Social engineering is a method of influencing individuals with the ultimate goal of obtaining sensitive information such as a computer password, banking information, or other private data. Also known as “social manipulation,” the practice has a person survey the environment of the potential victim(s) and then use a plausible but fake identity to extract secret or restricted information from the targeted individual(s). In many of the documented cases from the past several decades, social engineering has been used to gain access to third-party computing systems in order to acquire or spy on sensitive information.
What is Social Engineering?
Social engineering has come to mean the art of manipulating other people into divulging confidential information or performing actions they are not authorized to take. Although the term started as a description of psychological manipulation in the social sciences, its usage has become more common in computer and information security circles over the past several decades. Social engineering differs from a long-term con in that it usually represents a single step in a more complex fraud or con scheme.
Social Engineering Techniques
Every known social engineering technique exploits a specific cognitive bias or weakness in human decision-making. These biases can be exploited in a variety of ways to obtain the desired information or behavior from the person being targeted.
Pretexting Attack
In the pretexting attack, the social engineer creates an invented scenario, the pretext, to start a conversation with the target in a way that increases the odds the victim will provide information or perform actions the attacker wants. Known as blagging or bohoing in the United Kingdom, this elaborate lie requires a fair amount of setup or research, and the attacker uses the gathered information to appear more believable. The technique has been used to trick businesses into handing over private customer information, and by private investigators to obtain banking, utility, and phone records from customer service representatives. Once the pretext has yielded some information, that information can be used to further establish the attacker as legitimate, for example to make changes to a bank account. In many cases, all the attacker has needed to establish legitimacy is a firm voice, looking the part, and quick answers when questioned.
Diversion Theft Attack
The diversion theft attack originated in London’s East End and is also known as the “Round the Corner Game” or simply the “Corner Game.” This attack is normally carried out by a professional group against a courier or transport company. The primary objective is to persuade the individuals responsible for a delivery to make it at an alternative location. The attack is often combined with pretexting to better establish the attacking group’s identity when trying to get the delivery redirected “round the corner.”
Phishing Attack
The phishing attack is a method of social engineering that primarily involves obtaining private information from individuals or companies online. The attacker sends an email that appears to come from a legitimate party, such as a credit card company or bank, requesting that the end-user validate some piece of information. To push the target into providing the information, the phishing email typically threatens some extreme consequence (account closure, for example) if the person does not respond. Successful phishing attacks have harvested everything from social security numbers and addresses to ATM PINs.
In the more modern variant of these attacks, criminals have gone as far as to create look-alike websites for the purported company where the private information is to be “validated”; the domain name is typically chosen to resemble the real one closely enough that a hurried reader does not notice the difference.
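As an added example (not part of the original article), the following Python script shows the kind of check a mail gateway or a user-awareness tool can run on the links in a suspicious email: it decodes punycode hostnames, folds common homoglyphs and typosquats, and distinguishes a genuine subdomain of a brand from a brand name smuggled into the subdomain of an attacker-controlled domain. The trusted-domain list, confusable table, suffix set and sample URLs are all constructed for illustration and are assumptions of the example, not data from the article.

```python
"""Look-alike domain check for links found in phishing emails.

Added example: classifies a URL's hostname against a constructed list of
trusted domains as the real site, a look-alike, or unrelated. The brand
list, confusable table, suffix set and sample URLs are all constructed.
"""
import unicodedata
from urllib.parse import urlparse

# Constructed: domains the organization's staff legitimately deal with.
TRUSTED_DOMAINS = ["examplebank.com", "paypal.com", "microsoft.com"]

# Constructed: a small table of visual substitutions seen in look-alike
# registrations (letter pairs, digit swaps and Cyrillic homoglyphs).
# Multi-character keys come first so they are folded before single characters.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

# Constructed and deliberately incomplete: a real filter would consult the
# Public Suffix List instead of this handful of two-part suffixes.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def hostname(url: str) -> str:
    """Extract the hostname and decode punycode (xn--) labels to Unicode."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or malformed punycode: analyse the raw host
    return host


def normalize_label(label: str) -> str:
    """Fold a host label to the Latin letters a reader would perceive."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for lookalike, plain in CONFUSABLES.items():
        label = label.replace(lookalike, plain)
    return label.replace("-", "")


def registrable_domain(host: str) -> str:
    """Return the part of the host that was actually registered (sld + suffix)."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(labels[-n:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> dict:
    """Classify a URL as 'trusted', 'lookalike' or 'unrelated'."""
    host = hostname(url)
    reg = registrable_domain(host)
    labels = host.split(".")
    sub_labels = [normalize_label(part) for part in labels[: len(labels) - reg.count(".") - 1]]
    reg_sld = normalize_label(reg.split(".")[0])

    # 1. The real site, or a genuine subdomain of it.
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return {"host": host, "verdict": "trusted", "target": trusted,
                    "reason": "exact match or genuine subdomain"}

    # 2. Look-alikes: brand in the subdomain part, homoglyph/hyphen folding,
    #    brand embedded in another name, or a near-miss spelling.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        threshold = 1 if len(brand) <= 6 else 2
        if any(brand in lbl for lbl in sub_labels):
            reason = "brand used as a subdomain of a different registrable domain"
        elif reg_sld == brand:
            reason = "registrable domain equals the brand after homoglyph/hyphen folding"
        elif brand in reg_sld:
            reason = "brand embedded in an unrelated registrable domain"
        elif edit_distance(reg_sld, brand) <= threshold:
            reason = "registrable domain within edit distance %d of the brand" % threshold
        else:
            continue
        return {"host": host, "verdict": "lookalike", "target": trusted, "reason": reason}

    return {"host": host, "verdict": "unrelated", "target": None,
            "reason": "no resemblance to a trusted domain"}


if __name__ == "__main__":
    # Constructed sample links of the kind found in phishing emails.
    for sample in [
        "https://www.paypal.com/signin",
        "https://paypal.com.account-verify.net/login",
        "http://paypa1.com/update",
        "https://rnicrosoft.com/security-alert",
        "https://xn--pypal-4ve.com/",
        "https://paypai.com",
        "https://example.org",
    ]:
        r = classify(sample)
        print(f"{r['verdict']:9s} {r['host']:35s} {r['reason']}")
```

Run the script directly to see the verdict and reason for each sample. The folding is intentionally aggressive (it turns every “rn” into “m”, for instance), so a look-alike verdict is a reason to quarantine the message for review rather than proof of phishing; legitimate hosted services do sometimes put a brand name in a subdomain. A production filter would also replace the suffix set with the full Public Suffix List and the confusable table with the Unicode confusables data.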
Phone Phishing Attack
Another form of social engineering is phone phishing, or vishing. This type of attack uses an IVR (interactive voice response) system to recreate a plausible-sounding copy of a bank or other financial institution’s IVR. The victim is prompted to call in to the system by a phishing email that lists a supposedly legitimate toll-free phone number to “verify” their information. Most fake systems reject the end-user’s log-in repeatedly, so that the PIN or password is entered several times; this lets the attacker collect several different passwords from the victim that may be reused on other systems. More advanced phone phishing attacks will even transfer the victim(s) to a fake customer service representative in order to obtain additional information.
Baiting Attack
The social engineering baiting attack is essentially a real-world Trojan horse. It relies on physical media and the curiosity of the victim. The attacker leaves an infected USB drive, CD, or DVD somewhere it will be found (a parking lot, sidewalk, bathroom, library, etc.), with a legitimate-looking label on the media, and then waits for a victim to use it. Once inserted, the media carries malware or spyware that installs itself on the targeted machine with the goal of stealing personal information or damaging the victim’s computer. In more advanced attacks, the attacker labels the media with the intended victim’s own company name, relying on a “good Samaritan” to return it to the company, where it gets used.
Quid Pro Quo Attack
In the quid pro quo attack, the attacker offers something in exchange for something else. Typically, the attacker calls random numbers at the targeted company or organization claiming to be from technical support or a similar support organization. Eventually the attacker finds an employee with a genuine problem who is grateful that someone is calling to help. The attacker assists the victim in solving the problem and, along the way, has the individual enter commands that launch spyware or malware or otherwise give the attacker access. Although this attack has existed for a number of years, office employees remain susceptible to it.
Tailgating Attack
In a tailgating attack, the attacker tries to gain entry to a restricted area secured by RFID card entry or another unattended electronic access control system. The attacker normally just walks in behind a person who holds legitimate access to the facility. In many cases the legitimate user will even hold the door open for the attacker without asking for identification. If dressed appropriately for the organization, the attacker may also be believed when claiming to have lost their security badge, or may present a fake one that has “stopped working.”
Countering Social Engineering
Because of the amount of damage a well-planned social engineering attack can cause a business or organization, a number of “best practices” are employed by companies today to keep IT and other resources safe. Some of these measures include:
- Establishing a framework of trust at the personnel or employee level, which includes regularly training personnel on when, why, where, and how potentially sensitive information should be handled and/or shared.
- Conducting unannounced tests of the organization’s security framework to check the training and the measures implemented within it.
- Using a waste management company that provides dumpsters with locks and restricted access. The dumpster should be located within view of normal security staff so that unauthorized attempts to retrieve paperwork containing sensitive information are detected.
- Establishing and enforcing security protocols, procedures, and policies for handling sensitive information at the business, including training employees on what is actually defined as sensitive information and on prudent security measures to prevent or mitigate social engineering attacks.
Famous Examples of Social Engineering
Kevin Mitnick is one of the most famous American hackers, known for his use of social engineering to gain access to a variety of computing, phone, and other systems. Reportedly, at the age of 12, he used social engineering to bypass the punch card system used on the Los Angeles bus system: once he found out where he could buy his own ticket punch, he was able to ride any bus in the Los Angeles area using unused transfer slips he found in the trash. This early lesson in social engineering provided the foundation Mitnick would later use to gain access to computing systems.
In 1979, at 16, Mitnick used a phone number for the Digital Equipment Corporation (DEC) to help him gain access to the DEC network and copy their software. In 1988, he was sentenced to a year in prison followed by three years of supervised release for this crime.
Towards the end of his supervised release period, Mitnick hacked into various Pacific Bell voice mail computers and was a fugitive for more than two and a half years before finally being arrested in Raleigh, North Carolina on February 15, 1995. Today, Mitnick is a reformed social engineer who uses his skills to help companies guard against all manner of security vulnerabilities.
The Badir brothers, Ramy and Shadde, set up an elaborate phone and computer fraud scheme in Israel that ran for more than six years during the 1990s. Despite each brother being blind from birth, they were able to leverage social engineering and voice impersonation to defraud companies for profit, all while using Braille-display computers.
Archangel, The White Hat Hacker
Archangel, also known as the “White Hat Hacker,” became known for demonstrating social engineering techniques to gain advantages across the spectrum of businesses, from people’s passwords to free pizza. Working as both a security consultant and a writer for Phrack Magazine, he is rumored to have taken part in a number of high-visibility hacks throughout the 1980s and 1990s.
Steve Stasiukonis is the inventor of the USB thumb drive test, which checks whether USB sticks containing exploits would be run by employees at work. This socially engineered attack has become one of the most popular techniques used today.
JB Snyder is one of the leading experts in banking cybersecurity in the world. Working as a principal consultant for Bancsec, Inc., he is credited with developing and testing one of the most effective social engineering attacks in history at more than 50 banks. In his attack, Snyder relied primarily on email to allow a social engineer to make unauthorized and unauthenticated large cash withdrawals from the targeted banks, with a low probability of detection. Another successful social engineering test developed by Snyder combined telephone and email pretexting to get people to wire funds.
Shane MacDougall has won the DEFCON Social Engineering Capture the Flag Contest three times. He is also the only contestant to get a perfect score at the time of this writing. During DEFCON 18, he was able to successfully social engineer the Ford Information Security Group. During DEFCON 19, he won the contest by convincing Oracle that they had been awarded an air traffic control contract with the United Nations. At DEFCON 20, he won the contest again by convincing a WalMart employee that the Canadian Army was sending a division to the store.
Mike Ridpath is a security consultant for IOActive and a published author and speaker. He emphasizes techniques for social engineering cold calling. He became better known after talks in which he played back recorded phone calls, stopping to explain his thought process while attempting to obtain passwords over the phone.