Social Engineering or SE is the art of persuading someone to give you the data that you desire or getting people to let you take the data/equipment you want. Once mastered, SE can be used on a system despite the platform or the quality of the hardware and software present.

Social engineering is usually easier and less risky than other forms of attacks, and unfortunately it is often successful.

Social engineers attempt to gather information such as: sensitive information, authorisation details and access details.

SE comes in different forms, but are all based on the principle of disguising oneself as one who needs or deserves the information. The two principal forms of social engineering are:

Human-based.
Computer-based.

Human-based SE functions at a personal level and preys on qualities of human nature such as the desire to be helpful, the tendency to trust and the fear of getting into trouble. This can be done by pretending to be a fellow employee, senior manager or even a new employee needing help.

Effectively, human-based SE is based on the concept of trust and the belief that it is not good to question authority. Any medium that provides one-to-one communications between people can be exploited; all it takes is a good actor/liar.

Computer-based SE attacks employ software to retrieve data, but still requires a human input. It can function through a variety of media including pop-up windows that prompts the victim for data, e-mails with link or attachments flooding a large number of accounts.

Social Engineering Techniques

Social Engineers can exploit human nature using many different techniques:

Impersonating a valid user – which may lead to gain physical access to a building and once inside, gather information from devices.

Posing as an important user: intimidating lower-level employees.

Calling technical support: support staff are trained to help.

Using a third person: pretending to have permission from an authorised source to use a system.

Eavesdropping: or unauthorised listening of conversations or reading of messages

Attack step

An attack will have certain identified goals and may be long and drawn out or as short as a single phone call. The steps in the attack will be determined by its goals, though the following structure is typical of a social engineering attack.

The basic steps of a social engineering attack are:

1. Research the company – get the lingo and inside knowledge on operational procedures, groups and individuals.
2. Identify victim or victims possibly by their position(s) in the company (e.g. security guard, secretary, manager).
3. Develop a relationship with the victim.
4. Exploit the relationship for knowledge gain.
5. Utilise the knowledge to move closer to goal.

These steps are repeated as required.

Who’s at risk?

The answer to this question is simple: everyone. Everyone includes you: all the historical evidence points to it. We are all susceptible to SE to some degree. Even if we are aware of the problem, SE techniques, etc. there is always a moment in time when we are vulnerable. This is due to being busy, distracted, acting routinely and many other reasons.

Large companies that are spread out over a several sites are particularly vulnerable. Since individuals can claim to be from another site often giving them a degree of plausibility (especially if they are well rehearsed).

Who are the Social Engineers?

Potentially anyone could be someone trying to exploit your trust. Typical examples include: ex-employees, competitors, and hackers claiming to be employees, support staff or vendors. Often they prefer to do their work remotely (email and telephone) or through phishing exercises.

Social Engineers are adept at exploiting human behaviour, particularly by quickly building up trust. They listen closely and are quick to adapt as information and opportunities arise. They are personable and plausible. They keep relationships moving along fast making it difficult for victims to evaluate what is happening.

They can be very patient slowly building trust, moving contacts between departments collecting small pieces of information (each of which is trivial but the totality of which could be devastating).

Phishing

The word "phishing" originates from the analogy that criminals used e-mail lures to "phish” for passwords and data from users. The practice often involves acquiring data fraudulently over the Internet by masquerading as a trustworthy business. Phishing employs 'spoofed' e-mails to lead users to counterfeit websites designed to obtain data via trickery.

A phishing scam begins with an attacker sending out fraudulent e-mails that appear to come from trusted web sites (often using bait). Believing the e-mails to be legitimate, unsuspecting people respond to the requests for their personal information. A scammer often puts a link in a fake e-mail to a legitimate website, when actually it takes the victim to a spoofed site. Once at the spoofed site the user unwittingly enters personal data that will be transmitted directly to the attacker, enabling the attacker to steal the victim’s identity.

What makes phishing successful is the ease with which seemingly authentic web sites and legit-looking e-mail can be reconstructed. They include official logos and other identifying information taken from legitimate sites. Once at the spoofed site it is difficult for a victim to notice the difference.

Spear Phishing

Spear Phishing is a targeted form of phishing. The attacker sends a message to a target making it look as if it was sent by a person the target trusts. This could be a member of their family or their boss. Either way spear phishing requires some form of research of the victim.

Whaling

Why bother with the small fish? Whaling is nothing else but spear phishing targeted at a big user. This is generally a senior manager, CEO, etc. who has all the information required by the social engineer. This attack is generally slow and methodical and requires the attacker profiling the target in order to attack at the right moment.

Vishing

Vishing is a type of phishing attack that targets VoIP or mobile phones. It is a relatively new technique used by criminals to harvest many personal details from victims. Particularly, credit card details are often targeted. Like most other social engineering exploits vishing relies on the 'hacking' of a common procedure that fits within the victim's comfort zone.

Here is an example of vishing:

A criminal configures a war dialer to call phone numbers in a given region.

Victim(s) answers the call; an automated recording is played to alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity. The message instructs the consumer to call the following phone number immediately. The same phone number is often shown in the spoofed caller ID and given the same name as the financial company they are pretending to represent.

When the victim calls the number, it is answered by automated instructions to enter their credit card number or bank account number on the key pad.

Reverse SE

Whereas SE relies on attackers identifying and approaching potential victims, reverse SE involves attackers creating an assumed air of authority or knowledge such that potential victims will actually approach them.

Reverse SE is a unique form of social engineering that deals with the common difficulties (gaining trust) of normal attacks. In reverse social engineering the victim unwittingly goes to the attacker.

It requires the social engineer to sabotage some equipment either locally or remotely, and then advertise themselves as being the person that can fix the damage, or pretend to be a support person assigned to make the repair.

Due to the nature of reverse attacks and the development of trust, the hacker can receive much more information.

The typical reverse social engineering attack consists of three major parts: sabotage, advertising and assisting.

Impersonation

Impersonation involves any act of pretending to be someone you are not. This could be a manager, a delivery driver, a support technician, etc. Impersonation can be done in person, over the phone or via email, chat, etc.

Dumpster Diving

What is going out in the trash? There is now a new edition for the security software so might as well chuck the old one in the bin. How different is the new manual from the old one that you are about to let pass outside your security perimeter into the rubbish. What about those out-of-date directories filled with names, positions and telephone numbers/extensions – most of that is still valid!

Was that shredded document completely shredded – did I switch the machine off before it passed through? Perhaps the ‘shred’ can be put back together.

What happens to the stuff in the waste paper bin? Who might have access to it – the cleaner?; somebody with out of hours’ access?; a night guard, etc.? Will it end up in a skip out the back of the building? The information that went into the bucket is only protected by the weakest link.

Exploiting data in this way is called dumpster diving and it is always a potential source of data leakage.

Shoulder surfing

Who hasn’t come across someone on a train or bus using their device (mobile phone, laptop, etc.) to do some work? These people may check their e-mail, write some documents or be using some specialised software. Whatever the type of work being done, it can be quite easy in certain situations to have a visual of the person entering their password. This is shoulder surfing. Malicious social engineers could use this technique to their advantage to obtain passwords or other information.

Tailgating

One of the examples that we will talk about next is gaining physical access to buildings or other locations. Tailgating is a technique to achieve exactly that. Attackers are hoping on the kindness of someone just entering a building to keep the door open for them. It happens very often and can be especially effective if used in conjunction with impersonation (e.g. pretending to be a delivery driver, or even a disabled person).

Gaining Physical Access

Who is that wandering around your premises?

Crucial equipment should only be accessed by those with authorisation. The person on that secure floor may be a legitimate employee but does s/he have the authority to be in that location (a lot of network attacks are from insiders)?

The social engineer starts off without authority and will attempt to gain it through either: claiming a lost token with plausible cover story; use a stolen or fake ID; or manipulating the system into giving him an appropriate authority.

Hence, there should be a clear procedure for identifying to all security personnel the relevant lost/stolen IDs or other authentication tokens. Authentication should always be properly checked at appropriate check-points. Safeguards should be in place to ensure only valid personnel obtain authorisation (including temporary authority).

To help security personnel make good judgments there should be procedures in place to deal with lost identification tokens – no exceptions; not even for the ‘suits’.

What might they do?

Once a social engineer has physical access to the premises the sky is the limit. They may be in a position to impersonate management; or have access to unsupervised machines (including devices left logged on). They can pick up data storage devices (or leave ‘bad’ ones).

Who’s on the other end?

Only a small quantity of business is done face-to-face. We often have to deal with emails, telephone calls, and remote logins.

Trust and valuable information can be obtained through social media, allowing the person-on-the-other-end to become plausible. This could represent the first step in a larger exercise.

Telephone

There is a lot of trust given to people who phone your company and who know how your company works and who’s who. Even thought you might start out sceptical, a caller exhibiting knowledge and familiarity with the working of the company can win your trust. Even if they cannot win your trust they can always try again later.

A: ‘I am in the … room carrying out an urgent repair and need the logon credentials.’

V: ‘I’m sorry I can’t give that out’

A: ‘I understand that’s normal procedure but this is critical the whole system is about to go down. Look, check my credentials my name is Joe Blogs, I work in the ERC (emergency repair centre) my authentication number is xyz [all valid information]. I know it’s out of hours but you can call my manager on mobile: abcdef to confirm.’

You have no idea who is calling - just because he has the information identifying him as a valid member of staff does not mean that it is the claimant who is calling: this information may have been obtained through other means and is now being used to leverage a login capability. The ‘validation’ call that you are encouraged to make is a mobile number for an off-duty member of staff – do you really know who this is? [It might even be somebody who has phoned you on other pretexts to get your ‘acquaintance’]. Note that this ‘validation’ procedure is based on a common trust exploitation where both parties are using a supposed trusted intermediary.

Suppose you are on your guard and refuse the information; the social engineer tries again later looking for a different victim; the whole defence is only as good as its weakest link.

Some guidelines:

Only use recognised telephone numbers for validation (even then be sceptical)

Have authentication procedures in place for identifying callers requesting confidential information.

Make any checking calls independent of the person you are checking (don’t use their recommendation!)

Make questionable requests known to other staff that might have to deal with a similar call.

Who’s contacting you?

The source of an IP packet can easily be faked. The origin can be disguised by re-routing. Think of an IP address as a telephone number or licence plate; they identify the phone or the car, but they don’t identify the person.

That supplied email address, who does it actually belong to?

Where are you sending the data? Even faxed data that is sent to the front desk for pick up – where is it going? Mailed data – who has access to the mail room?

Gaining Network Access

There are many illegitimate ways to do this.

Just Ask

It seems incredible but just asking has often been an effective method for gaining access to resources. What has the asker got to lose? Probably the worst that will happen is that s/he will be told NO. If the asker is plausible with good insider knowledge allowing them to pass as genuine then asking might be enough to do the trick.

‘I was so successful in that line of attack [social engineering] that I rarely had to resort to a technical attack. Companies can spend millions of dollars toward technological protections and that’s wasted if someone can basically call someone on the telephone and either convince them to do something on the computer that lower the company’s defences or reveals the information they are seeking.’ (Mitnik, to Congress, 2000)

Exploit Human Behaviour

That pen drive dropped in the lobby – I’ll just check to see who it belongs to so that I can return it –what have I just downloaded onto my machine?

A program that will not close until a particular button is clicked (never happened before!). Pressing a ‘button’ on the screen activates some activity inside the PC. There is no requirement that the activity and the button title are related: Clicking that button could be running anything (wiping your hard drive, downloading malware, uploading secrets etc.)

A new web site looks very attractive and requires you to set up an account. This account will require a username and password. How often have you used these before? Nearly half the population use the same passwords on all sites – have you just given away a password to a ‘secure’ location? This happens! It could have duped you (and you were sure you were security conscious). Make sure you use those important passwords only once.

People

It’s a fact of life that unusual requests will occur – it might be valid but requires caution. If someone calls with an unusual (suspicious) request but refuses (by some excuse) to give a number for calling back then they are not to be trusted.

Watch out for someone claiming authority. Anyone can do this – not only over the telephone, but in person. [How many movies show an infiltrator turning up at a secure base with faked rank – good guards are trained to deal with this. For the period of the check they should have temporary authority]

Claims of urgency – if it’s that urgent it needs to be dealt with higher up.

The caller uses threats to enforce compliance. These threats could be against the victim (demotion/loss of job) or against the firm’s effective operation.

The caller seems to be uncomfortable when questioned (or avoids tricky questions with glib answers). A software engineer who has done his research will be prepared for this, but s/he only needs to slip once to create a warning signal.

The caller ‘claims’ familiarity with important members of the organisation – we can all do that. If the attacker is well researched he will know details about the dropped names making the claim plausible.

Beware individuals you haven’t known for long and are interested in information about the operation of the organisation; or, who are using you to make further friends (potential future victims).

Documents that have headers that look dodgy. This can be almost impossible to spot but if something looks slightly wrong it should set off alarms. Just because a document looks authentic doesn’t mean that it is.

Beware of the caller, visitor who appears overly friendly, boastful, threatening. Or those who flatter, are familiar or flirtatious. Whether we like it or not, many of us have susceptibility to these traits. A good social engineer will soon suss out your weaknesses.

Beware people who know things that they shouldn’t know; e.g. specialist terms and lingo or knowledge of company operation. And those that ask strange questions.

Contract termination

Either employees or contractors

Ensure that there are procedures in place for handling sacked employees:

they may need to be escorted off the premises

their name may need to be removed from authorisation lists

collect all their authorisation tokens

ensure guards know they are no longer an employee

all ‘related’ employees should change their passwords.

The same rules can apply to employees that have lost privileges.

The Trash

Treat the rubbish with respect: overlooking its potential significance could result in an ‘in’ for an attacker.

Establish procedures for discarding the trash (include in the security policy - later); ensure that cross-shredding of confidential documents occurs. Use a separate system for the disposal of confidential information.

Confidential information will also be on storage devices and some and this data needs to be erased (completely). The software delete option may not be enough!

Lock up the rubbish at least the confidential stuff.

Other

What exploitable information are you leaking? What is on your phones automatic reply or your out-of-office email response?

Talking about confidential information in public places; either to workmates or over the telephone (this is particularly dangerous leakage point - the caller is often oblivious to their surroundings).

Make sure you leave unattended terminals logged out.

Testing

The staff may well have been through a security awareness course; but how long ago was it? The lessons are soon forgotten. Keep training up-to-date and relevant.

It does no harm to test the system – get an outside team to do this. A fresh set of ideas on attacks will really test your security policies. Just trying yourself will not get you thinking outside the box.