Social hacking describes the act of attempting to manipulate outcomes of social behaviour through orchestrated actions. The general function of social hacking is to gain access to restricted information or to a physical space without proper permission. Most often, social hacking attacks are achieved by impersonating an individual or group who is directly or indirectly known to the victims or by representing an individual or group in a position of authority. This is done through pre-meditated research and planning to gain victims’ confidence. Social hackers take great measures to present overtones of familiarity and trustworthiness to elicit confidential or personal information. Social hacking is most commonly associated as a component of “social engineering”.
Although the practice involves exercising control over human behaviour rather than computers, the term "social hacking" is also used in reference to online behaviour and increasingly, social media activity. The technique can be used in multiple ways that affect public perception and conversely, increase public awareness of social hacking activity. However, while awareness helps reduce the volume of hacks being carried out, technology has allowed for attack tools to become more sophisticated.
Social Hacking Techniques
Carrying out a social hacking attack involves looking for weaknesses in user behaviour that can be exploited through seemingly legitimate means. Three popular methods of attack include dumpster diving, role playing, and spear-phishing.
Sifting through garbage is a popular tactic for social hackers to recover information about the habits, activities, and interactions of organizations and individuals. Information retrieved from discarded property allows social hackers to create effective profiles of their targets. Personal contact information such as employee titles and phone numbers can be appropriated from discarded phone books or directories and used to gain further technical information such as login data and security passwords. Another advantageous find for social hackers is discarded hardware, especially hard drives that have not properly been scrubbed clean and still contain private and accurate information about corporations or individuals. Since surfing through people's curbside garbage is not a criminal offence and does not require a warrant, it is a rich resource for social hackers, as well as a legally accessible one. Dumpster diving can yield fruitful, albeit smelly results for information seekers such as private investigators, stalkers, nosy neighbours, and the police.
Establishing trust by fooling people into believing in the legitimacy of a false character is one of the main tenets of social hacking. Adopting a false personality or impersonating a known figure to trick victims into sharing personal details can be done in person or via phone conversation.
By posing as third party maintenance workers in an office building, medical practitioners in a hospital, or one of many other forms, social hackers can get past security personnel and other employees undetected. In both examples, uniform apparel is associated with specific job functions, giving people reason to trust impersonators. A more complicated manoeuver would involve a longer planning cycle, such as taking up employment inside an organization that is being targeted for an attack.
In the movie Ocean's Eleven, a sophisticated crew of con artists plot an elaborate heist to rob three popular Las Vegas casinos by assimilating themselves in the everyday activities of the casinos' operations. Although the heist is executed in less than a day, the planning cycle is long and notably fastidious. An imperative function of the attack is to present credibility in the roles being impersonated, to which attention to detail is inevitably required.
Tailgating is the act of following someone into a restricted space, such as an office building or an academic institution. Third party maintenance workers, or medical personnel, as mentioned above, often have limited cause to justify their credibility because of their appearances. Similar to role playing, tailgating functions around the assumption of familiarity and trust. People are less likely to react suspiciously to anyone who appears to fit into the surrounding environment, and will be even less liable to question individuals who don't call attention to themselves. Following behind someone in an unassuming fashion may even eliminate the need to establish a rapport with authorized personnel.
Online social hacks include “spear phishing” in which hackers scam their victims into releasing sensitive information about themselves or their organization. Hackers will target individuals within specific organizations by sending emails that appear to come from trusted sources including senior officials within the organization who hold positions of authority. To appear convincing, a social hacker's email message has to establish a tone of familiarity that belies any suspicion from its recipient. The email is designed to put forth a request for information that ties logically to the person sending it. Often, company employees will fall prey to these emails and share personal information such as phone numbers or passwords, thinking that the information transfer is taking place in a secure environment. In more sinister scenarios, the emails from hackers may be embedded with malware that infects victims’ computers without their knowledge and secretly transfers private data directly to hackers. From October 2013 to December 2016, the FBI investigated just over 22,000 of these incidents involving American businesses. In total, they saw losses approaching $1.6 billion.
A successful example of spear phishing was highly publicized in the news media in January 2014, when Target, a U.S.-based retailer, experienced a security breach that allowed hackers to steal customers’ credit card and personal data information. Later, it was revealed that the cyber criminals were able to access Target's financial and personal data files by targeting a third party mechanical company that had access to Target's network credentials. The social implications of such a high-profile social hack affect Target's popularity as a retailer, but also consumers’ trust and loyalty towards the brand.
Another example of Spear Phishing happened in June 2015 to Ubiquiti Networks Inc, a network technology company based in the United States. During this act of Spear Phishing Ubiquiti Networks reportedly lost over 46.7 million dollars. The hacking group sent Spear Phishing emails to employees in the finance department. These hackers sent spear phishing emails directly to the finance department's employees posing as company executives. The hackers managed to trick the employees into transferring funds to third party groups over seas. Fortunately for Ubiquiti Networks, 8.1 million dollars were recovered from the hackers.
Although Target may not have been slacking in its security, the hackers were able to infiltrate Target's network indirectly, by identifying a third party company with by access to Target's credentials. The social hack was in defrauding employees of the third party to divulge sensitive information, while the cybercrime was conducted by means of a malware infected email phishing attack. The need for vigilant online security is highlighted by cyber-attacks against corporations like Target as well as other global businesses and high-traffic websites. Even small websites are vulnerable to attacks, specifically because their security protection is presumed to be low. In Target's case, the third party mechanical company had inadequate security software which left them open to a malware attack.
In a similar incident, Yahoo Mail also announced in January 2014 that their system had been hacked and a number of user email accounts had been accessed. While the origin of the cause was unclear, poor security was again at the centre of the trouble. In both cases, large corporations with assumed understanding of security policies were compromised. Also in both cases, consumer data was stolen.
In a study by Orgill et al., an observation is made that “it is important that each person responsible for computer security ask if their system is vulnerable to attacks by social engineers, and if so, how can the effect of a social engineering attack be mitigated.”  Using strong passwords is one simple and easy method that assists in such mitigation, as is using reliable and effective anti-virus software. Other preventative measures include using different logins for services used, frequently monitoring accounts and personal data, as well as being alert to the difference between a request for help and a phishing attempt from strangers.
To counter security breaches at the hands of social hackers as well as technical hackers, companies employ security professionals, known as ethical hackers, or more popularly, white hat hackers, to attempt to break into their systems in the same manner that social hackers would employ. Ethical hackers will leverage the same tools methods as hackers with criminal intent but with legitimate objectives. Ethical hackers evaluate security strengths and weaknesses and provide corrective options. Ethical hacking is also known as penetration testing, intrusion testing and red teaming.
Impacting Social Media
The internet affords social hackers the ability to populate content spaces without detection of suspicious behaviour. Social hacking can also occur in environments where user-generated content is prevalent. This includes the opportunity to influence opinion polls and even to skew data beyond a point of validity. Social hacking can also be used to provide favourable reviews e.g. on product websites. It can also be used to counter negative feedback with an influx of positive responses ("like button") e.g. on blog or news article comment sections. Social hacking can cause damage to the online profile of a person or a brand by the simple act of accessing information that is openly available through social media channels.
Technology appropriation can be perceived as a type of social hacking in that it involves social manipulation of a technology. It describes the effort of users to make sense of a technology within their own contexts beyond adopting its intended use. When this happens, the use of the technology can change. Adaptation of a technology can incorporate reinterpretation of its function and meaning, to the effect that the technology itself can take on a new role. Appropriation accentuates that the user adjusts the technology for his own best practice, while adaptation advises that the use sometimes changes in general. For example, advances in today's technology make it easier than ever to portray another person. This method is known as creating a "deepfake". A deep fake is where someone can recreate somebody else's face and voice with a computer program. It is used to fake people saying and doing things they have never done or said before. "Public figures may be more “fakeable” through this method than private ones. Visually routine situations, like a press conference, are more likely to be faked than entirely novel ones." Deepfakes can be very dangerous in the sense that they can be used to fake what people with high authority have said such as, the president and politicians. There have been many articles and discussions over the new discovery of deepfakes such as Youtuber Shane Dawson's video, "Conspiracy Theories with Shane Dawson" where he talks about the conspiracy of deepfakes and what they could mean for the world today.
Social hacking is also affiliated with social enterprise. Social enterprise can be represented in the form of for-profit or non-profit organizations that encourage socially responsible business strategies for long-term environmental and human well-being. The concept of socially hacking new enterprises within the existing capitalist structure is a human endeavour that encourages people to re-evaluate the social systems that we are accustomed to, in order to identify the problems that are not being addressed. New enterprises can then be created to replace the old with systems that reinforce sustainability and regenerative growth.
- Certified Social Engineering Prevention Specialist (CSEPS)
- Internet Security Awareness Training
- IT risk
- Penetration test
- Perception management
- Piggybacking (security)
- "Archived copy" (PDF). Archived from the original (PDF) on April 14, 2014. Retrieved April 3, 2014.CS1 maint: archived copy as title (link)
- Hodson, Steve (August 13, 2008). "Never Mind Social Media, How About Social Hacking?". Mashable.
- Peter Wood. "Social hacking: The easy way to breach network security". Computerweekly.com. Retrieved 2016-07-05.
- Heary, Jamey. "Top 5 Social Engineering Exploit Techniques". PCWorld. Retrieved 2016-07-05.
- Kalwa, Jason (18 February 2014). "Phishing just got personal – avoiding the social media trap". TechRadar. Retrieved 2016-07-05.
- Rouse, Margaret. "What is spear phishing? - Definition from WhatIs.com". Searchsecurity.techtarget.com. Retrieved 2016-07-05.
- Mathews, Lee. "Phishing Scams Cost American Businesses Half A Billion Dollars A Year". Forbes. Retrieved 2019-03-25.
- "Massive Target Hack Traced Back To Phishing Email". Huffingtonpost.com. 2014-02-12. Retrieved 2016-07-05.
- Honan, Brian (2015-08-06). "Ubiquiti Networks victim of $39 million social engineering attack". CSO Online. Retrieved 2019-03-25.
- White, Mr. "Tech Firm Ubiquiti Suffers $46M Cyberheist — Krebs on Security". Retrieved 2019-03-25.
- "Email Attack on Vendor Set Up Breach at Target — Krebs on Security". Krebsonsecurity.com. 2014-02-12. Retrieved 2016-07-05.
- Mackensie Graham (2014-04-02). "How to Stop Social Hackers Before they Attack". Thenextweb.com. Retrieved 2016-07-05.
- "Yahoo Hacked And How To Protect Your Passwords". Forbes.com. Retrieved 2016-07-05.
- Ribeiro, Ricky (2014-01-07). "Snapchat's Data Breach Should Be a Wake-Up Call for Startups — BizTech". Biztechmagazine.com. Retrieved 2016-07-05.
- + flyoverContents + (2004-10-28). "The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems". Proceedings of the 5th conference on Information technology education - CITC5 '04. Dl.acm.org. p. 177. doi:10.1145/1029533.1029577. ISBN 978-1581139365. S2CID 7239602. Retrieved 2016-07-05.
- "Analysis of a social site hack: Do feds need a 'higher standard' for social networking?". GCN. 2012-05-23. Retrieved 2016-07-05.
- Melanie Pinola. "How Can I Protect Against Social Engineering Hacks?". Lifehacker.com. Retrieved 2016-07-05.
- Farsole, Ajinkya A.; Kashikar, Amruta G.; Zunzunwala, Apurva (2010). "Ethical Hacking". International Journal of Computer Applications. 1 (10): 14–20. Bibcode:2010IJCA....1j..14F. doi:10.5120/229-380.
- John Shinal, Special for USA TODAY (2014-01-03). "Snapchat hack should be wake-up call". Usatoday.com. Retrieved 2016-07-05.
- "The future of the deepfake — and what it means for fact-checkers". Poynter. 2018-12-17. Retrieved 2019-03-25.
- "The future of the deepfake — and what it means for fact-checkers". 17 December 2018.
- shane (2019-01-30), Conspiracy Theories with Shane Dawson, retrieved 2019-03-25
- Claudia Cahalane (21 February 2014). "Simple ideas, big impact – in pictures | Social Enterprise Network". The Guardian. Retrieved 2016-07-05.