Human hacking for newbies, a nontechnical primer on social engineering.

Trading chocolate for diamonds.

We're in 2006, Carlos Hector Flomembaum is a customer of a bank in the diamond quarter of Antwerp. Two-thirds of the diamonds in circulation globally are transiting through this small area.

Our friend is a regular customer for about a year at the time. He's small talking with the bank employees, earning their trust over time. On certain occasions, he even offered them boxes with fine belgian chocolate. On 2 March 2007, the routine visit to the bank included an unexpected twist.

He found himself alone in the vault without any surveillance. Of course, when the bank reopened on Monday, 28 million dollars' worth of diamonds had been stolen. Carlos was in fact a fake identity he had for years. He vanished with the money and never resurfaced, him nor the money.

This is a perfect example of what social engineering is. Combining Open Source Intelligence (OSINT), persuasion, influence and seduction to achieve one's end. The end goal is to make someone do something he wouldn't do if not incentivized.

Even though this example is from the physical realm, the principle at play in cyberspace are similar.

Your package has been flooded. Click here (evil URL) to have it repackaged and sent again.

In the world of information security, the issues at hand are more or less the same. Fake SMS from your bank, emails presumably sent from the Social Security Office or a phone call explaining that you have to pay customs tax on an Amazon delivery.

Making a distinction between the physical and the cyber realm is artificial especially when in this case, the dollars in stake are real ones. Social engineering is the cornerstone of a successful cyberattack. Nudging without forcing or coercing is the best way to achieve one's end, be it benevolent or malevolant.

To summarize it:

1. Without OSINT, no believable pretext.
2. Without a pretext and some persuasion, no one is clicking on your phising link.
3. If no one clicks on it, no money.

We could say that the technical part is closing a process that was started way earlier first because the victim was a human being.

A "Pathé" worth 20 million dollars. Top quality.

Textbook case. Social engineering opens the door. Employees trust is earned and a substantial amount of confidental data is collected. The key here is that the identity of the headquarters was spoofed.

This CEO fraud allowed attackers to steal more than 20 million dollars. They sent emails to the directors of the Dutch subsidiary asking them to transfer funds to secure an acquisition in Duba? with an ulterior refund.

Once trust is earned and the legitimacy of the sender is not questioned anymore, anything's possible!

Especially for companies where the potential gains for attackers are massive. They have time to craft tailored-fit pretexts and target the right people (spear-phishing) using the right triggers. In these cases, any employee could pull the trigger on his own company. Finding the professionnal email pattern and having an org chart is way more than enough to steal in this case 20 million dollars.

Human hacking, regular hacking minus security to bypass.

Still today, companies are mostly spending money on flashy software and shiny endpoint protection but training and awareness seems out of the question. If hacking is not seen as first a human endeavor and a mind's game, advances in technical capabilities have no use.

If you have a hundred locks on your door but you leave it open because it's too hot inside, what's the point? Maybe having just a couple locks but an extra window would do the trick. If someone knew the hours on which you opened the front door (by for example, walking by your place) he could effortlessly rob you and these locks wouldn't help.

Awareness is the name of the game. Every attacker wants the most in the shortest time possible. Make it at least a little difficult for them and they will go somewhere else (plenty of careless companies to be pwned). As for spear-phishing, the top executives need to have in-depth training on these types of attack and how to check for fraudulent communications.

Until robots take over, humans might be something worth spending on.