Social engineering explained: how criminals exploit human behaviour
Train yourself to spot the signs
26 September 2019 |
Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data.
For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
Famous hacker Kevin Mitnick helped popularise the term ‘social engineering’ in the 90s, although the idea and many of the techniques have been around as long as there have been scam artists.
Even if you have got all the bells and whistles when it comes to securing your data centre, your cloud deployments, your building’s physical security, and you have invested in defensive technologies, have the right security policies and processes in place and measure their effectiveness and continuously improve, still a crafty social engineer can weasel his way right through (or around).
Social engineering techniques
Social engineering has proven to be a very successful way for a criminal to ‘get inside’ your organisation. Once a social engineer has a trusted employee’s password, he can simply log in and snoop around for sensitive data. With an access card or code in order to physically get inside a facility, the criminal can access data, steal assets or even harm people.
In the article Anatomy of a Hack a penetration tester walks through how he used current events, public information available on social network sites, and a $4 Cisco shirt he purchased at a thrift store to prepare for his illegal entry. The shirt helped him convince building reception and other employees that he was a Cisco employee on a technical support visit. Once inside, he was able to give his other team members illegal entry as well. He also managed to drop several malware-laden USBs and hack into the company’s network, all within sight of other employees.
You do not need to go thrift store shopping to pull off a social engineering attack, though. They work just as well over e-mail, the phone, or social media. What all the attacks have in common is that they use human nature to their advantage, preying on our greed, fear, curiosity, and even our desire to help others.
Criminals will often take weeks and months getting to know a place before even coming in the door or making a phone call. Their preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook.
1. On the phone
A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor).
2. In the office
“Can you hold the door for me? I don’t have my key/access card on me.” How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.
Social networking sites have made social engineering attacks easier to conduct. Today’s attackers can go to sites like LinkedIn and find all the users that work at a company and gather plenty of detailed information that can be used to further an attack.
Social engineers also take advantage of breaking news events, holidays, pop culture, and other devices to lure victims. In the article, ‘Woman loses $1,825 to mystery shopping scam posing as BestMark, Inc.’ you can see how criminals leveraged the name of a known mystery shopping company to conduct their scam. Scammers often use fake charities to further their criminal goals around the holidays.
Attackers will also customise phishing attacks to target known interests (e.g., favourite artists, actors, music, politics, philanthropies) that can be leveraged to entice users to click on malware-laced attachments.
Famous social engineering attacks
A good way to get a sense of what social engineering tactics you should look out for is to know about what has been used in the past. We have got all the details in an extensive article on the subject, but for the moment lets focus on three social engineering techniques – independent of technological platforms – that have been successful for scammers in a big way.
Offer something sweet
As any con artist will tell you, the easiest way to scam a mark is to exploit their own greed. This is the foundation of the classic Nigerian 419 scam, in which the scammer tries to convince the victim to help get supposedly ill-gotten cash out of their own country into a safe bank, offering a portion of the funds in exchange. These ‘Nigerian prince’ e-mails have been a running joke for decades, but they are still an effective social engineering technique that people fall for: in 2007 the treasurer of a sparsely populated Michigan county gave $1.2 million (€1.1 million) in public funds to such a scammer in the hopes of personally cashing in.
Another common lure is the prospect of a new, better job, which apparently is something far too many of us want. In a hugely embarrassing 2011 breach, the security company RSA was compromised when at least two low-level employees opened a malware file attached to a phishing e-mail with the file name “2011 recruitment plan.xls.”
Fake it till you make it
One of the simplest – and surprisingly most successful – social engineering techniques is to simply pretend to be your victim. In one of Kevin Mitnick’s legendary early scams, he got access to Digital Equipment Corporation’s OS development servers simply by calling the company, claiming to be one of their lead developers, and saying he was having trouble logging in; he was immediately rewarded with a new login and password.
This all happened in 1979, and you would think things have improved since then, but you would be wrong: in 2016, a hacker got control of a US Department of Justice e-mail address and used it to impersonate an employee, coaxing a help desk into handing over an access token for the DoJ intranet by saying it was his first week on the job and he did not know how anything worked.
Many organisations do have barriers meant to prevent these kinds of brazen impersonations, but they can often be circumvented easily. When Hewlett-Packard hired private investigators to find out which HP board members were leaking info to the press in 2005, they were able to supply the PIs with the last four digits of their targets’ social security number – which AT&T’s tech support accepted as proof of ID before handing over detailed call logs.
Act like you’re in charge
Most of us are primed to respect authority – or, as it turns out, to respect people who act like they have the authority to do what they are doing. You can exploit varying degrees of knowledge of a company’s internal processes to convince people that you have the right to be places or see things that you should not, or that a communication coming from you is really coming from someone they respect. For instance, in 2015 finance employees at Ubiquiti Networks wired millions of dollars in company money to scam artists who were impersonating company executives, probably using a lookalike URL in their email address.
On the lower tech side, investigators working for British tabloids in the late 00s and early 10s often found ways to get access to victims’ voicemail accounts by pretending to be other employees of the phone company via sheer bluffing; for instance, one private investigator convinced Vodafone to reset actress Sienna Miller’s voicemail PIN by calling and claiming to be “John from credit control”.
Sometimes people comply with external authorities demands without giving it much thought. Hillary Clinton’s campaign manager during her failed presidential run, John Podesta, had his e-mail hacked by Russian spies in 2016 when they sent him a phishing e-mail disguised as a note from Google asking him to reset his password. By taking action that he thought would secure his account, he gave his login credentials away.
Social engineering prevention
Security awareness training is the number one way to prevent social engineering. Employees should be aware that social engineering exists and be familiar with the most commonly used tactics.
Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws. Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is who they say they are.
But it is not just the average employee who needs to be aware of social engineering. Senior leadership and executives are primary enterprise targets.
CSO contributor Dan Lohrmann offers the following advice for defending against social engineering:
1. Train and train again when it comes to security awareness
Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyberthreats. Remember, this is not just about clicking on links.
2. Provide a detailed briefing ‘roadshow’ on the latest online fraud techniques to key staff
Yes, include senior executives, but do not forget anyone who has authority to make wire transfers or other financial transactions. Remember that many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action – usually bypassing normal procedures and/or controls.
3. Review existing processes, procedures and separation of duties for financial transfers and other important transactions
Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk reviews may need to be reanalysed given the increased threats.
4. Consider new policies related to out of band transactions or urgent executive requests.
An e-mail from the CEO’s Gmail account should automatically raise a red flag to staff, but they need to understand the latest techniques being deployed by the dark side. You need authorised emergency procedures that are well-understood by all.
5. Review, refine and test your incident management and phishing reporting systems.
Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.
Social engineering toolkit
Several vendors offer tools or services to help conduct social engineering exercises, and/or to build employee awareness via means such as posters and newsletters.
Also worth checking out is social-engineer.org’s Social Engineering Toolkit, which is a free download. The toolkit helps automate penetration testing via social engineering, including spear phishing attacks, creation of legitimate-looking websites, USB drive-based attacks, and more.
Another good resource is The Social Engineering Framework.
Currently, the best defence against social engineering attacks is user education and layers of technological defences to better detect and respond to attacks. Detection of key words in e-mails or phone calls can be used to weed out potential attacks, but even those technologies will probably be ineffective in stopping skilled social engineers.
IDG News Service