Social Engineering Techniques

Social Engineering, as defined in Wikipedia, is the act of manipulating  people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. Simply put, social engineering is one of the simpliest forms of hacking, wherein a social engineer does not need special technical skills or tools to get confidential information.

Few people know that social engineering is one of the biggest forms of hacking the IT industry is now facing. Why? People trust people they know and its easy for these people to give out confidential information to people they trust and know.

But it doesn’t matter how many locks you put on the door that is your security plan, because criminals who use social engineering techniques will still sail right in. Why bother breaking down the door if you can simply ask the person inside to let you in? There is an old adage here that says “most crimes are done by people who you know and let into your house.”, so its the same adage applied in social engineering. There is often a debate about what is more prevalent and more dangerous: Is it the outsider threat or the insider threat? Once you accept the success of social engineering, you will recognize there is no distinction anymore. If you have an outsider, and they use a social engineering technique, they become an insider.

Based on studies done on social engineering, there could be four (4) techniques in doing so, namely:

Alternative communication channels:

Scam artists make use of alternative channels of communication because they catch people off guard. Attackers find their victims are more susceptible to influence when the attacker engages them using a different medium than the victim is used to. An example of this scam that was noted used windshield flyers. The flyers alerted drivers that their car was “in violation of standard parking regulations” and asked them to log onto a site where they could get more information.If you got a spam message that said this, you probably would have disregarded it.  But when people got this notice in the physical world, outside of the normal channel they are used to being on guard in, they went to horribleparking.com and they saw some pictures of improperly parked cars in their own town. Of course, if they wanted to see their own vehicle parked improperly, they had to download this media player. If they downloaded it, they infected themselves with a fake antivirus tool. Of course there are also vishing scams, where victims receive voice mails asking them to contact their bank about fraudulent account activity as another variation of this kind of attack. People call the number and are prompted by a series of voice commands to enter sensitive information, or they are connected with someone claiming to be a bank representative.  USB keys are another example of an alternative-channel exploit. There was a recent attack using USB keys that spread the Conficker worm, and noted that victims are often not suspicious of USB keys and put them right into the machine without a second thought. While it used to be standard for computer users to scan floppy disks for problems, the same protocol does not exist with USB keys.

Personality relevant messaging:

People don’t want to just get e-mail, they want me-mail. A me-mail is an e-mail message that is more personally interesting is going to get more attention, and criminals know that. A variation on this kind of scam involves spoofing messages to look like they come from a trusted source. One common attack lately uses delivery company UPS (or United Parcel Services) as the scapegoat. The message from “UPS” claims there was a failed attempt to deliver a package, and asks the victim to print out an invoice to take to the UPS center to pick it up. If I print it, it’s probably going to be a malicious executable or a malicious PDF file, and that’s how they are going to get  you. How do we tell our users not to open attachments from people they don’t know? It’s not very useful advice anymore. Because the messages that come to them are from people they are likely to know.

Social Compliance:

It is human nature that people want to do what others are doing. And our tendency to follow the crowd can also make us social engineering victims. Criminals know you will be more inclined to trust something that is popular, or recommended by trusted sources.It’s this kind of psychology that lead to the success of the recent ‘likejacking’ or “clickjacking” attacks on Facebook.  Facebook users were fooled into ‘liking’ websites that claimed to have information about celebrity secrets or photos. Instead, victims found themselves clicking on a maliciously-created website produced by hackers who had hidden an invisible button under the mouse. Clicking on the website hijacked the mouse click and secretly caused users to ‘like’ the webpage. This activity was then published the victim’s Facebook page, and gave the malicious page legitimacy, causing others to also ‘like’ it.Criminals have also exploited social compliance by uploading malicious software onto a file sharing site where software junkies go to find the latest and greatest products. The worm then kept hitting the download to artificially inflate the counter so the file would float to the top and appeared as the most popular download. If other people like it and download it, I want to see what others download and I download it.”

Reliance on Security Mechanisms

Because we are so used to certain security mechanisms, and often take them for granted, they are no longer protecting us. There was this story that featured a social engineer dressed as a police officer who comes into a store. He tells the clerk there have been counterfeit bills passed in the area, and gives the clerk a special pen, which he says can be used to verify real or fake money and will turn red on bills that aren’t legitimate.Later, someone else comes in and passes a fake bill. The clerk flags the bill as possibly fake and uses the pen. But the ink turns green, which indicates it’s OK. But in reality, the pen itself was fake, too, and would never have uncovered a fake bill in the first place. But the clerk’s trust in the police makes this con work.

The same holds true for the many security updates computer users have become accustomed to getting. Flash updates, for example, have been used in this type of exploit. You go to site, you get an error message that says you need to download the latest version of Flash. The victim has no way of knowing if they are downloading a legitimate tool, and in many cases they are not.

So how to we keep them out?

What do these four strategies mean for security? That the outsider can very easily become an insider.  And so far, training people and employees to be aware of social engineering has failed. When we look at our security architecture, we need to start thinking less, and focusing less, on external barriers. Focus more on what goes on inside the organization. We need to be putting more focus on internal segmentation of resources and internal monitoring of traffic that goes within and outside of your environment . And focus on giving your users as little privilege as they need. Not because you don’t trust them, but because you know they can easily be scammed and you are trying to protect them.

Remember, it’s just as easy as someone you know who works with you, calling you and getting your login and password and getting access to your financial and customer files.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s