Social Engineeringhigh

Kevin Mitnick: The Art of Social Engineering at Motorola, Nokia, and Fujitsu

Kevin Mitnick, the most wanted hacker in the US, used phone impersonation and pretexting — not technical exploits — to obtain source code from Motorola, Nokia, and Fujitsu. His tools were confidence and a convincing story.

Motorola / Nokia / Fujitsu·1995·2 min read

Background

Kevin Mitnick was arrested in February 1995 after a two-and-a-half year manhunt. His criminal career spanned companies including Digital Equipment Corporation, Pacific Bell, Motorola, Nokia, and Fujitsu. Mitnick's genius was not in writing exploits — it was in social engineering: calling employees, impersonating colleagues, and simply asking for what he wanted.

The Attack

Mitnick's typical approach: research a target company's org chart and internal processes through dumpster diving and public records, then call an employee pretending to be a colleague from another office. He would establish credibility with specific details (employee names, project names, internal jargon) and then make a request that seemed routine — a password reset, a copy of source code for a "development server," or remote access credentials. Most employees complied without question. At Motorola, he obtained source code for cellular phones. At Nokia, he obtained proprietary mobile operating system code.

Response

Mitnick was arrested after computer security researcher Tsutomu Shimomura helped the FBI trace him. He was sentenced to five years in prison. Upon release, he became a sought-after security consultant and speaker, writing seminal books on social engineering. He died in 2023.

Outcome

Mitnick's career established that human psychology — not technical vulnerability — is the primary attack surface. His books "The Art of Deception" and "The Art of Intrusion" became foundational texts in security education. His approach is replicated daily by attackers worldwide.

Key Takeaways

  1. Employees should verify the identity of anyone requesting sensitive information, regardless of how convincing they sound
  2. Internal jargon and specific knowledge of company processes are easily acquired through OSINT and do not prove identity
  3. Requests for source code, credentials, or access from unfamiliar contacts should always require manager approval
  4. Social engineering works because humans are wired to be helpful — formalising verification overrides this instinct
pretextingimpersonationKevin Mitnickphone hackingsource code theft

More in Social Engineering

2020high

The Twitter Bitcoin Hack

2 min readSocial Engineering
2023critical

MGM Resorts Social Engineering Attack

2 min readSocial Engineering
2022critical

Lapsus$: Teenagers Bribe Telecom Employees to Breach Microsoft, Nvidia, and Uber

2 min readSocial Engineering