The term “Social Engineering” has an almost gentle sound to it, as though it involves a psychologist or social worker gently persuading people to behave in a socially correct manner, perhaps saying “please” and “thank you,” or maybe giving people strategies for navigating the paperwork and bureaucracy of life. The reality of this innocuous-sounding phrase, however, is quite sinister.
Social engineering is the process of exploiting the weakest part of your security system: the human factor. Social engineers accomplish their goals through a combination of technical sleight-of-hand and personal contact used to gain trust.
The phrase “social engineering” was originally popularized by the American security consultant and author Kevin Mitnick, who began his career as a hacker. After being convicted of wire fraud, possession of unauthorized access devices, interception of electronic communications, unauthorized access to a federal computer, and additional charges that resulted in prison time, he turned his talents to helping businesses understand and protect against the methods that criminals use to gain unauthorized access to systems.
Surprisingly, many of these methods do not use technology at all, or only use technology as an adjunct to personal contact. Mitnick admitted, in his book The Art of Deception: Controlling the Human Element of Security (J. Wiley, 2002), that he relied primarily on non-technical social engineering techniques to learn passwords and gain access to systems. Understanding what these techniques are is the first step in not falling victim to them.
Let’s look at the top ten social engineering techniques:
- Phishing. This is a well-known technique, and the real mystery is why people keep falling for it. Phishing is where the hacker sends an email that appears to come from a legitimate site, like PayPal, a credit card company, or a bank. The email claims that in order to fix or prevent a security breach, some information is required – for instance, passwords, account numbers, and so on. The target willingly provides this information in order to “protect” their accounts.
- Phishing comes in several forms. There is a version called “spear phishing”, which leverages personal information to gain the trust of the target. For example, a phishing email might capitalize on discovering where the target went to school, announcing a reunion, and inviting him or her to visit a web site where credit card information can be entered to reserve a seat. A version of spear phishing called “whaling” targets an executive, also using personal information, a great deal of which is available online. An online profile might reveal that the executive belongs to a certain country club; the hacker can then invite the target to a special event, again inviting him or her to reserve a spot by providing credit card information.
- Still another variation is “vishing,” in which the same techniques are employed over voice channels (including VoIP). This is an effective fall-back for hackers when users have been well educated about email phishing; they are alert to phony emails, but unaware that the same techniques are just as effective over voice-based channels such as the telephone.
- Smishing. This is the SMS variant of the phishing email scam: the attacker sends a text message to lure users into visiting a website or calling a given number. It is a form of attack in which the attacker tries to get malware, such as a Trojan horse or a virus, onto the user’s device. Once the user clicks the link in the message, they are prompted to download a program which is actually malware or a Trojan horse. The malware then gains access to the device, which later becomes a zombie.
- Piggybacking (Tailgating). This is perhaps the simplest and most effective way a hacker can gain access to your company. The hacker simply follows legitimate workers inside, where he or she can use other methods to start building trust. The hacker might simply follow a crowd of people inside, or perhaps join a group of smokers outside the door, and come in with them. The hacker might pretend to have forgotten his or her ID card, and ask for assistance from someone in the group; or he or she might approach the door with a heavy carton and ask for someone to hold the door, knowing that people are inclined to help one another rather than let the door slam in someone’s face. Once in, the hacker will employ other methods to gain trust in order to reach his or her real target.
- Social Networking. One way to gain trust without providing a foundation for it is to establish a relationship over social networks. Social networks are a rich source of personal information for the ill-intentioned. Information gleaned from social networks can be used to drive spear phishing attacks, to establish or further a friendship, or to impersonate a co-worker asking for information. Social networks can also give clues about where a person hangs out physically, and the hacker can frequent those same places and establish a personal relationship with the target in order to gain trust.
Social networks, along with news sites, can also provide valuable information about a company to a savvy hacker, who might be able to exploit knowledge of a merger or reorganization to his or her benefit. Demonstrating possession of such knowledge gains the target’s trust; the hacker can then send an email that uses this inside knowledge to request information like social security numbers, pass codes, sensitive information, and so on, under the guise of needing this information for administrative purposes prior to the merger or reorganization.
- Tech Talk. Once physical entry to a site is gained, a hacker might present him or herself as a technical support person who needs to know the target’s password in order to help protect against security breaches. The target willingly provides the information, believing that he or she is helping to keep information safe. The hacker might appear in person first, to gain trust, then return by remote desktop application to complete the malicious activity.
- Company Jargon. A hacker can gain trust simply by using company jargon in person or on social networks. A target often wrongly assumes that anyone using company jargon and inside references does in fact belong to the company, and will share information freely with the presumed co-worker.
- Neuro-Linguistic Programming (NLP). A hacker who is skilled in NLP will establish a personal relationship and then use subtle cues like body language or conversational familiarity to gain trust. This technique relies heavily on a knowledge of psychology, and the hacker exploits visual, tactile, and auditory cues to subconsciously signal to the target that the hacker is, in fact, a person who can be trusted.
- Sexual Attraction and Intoxication. Used separately or together, sexual attraction and intoxication are a powerful combination. The target responds to the hacker’s sexual overtures and, especially with inhibitions lowered by the use of intoxicants, will share passwords and other inside information.
- Exploitation of altruism. Hackers take advantage of the tendency of people to want to help each other – for instance, as mentioned above, holding the door for someone who is carrying a heavy carton or an unwieldy stack of books. A hacker might also do a favor for someone, incurring a sense of obligation that the target feels has to be returned. He or she may return that obligation by permitting a friendship to begin, which our patient hacker will eventually use to gain information that the target would never pass to a stranger under normal circumstances.
- Spoofing. Technical knowledge allows a hacker to make a phone call appear to be coming from within a company, either by spoofing the number on Caller ID, or by using a kind of NLP in which the hacker records the company’s own hold music. The hacker then initiates a vishing attack, and puts the target on hold during the call, playing the hold music and giving the target an unconscious cue that the call is coming from within the company.
A technical hacker can also spoof a web site URL. In this case, a phishing attack sends the target to a completely legitimate-looking site, URL and all, where he or she enters the information the hacker is looking for.
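As an added defensive example (not code from the original article), the following Python checks the links in an HTML email body for two signs of the phishing and URL-spoofing tricks described above: visible link text that names one domain while the href points at another, and a destination domain that is a near-miss of a brand the organisation trusts. The TRUSTED_DOMAINS list and the sample messages are constructed assumptions for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed list of brand domains this organisation expects mail from (hypothetical).
TRUSTED_DOMAINS = {"paypal.com", "examplebank.com"}

# Simplified anchor extraction for the demo; a mail gateway would use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(value):
    """Last two labels of the host in a URL or bare hostname: login.paypal.com -> paypal.com."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance; a lookalike such as paypa1.com is one edit from the real brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_links(html_body):
    """Return reasons the mail's links look like phishing; an empty list means nothing was flagged."""
    findings = []
    for href, text in ANCHOR_RE.findall(html_body):
        target = registrable(href)
        shown = re.sub(r"<[^>]+>", "", text).strip()
        # Visible text that reads like a URL or domain, but the link goes somewhere else.
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", shown, re.I) and registrable(shown) != target:
            findings.append(f"text shows {registrable(shown)} but link goes to {target}")
        # Domain within two edits of a trusted brand, but not the brand itself (lookalike/typosquat).
        for brand in TRUSTED_DOMAINS:
            if target != brand and edit_distance(target, brand) <= 2:
                findings.append(f"{target} looks like {brand}")
    return findings

# Constructed sample bodies (not real messages): one phishing, one legitimate.
SAMPLE_PHISH = ('<p>Please verify your account: '
                '<a href="http://paypa1.com/login">www.paypal.com</a></p>')
SAMPLE_OK = '<a href="https://login.paypal.com/help">Help centre</a>'

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_PHISH))  # two findings: text/href mismatch and lookalike domain
    print(suspicious_links(SAMPLE_OK))     # []
```

The same check applied to the sender's display name versus the actual From address catches the "appears to come from a legitimate site" half of the trick; the domain comparison logic is identical.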
- Reverse Social Engineering. In this scenario, the hacker gains access to the system first through deception or sabotage. Once it has become clear that a security breach has occurred, the hacker will advertise him or herself as a security expert who can help fix the problem. The company opens up their system to the “security expert,” who can now perform the malicious activity with virtually no impediments.
Your best defense is to educate everyone in your company, and then to educate again. Teach your employees and your security detail to be paranoid. Include all employees in your education plan, including – and maybe especially – those who have the least access to information. It is likely that your hacker isn’t going to start by going directly after the accounts with the greatest access. Patience is a virtue, and a good social engineer has a lot of patience; a skilled hacker will start with the people furthest from the goal, and work his or her way up to the real target. Ensure you have good spam systems in place, as well as a rapid response system for when a hacker does manage to penetrate your defenses. Assume that a security breach is not an “if” but a “when.”
In addition to education, a strong and well-enforced need-to-know policy can be very effective. If an employee doesn’t know an access code or critical information, he or she is unable to share it, no matter how much trust the hacker has gained.
Knowledge is power, and the more you know, the more you can protect yourself. And don’t assume that today’s techniques are all you have to worry about – hackers are endlessly inventive, and new techniques are constantly being invented and deployed. A well-informed IT manager is the best way to ensure a safe, secure system.