Gathering information to support social engineering exercises is much the same as research you do for anything else. You need a goal in mind when you start in order to keep the research focused. Having a clear objective helps you determine what information is relevant to the end goal and what can be ignored. This holds true not only for the information gathered but also for how it’s gathered.
Telephone
The telephone is an anonymous (up to a point) way of obtaining information. Its drawbacks are caller ID and call tracing, so social engineers need to blend in with the environment to be successful: a calling number and a pretext that fit the company they are calling. A simple phone call can reveal the company's name, the name and role of the person who answered, the names of colleagues and a great deal more. Once that call is over, the social engineer can phone back and use the details already obtained to extract even more information.
False Websites – Phishing
Another way to obtain information is to set up a website that looks legitimate for the company, typically a copy of its intranet login page or a survey page that an employee would be expected to fill out. The link the employee follows does not lead to the real site but to a look-alike site the social engineer controls (see Phishing). Whatever the employee enters there, credentials, survey answers or personal details, can give the social engineer the information needed to reach the goal. The usual give-away is the address bar: the host name is a near copy of the real one, or the real name appears only as a subdomain of a domain the company does not own.
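The two tell-tale signs described above (a link whose visible text names the real site while its href points elsewhere, and a host name that merely resembles the real one) can be checked mechanically before anyone clicks. The following is an added example written for this page, not code from the original article: the allowlist in TRUSTED_DOMAINS and the HTML in SAMPLE_HTML are constructed, and registered_domain() is a deliberately crude "last two labels" rule that is fine for the .com/.net names used here but would need a public-suffix list for real use.

```python
"""Spot phishing links: visible text that names a trusted host while the href goes
elsewhere, and hrefs whose host merely resembles a trusted one (look-alike domains).

Added example, not code from the original article. TRUSTED_DOMAINS and SAMPLE_HTML
are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the domains the company actually owns (assumption).
TRUSTED_DOMAINS = {"example.com", "intranet.example.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); fine for the .com/.net names used here (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_host(host):
    """Return 'trusted', 'lookalike' or 'untrusted' for a host name."""
    if is_trusted(host):
        return "trusted"
    reg = registered_domain(host)
    for trusted in TRUSTED_DOMAINS:
        treg = registered_domain(trusted)
        same_name_other_tld = reg.split(".")[0] == treg.split(".")[0]   # example.co
        trusted_name_as_subdomain = treg in host.lower()                 # example.com.evil.net
        typo_squat = edit_distance(reg, treg) <= 2                       # examp1e.com
        if same_name_other_tld or trusted_name_as_subdomain or typo_squat:
            return "lookalike"
    return "untrusted"


def audit_links(html):
    """Return (href, visible text, verdict) for every link in the HTML."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        verdict = classify_host(host)
        # Classic lure: the visible text shows a trusted URL but the href points elsewhere.
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
        if shown and is_trusted(shown.group(0)) and verdict != "trusted":
            verdict = "mismatch"
        findings.append((href, text, verdict))
    return findings


# Constructed sample: one genuine intranet link and three phishing-style lures.
SAMPLE_HTML = """
<p>Please complete the <a href="https://intranet.example.com/survey">HR survey</a>.</p>
<p>Or use <a href="http://intranet.example.com.hr-survey-portal.net/login">https://intranet.example.com/survey</a></p>
<p><a href="https://examp1e.com/reset">Reset your password</a></p>
<p><a href="https://cdn.vendor-site.net/x.js">script</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE_HTML):
        print(f"{verdict:10} {href}  (shown as: {text!r})")
```

Run it on the constructed sample and the second link is reported as a mismatch, the third as a look-alike and the fourth as simply untrusted; only the first is trusted. The same audit_links() can be fed the HTML body of a suspicious e-mail or a saved copy of a survey page.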
Tailgating
Also referred to as piggybacking, tailgating is how a person gains access to a secured building even when entry is controlled by smart-card passes or biometrics. Normally these controls keep unauthorized personnel away from systems and networks, but people are sometimes too helpful and will hold a locked door open for the 'employee' behind them who is still searching for a pass that never existed. Simply running up and catching the door before it shuts works just as well and gives access to otherwise inaccessible areas. A short (admittedly slightly goofy) video shows how easy it is to piggyback into a building.
Social Networking Sites
Type the name of a co-worker or friend into a search engine and see how many hits or profiles come back with their details. MySpace, Facebook, Twitter, LinkedIn and the like help people connect, but they also help social engineers collect information about you, your employer and your friends and family: job titles, colleagues, e-mail address formats, hobbies and the kind of personal facts used as answers to security questions. Social engineering can be purely psychological, using what has already been gathered about a person to draw out more.
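Names harvested from profiles become useful the moment they can be turned into addresses the target company actually uses. The following is an added example written for this page, not code from the original article: it infers the company's e-mail format from one known address (a press release or a signature block is usually enough) and applies it to the other names. The domain, the known address, the harvested names in HARVESTED and the pattern list in PATTERNS are all constructed assumptions.

```python
"""Turn names harvested from social networking profiles into probable corporate
e-mail addresses by inferring the address format from one known address.

Added example, not code from the original article. The domain, the known address
and the harvested names are constructed; PATTERNS is a common set, not exhaustive."""
import unicodedata

# Local-part conventions commonly seen in corporate directories (assumption: the
# target uses one of these; extend the dict if the known address matches none).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first": lambda f, l: f,
}


def normalize(name):
    """Lower-case, strip accents and drop anything that is not a letter:
    'José' -> 'jose', "O'Brien" -> 'obrien', 'Mary-Ann' -> 'maryann'."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return "".join(c for c in ascii_name.lower() if c.isalpha())


def infer_patterns(known_email, first, last):
    """Names of every pattern that reproduces known_email's local part for (first, last)."""
    local = known_email.split("@", 1)[0].lower()
    f, l = normalize(first), normalize(last)
    if not f or not l:
        return []
    return [name for name, fn in PATTERNS.items() if fn(f, l) == local]


def candidates(first, last, domain, patterns=None):
    """Probable addresses for one person; restricted to the inferred patterns when known."""
    f, l = normalize(first), normalize(last)
    if not f or not l:
        return []
    chosen = patterns if patterns else list(PATTERNS)
    seen, out = set(), []
    for name in chosen:
        addr = f"{PATTERNS[name](f, l)}@{domain}"
        if addr not in seen:  # different patterns can collide for short names
            seen.add(addr)
            out.append(addr)
    return out


def expand_directory(known_email, known_first, known_last, people, domain):
    """Apply the format inferred from one known address to every harvested name."""
    patterns = infer_patterns(known_email, known_first, known_last)
    if not patterns:
        raise ValueError("known address matches no pattern in PATTERNS; extend the list")
    return {f"{fi} {la}": candidates(fi, la, domain, patterns) for fi, la in people}


# Constructed input: names as they appear on profiles (accents, hyphens, apostrophes).
HARVESTED = [("José", "Müller"), ("Mary-Ann", "O'Brien"), ("Li", "Wei")]

if __name__ == "__main__":
    directory = expand_directory("jane.doe@example.com", "Jane", "Doe", HARVESTED, "example.com")
    for person, addrs in directory.items():
        print(person, "->", addrs)
```

With no known address, candidates() falls back to every pattern, which is the list you would verify against an SMTP server or a password-spray target list; with one known address the list collapses to a single probable address per person, which is what makes the harvested names actionable.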
Intrusion
Intrusion means actually entering the target's building or property and obtaining information there. Posing as an employee, an outside contractor or even an IT administrator, the social engineer can ask questions or offer to fix problems (see Pretexting and Elicitation).
Reverse Social Engineering
Once inside, a social engineer can also plant a rogue access point, or use the information gathered earlier by telephone, e-mail or website to get into restricted areas. Reverse social engineering is the practice of first gaining access to the target machine or network and rendering it unusable, then presenting oneself as the person who can 'fix it'; the victim now approaches the attacker for help and hands over credentials or access voluntarily. A useful device to leave behind is a small GSM bug: it transmits audio, or lets you dial in and listen, through a standard GSM SIM card.
Shoulder Surfing
One of the easiest forms of social engineering, commonly called shoulder surfing, is simply to look over the target's shoulder; a plethora of information can be obtained that way, from user IDs to passwords to confidential data displayed in plain text.
A video by the European Network and Information Security Agency (ENISA) shows how easy it is to shoulder surf.