Top 10 Social Engineering Tactics
Date: Jun 11, 2009
Article is provided courtesy of Addison-Wesley Professional.
If someone you trusted has ever tricked you, you know what it feels like to be socially engineered. Security expert Andrew Whitaker explains both the technical and non-technical techniques used by social engineers today to gain trust and manipulate people for their benefit. Andrew is the lead author of Chained Exploits, a book that teaches how attackers combine attacks like social engineering to achieve their goals.
The easiest way to get into a computer system is to simply ask permission. At the end of the day, no matter how much encryption and security technology you have implemented, a network is never completely secure. You can never get rid of the weakest link—the human factor. It does not matter how many firewalls, virtual private networks (VPNs), or encryptiong devices you have if your employees are willing to give access to the systems to anyone who asks for it.
A social engineer is someone who uses deception, persuasion, and influence to get information that would otherwise be unavailable. To social engineers, the fact that “there is a sucker born every minute” gives them the opportunity to circumvent some of the most secure data centers in the world.
Social engineering is more than just being a con artist; it is about understanding human psychology and having a methodical way of influencing someone to either give out sensitive information or grant you unauthorized access. In other words, it is not about being a good liar; it is about being an engineer who discovers ways to manipulate people for his or her advantage.
Social engineers use many techniques to reach their goals. This article outlines 10 of what I consider to be the most popular.
#10. Social Engineering in Reverse
Reverse social engineering (RSE) has three steps: sabotage, advertising, and assisting. In the first step, a social engineer finds a way to sabotage a network. This can be as complex as launching a network attack against a target website ,to as simple as sending an email from a spoofed email address telling users that they are infected with a virus. No matter what technique is employed, the social engineer has either sabotaged the network or given the impression that the network is sabotaged.
Next, the social engineer advertises his or her services as a security consultant. This can be done through many means including sending mailers, dropping business cards, or sending emails that advertise his or her services. At this point, the social engineer has created a problem in the network (sabotage) and is placing himself/herself in a position to help (advertising). The corporation sees the advertisement, contacts the engineer under the false pretense that the social engineer is a legitimate consultant, and allows the social engineer to work on the network. Once in, the social engineer gives the impression of fixing the problem (assisting) but will really do something malicious, such as planting keyloggers or stealing confidential data.
#9. Piggyback Rides
I am surprised at how piggybacking is still one of the most effective ways into an organization. With piggybacking, a social engineer appears as a legitimate employee and walks into a secure building by following behind someone who has access.
A classic example is a social engineer showing up at the front door of a secure facility on a rainy day at 8am, carrying a heavy box. As an employee walks up, the social engineer takes advantage of human kindness by saying, “Would you mind opening the door for me? I can’t reach my badge to open the door while carrying this box.” Because people generally want to help others, the employee will open the secure door and grant access to the social engineer.
Another common example of this is for the social engineer to show up in the area where employees stand outside to smoke. The social engineer stands outside smoking with other employees then, when the employees finish smoking, he or she will simply walk right behind them and into the building, bypassing any physical security control such as card readers.
#8. Techie Talk
Many penetration testers and malicious hackers come from a technical background and not a background in human psychology. As a result, when technical people need to do social engineering they resort to what they know best: being a techie.
An example of this is when a social engineer calls up a user within an organization and impersonates a help desk operator. Here is a sample of what that phone call may look like:
Social Engineer: “Hello. This is Andrew from the help desk. Hey listen, we’ve been noticing that some passwords have leaked out, and we are calling around to make sure that people are changing their passwords. We think your password may have been compromised, so if you don’t mind, I’d like to walk you through changing it.”
User: “Sure.”
Social Engineer: “Great! First, I want you to hold down the Control button, the Alt button, and the Delete button at the same time. That will bring up a new screen that has several buttons. Once this appears, click on the Change Password button. Now it’s important that you type in a secure password that contains a good mixture of uppercase and lowercase letters as well as numbers so that it is difficult for an attacker to hack into your computer. What password are you going to use?”
User: “Hmm…let me think. How about Password123? Is that secure?”
Social Engineer: “Absolutely. Go ahead and type in the new password and press OK. I really appreciate you taking the time to do this to keep your computer secure.”
The social engineer was able to use his or her knowledge of technology to convince a user to give out a password.
#7. Catch Me a Phish
A phishing attack occurs when a social engineer sends an email to a person who appears to come from a legitimate site, such as PayPal or a banking site, asking someone to visit a website and input sensitive information such as a bank account or password. The website appears to be the real website, but is instead a site created by the attacker.
Here is an example from an actual phishing email where the attacker impersonated an employee of PayPal:
“It has come to our attention that 98 percent of all fraudulent transactions are caused by members using stolen credit cards to purchase or sell non-existent items. Thus, we require our members to add a debit/check card to their billing records as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. Your debit/check card will only be used to identify you. If you could please take 5-10 minutes out of your online experience and renew your records, you will not run into any future problems with the PayPal service. However, failure to confirm your records will result in your account suspension.”
This e-mail went on to provide a link to a fake website for the e-mail recipient to access and input the credit card information.
If a social engineer is able to glean information specific to a person, such as a name or address, the engineer can take the phishing scam a step further and include this information in the email to make it appear more legitimate. This type of targeted attack is called a spear phishing attack.
#6. A Whale of an Attack
Another variation of phishing attacks is a whaling attack. Here the social engineer targets executives and high-profile targets. Information about executives and high-profile targets is easily accessible on the Internet. For example, a company may have bios of its executive officers on a corporate website. This information may be used by a social engineer to create a targeted spear phishing attack to the corporate officer.
For example, if the bio tells how a chief financial officer graduated from Duke University in 1979 and enjoys playing golf (yes, some executives actually put their hobbies in their bios), a social engineer may send an email to that corporate officer as if from the university alumni chapter asking him to come to a special alumni golf tournament for graduates. The executive will be likely to believe that it is authentic. The email may go on to ask the person to access a website to enter credit card information to reserve a spot in the tournament.
Because of the vast amount of information about corporate officers and other high-profile targets, whaling is becoming increasingly popular because this information makes it so easy for social engineers to target them in a convincing manner.
#5. Catch Me a Vish
Not having much success with phishing or whaling? Try vishing! Vishing is an attack that uses the phone to perform the equivalent of a phishing attack.
A common example, and one that is highly effective, is to have a war dialer call a list of numbers automatically and play a recorded message. When the phone is answered, the recorded message may say that the call is from the person’s bank and that their credit card may be compromised. The “victims” are asked to call a number to resolve the issue. The user calls the number and hears another automated message that prompts the victim to enter his or her credit card number, PIN, address, and whatever else the social engineer may want.
Another popular variation of a vishing attack is sending the original message through a text message to a cell phone instead of calling the person directly.
#4. Social (Engineer) Networking
Social networking sites such as Facebook and MySpace are a social engineer’s paradise. A social engineer can find out so much about you from these sites. People post information about where they work, what they like to do, what bands they like, and more. A social engineer can use the information you post on your social networking page in a number of ways:
- Sending an email impersonating a friend listed on the page asking for confidential information.
- Viewing pictures of a person to find out popular hang-outs and then showing up at the same spots to social-engineer the person outside of a work environment.
- Discovering the person’s age, place of birth, school, and previous companies, which can all be used to target the person in a spear phishing attack.
- Adding the person as a friend to build up an online relationship with a person in order to build trust. The social engineer then exploits that trust to get information from the person which could be used to launch another attack.
#3. NLP = Success
A good social engineer has a strong grasp on how to manipulate the human mind. Neuro-linguistic programming (NLP) is one psychological tool used by social engineers to manipulate people that, when done right, is highly successful. NLP deals with a person’s neurological processes, language, and learned behavior responses. While NLP was originally designed to be used in therapeutic settings, it has principles social engineers use to manipulate people to do almost anything the social engineer wants.
For example, if I am using NLP to socially engineer someone, I will seek ways to use my body language and a careful selection of words to give subconscious messages to the person I am trying to manipulate. I will begin by matching my body language with the other’s body language. I will also match my breathing rate, voice level, accent, and vocabulary with the other person. Doing this helps me to build rapport on a subconscious level. I may then give other subconscious messages by changing my body language, smiling and lightly touching the person on their shoulder or arm, and using words that denote positive thoughts, images, and emotions. All of these tactile, visual, and verbal actions (called anchoring and reframing in NLP terms) give subconscious messages that influence the person to have positive feelings and gain a sense of rapport with me. I can then direct the communication to what I am after, such as gathering information about a company’s secrets.
NLP is especially successful if you combine it with an understanding of personality styles and behavior profiling. It takes practice, but is extremely successful.
#2. Sex Sells
If there is one universal truth, it is that human beings do dumb things when attracted to someone else. Now I am sorry to disappoint you, but writing about how to social engineer someone to be attracted to you is an entirely different topic for an entirely different audience. In the context of this article, however, using human attraction is about getting someone interested in you and giving them the impression that the feelings are reciprocated. This leaves the person vulnerable for you to do everything from gathering insider information to pick-pocketing keys to a building while he or she is not paying attention.
A social engineer is one who understands psychology and engineers ways to manipulate people to their advantage. Leading someone on to believe there is mutual chemistry is one of the oldest social engineering tricks in the world.
#1. Get smashed
If you are after information, nothing will get a person talking more than going to a bar. If a social engineer wants to learn about insider information, he or she may seek out a target who likes to go to bars. The social engineer may follow people home from their work to see which ones go to bars after work, or may look people up on social networking sites to see if there are pictures or any other information that may reveal the names of bars or clubs that they visit. Armed with this information, the social engineer may strike up a conversation with the targeted person at a bar and try to get the person drunk enough to reveal information.
There are several steps a social engineer may take to accomplish this. Once the social engineer learns what bar his target person visits, the social engineer will arrive early to strike up conversation with the bartender. He will tell the bartender that he will be in later and give the bartender a large sum of cash in exchange for making sure that there always drinks ready for him. In addition, he will tell the bartender that no matter what drink he asks for, not to put alcohol in his drink. This way the social engineer stays sober and can focus on this objective while the target person gets drunk.
Later that night, the social engineer will strike up a conversation with the target person, order several rounds of shots and hard liquor on his tab, and attempt to get his target person drunk. Once drunk, the social engineer can bring up the topic of work and proceed to get information that the person would otherwise never share such as how to get into a building, passwords, trade secrets, and more.
Conclusion
These are just a few of many techniques used by social engineers. Some of these involve technology (e.g., spear phishing) while others use tried and true methods of human manipulation (such as NLP). Social engineers use these tactics for a multitude of reasons, ranging from obtaining bank account numbers to acquiring trade secrets to sell to competitors.
If you are concerned about social engineers targeting people in your organization, you can take some steps to help thwart these attacks:
- First, employees should be regularly trained in how to look out for suspicious people, e-mails, and phone calls.
- Second, train employees in what I like to call G.O.C.S. security—Good Old Common Sense security. In other words, some people just need to be taught some street smarts. I have seen companies do this by spelling out in their corporate security policy the dangers of using social networking sites and of drinking and discussing work topics with strangers (of course, this is only effective if employees actually read the policies which, as we all, is wishful thinking).
- Finally, employ the principle of need-to-know. The need-to-know principle states that employees should only be given enough information to do their job. They should not be given information about other departments or about decisions made at higher levels that do not relate to their work. This way, should a social engineer try to get information out of them, they would have limited information that they could reveal.
Social engineering will always be around. As long as you are willing to have a healthy level of paranoia and good common sense, you do not need to fear them.