Social Engineering is a technique used by hackers to try and gain sensitive information about a system by tricking people into giving them restricted information. For example, a hacker may try and gain the system administrator password for access to a Help Desk so that he can gain privileged access to data.
Social Engineering can be used during penetration testing engagements for clients when social engineer is clearly defined in the test plan and the Statement of Work. The statement of work is a legal contract between the penetration testing company and the client to execute a specific work plan during a specified period of time.
After gaining legal authorization from the client, the scope and the objectives of the social engineering must be defined. An example of this could include testing the Help Desk employees of a specific company and attempting to get access to a privileged account.
The testing could start by doing basic research about the company on the corporate website. A basic understanding of what products and services the company supplies is important information to a hacker. Additional information about the company should be reviewed, such as what is the Help Desk number, who are the executives in charge, where are the locations of the company, what operating systems are they likely to be running. One technique is to do a search on Usenet and look for companies that messages posted by the system administrators of the company. This could provide useful information when the administrator requests for troubleshooting help.
If the hacker knows what type of Help Desk system is running, then he or she can target the attack based on the application. Hackers often pose as employees of the company in authoritative roles. This could include acting as the IT Security of the company. In one scenario, a hacker could expect to have IT security from one of the work locations and state that he noticed some problems with the Help Desk system and he is investigating. After talking to the Help Desk employee, he or she may ask for a password to the system. Sometimes the employees give out information that they should not give out, such as their own username and password, or a privileged username and password. This could be used as a basic way of setting up accounts on the system and helping customers.
Hackers often use intimidation while social engineer. For example, a hacker may pose as an administrative assistant of a high level executive and call the Help Desk. The hacker states that the high level executive is on travel and needs help recall his password. A password reset may provide just enough access to download the contents of his mailbox and run away with proprietary information.