Tech Gets Better, Humans Do Not: A Beginner's Guide to Social Engineering

by jk31214

Working in IT, I hear people talk about social engineering, and what they think it is.

Most of the time, they think it's evil hackers on the Internets trying to gain access to their Facebook accounts, to engage in nefarious wall posts.  Social engineering is probably anything but that.  But I wanted to outline some of the most common types from technical to simple.  Our technology may change often, but human nature and cunning do not.  That's why social engineering will always be a popular threat.  Formally, social engineering is the act of manipulating people into giving out information that can lead to compromised security on a system or network, or to identity theft of an individual or group of people.

Social engineering focuses on exploiting the implied trust that most people give to one another, and using that trust to gain pertinent information.  These types of threats exist in the physical world as well as the virtual world.  There are many ways that attackers have come up with to gain information from users.  This article discusses different types of attacks that people may encounter, and possible ways to thwart these attacks.  At the very least, I'll try to explain the best way for users to posture themselves to stay protected from such attacks.

Social engineering can show up in many forms.  Right now, the exact definition is not perfectly clear, but anytime that a victim's information is obtained through the use of some sort of social interaction, online or physical, this can be considered a socially engineered attack.  Throughout history, we've had scammers in our society, but for some reason now it seems trendy to try and define these attacks.  Most of the time, this isn't anything new.  Hey, old tricks are the best tricks, right?  Most people tend to think of social engineering as just pertaining to social networking sites, such as Facebook or Twitter.

Though this is one type of social attack, it's not the only type that is out there.  There are many types of attacks in general.  Some are cyber-related and some are physical attacks, meaning that they take place in the real world and they're not after your Twitter feed.  As unbelievable as Hollywood makes it seem, it's usually easier for an attacker to obtain personal information from a user through actual physical social engineering than it is to "Holly-hack" a personal computer for the information.

The key to all social engineering attacks is first for the attacker to establish some sort of trust relationship with the victim.  This can come from many angles unforeseen by the victim.  For example, a new employee (attacker) at a company may start making friends quickly by striking up conversations about similar interests with coworkers.  This may lead to a victim giving out more personal information than they should to the would-be attacker.  If the answers to any of the victim's security questions are personal, an attacker may be able to collect these answers very easily just by having a conversation with the victim.

Even easier to perform than physical social attacks are "online" or cyber hoaxes, which are discussed later in the article.  Have you ever gotten an email where the subject line was so convincing that you either had to open it to verify, or the email just plain fooled you right from the start?  You then have become a victim of a social engineering attack.  Just for that split second, your trust was earned and you opened the email.  Chances are that most people can spot a hoax when they see one.  But all it takes is one time to be fooled in order to fall victim to a serious attack.

I consider "spam" to be one of the first mainstream types of cyber social engineering.  This is probably the most annoying attack that pesters most of us each day.  Spam is an unsolicited email that is sent to thousands of victims at a time in the hopes that even a few victims fall for the deception, open the email, and follow its instructions.  Spam is really the bane of email.

There are literally billions of spam messages sent out daily worldwide.  It takes relatively few resources for spammers to send out multiple emails each minute of each day.  Most are even controlled by botnets where people's own computers are infected and are doing the work for spammers.  Those messages may even be sent to the unsuspecting user hosting a zombie computer themselves!  A spammer's hope is that at least a small number of victims will fall prey to the attack and the payoff is worth the effort (or lack thereof).

I read an article elsewhere that there is a 5.6 percent click rate through pornography spam and a 0.02 percent click rate through pharmaceuticals.  With this much of a response, what incentive does a spammer have to stop?  That translates to 56,000 people falling for a million-message spam attack.  Most people would call that successful.  Sometimes the spam attack is not hazardous to security, but just ads for products.  But other times there are malicious sites or code contained within the messages, and that's where the real threat comes into scope.

Ways of preventing spam are easily implemented at first, but sometimes email becomes cumbersome and violated, no matter how hard you try.  Rules for email include: Don't give out your email address to strangers or on forums or online chat rooms.  Never open emails from unknown sources.  Do not buy anything through unsolicited email.  Use and maintain junk mail boxes or spam filters through your email providers or client software.  You can possibly set up an alternate email account for questionable offers that require you to provide one.  An easy method of implementing this is to choose a regular email account name such as: emailaddress@domain.com, then alternately choose a junk email box such as spamemailaddress@domain.com.  This way, it's easy to remember which one houses the potential spam.  A contributor from an earlier volume of 2600 outlined some pretty great ways to set up a Gmail white-list.

Spammers send out a lot of emails each day, each hour.  Their lists are vast and contain millions of addresses.  It's safe to say that not all of these addresses are correct or active.  Most of the time, spammers use a type of brute force to generate email addresses for a specific domain.  So with such a massively huge list, why waste the resources mailing out to every combination of the ASCII table?  The short answer is that they don't.  They hone the lists down to live email addresses that actually have a human owner who occasionally checks the mail.  But, if you're truly diligent and do not click on any unsolicited links from spam messages, how do they know that your email address is active?  They use a simple technique called an email "beacon."

The spammers embed a 1x1 pixel transparent GIF into the email message.  When the victim opens the email, the GIF is fetched from a tracking server, where the spammer can capture statistics of unique "opens" and IPs, and validate the email address.  The victim's address goes onto the good list and is added to future distributions.  This email beacon lets the spammer know which of his email addresses belong to actual humans and that emails sent to these addresses will more than likely end up being read.  And these are the numbers that count.  These are the numbers that rank spammers in the eyes of the large companies who seek their services.

Fortunately, several things need to line up for an email beacon to work.  First, a victim's email must be set up to receive HTML messages.  If the victim's email is set up for text only, the beacon will not work.  The email address may still be able to be tracked if the victim clicks on a link within the mail, but merely looking at it will not trigger the beacon.  Second, most email clients (especially on the web or mobile) will not show pictures by default.  This way the beacon is never requested when the email is opened.  Only if the victim chooses to "always show pictures" is the beacon triggered.  Check your client's settings to see whether this option exists, and leave remote images turned off by default in case a well-crafted spam message does slip by better judgment.
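A small check for the beacon described above, written as an added example (it is not code from the article): it parses an HTML message body and flags remote images that are 1x1, hidden by CSS, or tagged with a per-recipient identifier in their URL. The message body and host names are constructed for the demonstration; a text-only body contains no images and so can never trigger a beacon.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message body (not a real spam message): one obvious beacon,
# one ordinary remote logo, one inline image that touches no server, and one
# beacon hidden by CSS rather than by its width/height attributes.
SAMPLE_HTML = """
<html><body>
<p>Special offer, act now!</p>
<img src="https://track.example.invalid/o.gif?uid=a1b2c3&c=42" width="1" height="1" alt="">
<img src="https://cdn.example.invalid/logo.png" width="200" height="60" alt="logo">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="inline">
<img src="https://track.example.invalid/pixel" style="display:none;width:0;height:0">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect every <img> tag's attributes; nothing else in the body matters here."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True if a width/height attribute is 0 or 1 pixel (e.g. "1", "1px", "0")."""
    digits = value.strip().lower().rstrip("px").strip()
    return digits.isdigit() and int(digits) <= 1


def classify_images(html):
    """Return a list of (src, verdict, reasons); verdict is 'beacon', 'remote' or 'inline'.

    Any remote image load reveals that the message was opened, so every http(s)
    image is at least 'remote'.  A remote image that is tiny or hidden, carries
    an identifier in its URL, or has no alt text is almost certainly a beacon;
    two or more of those signs together earn the 'beacon' verdict (a threshold
    chosen for this example, not a standard).
    """
    parser = _ImgCollector()
    parser.feed(html)
    results = []
    for img in parser.images:
        src = img.get("src", "")
        scheme = urlparse(src).scheme.lower()
        if scheme not in ("http", "https"):
            results.append((src, "inline", []))  # data: URIs never call home
            continue
        reasons = []
        if _tiny(img.get("width", "")) and _tiny(img.get("height", "")):
            reasons.append("1x1 or smaller dimensions")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "width:0" in style or "height:0" in style:
            reasons.append("hidden via CSS")
        if parse_qs(urlparse(src).query):
            reasons.append("per-recipient identifier in query string")
        if not img.get("alt"):
            reasons.append("no alt text")  # beacons are not meant to be seen
        verdict = "beacon" if len(reasons) >= 2 else "remote"
        results.append((src, verdict, reasons))
    return results


def count_beacons(html):
    """Number of images in the body that the heuristics above call beacons."""
    return sum(1 for _, verdict, _ in classify_images(html) if verdict == "beacon")


if __name__ == "__main__":
    for src, verdict, reasons in classify_images(SAMPLE_HTML):
        print(f"{verdict:7} {src[:60]:60} {'; '.join(reasons)}")
```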

"Spim" is a relatively newer term that is a play on spam over instant messaging.  The concept is just like spam, only accomplished through your instant messaging client.  The key to avoiding spim is to again only view messages from people you trust.  Some client software allows you to set up spim filters as well.

Enough about spam.  We may not know all about the industry, but we all know enough that we don't like it.  And suffice it to say, that's usually enough to avoid it.

Another type of attack is called "phishing."  This too is usually implemented through email, but can also come in the form of an already malicious site that has malicious hyperlinks set up to point you to phishing attacks.  This is when an attacker tries to coax usernames and passwords from a victim by tricking them into thinking that they are on a legitimate website on which they have a valid account for authentication.  Some phishing attacks are very crafty and attackers make effective sites, which look just like legitimate websites that victims normally visit.  Because statistically most people use the same usernames and passwords on multiple systems, all the attacker needs to do is capture them once and they can potentially get into any other account that their victim owns.  By use of sneaky tricks like browser add-ons or default search aids, attackers can take advantage of a victim, using misspellings, in order to send them to where they want them to go.  Look for emails with links that are poorly written or have bad grammar throughout the body.  Always be on the lookout for websites that you are normally familiar with that look strange or different from what you are used to seeing.  Another defense is to never use the links provided in emails or from untrustworthy sites.  Always go to the address bar and type in the URL yourself to avoid misdirection.

"Spear phishing" is an alternate use of the term phishing where attackers focus their attacks on a specific group of people.  These people may all be part of a banking transaction list that was stolen or a website database that has been distributed illegally.  Attackers can make assessments of these groups based upon their net worth so that they can focus their attention on a victim with high profitability.

"Whaling" is another term used where attacks are directed at high level corporate officers or even celebrities.

"Vishing" is an attack like phishing (it actually gets its name from a combination of the words "voice" and "phishing") where an attacker will try to get a victim to disclose usernames and passwords via an automated voice telephone system.  With the prominent implementation of VoIP (Voice over IP), this type of attack is becoming increasingly popular in large companies.  Because VoIP uses the IP suite of protocols, attacks can be constructed with the use of software and a computer, rather than having to rig up an analog voice recording along with analog equipment.  Usually the attacker sends a bogus email to the victim pretending to be a bank or other credible institution and tricks the victim into calling the provided number.  There the victim follows the system through a volley of verification checks and finally a password or PIN change.  Avoid calling numbers that come from suspect emails.  If the email is supposedly from a financial institution or other credible source, find the corporate number from an old statement or bill and use that to call instead.

"Pharming" is a practice where an attacker will try to redirect a legitimate URL to a doppelganger website using varying techniques.  This attack can be carried out on multiple levels of the OSI model, so stay sharp.  If the attacker has compromised the victim's computer, depending upon its configuration, the "hosts file" can be altered so that valid URLs resolve to bogus IP addresses.  Because most computers are configured to consult their own local hosts file before reaching out to the Internet for name resolution, this can be tricky for an average user to detect.  Your hosts file for Windows systems is located in the system root directory, usually found in C:\WINDOWS\system32\drivers\etc.

Alternatively, for UNIX, keep an eye on /etc/hosts and /etc/resolv.conf.  Malicious software can also simply change the DNS server in your network configuration to whatever it wants.  Another way that an attacker can redirect requests is through a compromised browser add-on.  Routers and their firmware can also be altered to automatically point some or all traffic to the malicious site.  Finally, an attacker can, in fact, alter an actual DNS server so that any requests made to it are redirected elsewhere.  There is nothing that the victim can do to prevent this.  This is usually known as DNS poisoning.  Users must be careful when downloading or agreeing to the use of browser add-ons when installing bundled software.  Also, users can regularly check their DNS settings (most of the time they should be automatically set through the ISP) if they suspect that an attack is taking place.
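As an added example (not part of the article), a Python audit of a hosts file that catches the local redirects described above: it compares the file against a known-good digest recorded when the file was clean, and flags public-looking names pinned to non-internal addresses, names blackholed to 0.0.0.0, and loopback aliases that no longer point at loopback. The file contents, host names and addresses are constructed; the "internal address" rule (loopback, link-local and RFC 1918 ranges) is an assumption chosen for this example.

```python
import hashlib
import ipaddress

# Constructed hosts file contents for the demo (not taken from any real machine).
# On Windows the file lives under C:\WINDOWS\system32\drivers\etc\hosts; on UNIX at /etc/hosts.
CLEAN_HOSTS = """\
# Default entries shipped with the OS
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.10    fileserver.corp.example   # internal box, expected
"""

# The same file after a pharming-style edit: a bank name pinned to an outside
# address, and an update server blackholed so protection cannot refresh.
TAMPERED_HOSTS = CLEAN_HOSTS + """\
203.0.113.5     onlinebanking.example.com www.onlinebanking.example.com
0.0.0.0         update.antivirus.example   # blocks updates
"""

LOOPBACK_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _internal(addr):
    """Addresses a hosts file may legitimately map names to (assumption for this example)."""
    return addr.is_loopback or addr.is_link_local or any(addr in net for net in RFC1918)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring blank and comment lines."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, maps nothing
        for name in fields[1:]:
            yield fields[0], name.lower(), line_no


def baseline_digest(text):
    """Digest to record once the file is known to be clean."""
    return hashlib.sha256(text.encode()).hexdigest()


def audit_hosts(text, expected_sha256=None):
    """Return a list of findings (line_no, ip, hostname, reason); empty means clean."""
    findings = []
    if expected_sha256 is not None and baseline_digest(text) != expected_sha256:
        findings.append((0, "", "", "file digest differs from baseline"))
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "unparseable address"))
            continue
        if name in LOOPBACK_NAMES:
            if not addr.is_loopback:
                findings.append((line_no, ip, name, "loopback name points elsewhere"))
            continue
        if addr.is_unspecified:
            findings.append((line_no, ip, name, "blackholed to 0.0.0.0"))
        elif "." in name and not _internal(addr):
            findings.append((line_no, ip, name, "public name pinned to a non-internal address"))
    return findings


if __name__ == "__main__":
    known_good = baseline_digest(CLEAN_HOSTS)
    for finding in audit_hosts(TAMPERED_HOSTS, known_good):
        print(finding)
```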

People using public Wi-Fi Access Points (APs) should be careful to watch out for a social engineering technique called "evil twin."  In this instance, an attacker will set up their own Wi-Fi Access Point with the same name as, or similar name to, a legitimate AP.  Users will connect to the AP thinking that it is the legitimate one; all the while the attacker is capturing data packets that may contain usernames and passwords or other sensitive data.  A victim's PC may try to automatically connect to both APs if the attacker is spoofing a legitimate AP with the same name, rather than merely a similar one.  A victim might also see their connection continuously drop and reconnect as the network adapter does not know which AP to accept responses from.  This can be an early warning sign that an Evil Twin attack is taking place.  It's best to double check what the name of the AP actually is with the person in charge of the hotspot before actually connecting to one.

When trying to gain access to banking accounts, attackers will go to pretty bold extremes.  By trying to steal credit card or debit card and PIN information, attackers may set up fake card readers, called scanners, overlaid on top of real ATMs or other legitimate card reading devices.  This type of attack is called "skimming."  And, as farfetched as it may sound, it's surprisingly becoming more and more frequent.  Attackers can place these card readers atop many common devices like gas station pumps or actual store merchant-service terminals.  There have been reported cases where wait staff at restaurants used scanners to capture hundreds of card numbers per night from customers.  This can only capture the card numbers themselves and usually not the PIN.  For that, the attacker may use other techniques such as shoulder surfing.  With the card information and a victim's PIN (if capturing debit cards), the attacker can encode a new card, buy goods and resell them, or cash out at the ATM.  Always keep a lookout for ATMs or other card readers that are unsecured, seem poorly made, or do not match the device that they are a part of.

Social networking sites or social media sites can be a den of social engineering attacks because of their popularity amongst the masses.  Most victims think that their information or content is secure, simply because they have a username and password to login.  That doesn't account for the information that is made public by default, sometimes without the victim being aware.  Just by accepting the End-User License Agreement (EULA) to a popular social media site, the victim is more than likely waiving rights to any information posted.  People can be pretty revealing on a social media site.  People often think that the only individuals who are interested in their page are people who know them personally.  This is not always the case.  A victim may be targeted for many reasons, including associates, the place that they are from, the school that they go to, or the places that they work.  If an attacker is looking for information on a bank, why not try to compromise a bank employee?  All it takes is one "office Christmas party" post, and you have become a target.  Stay diligent on social media websites.  Try not to post anything too revealing about your work and never post anything that you wouldn't want on the front page of tomorrow's newspaper.

When most people think of social engineering attacks or identity theft, the picture that often enters their minds is that of some "Holly-hacker" type computer-savvy person in a dimly lit room working fiendishly over a computer of sorts, hashing away at the keyboard, waiting to capture your next online transaction.  Or that there is some sort of agglomerated suite of cutting edge applications running on a secret network comprised of several server racks in some abandoned building that is collecting data all day, running carefully milled algorithms in hopes of gaining access to your personal bank account.  Sadly, as much as Hollywood can twist it, this is almost never the case.  Most of the time that your information has been compromised, it was ill-gotten through unsafe handling practices of your "Personally Identifiable Information" (PII) by some lazy call center worker or banking associate.  It's not always as glorious as we'd dream it to be.  Actually, people may be even more disappointed by the method in which their information was stolen than by the fact that it was actually stolen in the first place.

What we are talking about is the not-so-technological means of social engineering and alternate methods of attack.  More often than not, this is actually how attackers obtain victims' information.  It's simply for the fact that it's actually easier to just trick the information out of someone or exploit their trusting nature, rather than executing an elaborate plot through specially crafted application warfare.

One type of non-technical attack is simple "impersonation."  An attacker can just call or show up at a place of business claiming to be someone that they are not.  They often will impersonate security personnel or an IT support tech.  While calling or with face-to-face visits, the attacker is looking for inside information on an establishment in order to posture themselves for a better overall attack.  They may try to use several techniques like an implied sense of urgency to try to befuddle the victim into not wasting any time letting them in or giving the attacker the key code to the security system.  Attackers may act like a new employee that doesn't understand the inner workings of the company, or as a person who's been with the company so long, they no longer have any regard for security "protocol."  Or the attacker may act absent minded and repeatedly apologize and act grateful for the favor of the victim letting them through the door.  It's easier to attack an infrastructure if you have insider information about the establishment first.  One can never be too careful about who's calling or visiting and asking about the network or asking to see the server room.  Have you ever walked through a hospital or even your own workplace and seen a bunch of people there, moving in and out of rooms, going about their business?  How do you know they're all supposed to be there?  How do they know you're supposed to be there?  It's all about swagger!  More than likely, some stranger could probably walk up to a filing cabinet next to your cubicle, open a drawer, and take out some files, and you or any of your coworkers wouldn't even bother to think about them being there, let alone stop them.  It's a person's duty to challenge those people lurking around or asking too many questions about sensitive information.

If an attacker cold calls your office, one thing you can do is ask the would-be impersonator if it would be all right to call them back at their corporate number or just call your boss to confirm the visit.  Impersonation is actually a pretty common trick, especially amongst penetration testers that are hired to test a business's security.  Why expend the effort when it is easier to just pick up the phone and get all the information you need from an unsuspecting worker?

"Shoulder surfing" might be the most common attack in the workplace or in any public place where you must use your sensitive information freely.  This is the act of watching over someone's shoulder or from a great distance to see what the victim is typing, such as a PIN at an ATM or cash register, or a username and password on a computer keyboard.  People have been caught using telescopic lenses to record ATMs or gas pumps fitted with skimming devices.  An attacker armed with a re-encoder can then create a fake card with the victim's numbers and their real PIN for use at an ATM.  Coworkers or any malicious person can possibly shoulder-surf a password at work to gain unauthorized entry to a system using a victim's credentials.  There are now applications that can read everything that a victim types into their iPad or phone with 97 percent accuracy and the ability to transmit data in real time, just by using an overhead camera such as a surveillance video camera.  The victim can even move freely while using the touch screen because the application can adjust for movement.

Another type of non-technical attack is a "hoax."  An attacker can try to construct a plausible story that a victim might believe, thus coaxing the victim into giving up some relevant information.  A kindly fellow, down on his luck, may ask you for 20 dollars.  You're happy to oblige because it is payday and you have some extra dough, not with you though.  Luckily for the both of you, there is an ATM at the end of the block.  After the transaction is done, and you've earned your Good Samaritan badge for the day, it's already too late.  You've probably been skimmed and shoulder surfed from the guy with the binoculars across the street.  Hoaxing is not always a live scam.  Sometimes there are hoax emails that are circulated.  They are usually comprised of some believe-it-or-not offer that can leave you very wealthy, if only to transfer a few thousand dollars to some Nigerian prince who won the lottery in Canada and has a difficult time with U.S. Customs.  Sometimes a hoax is just a malicious application that tries to trick a victim into believing that they are infected with a virus.  The victim then downloads a fake anti-virus program that holds their computer hostage for the exploitation of money from the victim.  Hoaxes are best avoided through common sense.  If offers look too good to be true, they usually are.

"Tailgating" is the act of using someone else to gain physical entry into a building or otherwise restricted area.  The attacker tries to give the false impression that they belong to the establishment and they are just walking in with everyone else, without establishing credentials, or they simply try to go unnoticed behind a victim while entering a secure area.  In crowded areas where many people are entering a building, usually people are kind enough to hold the door momentarily for the person behind them.  Human kindness is a major security risk where physical security is concerned.

"Piggybacking" is when an attacker uses a victim to gain unauthorized entry to a secure location by feigning that they have just forgotten their ID badge (or other credentials) or just don't want to bother looking for it or punching in their code, because the victim already has the door open.  Attackers play on the fact that people inherently are not rude, and would probably not just drop the door in someone's face if they knew they were behind them.  An attacker may also ask a victim to open entry for them, claiming that they left their badge at their desk and have no other way to enter the building.  People claiming to have forgotten their credentials should be reported to security personnel at once; no hard feelings.

"Dumpster diving" is perhaps the most splendid method of social engineering.  People will actually hunt through the trash of large establishments, searching for discarded documents that may contain sensitive information about a victim.  Who would be careless enough to throw away such sensitive information without making sure that it was properly destroyed?  Banks, hospitals, schools, and other institutions have been known to throw away sensitive data on victims.  Businesses are not the only ones that are held accountable, though, for throwing away important things.  People throw away bank statements, bills, credit card offers, health records, and even checks all of the time.  Dumpster divers usually target wealthy homes for garbage as well as large businesses.  Unless someone has a personal vendetta against you, or you're part of a larger scheme, your private trash is probably safe.  But it's better to play it safe than be sorry later; shred personal documents, then burn them, then bury the ashes in the garden for soil aeration.  With seemingly innocent information, Dumpster divers can usually piece together enough about a victim's life to open new bank accounts, apply for credit cards, or buy a new car on a victim's good credit.

"Reverse social engineering" is an intricate plan that involves first the attacker sabotaging a victim's system, then the attacker advertising their technical expertise and willingness to help, and finally the attacker assisting the victim with fixing their problem.  Sometimes an attacker has a target in mind, but may have a difficult time getting there.  Unfortunately, people in general are usually the weakest link in the security chain.  The attacker may use a victim as a temporary asset to achieve their final goal.  This elaborate plot can be used by the attacker to gain entry to a location - physical or digital - that was previously off limits, through the exploitation of an indirect victim.  The right combination of trust, misdirection, and lack of technical ability on the victim's part can easily let an attacker overcome a previously off-limits target.  To a non-technical victim, this can be pulled off as easily as loosening a network cable while they are not looking.  Then the attacker can convince the victim that a driver must have been corrupted, and that they can fix the problem quickly.  Sometimes urgency is on the attacker's side also, if the victim is frightened of reprimand by their boss for "breaking" company equipment or for the loss of company time by not being able to get their work completed.  One way to help protect yourself is to ask the would-be helper to guide you through the process yourself, never surrendering your keyboard and mouse.  Or ask that another person chaperone the situation if they insist on taking command.  Always stay vigilant of your surroundings and those who seem overeager to help.  If it's a commercial environment, never give your computer to someone overnight to fix without company knowledge and agreement first.

Once again, the overall crux of all social engineering attacks is the implied trust that people have with each other.  Every person exhibits some level of confidence with the world around them - that it won't just turn around and stab them in the back.  Most of the time, this is true.  Not all people are out to steal your personal information.  But it pays to stay conscientious about the dangers around you and to know how to mitigate these threats.  None of these types of attacks go completely unnoticed.  All social engineering attacks are detectable depending on the victim's level of knowledge and their unwillingness to trust strangers.

Human error and malice are the largest security vulnerabilities in the IT world.  There are different types of social engineering attacks emerging every day, each one cleverer than the last.  Attackers find an exploit or something that seems to consistently work, and then the technique becomes more widespread.  As they become more popular, people begin to dissect the attacks and develop ways to readily identify them and ultimately counter them.  Staying educated on the latest social engineering techniques helps best.  But most attacks can be avoided with a little common sense, quick thinking, and just a touch of paranoia.

The greatest thing to remember is that when you least expect an attack and your guard is down, that's when it will most likely happen.  So, just never let your guard down, right?  Though there are scammers out there taking advantage of any potential victim that crosses their paths, one does not have to live in perpetual fear of identity theft or worse.  And, even with all of this extravagant chicanery and crafty techniques to coerce victims into divulging personal information, it's still no excuse to leave the house wearing a foil hat.

Stay educated, stay vigilant, and never take anything at face value.
