The Art of Human Hacking

Muhammad Usman
6 min readNov 24, 2019

--

You are passing by a road and you see a bunch of people gathered at a point. What is the first question that pops up in your mind? “Why is there so much crowd?” Yeah?

You are meeting a person for the first time. You both are sitting opposite to one another at a coffee shop table. The person is talking to you, while continuously maintaining eye contact. How do you feel? Of course, good. Because you think the person is paying you attention.

Consider you get a phone call. The speaker says he is from a telephone company and he would like to verify your contact details. He says “Is this 123466?”. If he is incorrect, you immediately say, “No, it’s 565535” just to correct him. You told him your number even when he didn’t know and TADA! If that person has some malicious intent, he would definitely use this contact information against you. So, this is how the human psyche works. Human beings show similar behavior most of the time and social engineers trick them making most of this psyche.

The process of taking advantage of this human psychological behavior to make that person pull out sensitive information and use it for malicious purpose is called “Social Engineering” and the people who do this are called “Social Engineers”.

Image taken from https://www.abacustechnologies.com/

Let me tell you that “Computer Hacking is nothing without social engineering”. A person also has to perform social engineering tricks to gather information related to his target.

There can be multiple types of social engineering techniques to trick a target. Consider the following:

CASE- I: Jenny received an email in her official email inbox that her bank account has been hacked. For restoring her account back, she has to immediately enter some relevant information to help bank authorities against hackers. Jenny immediately clicked the provided link and entered her credit card/debit card information, ATM Pin and other information on that site. Jenny was not hacked before but she was hacked later!

Yes, and this called Phishing.

CASE- II: Marina is a mother of an infant and a house wife. She, when home alone along with her child one day, received a telephone call from her husband’s mobile number, and a person saying “He is one of the close friends of her husband and that her husband is in emergency ward of a hospital because he has met a serious accident so she has to provide bank account information for money withdrawal so that his husband’s treatment at the hospital can be started. Marina, in a panic state, considering that the phone call is not fake because it’s from her husband’s number, told the account information to the caller. Account was hacked after this call.

Caller used spoofing to call Marina. The trick is called “Vishing” i.e. a voice phishing.

Image taken from https://www.minnesotagoodage.com/

CASE- III: Lena took part in a beauty contest at her college fun festival for which she had to fill out the participation form asking for her name and cell number so that she can be informed on that contact number if she wins. Lena, one day, received a SMS, stating that she has won a prize in a luck draw associated with that beauty contest. For receiving her reward, she has to login to provided URL and enter some personal information required for proceeding her application. Lena did so. Later on, she received a bill from a RENT A CAR company for paying her dues. She was shocked to know that her information was used to rent a car from a company she knows nothing about.

Technique used was Smishing i.e. SMS Phishing.

Image taken from https://www.yucatan.com

CASE — IV: John is not a very good student and doesn’t complete assignments on time. He cannot ask the toppers of the class for assignment every time so he thought to play some trick. In university cafeteria one day, he heard his topper of the class Steve, saying to his fellow that he has filled out the accommodation application form and soon he is going to get confirmation email. John generated a similar email with a URL and sent it to Steve. The email looked like as if it has been sent from administration department. Steve, in his excitement, clicked the malicious URL which at the backend, installed a trojan horse into his system (that trojan horse provided secret access to Steve’s computer). Steve was redirected to a fake website as result and he didn’t know that his system’s privacy has been compromised. John picked assignments and sent to his own computer. Steve fell an easy victim of social engineering.

Image taken from https://blog.malwarebytes.com/

CASE — V: Laura was having a cup of coffee at a coffee shop along with her friends. She saw two guys coming and sitting on a table on the other side. Laura heard that they were talking about “Rick Tan” a famous footballer and a celebrity. A guy in white shirt appeared to be Rick’s body man from his conversation. Laura, a fan of Rick, thought to approach that guy to ask him if she can meet Rick. The two guys were talking about Rick’s schedule of the week and other personal details only a body man would know. One of the two guys pulled out a USB flash drive from his pocket and told the other guy that this contains all of the scheduled meetings and contact details of Rick which he has to transfer into his computer once he reaches home. The other nodded his head. Some minutes passed and the two guys left the coffee shop after paying their bill. Laura saw that the they had forgotten the USB on the table.
She rushed to get that USB back to them but she thought to copy the contact details of Rick in her laptop first. So, she inserted that USB into her laptop and copied contact details (The contact was fake and her computer was compromised as a result). This is called “Baiting”.

Image taken from https://www.informationsecuritybuzz.com/

As the world is growing fast in technology, one need to be careful of his information to whom he provides it to. The emails, SMS, MMS or other messages you get via any source of information, don’t rush into telling your information rather take a deep breath and think of its authenticity first. Make sure you give your information in save hands. Never provide unnecessary details and only provide data that is essentially required. These are the ways to save yourself from being hacked. Because, human hacking is surely a great art for malicious people to target their goals.

We are all a little damaged, Bee. Some of us more than others. — T.M. Frazier

To sum up all the above discussion in to four stages as,

--

--

Muhammad Usman
Muhammad Usman

Responses (1)