In past blog posts it has been discussed how developers could be targeted, especially with the level of access they would generally have. However, some of these areas of attack wouldn’t be possible if it wasn’t for another technique which doesn’t technically require any use of electronic communication, although can play a large part in it. This technique is called Social Engineering.
Social Engineering is the term for human hacking. The main purpose is to manipulate individuals to get them to divulge sensitive information which could then be used further. This technique can be used anywhere, but we’ll be continuing the focus on the developer. Social Engineering could be used against developers in a few different ways and most of these would normally require the use of an electronic device of some sort. However, trying to keep away from the electronic side here, how could this be used to psychologically manipulate developers?
One situation can be while attending a conference for instance. Due to the social nature of conferences the potential for being manipulated here could be great, and in most cases people might not be aware.
The information that can be gained from a conference could seem to be basic, however this could provide leverage to further discovery. The most common information would be the person’s name, which then could lead onto the place of work. By obtaining this small piece of information, social media could be used to find out more, and may even result in soliciting connection requests from the target in order to gain even more information.
There can be the potential that the person carrying out Social Engineering can listen in on discussions about technology which the developer (target) and their employer may have during the conference. This could then lead onto persuading the developer to use certain libraries for example which the attacker has created.
If the developer then introduces the items (which could be nefarious) into the organisation, the risk would be great, which in turn may lead to loss of proprietary and/or personal information.