Gray Hat Hacking 106

The document discusses how human emotions are exploited in social engineering attacks to bypass security measures. Common emotions like greed, lust, empathy, curiosity, and vanity are manipulated to lead users into performing actions that compromise their security. More complex emotions, such as the desire to be helpful or authority conflict avoidance, are also targeted to gain sensitive information or access within organizations.


Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition

78
At the heart of every SEA is a human emotion, without which the attacks will not
work. Emotion is what derails security policy and practices, by leading the human user
to make an exception to the rules for what they believe is a good reason. Commonly
exploited simple emotions, and an example of how each is exploited, include:

• Greed: A promise you’ll get something very valuable if you do this one thing
• Lust: An offer to look at a sexy picture you just have to see
• Empathy: An appeal for help from someone impersonating someone you know
• Curiosity: Notice of something you just have to know, read, or see
• Vanity: Isn’t this a great picture of you?

These emotions are frequently used to get a computer user to perform a seemingly
innocuous action, such as logging into an online account or following an Internet URL
from an e-mail or instant messaging client. The actual action is one of installing malicious
software on their computer or divulging sensitive information.
Of course, there are more complex emotions exploited by more sophisticated social
engineers. While sending someone an instant message with a link that says “I love this
photo of you” is a straightforward appeal to their vanity, getting a secretary to fax you
an internal contact list or a tech support agent to reset a password for you is quite a different
matter. Attacks of this nature generally attempt to exploit more complex aspects
of human behavior, such as

• A desire to be helpful: “If you’re not busy, would you please copy this file
from this CD to this USB flash drive for me?” Most of us are taught from
an early age to be friendly and helpful. We take this attitude with us to the
workplace.
• Authority/conflict avoidance: “If you don’t let me use the conference room
to e-mail this report to Mr. Smith, it’ll cost the company a lot of money and
you your job.” If the social engineer looks authoritative and unapproachable,
the target usually takes the easy way out by doing what’s asked of them and
avoiding a conflict.
• Social proof: “Hey look, my company has a Facebook group and a lot
of people I know have joined.” If others are doing it, people feel more
comfortable doing something they wouldn’t normally do alone.

No matter what emotional button the attacker is attempting to push, the premise is
always the same: the intended victim will not sense the risk of their action or guess the
real intentions of the attacker until it’s too late or, in many cases, not at all. Because the
intended victims in these cases most often are working on computers inside of the target
company network, getting them to run a remote access program or otherwise grant
you remote access directly or indirectly can be the fast track to obtaining targeted sensitive
data during a penetration test.
