Social engineering is the term that is used for exploiting the frailties of human behavior to gain access to an organization or system, or to invade the physical or virtual premises of an organization.
Social engineers, though they undoubtedly have strong technical skills waiting in the background, focus on manipulating people’s behavior to achieve the desired end, rather than trying to breach a system by manipulating technology.
Social engineers use a wide variety of methods to obtain passwords and entry credentials, or to gain access to sensitive or proprietary information, and the ingenuity of malicious attackers means that new methods and new ways of employing the old methods are always being invented.
Here we present ten of the most common methods used by social engineers.
1. Getting Information
Social engineers start by looking for information that can be used to penetrate a system or an organization. They use various trust-inducing methods to encourage people to share information, and the more they know about an individual or an organization, the easier it is for them to put the target at ease.
An employee who is approached by someone who seems to have all the information a co-worker or technician would have is more likely to be open to them. Social engineers use a variety of methods to gain information that makes them seem like insiders.
Some low-tech methods that social engineers can use to gain information are:
- Trawling the parking lot for goodies. Cars might contain security badges, smartphones, wallets, confidential paperwork or other items with great value to a social engineer.
- Social media sites like Facebook, LinkedIn, and Google+ are rich sources of information on both individuals and organizations.
- If the social engineer can enter the premises, personal items in an employee’s office can say a great deal about them.
- A good social engineer will find an opportunity to look through the trash, a veritable treasure trove of discarded but useful information.
- Creating a pretext (also called “pretexting”) is the technique of inventing a plausible scenario, such as forgetting one’s ID badge or having computer problems, that prompts the victim to willingly allow the social engineer access to his or her computer or to the system.
- A social engineer spends time finding out where the target spends time: where they shop, what clubs they belong to, what activities they engage in.
- For higher-level targets, a who’s who directory may provide a wealth of personal information that can be used to build familiarity and trust.
Higher-tech methods to be aware of include phishing in all its forms.
Phishing may be the single most common form of social engineering attack. Phishing attacks are when the social engineer sends a legitimate-looking email to people within an organization, directing them to click on a link or go to a website where they will be prompted to enter sensitive information, like log-in credentials or a credit card number.
The email will appear to come from a well-recognized entity like a bank, or from within the organization. The website will appear to be legitimate as well. Often, the email will have a sense of urgency about it, perhaps suggesting that a breach has already occurred and that this information is needed to remedy the damage. However, once the information has been entered, it is captured by the person or group executing the malicious attack.
Some other variations of phishing attacks exist. Spear phishing is targeted at an individual, as opposed to the opportunistic phishing attacks that go out to an organization at large. Whaling attacks target executives and high-level managers.
Not only do such targets frequently have high-level access, but information about them is usually easy to obtain from financial reports, company profiles, country club information, etc. And vishing is a phishing attack that uses the phone instead of email, prompting the victim to dial a number where they are eventually prompted to supply sensitive information.
Baiting is a form of phishing in which the victim is lured to the bogus website by prizes or free downloads. Once there, they must enter sensitive information in order to get their download. Sometimes, the bait will be a promised benefit, like IT assistance, but it could just as easily be a free soap sample, as long as the victim believes that he or she is getting something in exchange for providing his or her private information.
2. Getting Familiar With the Gang
As we noted above, the goal of a social engineering attack is to gain information, usually in order to execute a more technical, deeper attack on an organization’s data and intellectual property. The method to accomplish this is to establish trust inappropriately. As always, social engineers have a wealth of methods to accomplish this.
Becoming a familiar presence takes little more than patience. The social engineer may frequent a bar that is popular among employees or a club or restaurant that is a favorite of executives in the target company, saying hello and chatting with people until he or she becomes recognized and is even greeted with a smile. Bars are particularly fertile ground, of course, because drinking itself creates some intimacy, and alcohol lowers inhibitions; employees may say more than they intend or even more than they realize.
In another technique used to establish familiarity, the social engineer may choose a group of people to walk into the building with on a regular basis, either continuing all the way in (see Piggybacking below) or turning aside at the last minute. In either case, the imposter manages to become a familiar face in the group.
Social engineers will also use social networking sites to reinforce their familiarity, requesting to be a friend or connection, and following people to establish their presence. Social networking has the added benefit to the social engineer of providing a rich source of information that can be exploited to escalate a more personal attack.
3. Piggybacking
A way social engineers use their carefully cultivated familiarity is by piggybacking, one of the oldest tactics for infiltration in history, far older than the Information Age itself. In this simple but elegant tactic, the attacker waits for other people to approach the building and enters with them, “piggybacking” on their passcode and using the crowd as camouflage.
Sometimes the tactic is used to follow another employee into a restricted area: the social engineer will run after an employee entering the server room, for instance, fumbling for his or her ID card, and the employee will politely hold the door for the intruder.
Another common type of piggybacking is where the social engineer joins a group of smokers in an outdoor smoking area and simply walks into the building with the rest of the group.
In another type of piggybacking attack, the social engineer will pretend to be a delivery person, even showing up in uniform. He or she will approach the door just behind other employees, laden with a package, and will ask someone to hold the door, “piggybacking” on someone else’s legitimate access.
4. Gaining Trust With Body Language
Social engineers are experts in their field and are well-schooled in reading body language and in projecting messages using body language, an area known as neuro-linguistic programming (NLP).
Some well-known body language cues that social engineers use are actually quite subtle, and elicit trust on a sub-rational level. Breathing in the same rhythm as the target, smiling intimately and appropriately, and reflecting and responding to emotional changes are only a sampling of the subtle psychological cues a social engineer can use to make a connection with an employee.
By creating trust at an unconscious level, people default to a desire to help: holding the door so the imposter can get into the company, helping them attach their computer to the network, and so on. The social engineer, in this case, creates an atmosphere where assistance is automatic, and the target responds without thinking.
5. Gaining Trust With Sex
As obvious as it is, targeted individuals fall for it every time: Sex. A social engineer can gain trust by showing attraction for an individual in the company, even dating the person and developing an intimate relationship. Sometimes a flirtation will do the trick, and the target will be more likely to assist with log-ins, entry, and information that he or she might be reluctant to supply otherwise.
But if the flirtation alone isn’t enough to gain sufficient trust from the target, a dedicated social engineer will escalate the relationship, asking the target out on a date, ensuring the date goes well and following up with more dates, more time together, more trust. Most people wouldn’t assume that their steady date only wants to gain access to company systems; this kind of social engineering plays on an employee’s humility (“I’m not that important”) and vanity (“S/he thinks I’m sexy”) at the same time.
Attraction makes people behave in foolish ways, even ways that are uncharacteristic for them, so a social engineer who can successfully use sex in his or her favor has a powerful weapon in the social engineering arsenal. The only mystery is why, after thousands of years of sex being used to pry secrets from soldiers, spies, and statesmen, this method still works.
6. Using Hostility
An alternative to establishing trust is to establish hostility. Counterintuitive as this may sound, hostility is another form of intimacy.
Hostility generates intimacy or trust this way: people generally prefer to avoid hostile people. If someone sounds or appears angry, the instinctual reaction is to stay out of their way and avoid angering them further – perhaps opening doors, directing them to sensitive areas, or offering sympathy in an effort to avoid or assuage the anger.
One way that social engineers use this aspect of human behavior is by bonding with their targets over the cause of their anger. Who isn’t going to offer sympathy after a bad session with one’s insurance company? By sharing frustrations, a social engineer can foster a sense of camaraderie with an unsuspecting target.
Another way social engineers can use a hostile situation is if they need to go through sensitive areas on an organization’s physical site. Where normally people might be questioned, if the social engineer is displaying enough anger and frustration, many people will avoid confronting the individual, and may even open doors or assist with access where they normally wouldn’t, an instinctive reaction to deflect or defuse the hostile situation.
7. Getting an Interview… and a Job
Valuable hacking targets – that is, organizations with a great deal of valuable data – are worth greater investments of time and energy, even to the point of investing months or years in infiltrating a company. A social engineer with an ambitious agenda might succeed in getting a job, although the interview alone may supply enough information to proceed to the next level of attack.
A surprising amount of proprietary or sensitive information can be exchanged during an interview, particularly one with a promising candidate. Social engineers are skilled at asking the right questions, perhaps about the IT technology in use or the details of a business process. The interviewer, instead of realizing that he or she is being pumped for information, is impressed by the candidate’s knowledge of the topic.
A level of comfort and familiarity is established. The candidate may even manage to get the interviewer to log into the system right there, gaining all the information they need from the interview alone, and never having to show up for a day of “work”.
However, the interviewer may not be so readily led, in which case, if the target organization is valuable enough, the social engineer might succeed in infiltrating the company from within, by getting hired and obtaining official credentials. Even with thorough vetting, some social engineers will manage to pass muster, and good social engineers will be patient enough to gain trust, and probably deploy anti-detection software, before they strike.
8. Acting as a Consultant
A social engineer may instead choose to enter the company as a consultant. Consultants are often trusted with an enormous amount of sensitive information after they have signed their non-disclosure agreements. Consultants should be carefully vetted, and references obtained and confirmed before hiring, and trust levels must be increased slowly – although a social engineer posing as a consultant can be assumed to be very patient… and very stealthy.
9. Talking the Talk
One powerful tactic in the toolbox of social engineers is knowledge – real, honest-to-goodness knowledge of systems and data processing. A skilled social engineer can use those skills to get an interview or even a job, but he or she can build trust simply by being knowledgeable. People without technical knowledge can easily be overwhelmed by people who have the right buzzwords and industry jargon, and often willingly provide passwords, access, and systems information to a person who simply sounds knowledgeable and self-assured.
10. Reverse Social Engineering
Finally, there is the tactic known as Reverse Social Engineering (RSE), in which the social engineer creates a problem and then steps in to solve it. This tactic has three basic steps: the initial sabotage, offering assistance and infiltrating.
First, a social engineer uses an opportunistic attack to alert the target’s IT department that they are under attack. This can be a DoS attack on their website, or perhaps it is as simple as sending an overtly obvious phishing email. The goal is to ensure that IT knows an attack has been launched and that the network may be compromised.
Next, the social engineer appears as a security consultant or agency. With a great deal of knowledge about the problem since they helped to cause it, they demonstrate their expertise and their ability to fix the problem and offer assistance. Finally, having been hired to fix the problem they caused, the attackers are able to execute the malicious activity, like uploading malware or keyloggers, or stealing proprietary or sensitive data.
The first line of defense against social engineering attacks is a good education program for your employees, but it can’t end there. Describing some methods and guarding against them is not enough to acclimatize people to an environment of security. In order to foster a culture of defensive behavior, organizations can set up unannounced tests for employees, using unexpected social engineering techniques at random times. If employees are conditioned to think and act securely, they are more likely to do so when confronted with a real threat.
Security policies are for employees and management, including executive management. Executives are not immune because they hold a high-ranking position in the company; on the contrary, they are more valuable as targets. Include executives in employee training that covers defensive behaviors:
- Don’t open emails that come from unknown or untrusted sources, do not open odd emails, and do not click on links in emails from friends and family, even if you trust the source.
- Do not give strangers the benefit of the doubt.
- Secure your laptop when you are not at your workstation.
- Use anti-virus software.
- Do not let anyone into the building unless they have current, valid credentials.
Another step organizations can take is ensuring software on employee machines is updated and that all security patches are installed on servers. This helps in two ways: many updates are done for security purposes, and it also prevents end users from installing their own updates from untrusted sources.
In combating social engineering attacks, you must work against some fundamental human behaviors. Keeping your employees trained, impressing on them the consequences of their actions, and repeating training at frequent intervals, will help mitigate the threat you face from skilled and clever social engineers.