Social engineering: 3 examples of human hacking

Social engineering expert Chris Hadnagy shares juicy tales of successful cons he's seen as a security consultant, and six prevention tips

Chris Hadnagy gets paid to fool people, and he's gotten pretty good at it over the years. A co-founder of and author of Social Engineering: The Art of Human Hacking, Hadnagy has been using manipulation tactics for more than a decade to show clients how criminals get inside information.

Hadnagy outlines three memorable stories of social engineering tests that he's included in his new book (you can also read a short excerpt), and points out what organizations can learn from these results.

The Overconfident CEO

In one case study, Hadnagy outlines how he was hired as an SE auditor to gain access to the servers of a printing company which had some proprietary processes and vendors that competitors were after. In a phone meeting with Hadnagy's business partner, the CEO informed him that "hacking him would be next to impossible" because he "guarded his secrets with his life."

Hadnagy started his test by calling the park, posing as a software salesperson. He was offering a new type of PDF-reading software, which he wanted the park to try through a trial offer. He asked what version they were currently using, got the information easily, and was ready for step two.

The next phase required on-site social engineering, and Hadnagy used his family to ensure success. Heading up to one of the ticket windows with his wife and child in tow, he asked one of the employees if they might use their computer to open a file from his email. The email contained a PDF attachment for a coupon that would give them discounted admission.

"The whole thing could have gone south if she said 'No, sorry, can't do that,'" explained Hadnagy. "But looking like a dad, with a kid anxious to get into the park, pulls at the heart strings."

The employee agreed, and the park's computer system was quickly compromised by Hadnagy's bad PDF. Within minutes, Hadnagy's partner was texting him to let him know he was 'in' and 'gathering information for their report.'
