Social Engineering Tactics by Riku Juurikko
The purpose of this report is to describe some of the social engineering tactics I found most useful, as described by Riku Juurikko, who held a lecture for my Penetration Testing course taught by Tero Karvinen during Spring of 2020.
-------------------------------------
On April 14th 2020, we had a guest lecture held by Riku Juurikko, who (at the time of this report) works at Elisa as a Senior Security Manager and has worked as a physical penetration tester in the past. Mr. Juurikko, with examples from his real-life experiences, explained to us that just like computers, people can be hacked too. This art is called Social Engineering.
Investopedia defines Social Engineering as: "[The] act of exploiting human weaknesses to gain access to personal information and protected systems. Social engineering relies on manipulating individuals rather than hacking computer systems to penetrate a target's account."
During his presentation, Mr. Juurikko told us about the six key principles of social engineering:
1. Reciprocity – The human tendency to return a favor.
2. Commitment and consistency – People tend to stick with whatever choice they have made.
3. Social proof – People will do things that they see others doing (we all technically lied to our parents or teacher when answering the question "Would you jump off a bridge if everyone else did?").
4. Authority – The tendency to obey authority.
5. Liking – People are more easily persuaded by people they like. Attractiveness is a key aspect of this.
6. Scarcity – The basic principle of supply and demand. If there is a limited amount of something, the demand rises.
Out of all of them, two key principles stick out for me: "Reciprocity" and "Social proof".
Reciprocity, the tendency to return a favor, is a concept that also exists in physics, pop culture and business.
This is a philosophy that applies to day-to-day life, and a concept we do not normally think about. Nevertheless, people tend to give back when given something, because we stand to gain something from it. Whether it is the good feeling of getting rid of some sort of mental debt, or simply trying to get more out of the exchanges that happen, a social engineer is trying to exploit this human behavior.
An excellent example of this is one Mr. Juurikko told us about: when you hold a door open for a person, that person will likely hold the next one open for you, which can get an attacker into a place they would not have access to otherwise.
Another example would be sexpionage (which, for the record, I am not encouraging), where the target is given sex, along with the sense of intimacy and security that comes with it. As a result, the target might speak more openly to the spy, revealing crucial information, or simply give the person access to an "off-limits" area, like their apartment.
Social proof, on the other hand, is another highly exploitable key principle of social engineering for me. I consider it one because the social proof theory by Robert Cialdini, combined with poor training in an organization, could lead to catastrophic consequences. If person A is unsure of something, they will look to others in order to find a solution. This phenomenon can be seen in simple things, like fashion, or in darker things, like copycat serial killers or suicides.
This makes unsure individuals (people who need constant validation of their actions, zealous followers of trends, and countless other similar personalities) the most vulnerable to this aspect of social engineering, where a fake Wikipedia article or website could serve as proof of an attacker being someone else, or steer the victim toward some otherwise unwanted action.
-------------------------------------
This concludes my report about the social engineering presentation by Riku Juurikko. I enjoyed writing about this topic, due to my interest in psychology and human behavior, and learned a lot during my research process.