempt (Multiple Incidents)** * Attackers dressed as delivery staff or maintenance workers to gain entry. **Lesson:** Implement badge access and security guard verification. ## **8. Watering Hole Attack** **Definition:** Compromising websites frequently visited by the target group. **Example:** **Council on Foreign Relations Website Hack (2012)** * Hackers infected the site with malware. * Visitors from targeted industries unknowingly downloaded malicious code. **Lesson:** Keep browsing isolated and monitor traffic to critical sites. ## **9. Vishing (Voice Phishing)** **Definition:** Using phone calls to trick people into revealing sensitive information. **Example:** **Twitter Bitcoin Scam (2020)** * Attackers called Twitter employees pretending to be IT support. * Convinced them to reveal admin credentials. **Lesson:** Verify caller identities before sharing any credentials. ## **10. Smishing (SMS Phishing)** **Definition:** Using text messages to lure victims into clicking malicious links. **Example:** **Bank Fraud Campaigns (Ongoing)** * Texts pretending to be from a bank, claiming account issues. * Victims clicked fake links and entered login details. **Lesson:** Never click links in unsolicited SMS messages. # **4️⃣ Stages of a Social Engineering Attack** 1. **Research (Reconnaissance)** – Gathering details from social media, websites, or public records. 2. **Hook** – Initiating contact with the target (email, phone, in-person). 3. **Play** – Building trust or applying pressure. 4. **Exit** – Extracting data or access and disappearing. 5. **Cover Tracks** – Removing evidence to avoid detection. # **5️⃣ Tools Used in Social Engineering** * **Maltego** – OSINT tool for mapping relationships and data. * **theHarvester** – Gathers emails, domains, and subdomains. * **Creepy** – Geolocation from social media. * **SET (Social Engineering Toolkit)** – Used for phishing, credential harvesting, etc. * **OSINT Framework** – Collection of intelligence gathering tools. * **LinkedIn / Facebook / X** – Information sources for target profiling. # **6️⃣ Defenses Against Social Engineering** * **Security Awareness Training** – Teach employees how to spot scams. * **Multi-Factor Authentication** – Reduces risk even if credentials are stolen. * **Email Filtering** – Block suspicious attachments and links. * **Verification Policies** – Always verify unusual requests through a second channel. * **Physical Security** – ID checks, access control, shredding policies. * **Simulated Phishing Tests** – Regularly test employees’ awareness. # **7️⃣ Real-World Case Studies** ### **1. The 2011 RSA SecurID Breach** **Method Used:** * Attackers sent spear-phishing emails to a small group of RSA employees. * Subject line was “2011 Recruitment Plan” with an Excel attachment. * The Excel file contained a malicious Adobe Flash object exploiting a zero-day vulnerability. **Impact:** * Stolen information related to RSA’s SecurID two-factor authentication system. * Led to security concerns for multiple defense contractors relying on SecurID. **Lesson Learned:** * Even high-tech security firms can be breached through human manipulation. * Limiting email access and using strong endpoint protection is crucial. ## **2. The 2013 Target Breach** **Method Used:** * Hackers compromised a third-party HVAC vendor’s credentials through phishing. * Used those credentials to access Target’s network. * Installed malware on POS (Point-of-Sale) systems. **Impact:** * 40 million credit and debit card numbers stolen. * Cost Target over $200 million in settlements and upgrades. **Lesson Learned:** * Supply chain vendors can be a weak security link. * Network segmentation is critical. ## **3. The 2014 Sony Pictures Hack** **Method Used:** * Employees received fake Apple ID verification emails (phishing). * Credentials stolen gave attackers access to Sony’s internal systems. **Impact:** * Gigabytes of internal data, unreleased films, and private emails leaked. * Severe reputational damage. **Lesson Learned:** * Spear-phishing can open the door for massive breaches. * Multi-factor authentication (MFA) for all accounts is essential. ## **4. The 2016 U.S. Presidential Election Spear-Phishing** **Method Used:** * John Podesta, chairman of Hillary Clinton’s campaign, received a fake Google security email. * Email directed him to a spoofed login page. * Attackers gained access to thousands of campaign emails. **Impact:** * Emails published by WikiLeaks. * Major political consequences. **Lesson Learned:** * MFA could have stopped the attack. * User training on verifying links is vital. ## **5. The 2020 Twitter Bitcoin Scam** **Method Used:** * Attackers used phone spear-phishing to target Twitter employees. * Gained admin access to internal tools. * Posted Bitcoin scam messages from verified accounts (including Elon Musk, Bill Gates). **Impact:** * $120,000 worth of Bitcoin stolen. * Massive public trust issues for Twitter. **Lesson Learned:** * Insider threat protection and access control are critical. * Social engineering can bypass even the best technical defenses.

Cybersecurity 101 - Day 10 : Social Engineering and Human Hacking

Varun

1️⃣ Introduction to Social Engineering

Social engineering is the art of manipulating human psychology to trick people into revealing confidential information or performing actions that compromise security.

Unlike hacking machines, social engineering hacks people, exploiting natural human traits like trust, fear, curiosity, greed, or helpfulness.

Core idea:
The weakest link in cybersecurity is often the human element.

2️⃣ Why Social Engineering Works

Humans can be manipulated because of:

Trust → People tend to believe authority figures.
Fear → Urgent threats cause rushed decisions.
Curiosity → Suspicious links or gossip grab attention.
Greed → “Too good to be true” deals lure victims.
Helpfulness → Employees wanting to be helpful might bypass security.

3️⃣ Types of Social Engineering Attacks

1. Phishing

Definition:
Mass emails or messages designed to trick users into revealing sensitive information or clicking malicious links.

Example: Target Breach (2013)

HVAC vendor received a phishing email that looked like a legitimate business communication.
Credentials stolen → attackers infiltrated Target’s payment network.

Lesson:
Train employees to identify suspicious links, even from trusted-looking sources.

2. Spear Phishing

Definition:
Highly targeted phishing directed at specific individuals or organizations.

Example: RSA SecurID Breach (2011)

Customized email to a few RSA employees with an Excel attachment.
Exploited zero-day vulnerability to steal SecurID data.

Lesson:
Even a single well-crafted email can bypass defenses if employees aren’t trained.

3. Whaling

Definition:
Targeting high-profile individuals (CEOs, CFOs) for large-scale fraud.

Example: Ubiquiti Networks Scam (2015)

Attackers impersonated senior executives via email.
Convinced finance staff to wire $46.7 million to overseas accounts.

Lesson:
Always verify financial requests via a second communication channel.

4. Pretexting

Definition:
Inventing a scenario to trick someone into revealing information or granting access.

Example: HP Pretexting Scandal (2006)

   • Investigators pretended to be journalists and board members to get phone records.

Lesson:
Use strict verification procedures for any request involving sensitive data.

5. Baiting

Definition:
Enticing a victim with a tempting offer or object that contains malicious code.

Example: Infected USB Drives at Stuxnet Incident (2010)

USB drives with malware left in targeted areas of Iranian nuclear facilities.
When inserted, malware spread to air-gapped systems.

Lesson:
Never insert unknown devices into secure networks.

6. Quid Pro Quo

Definition:
Offering a service in exchange for sensitive information.

Example: Tech Support Scam Cases

Attackers called employees pretending to be IT staff.
Promised help but requested login credentials.

Lesson:
Legitimate support will never ask for passwords.

7. Tailgating (Piggybacking)

Definition:
Physically following an authorized person into a restricted area without proper credentials.

Example: Data Center Breach Attempt (Multiple Incidents)

Attackers dressed as delivery staff or maintenance workers to gain entry.

Lesson:
Implement badge access and security guard verification.

8. Watering Hole Attack

Definition:
Compromising websites frequently visited by the target group.

Example: Council on Foreign Relations Website Hack (2012)

Hackers infected the site with malware.
Visitors from targeted industries unknowingly downloaded malicious code.

Lesson:
Keep browsing isolated and monitor traffic to critical sites.

9. Vishing (Voice Phishing)

Definition:
Using phone calls to trick people into revealing sensitive information.

Example: Twitter Bitcoin Scam (2020)

Attackers called Twitter employees pretending to be IT support.
Convinced them to reveal admin credentials.

Lesson:
Verify caller identities before sharing any credentials.

10. Smishing (SMS Phishing)

Definition:
Using text messages to lure victims into clicking malicious links.

Example: Bank Fraud Campaigns (Ongoing)

Texts pretending to be from a bank, claiming account issues.
Victims clicked fake links and entered login details.

Lesson:
Never click links in unsolicited SMS messages.

4️⃣ Stages of a Social Engineering Attack

Research (Reconnaissance) – Gathering details from social media, websites, or public records.
Hook – Initiating contact with the target (email, phone, in-person).
Play – Building trust or applying pressure.
Exit – Extracting data or access and disappearing.
Cover Tracks – Removing evidence to avoid detection.

5️⃣ Tools Used in Social Engineering

Maltego – OSINT tool for mapping relationships and data.
theHarvester – Gathers emails, domains, and subdomains.
Creepy – Geolocation from social media.
SET (Social Engineering Toolkit) – Used for phishing, credential harvesting, etc.
OSINT Framework – Collection of intelligence gathering tools.
LinkedIn / Facebook / X – Information sources for target profiling.

6️⃣ Defenses Against Social Engineering

Security Awareness Training – Teach employees how to spot scams.
Multi-Factor Authentication – Reduces risk even if credentials are stolen.
Email Filtering – Block suspicious attachments and links.
Verification Policies – Always verify unusual requests through a second channel.
Physical Security – ID checks, access control, shredding policies.
Simulated Phishing Tests – Regularly test employees’ awareness.

7️⃣ Real-World Case Studies

1. The 2011 RSA SecurID Breach

Method Used:

Attackers sent spear-phishing emails to a small group of RSA employees.
Subject line was “2011 Recruitment Plan” with an Excel attachment.
The Excel file contained a malicious Adobe Flash object exploiting a zero-day vulnerability.

Impact:

Stolen information related to RSA’s SecurID two-factor authentication system.
Led to security concerns for multiple defense contractors relying on SecurID.

Lesson Learned:

Even high-tech security firms can be breached through human manipulation.
Limiting email access and using strong endpoint protection is crucial.

2. The 2013 Target Breach

Method Used:

Hackers compromised a third-party HVAC vendor’s credentials through phishing.
Used those credentials to access Target’s network.
Installed malware on POS (Point-of-Sale) systems.

Impact:

40 million credit and debit card numbers stolen.
Cost Target over $200 million in settlements and upgrades.

Lesson Learned:

Supply chain vendors can be a weak security link.
Network segmentation is critical.

3. The 2014 Sony Pictures Hack

Method Used:

Employees received fake Apple ID verification emails (phishing).
Credentials stolen gave attackers access to Sony’s internal systems.

Impact:

Gigabytes of internal data, unreleased films, and private emails leaked.
Severe reputational damage.

Lesson Learned:

Spear-phishing can open the door for massive breaches.
Multi-factor authentication (MFA) for all accounts is essential.

4. The 2016 U.S. Presidential Election Spear-Phishing

Method Used:

John Podesta, chairman of Hillary Clinton’s campaign, received a fake Google security email.
Email directed him to a spoofed login page.
Attackers gained access to thousands of campaign emails.

Impact:

Emails published by WikiLeaks.
Major political consequences.

Lesson Learned:

MFA could have stopped the attack.
User training on verifying links is vital.

5. The 2020 Twitter Bitcoin Scam

Method Used:

Attackers used phone spear-phishing to target Twitter employees.
Gained admin access to internal tools.
Posted Bitcoin scam messages from verified accounts (including Elon Musk, Bill Gates).

Impact:

$120,000 worth of Bitcoin stolen.
Massive public trust issues for Twitter.

Lesson Learned:

Insider threat protection and access control are critical.
Social engineering can bypass even the best technical defenses.