
Great Social Engineering Techniques for Hackers - Get People to Do What You Want


I have been running this "hacking/security" blog for more than a year now. Besides cyber security, ethical hacking and technology, I am also interested in some social and natural science fields, like philosophy and psychology. In this article I will share some manipulation techniques that I know about from my previous knowledge and experience. These techniques can be used in many different ways, and I will leave it up to the individual to decide what those ways are. Please realize this isn't mind control; it will not let you convince people to do extreme things, but it may change a simple idea in someone's mind and make them favor your ideas more. These methods can come in handy for many hackers. Let's start:


Sympathy/Empathy - Believe it or not, making someone feel sorry for you can yield great results. You can convince people to do many things with just a simple guilt trip. Examples include a family member's death, a recent job loss, a scarring event such as being robbed at gunpoint, losing money, or even a simple bad day. Using this can make somebody not only do what you want, but they won't feel regret over doing it.

Split Personalities - No, this does not mean being nice one second and mean the next. This tactic is great for pressuring someone into something from two fronts. The basic idea is to act as two people. This cannot be done in person and is best done online. An example of this method's usefulness is convincing someone to sell something at a cheaper price by having one side of you, as a friend, say "great deal" while the other says they can barely afford this and are unsure if they should. The trick here is to play opposites in a way that pushes the person you want to trick into doing something they wouldn't otherwise do.

If you don't then someone else will - Nothing puts more pressure on someone than giving them the idea of loss if they do not take advantage of the situation. This can be great for selling items. The general idea behind this is to make the person feel as if they will lose a once-in-a-lifetime opportunity if they give up on this offer. You can even use Split Personalities in combination with this.

Being Over Understanding - Nothing softens the heart more than making a person feel that they're doing a good job. If a situation arises where you have been wronged, pretending to be completely understanding can go a long way. This generally makes the person feel more obliged to give you a better experience.

That is all I can come up with at the current moment. Please throw in suggestions and feedback. This is technically Social Engineering, the art of getting people to tell you things that they usually wouldn't disclose, through the use of words and your appearance. I personally hate this type of people. A good social engineer (or as I love to call these types of people, "bullshit artists") can make people believe nearly anything. It is always a good idea to be aware of people who you don't know, but it is also good practice to watch people you DO know. Don't get paranoid about things, because that isn't what I mean, but Social Engineering is the EASIEST way to hack anything. Hope this helps people gain the upper hand in a poorly set up situation.

Why You Shouldn't Phish, Keylog, or Social Engineer on Facebook


I've been writing a lot about Facebook Hacking on this blog. I began to think to myself that I should write another tutorial, considering that even if you do eventually acquire the password and e-mail, you will still be stuck with the problem that I spoke about in my other post regarding the situation of "Logging in from another Location".

I won't waste your time and I will go straight to the point. I won't go into deep details since I already did on my old post. I will merely display some other problems when acquiring or taking over a Facebook account.

Why not Phish on Facebook?

Well, as stated in my old post, a message appears saying that you are logging in from a different location, so even if you have the password and the e-mail, you will still have this problem and you won't be able to log in. The same problem happens when you attempt to change their password manually by having the reset URL sent to their e-mail.

Once again, you would need to spoof their IPs to bypass that.

Why not Keylog?

Well, again... Keyloggers only record keystrokes executed on the person's keyboard. You will have access to text and nothing else. By text, I am referring to whatever you seek, such as the e-mail and password. The same problem about logging in from another location will happen here.

Once again, you would need to spoof their IPs to bypass that.

Why not Social Engineer?

Well, you might be able to eventually get access to their e-mail and password info, but the problem of Logging in from another location will still be there, so you'll still be screwed.

So, you may wonder, what should I do then?

Personally, I would highly suggest ONLY RATting the person if you are attacking them from a different location. However, if you know the person personally, I would suggest keylogging, since there is a possibility that you might be able to get access to the computers they use, and the problem of Logging in from another location will go away. I explained more about locations and situations in my old post. Read my old post for more details as to when you should keylog or phish.

To wrap it up, I would suggest RATing only if you don't know your slave on a personal level, since you will essentially have complete access to their computer, allowing you to do things on their computer rather than your own.

Keylogging, Phishing, and SE are good methods for acquiring the info, but bypassing Facebook's check is where the problem lies.

Keylogging, Phishing, and SE are still good methods to attack other websites, but Facebook became smart enough to make it a bit more difficult for "hackers" to take over accounts.

Shut Up and Be Secure - Power of Social Engineering


Humans are the weakest part of the Information Security chain. Psychologists have identified many benefits people receive when they help others. Helping can make us feel empowered. It can get us out of a bad mood. It can make us feel good about ourselves. Hackers find many ways of taking advantage of our inclination to be helpful.

Because hackers often target people who don't know the value of the information they are giving away, the help may be seen as carrying little cost to the helper. Most humans tend to explain their own behavior and that of others, and while doing this we give away a lot of information about ourselves.

Security is too often merely an illusion, an illusion sometimes made even worse when gullibility, naivety, or ignorance come into play. The world’s most respected scientist of the twentieth century, Albert Einstein, is quoted as saying, “Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.” In the end, social engineering attacks can succeed when people are stupid or, more commonly, simply ignorant about good security practices.

With the same attitude as our security-conscious homeowner, many information technology (IT) professionals hold to the misconception that they’ve made their companies largely immune to attack because they’ve deployed standard security products – firewalls, intrusion detection systems, or stronger authentication devices such as time-based tokens or biometric smart cards.

Anyone who thinks that security products alone offer true security is settling for the illusion of security. It's a case of living in a world of fantasy: they will inevitably, later if not sooner, suffer a security incident.

How to Detect Fake Emails


Yesterday one of my readers asked me how to detect a fake mail. I thought this could be a good topic for an article, so here are some tips for detecting fake, fraudulent or spam mails.

How to Detect Fake Mails:

1. Let's get back to the example I illustrated in my article Fake Mailer. I had used "support@gmail.com" as the sender email address. No doubt this was fake, and the receiver will get the fake email sent by me.

2. Suppose you are the receiver. Now I will tell you how to recognize this mail as fake. Open the email and click on "Show Details".

3. Something you must know:

Whenever Google sends you any email, the email details will contain fields like:

- Mailed by
- Signed by (optional)


Also, most of the time, the "Mailed by" field will have the value:

*.bounces.google.com or
*.google.com


depending on the type of your mail. The same holds for genuine email from other mail providers: the "Mailed by" value is the provider's own domain.

4. But these two fields will not be present in the details of a Fake Mail. Also, if the mail details do contain these fields, their value will not be *.google.com.

Fake Mail without "Mailed by" field (screenshot):

Fake Mail with "Mailed by" field (screenshot):



As you can see, the "mailed by" field shows the hosting server's name and not the Google server. This means that this server was used to send you the fake email, and most probably the fake mailer is hosted on the same server.


You can also check out the header field to detect fake mails. Follow the steps:

- Open the mail. Click the down arrow next to "Reply" and click on "Show Original".



- Now check out the "Received" fields. These fields show you the name of each server through which the mail was sent. As you can see, we have used "emkei.cz" as our fake mailer, so it has appeared in the "Received" field.
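As an added example (not part of the original post), the following Python applies the two checks above, the "Mailed by"/Received hop and the "Signed by"/DKIM domain, to the raw headers you get from "Show Original". The sample messages, receiver hostnames and the provider table are constructed for illustration; only emkei.cz and the gmail.com/google.com rule come from the post.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Domains the post says a provider's genuine mail shows under "Mailed by"; for Gmail
# that is *.google.com or *.bounces.google.com (this table is the example's assumption).
PROVIDER_SENDERS = {"gmail.com": ("google.com", "bounces.google.com")}

# Constructed sample modelled on the post's "support@gmail.com via emkei.cz" case
# (203.0.113.0/24 is a documentation range; the receiver hostname is made up).
FAKE_MAIL = """\
Received: from emkei.cz (emkei.cz [203.0.113.11]) by mx.receiver.example
 with ESMTP id 4f1a2b; Mon, 1 Jul 2013 10:00:00 +0000
From: Gmail Support <support@gmail.com>
Subject: Your account needs verification
"""
# Constructed genuine counterpart: a hop from *.google.com plus a DKIM d= domain.
REAL_MAIL = """\
Received: from mail-wg0-f50.google.com (mail-wg0-f50.google.com [203.0.113.50])
 by mx.receiver.example with ESMTPS id 9c8d7e; Mon, 1 Jul 2013 10:05:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=from:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Some Friend <friend@gmail.com>
Subject: Lunch?
"""

def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def check_sender(raw):
    """Apply the post's two header checks to one raw 'Show Original' message."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    expected = PROVIDER_SENDERS.get(from_domain, (from_domain,))
    # Each Received line names the server that handed the mail over ("from <host>").
    hops = [m.group(1).lower() for h in msg.get_all("Received", [])
            for m in [re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", str(h))] if m]
    # Gmail's "Signed by" is the d= domain of the DKIM-Signature header.
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    signed_by = m.group(1).lower() if m else None
    reasons = []
    if not any(_in_domain(h, d) for h in hops for d in expected):
        reasons.append("no Received hop from %s; hops: %s" % (expected, hops))
    if signed_by is None:
        reasons.append("no DKIM-Signature, so no 'Signed by' field")
    elif not any(_in_domain(signed_by, d) for d in expected + (from_domain,)):
        reasons.append("signed by %s, not %s" % (signed_by, from_domain))
    return {"from_domain": from_domain, "hops": hops, "signed_by": signed_by,
            "reasons": reasons, "fake": bool(reasons)}
```

Run `check_sender(FAKE_MAIL)` and `check_sender(REAL_MAIL)` to see the first flagged on both checks and the second passing; a message with a forged "Mailed by" hop but no matching "Signed by" is still reported.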

More Tips:

- Fake mails usually have attractive titles.
- Such mails address the receiver as "Dear Customer" or similar and do not use your real name.
- Never click on any link in emails. Instead, open such links manually in a new tab. Refer to my article Anti-Phishing measures for more information.

Follow these tips and you will be able to recognize fake, spoof, spam emails. If you know any other useful tip to detect fake or spam emails, please share it with us in comments.

What is Social Engineering?


Social Engineering is the art of Hacking In Real Life. Social engineering is the art of getting people to tell you stuff that they usually wouldn’t disclose, through the use of words and your appearance.

A good social engineer (or as I love to call these types of people, "bullshit artists") can make people believe nearly anything.

I will use the example of someone trying to get someone’s password:

Now the most important thing is having a believable story. If you go to someone and say “hotmail have requested i get your password for account checking”, then they will most likely tell you to piss off.

One of the most common ways that I use is "I'm doing a survey". Make a fake survey, attach it to a clipboard, and just walk up to the person and start asking him questions.

For example:
Hi, my name is Alexander, and I am doing a survey on how strong peoples passwords are. You will be surprised at how insecure most people’s passwords are, and you may find it extremely worrying about how insecure your password may be. If you don’t mind, would you allow me to ask you a few questions?

The person will think “insecure personal information” and 9 times out of 10 will agree to talk to you.

Ask them questions like “does your password contain letters numbers and symbols”, “how long is your password” (when they are counting, watch their lips to see if they spell the words/numbers out), etc.

You may also be able to give them the “i also have a good way of calculating how strong your password is. This isn’t necessary but you can give me a password you use most frequently and i can calculate how strong it is”, but that sometimes pushes the bar a little too much.

Prevention of Social Engineering

As you can probably see above, the power of SE can EASILY be used against people. It is always a good idea to be aware of people who you don't know, but it is also good practice to watch people you DO know. Don't get paranoid about things, because that isn't what I mean, but SE is the EASIEST way to hack anything.

Here are some tips of keeping safe:

I can't give a complete list, because Social Engineers are constantly changing the ways in which they gain trust.
A few things to look out for:

Something that is too good to be true

If it's too good to be true, then it probably is. Always make sure that the person is trusted, or is well known. But don't just go on that; the person may have fooled everyone. It is always good to ask yourself "If this is such a good offer, how can he/she be offering it?"

Someone who you never usually talk to has started being really interested in you

They might just have become really interested in you, but what for? If they start asking really strange or personal questions, I would recommend you play the "Playing it hard" game. Ask them the same question as your answer, and refuse to tell them until they tell you. Then just say "I don't believe you". It doesn't matter if it's true or not, but what you have just done is proven to them that they aren't as trusted as they believed they were, even if it's only psychological. Then just make up an excuse so you need to go. There are plenty of ways to just get out of something, but I prefer the method where you beat them at their own game. It makes it SO much more entertaining =)

Someone you don’t know asks you for your details

Obviously you don’t give them out, you would have to be stupid to do that.

As a rule of thumb, just make sure that the person isn't trying anything. You will find it hard to spot a really good social engineer, but just remember that there are always people out there who aren't that good, trying it.

Remember: Never give out details, or secure information such as your passwords. Use passwords that aren’t anything to do with your age/DOB/FirstName/Surname etc. All of that can be found too easily.

This Post was written with the beginner in mind, and just defines the basics of the Social Engineering techniques.
Copyright @ 2013 All Rights Reserved.