Hacking doesn’t always rely on computers and malware: 82% of data breaches involve a human element. From the initial taking over of a target’s account to escalating privileges and moving laterally, social engineering is an important tool in the hacker’s toolbelt.
With confidence, a smile and a story, the adept social engineer can get almost anything they want, from a big fat check to the keys to someone’s house. However, it’s not easy. A good social engineer needs a sharp wit and a deep understanding of the human psyche. The ability to stay cool under pressure doesn’t hurt, either. Lying without shame is a plus as well.
Social engineering can be as easy as asking someone the right questions at the right time. It can also be incredibly complex, involving an elaborate plan and a web of unsuspecting marks. You trick each one into handing over information they probably shouldn’t, and all of a sudden you’ve got yourself the keys to the castle.
Today, we’ll take a look at some of the world’s best social engineers and how they’ve left an indelible imprint on the world of security—sometimes at the cost of their liberty.
Kevin Mitnick is one of the greats. Many of us in the industry are probably familiar with him already. He’s almost a folk hero of the cyber-realm, a former digital outlaw come good through consulting and an array of security businesses. Unfortunately, he recently passed from us and he’s somewhere up in the clouds trying to trick the gods out of their secrets.
Mitnick was once labeled the most wanted computer criminal in United States history and his journey from a precocious hacker to a reformed cybersecurity consultant reads like a Hollywood script. His exploits are impressive, not for their technical complexity but for their simplicity and human-centric tactics.
His early exploits include hacking the bus system in Los Angeles at the age of 12. He didn’t even know what social engineering was or have any idea that it existed. At the time, the bus system allowed passengers to buy a transfer ticket on top of their fare, which let them ride another bus by simply showing this ticket.
His idea was simple: if he could get the blank transfer slips and the puncher they used for it, he’d be able to ride the bus for free. All he had to do was ask the driver where he could get his hands on the puncher. He accompanied it with a lie, saying that he needed it for school. The bus driver freely dished out the information without questions. For the blank book of transfer slips, well, he just went through the dumpster next to the bus company garage.
Armed with the puncher and blank tickets, 12-year-old Mitnick was able to ride the bus for free without being caught. But that’s just the start. Mitnick’s other exploits include copying proprietary software, phreaking phone systems, infiltrating networks, and sidestepping security measures with his charm.
Of course, all of these actions had consequences. Captured by the FBI in 1995, Mitnick served five years in prison—four-and-a-half years' pre-trial and eight months in solitary confinement, because, according to Mitnick, law enforcement officials convinced a judge that he could "start a nuclear war by whistling into a pay phone."
This may sound like an exaggeration, but the officials were kind of right to be suspicious. Although he didn’t start a nuclear war, he was able to find a way to phreak a phone while he was in solitary confinement. And just like the bus system exploit, his idea was pretty simple. He didn’t need any advanced tools or codes, just his phreaking skills and a little social engineering.
Despite getting convicted for his hacking, Mitnick was able to turn his talents into legal pursuits. He became a leading voice in the industry, a consultant and an entrepreneur who helped organizations protect against the very tactics he once used to exploit them.
Mitnick’s social engineering was more of an intellectual pursuit rather than a malicious act. But many social engineers don’t see the practice the same way. A good example of the more sinister side is the Badir Brothers.
The siblings Muzher, Shadde, and Ramy Badir managed to set up an extensive phone and computer fraud scheme in Israel in the 1990s. Their scam involved stealing credit card numbers and breaking into the Israeli army radio station's telephone system to set up an illicit phone company. They were able to pull in $2 million from this scheme.
The most impressive part? They were able to run the whole thing despite each brother being blind since birth. They simply armed themselves with cellphones and Braille-display computers. Combined with their code-writing skills (yes, they were able to teach themselves how to code) and an uncanny ability to impersonate anyone, they became some of the world’s most notorious social engineers.
Frank William Abagnale Jr.
Of course, let's not forget about the most popular social engineer in the world, Frank William Abagnale Jr.. Hisexploits didn't just land in the news but became a worldwide movie sensation, Catch Me If You Can, starring Leonardo DiCaprio. Abagnale started young, and by 17 he was already a master forger and a chameleon-like impersonator.
He didn't just exploit loopholes—he waltzed right through them. He faked identities, from a Pan Am pilot to a legal prosecutor, without breaking a sweat. He even once printed his account number on blank deposit slips and placed them at the bank for unwitting customers to fill out. With these pre-filled slips, customers would unknowingly deposit money straight into his account.
It has been alleged that many of Abagnale’s exploits were really just legends that the man made up about himself. Even if this is true, isn’t getting a movie made about your fake crimes one of the greatest scams of all?