
Guerilla Psychology and Tactical Approaches to Social Engineering, Part II

June 17, 2014 by Ivan Dimov
  1. Introduction

So far, we have discussed techniques used in manipulation, the characteristics that social engineers possess, the cycle of social engineering, and the four main qualities that are abused in such attacks. Below, we will present an interesting classification of social engineering, present some more techniques, discuss why social engineering works, and discuss our human nature and present a short vision of the future ahead.

  2. Classification of social engineering attacks

Social engineering can also be classified along three dimensions: direct versus indirect, prior-to-attack information gathering versus classical attack, and computer-based versus human-based, as Susanne Quiel classified it in her Bachelor's thesis entitled "Social Engineering in the Context of Cialdini's Psychology of Persuasion and Personality Traits".


Direct social engineering means that the attacker contacts a prospective victim and attempts to build a relationship and then exploit it, while indirect means that no contact whatsoever is made with a particular target.

Computer-based and human-based classifications are obvious; the former involves a computer to launch the attack, while the latter involves interaction between the two parties.

Indirect, prior-to-attack information gathering attacks include dumpster diving, shoulder surfing, eavesdropping (tapping conversations, whether by phone, face to face, or over VoIP), and theft. Computer-based prior-to-attack information gathering consists of social network mining; using search engines and whatever is available on websites and in the public domain to get to know the target; or trying to access the target's accounts by guessing passwords or using password-cracking tools and network sniffers such as Cain & Abel.

The direct classical social engineering attacks consist of pretexting and impersonation, which we have already discussed (pretending to be an insider or creating a fake situation to make the victim reveal information he would not reveal under normal circumstances); flirting, emotions, lies, manipulation and deception; name-dropping; NLP; reciprocation; authority; tailgating and piggybacking; using the jargon prevalent in the particular environment so that the attacker can pose as an insider without raising suspicion; and resorting to a fake or falsified ID. I believe we already talked about almost all of these techniques, to a greater or lesser extent, in the first part of this article.

Indirect computer-based attacks include phishing (pretending to be a trustworthy business or entity to obtain sensitive information), planting USB sticks loaded with malware where the victim will find them and most likely plug them into his computer to satisfy his curiosity, sending malware through email, and setting up websites that deliver drive-by downloads of malware or keyloggers.

Direct computer-based attacks can occur in online chatrooms, instant messenger applications, VoIP applications or over video/voice streams.

The Verizon 2012 Data Breach Investigations Report concluded that the most widely used social engineering attack channel is the phone, followed by face-to-face interaction, followed by email. So vishing and other phone-based scams occur in nearly 50% of the attacks, while face-to-face contact takes place in nearly 40% of the cases. Pretexting is the preferred strategy, followed by bribery/solicitation, followed by phishing: pretexting is used in more than 40% of all attacks, bribery/solicitation in a bit less than 30%, and phishing in more than 10% of the cases. The most frequently chosen targets are ordinary employees, while the least preferred targets are human resources staff and customers. This shows that company-wide security awareness must be in place, as regular employees are the most susceptible to being attacked by social engineers. Pretexting usually involves invoking a sense of fear or urgency to act in the victim, while phishing relies on carelessness and trust, and bribery mostly exploits human greed. So various techniques are at play here.

  3. Techniques used by social engineers – Continued

Reverse social engineering is a common technique and it has three phases: first the attacker disrupts the target company's network by any means possible; then he contacts the target in some way and claims he can resolve the problem; and if they take the bait, he fixes the problem and accesses sensitive information in the meantime.

Another common technique is taking advantage of your technological knowledge to establish credibility regarding your expertise and then luring the victim into completing "some steps" on their computer.

All the methods we have discussed so far work because of our human nature. Firstly, because in most cases a request of the kind social engineers make is genuine, we tend to be at ease when such a request comes from a social engineer. Secondly, if nobody has scammed us before, our guard is completely down. Thirdly, we prefer not to look paranoid in our workplace and in our social life, so we let our suspicions slip away. Fourthly, in the workplace we are taught to be friendly towards clients and people, and by nature we prefer to cooperate with others. Fifthly, we tend to feel empathy for people in a bad position who need some help from us. Sixthly, our human nature can be exploited because we often believe the request to be "no big deal".

  4. Why does social engineering work? What human qualities, thoughts and desires enable the techniques we have discussed so far?

These attacks also work because employees tend to think things like, "Those security staff need to get out more, go to a bar or a night club, they are too paranoid," or "What I do is unimportant, I cannot spill any trade secrets of our company because I am not in possession of any," or "Even if someone cracked my username and password he would not be able to do anything. I do not have access to anything of importance," while in reality each individual employee has access to something of importance to the social engineer.

Also, there is a notion of 'business reality' in the minds of employees: they tend to think that they cannot afford to lose a potential profit-bringing client only because of some fears or paranoia coming from the IT staff, or when a malicious request comes they do not even think about it because of the mindset that "We get all kinds of requests like this. Such requests bring us profit and sales and enable us to continue our business".

The desire to help can be exploited because usually in work environments employees think something like "We're all colleagues here. We gotta cooperate, help each other, act united and stay together".

Another perception of employees that leads to a lack of desire to take on the responsibility of carefully considering inquiries and requests is, "Security is not my job. Let the IT staff handle that. I've got real work to do," or "People who call me are prospective clients. You security guys need to weed out the malicious ones before they start communicating with me". Not taking responsibility and putting the blame on others is a common mindset among employees, and it is linked with carelessness as well.

Also, social engineers use impersonation and authority because employees react to requests from positions of high authority out of fear of getting on the wrong side of them and losing their job. They may also comply with such requests purely from the desire not to be called a "naysayer" and acquire a reputation for being such a person.

Also, social engineering is made possible because it is cool to be nice: if you agree to a request, you do it and it is over and done with, whereas if you refuse the request, you have to give all kinds of explanations as to why you cannot do that particular thing.

  5. What is the future ahead?

To combat social engineering, one must be able to think and behave more like a social engineer, as Brett Wahlin, a former US counter-intelligence officer currently working at Sony, put it. To prevent another attack on Sony, he states that they are going to use "counter-intelligence" to prevent future penetrations of their systems by resorting to "FBI-inspired human behaviour profiling" tactics and sophisticated fraud detection mechanisms. He further stated that they are going to look into people's interactions, which includes badging systems and phones (who is called, and when), and look into browser history and which applications their people use, in order to detect suspicious activity and react appropriately.

The best thing to do to combat future social engineering attempts, and something that is now coming to life, is performing "live", real-time tests involving micro video games that combine fun and practice. A study involving more than 500 employees, conducted over one month, concluded that embedded training lowered the number of successful social engineering attacks by 50%, which clearly indicates that the future is bright for such preventive mechanisms.

  6. Conclusion

It can be concluded from our discussion that social engineering is a widely used penetration method, as humans are the weakest link in a system and a penetration can be performed without the involvement of complicated technological processes and phases. Even a person with no IT background can penetrate a system, as face-to-face social engineering occurs in around 40% of all such attacks. People who perform social engineering are more knowledgeable in human psychology, body language, and gestures than in hacking.

The future seems bright for security awareness as regards social engineering: novel methods of training can drastically reduce the chance that such attacks succeed, while the current human mindset has to be changed in order for such attacks to become harmless.

Finally, our innate human nature makes us susceptible to such exploitation, and that is why such exploits will probably continue to exist in the near future.

To visit the online exercises and test your understanding of Part II, which is also the last part of this article, please visit: 


References

  1. Verizon RISK Team, '2012 Data Breach Investigations Report'. Available at: http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf. Accessed 6/6/2014.
  2. EMC Academic Alliance, 'Social Engineering and Cyber Attacks'. Available at: http://www.slideshare.net/emcacademics/11467-test9. Accessed 7/6/2014.
  3. SANS Institute, 'Global Information Assurance Certification Paper. Psychological Based Social Engineering'. Available at: http://www.giac.org/paper/gsec/3547/psychological-based-social-engineering/105780. Accessed 9/6/2014.
  4. Wikipedia, 'Psychological manipulation'. Available at: http://en.wikipedia.org/wiki/Psychological_manipulation. Accessed 10/6/2014.
  5. John G. O'Leary, 'Psychology of Social Engineering: Training to Defend'. Available at: http://csrc.nist.gov/organizations/fissea/2006-conference/Tuesday300pm-OLeary.pdf. Accessed 8/6/2014.
  6. Susanne Quiel, 'Social Engineering in the Context of Cialdini's Psychology of Persuasion and Personality Traits'. Available at: http://doku.b.tu-harburg.de/volltexte/2013/1221/pdf/Social_Engineering_in_the_Context_of_Cialdinis_Psychology_of_Persuasion_and_Personality_Traits.pdf. Accessed 11/6/2014.
  7. Stephany Nunneley, 'Sony using "social engineering psychology with data analytics" to fight security breaches'. Available at: http://www.vg247.com/2012/03/13/sony-using-social-engineering-psychology-with-data-analytics-and-user-education-to-fight-security-breaches/. Accessed 10/6/2014.
  8. Nick Mediati, 'Reports: 77 Million PlayStation Network Accounts Compromised'. Available at: http://www.pcworld.com/article/226352/sony_77_million_playstation_network_accounts_hacked.html. Accessed 11/6/2014.
  9. Mosin Hasan, Nilesh Prajapati and Safvan Vohara, 'Case Study on Social Engineering Techniques for Persuasion'. Available at: http://airccse.org/journal/graphhoc/papers/0610jgraph2.pdf. Accessed 9/11/2014.
  10. SECPOINT, 'Top 10 Social Engineering Tactics'. Available at: http://www.secpoint.com/Top-10-Social-Engineering-Tactics.html. Accessed 11/6/2014.
  11. Clark Case, 'The Top 7 Psychological Triggers Behind Social Engineering'. Available at: http://www.merchantlink.com/blog/top-7-psychological-triggers-behind-social-engineering. Accessed 10/6/2014.
  12. Joan Goodchild, 'Mind Games: How Social Engineers Win Your Confidence'. Available at: http://www.csoonline.com/article/2124219/security-awareness/mind-games--how-social-engineers-win-your-confidence.html. Accessed 05/06/2014.
Ivan Dimov

Ivan is a student of IT and Information Security. He is currently working toward a Master's degree in the field of Informatics in Sweden. He is also a freelance web developer engaged in both front-end and back-end coding and a tech writer. Whenever he is not in front of an Internet-enabled device, he is probably reading a print book or traveling.