Social Engineering
Social engineering is a method used to influence individuals with the ultimate goal to obtain sensitive information such as a computer password, banking information, or other private data. Also known as “social manipulation,” a person implementing social engineering techniques is able to survey the environment of the potential victim(s), and then use a plausible, but fake identity to gain secret or restricted information from the targeted individual(s). In many of the documented cases from the past several decades, social engineering has been used to gain access to third party computing systems to acquire or spy on sensitive information.
What is Social Engineering?
Social engineering has come to mean the art of manipulating other people into either divulging confidential information or performing possibly unauthorized actions. Although social engineering started as an act of psychological manipulation tailored to the social sciences, the usage has become more common in computer and information security circles in the past several decades. The act of social engineering differs from long-term cons in that it simply represents one step in a more complex fraud or con scheme.
Social Engineering Techniques
Every known social engineering technique is based on a specific attribute of cognitive bias or human-decision making. These biases can be exploited in a variety of ways to gain the desired information or behavior by the person being targeted.
Pretexting Attack
In the pretexting attack, the social engineer creates an invented scenario, or the pretext, to help start a conversation with the target in a way that will increase the odds the victim will provide information or conduct actions that are desired by the attacker. Known as bohoing or blagging in the United Kingdom, this elaborate lie requires a fair amount of setup or research and the use of this information to make the attacker more believable. The technique has been used in the past to trick a business into providing private customer information as well as by private investigators to obtain banking, utility, and phone records from customer service representatives. Once the pretext attack is used to obtain information, it can then be used to further establish the attacker as being legitimate to make banking account modifications, etc. In many cases of the pretext attack, all that has been required on the part of the attacker to establish legitimacy is to use a firm voice, look the part, and be quick to answer questions when queried.
Diversion Theft Attack
The diversion theft attack originated in London’s East End and is also known as the “Round the Corner Game” or simply “Corner Game.” This attack is normally exercised by a professional group against a courier or transport company. The primary objective is to persuade the individuals responsible for the delivery to make the delivery in an alternative location. This attack has been combined with the pretext attack in order to better establish the attacking group’s identity when trying to get the delivery sent to the desired location “Round the Corner.”
Phishing Attack
The phishing attack is a method of social engineering that primarily involves obtaining private information of individuals or companies online. The attacking conducting the phishing attack will send an email that appears to be from someone legitimate, a credit card company, bank, etc, that request validation of information from the end-user. To entice the person being attacked to provide the information, the phishing email will typically threaten some extreme consequence if the person does not respond to the request for information. Successful phishing attacks have targeted everything from social security numbers, to addresses, to one’s ATM pin number.
In the more modern variant of these attacks, rogues have gone as far as to create fake-looking websites of the purported company requiring the private information to be validated.
Phone Phishing Attack
Another form of social engineering is phone phishing, or vishing. This type of attack uses an IVR (interactive voice response) system to recreate a plausible sounding recording of a bank or other financial institution’s IVR. The victim will be prompted to call in to the system via a phishing email that lists a supposedly legitimate toll free phone number in order to verify their information. Most fake systems will reject the end-user’s log-in continually. This will ensure the PIN or password is entered a number of times which helps the attacker obtain a number of different passwords form the victim that can be used on other systems. The more advanced phone phishing attacks will even transfer the victim(s) to a fake customer service branch in order to obtain additional information.
Baiting Attack
The social engineering baiting attack is basically a real-world Trojan Horse. This attack makes use of physical media and the curiosity of the victim to work. The attacker will leave an infected USB drive, CD, or DVD somewhere that it will be found (parking lot, sidewalk, bathroom, library, etc), and will put a legitimate label on the media. The attacker then waits for the victim(s) to use the media. Once used, the media will have some type of computer malware or spyware that will install itself on the targeted machine with the goal of either stealing personal information or to do harm to the victim’s computer. In more advanced attacks, the attacker may put a fake company label for the intended victim relying on the “good Samaritan” to return the media to the real company to be used.
Quid Pro Quo Attack
In the Quid Pro Quo attack, the attacker will offer something in exchange for something else. In this case, the attacker will call random numbers at the targeted company or organization claiming to be from technical support or other alternative support organization. At some point, the attacker will find an employee with a legitimate issue and thankful that someone is calling to help them out. The person conducting the attack will assist the victim in solving the problem and along the way will have the individual enter commands which will launch computer spyware/malware or provide access to the attacker. Although this attack has been in existence for a number of years, office employees remain susceptible to the attack.
Tailgating Attack
In a tailgating attack, the attacker will try to obtain entry into a highly restricted area that is secured by RFID card entry or an unattended electronic access control system. The attacker will normally just try to walk in behind another person who hold legitimate access to the facility. In many cases, the legitimate user will even hold open the door for the person attempting to gain entry to the facility failing to ask for identification. If dressed appropriately for the organization, they may even accept a story that the attacker has lost their security badge, or may present a fake one that has “stopped” working.
Countering Social Engineering
Due to the amount of damage that a well-planned out social engineering attack can cause a business or organization, there are a number of “best practices” employed by companies today to keep IT and other resources safe. Some of these measures include:
- Establishing a framework of trust on a personnel or employee-level. This includes regularly training personnel on when, why, where, and how potentially sensitive information should be handled and / or shared.
- Conducting unannounced tests of the organization’s security framework to test the education and measures implemented within the security framework.
- Changing to a waste management company that uses dumpsters with locks that have restricted access. The dumpster should be located within view of normal security staff in order to detect any unauthorized attempts at entry to obtain paperwork with sensitive information.
- Establishing and enforcing security protocols, procedures, and policies for handling sensitive information at the business. As part of this process, training employees on what actually is defined as sensitive information as well as prudent security measures to prevent or mitigate social engineering attacks.
Famous Examples of Social Engineering
Kevin Mitnick
Kevin Mitnick is one of the most famous American hackers who became famous through his use of social engineering to gain access to a variety of computing, phone, and other systems. Reportedly, at the age of 12, he used social engineering to bypass the punch card system in use on the L.A. bus system. Once he found out where he could buy his own ticket punch, he was able to ride any bus in the Los Angeles area by using unused transfer slips that he found in the trash. This early lesson in social engineering would provide the foundation that Mitnick would use to gain access to computing systems.
In 1979, at 16, Mitnick was able to use a phone number for the Digital Equipment Corporation (DEC) to help him gain access to the DEC network and copy their software. In 1988, he would be sentenced to a year in prison followed by three years of supervised release for this crime.
Towards the end of his supervised release period, Mitnick would hack into various Pacific Bell voice mail computers and would be a fugitive for more than two and a half years before he was finally arrested in in Raleigh, North Carolina on February 15th, 1995. Today, Mitnick is a reformed social engineer who uses his skills to help companies guard against all manner of security vulnerabilities.
Badir Brothers
The Badir brothers, Ramy and Shadde, were able to setup an elaborate phone and computer fraud scheme in Israel during the 1990s for more than six years. Depsite each brother being blind from birth, they were able to leverage social engineering and voice impersonations to defraud companies to profit. All this, while using Braille-display computers!
Archangel, The White Hat Hacker
Archangel, also known as the “White Hack Hacker” was made famous by demonstrating social engineering techniques to gain advantages throughout the spectrum of businesses to include people’s passwords and even free pizza! Working as both a security consultant and writer for Phrack Magazine, he has been rumored to have taken part in a number of high visibility hacks throughout the 1980s and 1990s.
Steve Stasiukonis
Steve Stasiukonis is inventor of the USB thumb drive test to see if USB sticks containing exploits would b run by employees at work. The social engineered attack has become one of the most popular techniques used today.
JB Snyder
JB Snyder is one of the leading experts in banking cybersecurity in the world. Working as a principal consultant for Bancsec, Inc., he is credited with developing and testing one of the most efficient social engineering attacks in history at more than 50 banks. In his attack vector, Snyder primarily relied on email to allow a social engineer to make unauthorized and unauthenticated large cash withdrawals from the targeted banks. His technique enjoyed the advantages of a low probability of detection. Another successful social engineering test developed by Snyder included a combination of telephone and email pretexting to get people to wire transfer funds.
Shane MacDougall
Shane MacDougall has won the DEFCON Social Engineering Capture the Flag Contest three times. He is also the only contestant to get a perfect score at the time of this writing. During DEFCON 18, he was able to successfully social engineer the Ford Information Security Group. During DEFCON 19, he won the contest by convincing Oracle that they had been awarded an air traffic control contract with the United Nations. At DEFCON 20, he won the contest again by convincing a WalMart employee that the Canadian Army was sending a division to the store.
Mike Ridpath
Mike Ridpath is a security consultant for IOActive, and is a published author and speaker. He emphasizes various techniques for conducting social engineering cold calling. He become more well-known after talks where he would play back phone calls that he would stop to explain his thought process while attempting to obtain passwords over the phone.
|
|
Email spoofing occurs when an email is sent from one person or program that makes it appear as though it is legitimately from another. For example, user1@youremail.com creates an email, but when it is sent the “From” field has another person/organization’s email address such as fake@somecompany.com. When the person who receives the email clicks the “reply” button their email client will queue a response to the fake email address. Although email spoofing has been around for a long time, spammers commonly use it in phishing attacks to trick users into thinking they have received email from a trusted or known [...]
Shoulder surfing is a security attack that is implemented by observing a victim as he/she enters a PIN, fills out a form, or performs another activity that exposes their confidential information. A shoulder surfer may observe a victim by looking over their shoulder, taking pictures, or using binoculars from a distance. For example, credit card fraud is usually started by taking a picture of a victim’s credit/debit card as he/she is standing in line at a store and then using the numbers on the card to make purchases over the phone and on the Internet. How Shoulder Surfing Works [...]
What Are Social Networking Sites?
There are dozens of different social network sites on the Internet. Each one provides a different experience for the user and has a different purpose. A social network is a way for people to network with different people on the Internet. By creating a profile, a user can connect with people that might have a common interest or a common career. It makes communication between people so much easier. While there are so many, the three top ones that show the most promise are Facebook, Twitter and LinkedIn. Facebook Facebook is the absolute biggest social network on the Internet with [...]
Denial of Service (DoS) Attacks
A Denial of Service (DoS) attack is one that attempts to prevent the victim from being able to use all or part of his/her network connection. A denial of service attack may target a user to prevent him/her from making outgoing connections on the network. It may also target an entire organization to either prevent outgoing traffic or to prevent incoming traffic to certain network services, such as the organizations web page. Denial of service attacks are much easier to accomplish than remotely gaining administrative access to a target system. Because of this, denial of service attacks have become very [...]