Networks --- Security --- Technology --- Blogging

Wednesday, December 27, 2006

A final, more advanced method of gaining illicit information is known as “reverse social engineering”. Here the hacker creates a persona that appears to be in a position of authority, so that employees come to him with questions and volunteer information, rather than the other way around. If researched, planned and executed well, a reverse social engineering attack may give the hacker an even better chance of obtaining valuable data from employees; however, it requires a great deal of preparation, research and preliminary hacking to pull off.

According to Methods of Hacking: Social Engineering, a paper by Rick Nelson, a reverse social engineering attack has three parts: sabotage, advertising and assisting. The hacker first sabotages the network, causing a problem to arise. He then advertises himself as the appropriate contact to fix that problem, and when he arrives to fix it he requests certain pieces of information from the employees, obtaining what he really came for. The employees never realize they were dealing with a hacker, because their network problem goes away and everyone is happy.


Ameritech Consumer Information: “Social Engineering Fraud,” ,3086,92,00.html

Anonymous: “Social engineering: examples and countermeasures from the real-world,” Computer Security Institute.

Arthurs, Wendy: “A Proactive Defence to Social Engineering,” SANS Institute, August 2, 2001.

Berg, Al: “Cracking a Social Engineer,” LAN Times, November 6, 1995.

Bernz 1: “Bernz’s Social Engineering Intro Page.”

Bernz 2: “The complete Social Engineering FAQ!”