Social Engineering 2—What Do We Have To Watch?

July 5, 2012 by Adrian Stolarski

In my previous article we focused on providing an introduction to social engineering. For the purposes of this article, I want readers to consider the words of Albert Einstein to be their mantra: “Only two things are infinite – the universe and human stupidity, and I’m not sure about the former.”

Let’s Go

So let’s begin the game. Due to the size and nature of this publication, I am forced to narrow the scope of this article to the most prominent methods of attack:

Following the rules described in the previous article, the first step to a successful attack will often involve tricking an employee into performing some routine task. This is generally accomplished through an e-mail attachment containing some information of interest to the targeted employee (e.g. personal information about a co-worker, or information on how to access a benefits program run by the company).

Shortly after the victim opens the attached document, malware installs itself on the victim’s machine. A typical example is a program that records keystrokes, giving an attacker access to the corporate network and to the data stored on local and network drives.

Another rule that an engineer can exploit when attacking is the rule of authority. An attacker can claim to be a superior and pressure a subordinate into disclosing critical business information. Board members and their closest associates are not always subject to the same security standards as regular employees.

For example, I once walked into a business with a colleague and we were both dressed in formal business wear. Without too much resistance, we were allowed to enter the business because everyone assumed we had a strong connection with the management division and security preferred not to ask unnecessary questions. Attackers can easily use deception tactics to exploit such subservience to superiors.

Another extremely dangerous rule used by attackers is the rule of sympathy. This works best when imitating an emergency scenario involving immediate family or a loved one. For example, a social engineer can call a general company line or a private number and explain that a family member will not receive funds because of transfer delays and other problems. The attacker will then offer to assist the individual in need, but certain information must be provided first, such as a bank account number or social security number.

In this situation, victims tend to be guided by a desire to settle the matter as soon as possible and often provide information without verifying the credentials of the hacker. Another vulnerability occurs when an employee himself needs money and is waiting for a bank transfer. Remember that the nervous employee is easy to manipulate because emotions prevail.

Keep in mind that most people are not really bad, and generally are guided by an instinctive desire to help. This tendency to want to help can also lead to another problem: feedback social engineering. A hacker using social engineering may stage a scenario (such as depriving employees of access to the network), and then go on to pretend to be someone else from the IT department.

Overall, the mechanism for asking for help is one of the most widely used manipulations by social engineers. This desire to aid (or seek aid from) a co-worker also triggers the reciprocity rule, which makes socially engineered attacks even more effective.

In extreme cases, a social engineer does not really have to do anything, because untrained employees will simply make mistakes in how they distribute information. A simple example is the procedure for terminating banking or telecommunications accounts. Such information should never leave the company, yet just imagine how many documents containing it are circulated throughout the company on a regular basis.

In an even more extreme example, I was talking with a former employee of a large telecommunications company in Poland, and our conversation turned to the security features of his former company. During this conversation I drew from him all the information I would need to re-route all network traffic from the corporate operator. If I had used this information to attack, it would have been child’s play to hack into the company’s systems.

Another trick is getting the private phone number of a company employee. To do this, one only needs to know an employee’s name. Once we have a name, we can call corporate headquarters and come up with some plausible scenario like: “Call the number xxx-xxxx-xxxx-xxxx, please. It’s very urgent! Thanks! This is the administrator” (and similar variations). If you want a cell number, you can pretend to be a customer interested in offering a fictitious contract. A faux-secretary will then ask the manager to return your call.

Another important weapon used by a social engineer is garbage. Discarded papers contain e-mail addresses, names of managers, and information on co-workers. In fact, garbage is very rarely damaged or destroyed, and shredders are not designed to completely obliterate text. Vital information, like account information or a bank balance, can still be readable on shredded paper. With this information, a social engineer can successfully reproduce the company’s organizational structure. Or a competitor can bribe a custodian to glean private information directly from the refuse.

Another very important issue that arises is that every new employee in the company will make mistakes. The American model of business often assumes that individuals will learn from their previous business experiences at other companies. Yet while new employees should be given a larger margin for error, they should also be watched vigilantly.

For example, a social engineer may call a company and hold a long, yet fruitless conversation. The point of this conversation will be to hear all conversations going on in the background. From this overheard noise, a hacker will glean addresses, customer IDs, and other private information. Another funny thing: we all love corporate network administrators because, thanks to them, we can easily get the password to our network. The more complicated the password, the better for us; and the more passwords, the better.

However, the human brain has its limitations, and not all employees can remember the many combinations of characters in long passwords. So employees write their passwords on pieces of paper or use simple dictionary passwords. Remember: if we have to write a password on a piece of paper, let’s be careful about it and hide the password well. Put 5 random characters in front, and then make the password itself 10-20 random characters. Or create ten lines of text consisting of random characters, and insert the password in only one of those lines.

The social engineer may also physically visit an employee of a larger organization while pretending to work with a potential client, an allied company, or even the police. Using this strategy, an attacker may call and say that he or she has prepared a questionnaire in order to improve cooperation between the two companies. In this way, by making the request appear relevant, a social engineer can gain information that will be useful for a later attack.

Another situation that rarely arises is a direct attack on the company, though these are almost impossible to achieve. A hacker who has gathered sufficient information can pretend to be a courier delivering a physical package to a specific employee. If the cover story is built correctly, the “delivery” person will claim to be dropping off a package and, through this ruse, gain physical access to the business. Once said “delivery” person is in the building, he or she can behave like an ordinary employee. No one will check. In such situations a hacker can easily get access to printed information or other data.

Remember the previously mentioned rule about items that are not available? Well, once an item becomes more available, it also becomes more of a target in the eyes of the hacker. A social engineer may create a situation that forces a staff member to impart critical information. For example, a hacker may cut off a user’s access to a company server and, through this ploy, gain access to account passwords and information.

A similar tactic is to create the impression that a credit card has been deactivated or is in danger of not being processed correctly. The hacker will then ask the victim to please enter the login and password for a personal account, such as eBay. Phishing is common with this type of attack. Again, with a phishing scenario the mechanism is very simple and consists of persuading the victim to disclose the specific information needed for fraud. With this type of scam, an attacker doesn’t need to be an IT expert: he or she simply needs a bit of ingenuity combined with social engineering and a naïve target.

How to Defend

Above are just a few examples of the hundreds, if not thousands, of techniques that can be used in socially engineered attacks. Every day, attackers learn to exploit another aspect of daily life. They expand their knowledge by taking courses in psychology, sociology, and anthropology, and continue to develop their natural gifts. Our main strengths in combating these attacks lie in confidence, patience, and experience. Keeping this in mind, we can develop techniques that are 100% effective against socially engineered attacks.

First, check and re-check whether the person you’re talking with is who he or she claims to be. By weaving webs of manipulation, social engineers can learn a lot about a company and a victim, but they can’t learn everything. This is why it’s so important to follow all safety and security rules at all times. If we have six verification codes and randomly select code K, then ask the caller to verify code K. Let’s not yield to a request to bypass a code or procedure because the caller offers some excuse, such as saving time or that another person is working at his computer. This may be a clever lie: the caller may simply be a social engineer who knows one code and is trying to learn another.
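The verification procedure described above, as an added example written for this article rather than code from the author or any product: the system, not the agent, picks which of the six codes the caller must read back, a caller who offers a different code number is treated as a failed attempt (the "I only know code #2, that should do" excuse), and repeated failures lock the account so that verification has to move to another channel. The six code values, the two-failure limit and the `CallerVerifier`/`run_call` names are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample record: six verification codes agreed with the
# account holder in advance. Placeholder values, not real codes.
SAMPLE_CODES = ["4471", "9032", "1185", "7726", "3309", "6648"]


@dataclass
class CallerVerifier:
    """Challenge-response check for a phone caller.

    The agent never chooses the code: the system picks K at random, the
    caller must read back exactly code K, and no method here lets an
    agent skip, swap or reveal a code.
    """
    codes: list
    max_failures: int = 2          # hypothetical policy value
    failures: int = 0
    locked: bool = False
    log: list = field(default_factory=list)

    def challenge(self) -> int:
        """Return the 1-based index K of the code the caller must give."""
        if self.locked:
            raise PermissionError("account locked: escalate to in-person verification")
        k = secrets.randbelow(len(self.codes)) + 1
        self.log.append(f"challenge issued for code #{k}")
        return k

    def verify(self, k: int, offered_index: int, answer: str) -> bool:
        """Accept only if the caller answers for code K itself.

        Offering a different code number counts as a failure, exactly
        like a wrong value: a caller who knows one code may be probing
        to learn the others.
        """
        if self.locked:
            self.log.append("attempt while locked")
            return False
        if offered_index != k:
            self._fail(f"caller offered code #{offered_index} instead of #{k}")
            return False
        expected = self.codes[k - 1].encode()
        # constant-time comparison so timing does not leak partial matches
        if hmac.compare_digest(expected, str(answer).strip().encode()):
            self.log.append(f"code #{k} verified")
            self.failures = 0
            return True
        self._fail(f"wrong value for code #{k}")
        return False

    def _fail(self, reason: str) -> None:
        self.failures += 1
        self.log.append(f"failed: {reason} ({self.failures}/{self.max_failures})")
        if self.failures >= self.max_failures:
            self.locked = True
            self.log.append("locked: caller must verify through another channel")


def run_call(verifier: CallerVerifier, caller_codes: dict) -> bool:
    """Simulate one call where the caller knows only caller_codes {index: value}."""
    try:
        k = verifier.challenge()
    except PermissionError:
        return False
    if k in caller_codes:
        return verifier.verify(k, k, caller_codes[k])
    # Caller does not know code K and tries to substitute one they do know.
    fallback = next(iter(caller_codes), 0)
    return verifier.verify(k, fallback, caller_codes.get(fallback, ""))


if __name__ == "__main__":
    legit = CallerVerifier(SAMPLE_CODES)
    print("legitimate caller:", run_call(legit, {i + 1: c for i, c in enumerate(SAMPLE_CODES)}))
    impostor = CallerVerifier(SAMPLE_CODES)
    print("impostor knowing one code:", run_call(impostor, {2: "9032"}))
    print("\n".join(impostor.log))
```

The design point is that the substitution path does not exist in the code: an agent following the script has nothing to click or type that accepts "code #2 instead of #5", so the excuse has nowhere to land, and the log records which code number an impostor tried to steer the conversation toward.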

I ask you, reader, do not indulge in emotions, peer pressure, or fears of authority. Remember The Matrix? “You have to give up everything. Fear. Lack of faith. Doubt.” If my boss is wrong, I look him in the eye and tell him that he is wrong. If I see that a company that has hired me is not ready for a simultaneous attack, I give it to that company straight. I’m not afraid of losing a job or facing consequences.

Never open email attachments or files from unknown sources. For more information, check out the resources at InfoSec.
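One way to enforce the attachment rule before a message ever reaches an inbox, as an added example that is not part of the original article and not a product of InfoSec: a mail-gateway style screen that parses a message with the standard library, looks at each attachment's file type, flags double extensions that disguise an executable as a document, and marks anything from outside the organization's own domains as an unknown source. The internal domain list, the blocked extension set and the sample message are constructed placeholders for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Policy values below are constructed for this example, not from the article.
INTERNAL_DOMAINS = {"example.com"}
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "jar", "docm", "xlsm"}

# Constructed sample message: a "benefits" lure from a look-alike domain
# carrying an executable named to look like a PDF. The base64 body is
# just the text "not really an executable".
SAMPLE_EMAIL = b"""From: "HR Benefits" <benefits@example-benefits.net>
To: employee@example.com
Subject: Your 2012 benefits enrollment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached form today.
--XYZ
Content-Type: application/octet-stream; name="benefits_form.pdf.exe"
Content-Disposition: attachment; filename="benefits_form.pdf.exe"
Content-Transfer-Encoding: base64

bm90IHJlYWxseSBhbiBleGVjdXRhYmxl
--XYZ--
"""


def attachment_findings(filename: str, sender_addr: str) -> list:
    """Return the policy findings for one attachment; empty list means clean."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"blocked type .{ext}")
        # "form.pdf.exe": the real type is the last extension, the rest is bait
        if len(parts) > 2:
            findings.append(f"double extension hides executable: {filename}")
    domain = sender_addr.rsplit("@", 1)[-1].lower() if "@" in sender_addr else ""
    if domain not in INTERNAL_DOMAINS:
        findings.append(f"external sender {sender_addr or '(missing)'}")
    return findings


def screen_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results[name] = attachment_findings(name, sender)
    return {
        "sender": sender,
        "attachments": results,
        # quarantine if any attachment produced at least one finding
        "quarantine": any(results.values()),
    }


if __name__ == "__main__":
    report = screen_message(SAMPLE_EMAIL)
    print("sender:", report["sender"])
    for name, findings in report["attachments"].items():
        print(name, "->", findings or ["clean"])
    print("quarantine:", report["quarantine"])
```

In practice the external-sender finding alone should not block mail, but it is the signal that turns "open the attached form" from a routine task into a request from an unknown source, which is exactly the judgement the rule above asks each employee to make.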

Ensure regular and thorough destruction of garbage and other printed materials produced by the business. Don’t disclose any confidential material or write said material in documents meant for general circulation. Block calls from independent third parties so they cannot hear the background noise going on in your office. If you meet resistance from company management, review this article.

Be sure to check the credentials of any person asking or offering to help, especially with regard to financial situations.

Also, regularly train staff members to be aware of social engineering and tactics employed by hackers. A well-trained staff can halve the problem.

In Conclusion

Social engineering is really the manipulation of human behavior in order to achieve material gain or confidential data. This is not a new phenomenon. Since the dawn of humanity, individuals have been using the principles of social engineering to achieve their goals; and as technology has advanced, tactics for socially engineered attacks have become more and more common among hackers. I hope that after reading this article you’ll have a better understanding of this problem as it threatens company security.


Adrian Stolarski is a freelance security tech blogger, specializing in Java, PHP, and JQuery. In his own words, he does the hard work of training the unemployed. Currently, he handles Evaluation Visualization for real-time systems with XWT and Eclipse RAP. If he sees that something works, he asks how it works and why it works, then sets out to make it work better. A researcher for InfoSec Institute, he currently lives in Poland, but plans to move to London.