• What is social engineering?

    Social engineering (SE) is the art of persuading someone to give you the data you want, or to let you take the data or equipment you want. Once mastered, SE can be used against a system regardless of the platform or the quality of the hardware and software in place, because it targets the people who operate the system rather than the technology.

    Social engineering is usually easier and less risky than other forms of attack, and unfortunately it is often successful.

    Social engineers attempt to gather sensitive information, authorisation details and access details.

    SE comes in different forms, but all are based on the principle of disguising oneself as someone who needs or deserves the information. The two principal forms of social engineering are:

    Human-based.
    Computer-based.

    Human-based SE functions at a personal level and preys on qualities of human nature such as the desire to be helpful, the tendency to trust and the fear of getting into trouble. This can be done by pretending to be a fellow employee, senior manager or even a new employee needing help.

    Effectively, human-based SE is based on the concept of trust and the belief that it is not good to question authority. Any medium that provides one-to-one communications between people can be exploited; all it takes is a good actor/liar.

    Computer-based SE attacks employ software to retrieve data, but still require input from the victim. They can work through a variety of media, including pop-up windows that prompt the victim for data and e-mails with links or attachments sent to a large number of accounts.

    Social Engineering Techniques

    Social Engineers can exploit human nature using many different techniques:
    Impersonating a valid user: this may gain physical access to a building and, once inside, the attacker can gather information from devices.
    Posing as an important user: intimidating lower-level employees.
    Calling technical support: support staff are trained to help.
    Using a third person: pretending to have permission from an authorised source to use a system.
    Eavesdropping: unauthorised listening to conversations or reading of messages.

    Attack steps

    An attack will have certain identified goals and may be long and drawn out or as short as a single phone call. The steps in the attack will be determined by its goals, though the following structure is typical of a social engineering attack.

    The basic steps of a social engineering attack are:

    1. Research the company – get the lingo and inside knowledge on operational procedures, groups and individuals.
    2. Identify victim or victims possibly by their position(s) in the company (e.g. security guard, secretary, manager).
    3. Develop a relationship with the victim.
    4. Exploit the relationship for knowledge gain.
    5. Utilise the knowledge to move closer to goal.

    These steps are repeated as required.

    Who’s at risk?

    The answer to this question is simple: everyone, and that includes you. All the historical evidence points to it. We are all susceptible to SE to some degree. Even if we are aware of the problem and of the techniques used, there is always a moment when we are vulnerable: we are busy, distracted, acting on routine, and so on.

    Large companies spread over several sites are particularly vulnerable, since an attacker can claim to be from another site, which lends a degree of plausibility (especially if the story is well rehearsed).

    Who are the Social Engineers?

    Potentially anyone could be someone trying to exploit your trust. Typical examples include: ex-employees, competitors, and hackers claiming to be employees, support staff or vendors. Often they prefer to do their work remotely (email and telephone) or through phishing exercises.

    Social Engineers are adept at exploiting human behaviour, particularly by quickly building up trust. They listen closely and are quick to adapt as information and opportunities arise. They are personable and plausible. They keep relationships moving along fast making it difficult for victims to evaluate what is happening.

    They can be very patient slowly building trust, moving contacts between departments collecting small pieces of information (each of which is trivial but the totality of which could be devastating).

  • Types of Social Engineering Attacks

    Phishing

    The word "phishing" comes from the analogy of criminals using e-mail lures to "fish" for passwords and data from users. The practice often involves acquiring data fraudulently over the Internet by masquerading as a trustworthy business. Phishing employs spoofed e-mails to lead users to counterfeit websites designed to obtain data by trickery.

    A phishing scam begins with an attacker sending out fraudulent e-mails that appear to come from trusted web sites, usually with some bait (a security alert, for instance). Believing the e-mails to be legitimate, unsuspecting people respond to the requests for their personal information. The e-mail typically contains a link that appears to point to a legitimate website but actually takes the victim to a spoofed site. Once there, the user unwittingly enters personal data that is transmitted directly to the attacker, enabling the attacker to steal the victim's identity.

    What makes phishing successful is the ease with which seemingly authentic web sites and legit-looking e-mail can be reconstructed. They include official logos and other identifying information taken from legitimate sites. Once at the spoofed site it is difficult for a victim to notice the difference.
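    The link trick described above (display text showing a legitimate site while the href points elsewhere) can be checked mechanically. The following Python script is an added example and is not part of the original notes: it parses the anchors in an HTML mail body and flags the traits this section describes. The sample body, the hostnames (example-bank.com, attacker.test, 192.0.2.10) and the two-label approximation of a registrable domain are all constructed assumptions for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Assumption: no Public Suffix List is
    available offline, so 'bank.co.uk' would be reduced to 'co.uk'; use a
    PSL library in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of_text(text):
    """Hostname if the anchor's visible text itself looks like a URL, else None."""
    s = text.strip()
    if not re.match(r"^(https?://|www\.)", s, re.I):
        return None
    if not s.lower().startswith("http"):
        s = "http://" + s
    return urlparse(s).hostname


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html_body, sender_domain):
    """Return [(href, [reasons])] for each anchor that shows a phishing trait.

    sender_domain is the domain the mail claims to come from (From: header).
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    suspicious = []
    for href, text in parser.anchors:
        link_host = urlparse(href).hostname
        if not link_host:  # mailto:, relative links, fragment anchors
            continue
        reasons = []
        shown_host = host_of_text(text)
        if shown_host and registrable_domain(shown_host) != registrable_domain(link_host):
            reasons.append("display text host does not match link host")
        if _is_ip(link_host):
            reasons.append("link host is a raw IP address")
        if link_host.startswith("xn--") or ".xn--" in link_host:
            reasons.append("punycode (IDN) host, check for homoglyphs")
        if not _is_ip(link_host) and registrable_domain(link_host) != registrable_domain(sender_domain):
            reasons.append("link host is outside the sender's domain")
        if reasons:
            suspicious.append((href, reasons))
    return suspicious


# Constructed sample mail body (not a real message); hostnames are assumptions.
SAMPLE_BODY = """
<p>Dear customer, unusual activity was detected. Please verify now:</p>
<a href="http://example-bank.com.attacker.test/login">https://www.example-bank.com/login</a>
<p>Or use our <a href="http://192.0.2.10/verify">secure portal</a>.</p>
<p><a href="https://www.example-bank.com/unsubscribe">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_BODY, "example-bank.com"):
        print(href, "->", "; ".join(reasons))
```

    Run as a script it prints the two flagged links with their reasons; the genuine unsubscribe link passes. The domain comparison is deliberately simple: a real mail gateway would use the Public Suffix List and follow redirectors, neither of which this example does.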

    Spear Phishing

    Spear Phishing is a targeted form of phishing. The attacker sends a message to a target making it look as if it was sent by a person the target trusts. This could be a member of their family or their boss. Either way spear phishing requires some form of research of the victim.

    Whaling

    Why bother with the small fish? Whaling is simply spear phishing aimed at a high-value target, generally a senior manager, CEO or similar who has access to the information the social engineer wants. The attack is usually slow and methodical and requires the attacker to profile the target in order to strike at the right moment.

    Vishing

    Vishing (voice phishing) is phishing conducted over the telephone, typically using VoIP, which makes mass calling cheap and caller ID easy to spoof. Criminals use it to harvest personal details from victims; credit card details in particular are often targeted. Like most other social engineering exploits, vishing relies on hijacking a familiar procedure that sits within the victim's comfort zone.

    Here is an example of vishing:
    A criminal configures a war dialler to call phone numbers in a given region.
    The victim answers the call and an automated recording is played, warning that their credit card has seen fraudulent activity or that their bank account has had unusual activity. The message instructs the victim to call a given phone number immediately. The same number is often shown in the spoofed caller ID, along with the name of the financial company the criminal is pretending to represent.
    When the victim calls the number, it is answered by automated instructions to enter their credit card number or bank account number on the keypad.

    Reverse SE

    Whereas SE relies on attackers identifying and approaching potential victims, reverse SE involves attackers creating an assumed air of authority or knowledge such that potential victims will actually approach them.

    Reverse SE is a distinctive form of social engineering that sidesteps the main difficulty of a normal attack: gaining trust. In reverse social engineering the victim unwittingly goes to the attacker.

    It requires the social engineer to sabotage some equipment either locally or remotely, and then advertise themselves as being the person that can fix the damage, or pretend to be a support person assigned to make the repair.

    Because the victim initiates the contact and trust is already established, the attacker can extract much more information.

    The typical reverse social engineering attack consists of three major parts: sabotage, advertising and assisting.

    Impersonation

    Impersonation involves any act of pretending to be someone you are not. This could be a manager, a delivery driver, a support technician, etc. Impersonation can be done in person, over the phone or via email, chat, etc.

    Dumpster Diving

    What is going out in the trash? A new edition of the security software has arrived, so the old one goes in the bin. How different is the new manual from the old one you are about to let out of your security perimeter and into the rubbish? What about those out-of-date directories full of names, positions and telephone numbers/extensions? Most of that is still valid!

    Was that shredded document completely shredded, or was the machine switched off before the document had passed all the way through? Perhaps the 'shred' can be put back together.

    What happens to the stuff in the waste paper bin? Who might have access to it – the cleaner?; somebody with out of hours’ access?; a night guard, etc.? Will it end up in a skip out the back of the building? The information that went into the bucket is only protected by the weakest link.

    Exploiting data in this way is called dumpster diving and it is always a potential source of data leakage.

    Shoulder surfing

    Who hasn’t come across someone on a train or bus using their device (mobile phone, laptop, etc.) to do some work? These people may check their e-mail, write some documents or be using some specialised software. Whatever the type of work being done, it can be quite easy in certain situations to have a visual of the person entering their password. This is shoulder surfing. Malicious social engineers could use this technique to their advantage to obtain passwords or other information.

    Tailgating

    The next set of examples concerns gaining physical access to buildings or other locations, and tailgating is a technique for achieving exactly that. The attacker relies on the kindness of someone entering a building to hold the door open for them. It happens very often and is especially effective when combined with impersonation (e.g. pretending to be a delivery driver, or even a disabled person).

  • Basic Principles of Social Engineering

    Authority

    One of the main principles that social engineers count on is submission to authority. By posing as a manager or an important user, attackers often gain what they want by intimidating the victims.

    Intimidation

    Intimidation often works in conjunction with authority, but it can also come simply in the form of a threat, or of making someone feel guilty about something.

    Social Validation

    Conforming to the apparently expected behaviour. People are swayed by the fact that something is being done by everyone: "if everyone does it, why shouldn't I?" An attacker may take advantage of this way of thinking in many situations, such as tailgating or simply putting confidential papers in the "normal" waste bin.

    Scarcity

    Often used by salesmen, scarcity implies that something is limited in supply, and therefore should be acquired now. A very effective SE technique for obtaining user details could be simulating a (fake) web sale of some sort (e.g. last minute holiday).

    Urgency

    “We need to get this done quickly!” How often have you heard this? If the attacker is able to trick the victim into thinking that time is of the essence then it is likely that s/he will obtain the information sought.

    Familiarity/Liking/Trust

    We are more likely to comply with a request if it comes from someone we like or trust, so keep a healthy scepticism towards people you like, especially if you do not know them that well. Con men develop techniques for making themselves instantly likeable and seemingly trustworthy.

    Reciprocity

    People feel obliged to return a favour. The sophisticated social engineer offers something first (help, information, a small gift) so that reciprocating seems natural and beneficial, which helps to gain the victim's trust.

  • Social Engineering examples

    Gaining Physical Access

    Who is that wandering around your premises?

    Crucial equipment should only be accessed by those with authorisation. The person on that secure floor may be a legitimate employee but does s/he have the authority to be in that location (a lot of network attacks are from insiders)?

    The social engineer starts off without authority and will attempt to gain it either by claiming a lost token with a plausible cover story, by using a stolen or fake ID, or by manipulating the system into granting an appropriate authority.

    Hence, there should be a clear procedure for identifying to all security personnel the relevant lost/stolen IDs or other authentication tokens. Authentication should always be properly checked at appropriate check-points. Safeguards should be in place to ensure only valid personnel obtain authorisation (including temporary authority).

    To help security personnel make good judgments there should be procedures in place to deal with lost identification tokens – no exceptions; not even for the ‘suits’.

    What might they do?

    Once a social engineer has physical access to the premises the sky is the limit. They may be in a position to impersonate management; or have access to unsupervised machines (including devices left logged on). They can pick up data storage devices (or leave ‘bad’ ones).

    Who’s on the other end?

    Only a small proportion of business is done face-to-face. We often have to deal with e-mails, telephone calls and remote logins.

    Trust and valuable information can be obtained through social media, allowing the person-on-the-other-end to become plausible. This could represent the first step in a larger exercise.

    Telephone

    A lot of trust is given to people who phone your company and who know how it works and who's who. Even though you might start out sceptical, a caller exhibiting knowledge of and familiarity with the workings of the company can win your trust. Even if they cannot win your trust, they can always try again later.

    A: ‘I am in the … room carrying out an urgent repair and need the logon credentials.’

    V: ‘I’m sorry I can’t give that out’

    A: ‘I understand that’s normal procedure but this is critical the whole system is about to go down. Look, check my credentials my name is Joe Blogs, I work in the ERC (emergency repair centre) my authentication number is xyz [all valid information]. I know it’s out of hours but you can call my manager on mobile: abcdef to confirm.’

    You have no idea who is calling: just because the caller has information identifying a valid member of staff does not mean that the caller is that person. The information may have been obtained through other means and is now being used to leverage a login. The 'validation' call you are encouraged to make is to a mobile number for an off-duty member of staff; do you really know who that is? [It might even be somebody who has phoned you on other pretexts to build 'acquaintance'.] Note that this 'validation' procedure is a common trust exploitation in which both parties rely on a supposedly trusted intermediary that the attacker supplied.

    Suppose you are on your guard and refuse the information; the social engineer tries again later looking for a different victim; the whole defence is only as good as its weakest link.

    Some guidelines:
    Only use recognised telephone numbers for validation (even then be sceptical)
    Have authentication procedures in place for identifying callers requesting confidential information.
    Make any checking calls independent of the person you are checking (don’t use their recommendation!)
    Make questionable requests known to other staff that might have to deal with a similar call.

    Who’s contacting you?

    The source address of an IP packet can be spoofed, and the true origin can be hidden by relaying through other hosts. Think of an IP address as a telephone number or licence plate: it identifies the phone or the car, not the person using it.

    That supplied email address, who does it actually belong to?

    Where are you sending the data? Even faxed data that is sent to the front desk for pick up – where is it going? Mailed data – who has access to the mail room?
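    The question of who a supplied e-mail address actually belongs to can be answered in part from the message headers. The following Python script is an added example (not from the original notes or any of the referenced sources): it compares the visible From: domain with the envelope sender (Return-Path) and Reply-To, and reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header written by your own gateway. The two messages, the domains (example-bank.com, attacker.test) and the gateway name mx.example.com are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def _domain(header_value):
    """Domain of the first address in a header, lower-cased ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Split 'authserv-id; spf=pass ...; dkim=fail ...' into (authserv_id, {method: result})."""
    parts = [p.strip() for p in value.split(";")]
    authserv = parts[0].split()[0].lower() if parts[0] else ""
    results = {}
    for part in parts[1:]:
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", part, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv, results


def triage(raw_message, trusted_authserv):
    """Return short finding tags for a raw RFC 5322 message.

    trusted_authserv is the authserv-id our own gateway writes into
    Authentication-Results. Any other copy of that header is treated as
    attacker-supplied and ignored: headers that arrive from outside can
    say anything they like.
    """
    msg = message_from_string(raw_message)
    findings = []
    from_dom = _domain(msg.get("From"))
    return_path_dom = _domain(msg.get("Return-Path"))
    reply_to_dom = _domain(msg.get("Reply-To"))

    # Envelope sender and reply address should normally match the visible From.
    if return_path_dom and return_path_dom != from_dom:
        findings.append("return-path-domain-mismatch")
    if reply_to_dom and reply_to_dom != from_dom:
        findings.append("reply-to-domain-mismatch")

    trusted = [
        results
        for authserv, results in map(parse_auth_results, msg.get_all("Authentication-Results") or [])
        if authserv == trusted_authserv.lower()
    ]
    if not trusted:
        findings.append("no-trusted-authentication-results")
    else:
        # SPF only vouches for the envelope sender (Return-Path), so spf=pass
        # on an attacker-controlled bounce domain proves nothing about From:.
        # DKIM and DMARC are what tie the message to the From: domain.
        for method in ("dkim", "dmarc"):
            verdict = trusted[0].get(method, "none")
            if verdict != "pass":
                findings.append(f"{method}={verdict}")
    return findings


# Constructed messages (not real traffic); all domains are assumptions.
PHISH = """\
Return-Path: <bounce@attacker.test>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=attacker.test; dkim=none; dmarc=fail header.from=example-bank.com
From: "Example Bank Support" <support@example-bank.com>
Reply-To: <helpdesk@attacker.test>
To: <victim@example.com>
Subject: Urgent: confirm your login details

Your account will be suspended unless you reply with your credentials.
"""

LEGIT = """\
Return-Path: <support@example-bank.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass header.from=example-bank.com
From: "Example Bank Support" <support@example-bank.com>
To: <victim@example.com>
Subject: Your monthly statement

Your statement is available in online banking.
"""

if __name__ == "__main__":
    print("phish:", triage(PHISH, "mx.example.com"))
    print("legit:", triage(LEGIT, "mx.example.com"))
```

    The trusted-authserv check matters: an Authentication-Results header that arrives from outside can be forged, so only the copy stamped by your own MTA (which should strip incoming copies) is worth reading. Note also that spf=pass in the phishing sample is genuine: SPF covers the envelope sender attacker.test, which says nothing about the From: line the victim sees; it is the dkim=none and dmarc=fail verdicts, together with the mismatched Return-Path and Reply-To, that give the message away.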

    Gaining Network Access

    There are many illegitimate ways to do this.

    Just Ask

    It seems incredible but just asking has often been an effective method for gaining access to resources. What has the asker got to lose? Probably the worst that will happen is that s/he will be told NO. If the asker is plausible with good insider knowledge allowing them to pass as genuine then asking might be enough to do the trick.

    'I was so successful in that line of attack [social engineering] that I rarely had to resort to a technical attack. Companies can spend millions of dollars toward technological protections and that's wasted if someone can basically call someone on the telephone and either convince them to do something on the computer that lowers the company's defences or reveals the information they are seeking.' (Mitnick, to Congress, 2000)

    Exploit Human Behaviour

    That pen drive dropped in the lobby – I’ll just check to see who it belongs to so that I can return it –what have I just downloaded onto my machine?

    A program that will not close until a particular button is clicked (never happened before!). Pressing a ‘button’ on the screen activates some activity inside the PC. There is no requirement that the activity and the button title are related: Clicking that button could be running anything (wiping your hard drive, downloading malware, uploading secrets etc.)

    A new web site looks very attractive and requires you to set up an account with a username and password. How often have you used that password before? Many people reuse the same password across sites; have you just given away the password to a 'secure' location? This happens, and it can dupe people who were sure they were security conscious. Never reuse an important password: use it on one site only.

  • Defending against Social Engineering

    How can you defend against social engineering? Unfortunately there is no absolute answer to this question; SE can only be mitigated by combining a series of measures. In this section we explain several measures that help to mitigate the problem.

    Defence

    As always, the strength of a defence is its weakest link, and when it comes to security the weakest link is often the employee. There are many examples of attackers gaining information or network access through a series of small victories against several individuals. Each individual gives out some 'minimally' risky piece of information, unaware of its significance in a larger security context (it could be as small as the name of the person to contact outside normal working hours when there is a problem with a particular system).

    Employees need to understand that the small piece of apparently trivial information they hand out may well be used as part of a larger attack on their company.

  • The Security Policy

    The best help a company can give an employee is a set of procedures that tell them how to handle ‘difficult’ situations. These can be embodied in a security policy (or the policy makes clear where the required information is to be found).

    We have already discussed security policies in previous classes and this will not be covered again here. However, a security policy should take into account social engineering and in particular it should address:
    Data classification and handling.
    Access control – physical and electronic.
    Incident response.
    Security awareness training.

  • Training

    An effective training programme should be part of the security policy and should provide methods to increase awareness of social engineering.

    Consider what Bruce Schneier wrote in his book Beyond Fear:

    Social engineering will probably always work, because so many people are by nature helpful and so many corporate employees are naturally cheerful and accommodating. Attacks are rare, and most people asking for information or help are legitimate. By appealing to the victim’s natural tendencies, the attacker will usually be able to cozen what she wants.

    If we look at it from the victims’ perspective:

    S/he might be in some lower rank job and may know to look out for attacks but s/he really doesn’t understand the system or have that much idea about sophisticated attacks. Being a team player s/he wants to help and wants to see that the company gets the job done. Do you think s/he is really going to stand in the way of plausible well-researched requests, especially when they appear to come from someone in the company who really needs help to get ‘the job’ done? Can s/he stand up to ‘senior managers’ demanding some information or else! The answer is probably NO.

    The best way to minimise the risk for such an employee is to ensure that there are robust procedures in place for dealing with ‘unusual’ requests and that the employee is clearly trained in using them as well as understanding the importance of following them.

    Employees should have the reassurance of knowing that if they follow the procedures they will not face any form of comeback.

  • Things to look out for

    People

    It’s a fact of life that unusual requests will occur – it might be valid but requires caution. If someone calls with an unusual (suspicious) request but refuses (by some excuse) to give a number for calling back then they are not to be trusted.

    Watch out for someone claiming authority. Anyone can do this – not only over the telephone, but in person. [How many movies show an infiltrator turning up at a secure base with faked rank – good guards are trained to deal with this. For the period of the check they should have temporary authority]

    Claims of urgency – if it’s that urgent it needs to be dealt with higher up.

    The caller uses threats to enforce compliance. These threats could be against the victim (demotion/loss of job) or against the firm’s effective operation.

    The caller seems uncomfortable when questioned (or avoids tricky questions with glib answers). A social engineer who has done their research will be prepared for this, but they only need to slip once to create a warning signal.

    The caller ‘claims’ familiarity with important members of the organisation – we can all do that. If the attacker is well researched he will know details about the dropped names making the claim plausible.

    Beware individuals you haven't known for long who are interested in information about the operation of the organisation, or who use you to make further friends (potential future victims).

    Documents that have headers that look dodgy. This can be almost impossible to spot but if something looks slightly wrong it should set off alarms. Just because a document looks authentic doesn’t mean that it is.

    Beware of the caller, visitor who appears overly friendly, boastful, threatening. Or those who flatter, are familiar or flirtatious. Whether we like it or not, many of us have susceptibility to these traits. A good social engineer will soon suss out your weaknesses.

    Beware people who know things that they shouldn’t know; e.g. specialist terms and lingo or knowledge of company operation. And those that ask strange questions.

    Contract termination

    Either employees or contractors

    Ensure that there are procedures in place for handling sacked employees:
    they may need to be escorted off the premises
    their name may need to be removed from authorisation lists
    collect all their authorisation tokens
    ensure guards know they are no longer an employee
    any passwords the leaver knew or shared (group accounts, service passwords) must be changed, and 'related' employees should change theirs.

    The same rules can apply to employees that have lost privileges.

    The Trash

    Treat the rubbish with respect: overlooking its potential significance could result in an ‘in’ for an attacker.

    Establish procedures for discarding the trash (include them in the security policy); ensure that confidential documents are cross-cut shredded. Use a separate disposal system for confidential material.

    Confidential information will also be held on storage devices, and this data needs to be erased completely. The software delete option is not enough: deleting a file normally only removes its directory entry and leaves the data on the medium until the blocks are reused.
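    To make the point about software deletion concrete, here is an added Python example (not from the original notes) that overwrites a file's contents in place and flushes the overwrite to the device before unlinking it. The file name and content are constructed for the demonstration; the caveat in the docstring is the important part.

```python
import os
import secrets
import tempfile


def overwrite_file(path, passes=2, chunk=1 << 16):
    """Overwrite every byte of a regular file in place with random data.

    Returns the file size. Assumption: an ordinary file on a filesystem
    that rewrites blocks in place. On SSDs (wear levelling), copy-on-write
    or snapshotting filesystems, and for anything already backed up, the
    old data can survive, so this is no substitute for full-disk
    encryption plus key destruction or a vendor sanitize command.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the overwrite to the device, not just the page cache
    return size


def secure_delete(path, passes=2):
    """Overwrite, then unlink. A plain os.remove() only drops the directory
    entry; the data blocks stay on the medium until they are reused."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def still_contains(path, marker):
    """True if the marker bytes can still be read from the file."""
    with open(path, "rb") as f:
        return marker in f.read()


def demo(marker=b"CONFIDENTIAL: payroll export\n", copies=100):
    """Create a throwaway file, check the marker is readable, overwrite, then delete.

    Returns (readable_before, readable_after_overwrite, exists_after_delete).
    """
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker * copies)
    before = still_contains(path, marker)
    overwrite_file(path)
    after = still_contains(path, marker)
    secure_delete(path)
    return before, after, os.path.exists(path)


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

    On a conventional disk this removes the plaintext from the file's own blocks; it does nothing for copies in journals, snapshots, swap or backups, which is why whole-device sanitisation or encryption with key destruction is the reliable option for a device leaving the organisation.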

    Lock up the rubbish, at least the confidential material.

    Other

    What exploitable information are you leaking? What is on your phone's automatic reply or your out-of-office e-mail response?

    Do not discuss confidential information in public places, either with workmates or over the telephone (this is a particularly dangerous leakage point: the caller is often oblivious to their surroundings).

    Make sure you leave unattended terminals logged out.

    Testing

    The staff may well have been through a security awareness course; but how long ago was it? The lessons are soon forgotten. Keep training up-to-date and relevant.

    It does no harm to test the system – get an outside team to do this. A fresh set of ideas on attacks will really test your security policies. Just trying yourself will not get you thinking outside the box.

  • References & Further Reading

    [1] – E. Dulaney, C. Easttom, CompTIA Security+ Study Guide: SY0-401, 6th Edition, Sybex, 2014.

    [2] – B. Schneier, Social Engineering Notes, Schneier on Security, 2007. Available at: 🔗 https://www.schneier.com/blog/archives/2007/04/social_engineer_4.html

    [3] – Get Safe Online, Social Engineering. Available at: 🔗 https://www.getsafeonline.org/protecting-yourself/social-engineering/

    [4] – L. Criddle, What is Social Engineering? Webroot.com. Available at: 🔗 http://www.webroot.com/gb/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering

    [5] – Sarah Granger, Social Engineering Fundamentals, Part I: Hacker Tactics, 2001. Available at: 🔗 http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics

    [6] – Sarah Granger, Social Engineering Fundamentals, Part II: Combat Strategies, 2002. Available at: 🔗 http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-ii-combat-strategies

    [7] – Social Engineering, CSO. Available at: 🔗 http://www.csoonline.com/category/social-engineering

    [8] – S. Ragan, Chinese scammers take Mattel to the bank, Phishing them for $3 million, 2016. Available at: 🔗 http://www.csoonline.com/article/3049392/security/chinese-scammers-take-mattel-to-the-bank-phishing-them-for-3-million.html

    [9] – A. Henry, Why Social Engineering Should Be Your Biggest Security Concern, 2014. Available at: 🔗 http://lifehacker.com/why-social-engineering-should-be-your-biggest-security-1630321227

    [10] – K. Beaver, A Case Study in How Hackers Use Social Engineering. Available at: 🔗 http://www.dummies.com/how-to/content/a-case-study-in-how-hackers-use-social-engineering.html

  • Quiz

    1. Define the two principal forms of social engineering and describe the differences.


    Answer:

    The two principal forms of social engineering are human-based (person-to-person) and computer-based. Human-based social engineering works on a personal level. It works by impersonation—posing as an important user, using a third-party approach, masquerading—and can be attempted in person. Whereas computer-based social engineering uses software to retrieve information. It works by means of pop-up windows, email attachments, and fake websites.


    2. List the behaviours that a social engineer exploits to obtain a positive response from a victim, with an example of each.


    Answer:

    Seven types of behaviours for a positive response to social engineering are as follows:
    Scarcity—Works on the belief that something is in short supply. It’s a common technique of marketers, “buy now; quantities are limited.”
    Authority/Intimidation—Works on the premise of power. As an example, “hi, is this the help desk? I work for the senior VP, and he needs his password reset in a hurry!”
    Liking—Works because we tend to do more for people we like than people we don’t.
    Consistency—People like to be consistent. As an example,” why should I badge in? Everyone else just walks in once someone opens the door.”
    Social validation—Based on the idea that if one person does it, others will too.
    Reciprocity—If someone gives you a token or small gift, you feel pressured to give something in return.
    Urgency – e.g. Last minute Deal! Hurry


    3. In the context of Social Engineering, explain the term Spear Phishing.


    Answer:

    Spear Phishing is a targeted form of phishing. The attacker sends a message to a target making it look as if it was sent by a person the target trusts (e.g. Family member, co-worker). It requires some form of research of the victim.
