Real Cases
RE: Reverse Social Engineering May 18 2007 10:29AM
Troy, Tony (tony troy capgemini com) (2 replies)


Do we really have to modify an already lousy description?

"Social Engineering" is yet another example of the IT community bastardising
established terms used perfectly well for decades in other disciplines (eg
psychology, sociology and political science), and in doing so confusing the
meaning. Authoritarian states conduct Social Engineering in order to coerce
the masses into thinking or behaving differently.

Hackers, crooks and spies con their way in to organisations in order to do
naughty stuff, or to get information. They do not use social engineering. As
for "reverse social engineering", can't somebody just think up a completely
new word? Suggestions please!!


Tony Troy

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
Behalf Of Christopher Meyer
Sent: 03 May 2007 17:02
To: realcases (at) securityfocus (dot) com
Subject: Re: Reverse Social Engineering

On 3/9/07, Snoopy Brown <freefalled (at) gmail (dot) com> wrote:
> I might be very wrong, but wasn't hp's recent fiasco prime for your
> As I understand it, they did all sorts of illegal stuff.
> Amongst them (useful to you), they portrayed themselves (the
> "investigators") as other people to get information from the company
> employees/executives.

That's normal social engineering, not reverse. Reverse is pretending
to be the authority and getting someone to contact you for help. For
example, you trick people into calling your number for Help Desk
password resets instead of calling the actual number.

To answer the original poster... I don't know if this one technically
fits the definition but maybe if you stretch it a bit- Kevin Poulsen's
redirecting old or shut down escort service phone numbers (google it
if you aren't familiar). I'm not sure if that is more of a hack than
reverse social engineering, it has elements of both. It does have
sabotage, advertising, and assisting - all considered elements of
reverse social engineering.

I think you could also include some phishing scams in reverse social

I'm trying to rack my brain for better examples, because I could swear
I've heard of some, but none are popping to mind at the moment.

Christopher Meyer - CISSP, GCIH


RE: Reverse Social Engineering May 22 2007 03:32PM
David Gillett (gillettdavid fhda edu)
RE: Reverse Social Engineering May 22 2007 07:34AM
David Harley (david a harley gmail com)
