Checklist 45: Social Engineering; The Human Element of Hacking
In this weekly edition of The Checklist, we’re looking at what you need to know about social engineering: what it is, the techniques today’s bad guys use, how you can detect it, and more.
Not all hacking takes place from behind a keyboard. There is an important human element involved, too. Why should a hacker go through the effort of deploying malware to obtain user passwords when they might be able to gain them through a clever request? Deception is as much of a threat in the world of security as any malware. From the growing threat of spear phishing email campaigns to liars posing as others on the phone, these threats all fall under the same umbrella: social engineering.
It’s important that we think about security measures beyond the protective bubble of anti-malware software. We can start by looking at the origins of this practice.
- An overview of social engineering.
- Why is social engineering a problem?
- High-profile social engineers & their exploits.
- Modern social engineering threats and methods.
- Guarding against social engineering attempts.
An overview of social engineering.
What is social engineering? It’s not what the people who build sites such as Facebook and Twitter do, that’s for sure. We could start by making a quick comparison to a topic we’ve covered on The Checklist before: phishing. When someone sends you a phishing email claiming that you need to tell them your password due to a problem with your account, we could consider that a form of social engineering. It’s more than just a lie: it’s a lie from a supposed position of authority. That’s a big part of what social engineering is all about.
People tend both to follow “mob mentality” and to defer to authority — which means that an unscrupulous person can manipulate these tendencies to get what they want. Social engineering is all about finding ways to obtain secret or sensitive information by convincing victims, or other related individuals, to provide it to you. There are many ways to make that happen.
These techniques have been around for quite some time too. Some of the early phone phreakers used social engineering as a part of their schemes to defraud the telephone companies, going so far as impersonating telco staff over the phone to other employees. It might surprise you to learn what doors can open when you know the right lingo and use an authoritative tone of voice.
Social engineering is a means to an end, but what that end is can differ greatly from attack to attack. For example, someone might work to socially engineer information about a third party from a business as groundwork for a later attack or further social engineering attempts. An attacker might need a name, or a phone number, or even just an email address as a launching point to gain access to someone else’s information. They might social engineer information out of one person at Company A, then take that information over to Company B to siphon even more sensitive information.
Phishing style attacks look for a way to convince a user to access a fake website that looks legit, or run a file filled with malware, which they can then use to steal more information. The attacker relies on your expectation of legitimacy to get away with their scheme. Other social engineers just want an easy and direct way to engage in identity theft and will use any number of tools to do that.
So, “hacking the mind” might be another way to think about social engineering since it’s all about social expectations and psychology. If you work in a corporation and someone claiming to be from HQ calls you and asks for in-depth system information, you might give it to them without a thought. Little do you know that person isn’t your superior, but someone probing the company for vulnerabilities. That’s a good example of the kind of threat posed by these efforts.
We’ll go into detail about the most common modern social engineering methods in a moment, but we should also think about why and how these techniques pose problems. It’s easy to think we’d all be able to spot a social engineering attempt — that we could never fall prey to lies like that. Unfortunately, the reality of social engineering efforts often yields a different outcome. It’s harder to spot than you’d think.
Why is social engineering a problem?
Does the average user at home have much to fear from social engineers? Perhaps not, especially if you’re vigilant about watching out for phishing efforts. You might not become a target of a more concerted effort at home. But what about outside of that safe digital bubble? That’s much different, and it’s still important to act as if it could happen at home. Complacency is the biggest security risk of all. We see that all the time with the way malware attacks succeed in using exploits that were patched long ago.
Social engineering efforts outside of large-scale phishing are often much more targeted. They’re undertaken by individuals who have a specific goal in mind, and who may have a complex plan to go along with it, too. The main targets of social engineering attacks aren’t users at home — they’re employees at businesses of all types.
Think about it: where’s the most potential to reap a financial reward, to steal valuable information, or just to cause chaos? It’s the business world, where tons of money flows back and forth every day. Many businesses also keep extensive client records, which is the true treasure trove for social attackers. With companies in the crosshairs, it’s extremely important that they take steps to protect their customers and their staff.
Unfortunately, when the rubber meets the road, many organizations remain vulnerable to social engineering attacks. That’s because of the “it won’t happen to me” attitude. It turns out that most employees do not see their actions on an individual level as important. They might not even see themselves as a part of their organization’s security efforts at all. Privileged users often don’t think about how privileged they are regarding access. They may think that security precautions are for others to take — that they couldn’t possibly end up in the sights of a social engineer.
Because of this complacency, it’s often a cakewalk for a skilled individual to convince someone to hand over the information they want. Even a scam as basic as posing as someone from IT and calling someone at their desk to ask for a password might work, depending on the user. It’s our inherent desire to trust others that places us at risk. The simple fact that these methods are a lot harder to detect, as opposed to just sweeping your computer systems for malware, makes them that much more of a threat. There have been numerous individuals who’ve found that out firsthand.
High-profile social engineers & their exploits.
Let’s switch gears now. It’s one thing to have a basic understanding of social engineering and why we should be concerned about it, but what about its actual real world impact? What is a successful social engineering attack? Well, you wouldn’t notice a successful attack — not right away, anyway.
That’s the point: the social engineer would have you fooled into thinking you were speaking to someone with real authority. Over the past few decades, there have been numerous examples of social engineers whose exploits have come to light after they’ve revealed them or been caught in the act. We can get a better sense of the potential threat here by seeing what others have done in the past.
We should probably start with a man named Kevin Mitnick, perhaps the most famous or well-known social engineer out there. Though he’s often described as a “hacker” in the media, he is not one in the sense we might think of today — during his exploits in the 80s and early 90s, Mitnick relied primarily on his ability to charm others to break into systems. In other words, rather than break a lock to get inside, Mitnick always knew where to look to find the spare key. He got his start at an early age when he began looking for a way to ride his local bus system for free.
By convincing a bus driver that he had a “school project” to work on, he discovered where to buy a ticket punch like the kind used to void tickets. Combined with unused ticket slips he found in the garbage of a station, Mitnick could ride wherever he liked for free. Some years later, he entered the phone phreaking scene, and began the first of his serious experiments in what he could achieve with social engineering.
During this period, Mitnick and some friends went so far as to talk their way past security guards at a Pacific Bell facility. They accessed the computer center for phone operations and wrote down plenty of usernames and passwords for later use. Mitnick even planted false information in a rolodex file to allow them to undertake additional social engineering efforts later; this was typical of the type of scheme Mitnick could execute. He even managed to gain illicit access to ARPANET, an act that landed him in juvenile prison for six months.
Later, Mitnick continued his exploits in phreaking and hacking, going so far as to try to obtain a copy of an operating system from a developer. During this time, Mitnick was on the run from the FBI. It all ended with his eventual arrest, and he was one of the first people charged under new laws related to computer crimes. In the years since his release from prison in 2000, Mitnick has become an active security researcher, author, and advocate for awareness about techniques like social engineering.
What about other famous social engineers? The Badir Brothers are a trio who made a name for themselves around the time of Mitnick’s conviction. Born blind, all three brothers became active in phreaking and used charm and intimidation over the phone to social engineer their way to crucial information. At one point, they even tapped into an Israeli Defense Force telephone network to make free international calls. Only one of the brothers ever went to prison for their exploits, which remain largely unknown.
Of course, as we said earlier, the most successful social engineers are the ones whose identities we never uncover. They don’t often go on high profile sprees like Mitnick or the Badir Brothers; instead, they make subtle moves and work hard to avoid detection. Year after year, there are countless stories of successful social engineering attacks, whether they include phishing, malware, or just plain conversation.
Modern social engineering threats and methods.
Now that we’ve covered a bit of a “who’s who” of social engineering, let’s move on to discussing more of the modern methods used today. Anyone can still call up a company and try to pretend to be someone else — and that does still happen. But the techniques used to manipulate people today are much more varied. If you’ve ever undertaken social engineering training while working for a corporation, then you’ll already know that these attacks can come from almost any angle. The creativity of the individual social engineer gives them much greater leeway to craft possible attacks. There’s also the fact that it’s much easier to convince a person to do something than it probably is to infect them with malware directly.
By far the most common type of attack is what we call “pretexting.” In other words, the engineer creates a pretext for acquiring what they want, whether that’s information or something else like cash. One popular pretexting scam common today circulates both on social media and in our email inboxes. Most often the attackers will use a compromised account to reinforce the validity of their assumed identity, but not always.
In this method, the bad guys send a message claiming to be a friend or relative who has become stranded — or worse, arrested — in another country. They fabricate a convincing story and try to use details they’ve gathered about the victim to sound legitimate. Senior citizens are a popular target. After explaining the pretext, they ask for cash to help bail them out of the situation. Of course, there is no emergency, and any money sent will just disappear into the attacker’s pocket. While this kind of far-fetched emergency scenario could be easy to see through if you’re alert, there are many other pretexting scams that could do far more damage.
At DEFCON in 2012, a social engineering competition in front of a live audience saw one competitor engage with a remote Wal-Mart store employee on the phone while posing as a supervisor from headquarters. By simply using friendly banter and the right jargon, he could learn everything from supervisor schedules and break times to the layout of the store. For a malicious person, that kind of access opens a world of possibilities for exploitation.
After pretexting, we have phishing of course, but more importantly, spear phishing. Spear phishing emails target individuals, are very customized, and exhibit a high degree of legitimacy — most of the time. The giveaway is often an unusual request, such as the need to reset your password unexpectedly or log in to a website from a link in the email. You’ll usually end up downloading malware or plugging information into a fake “water hole” of a website, since you expect a site that you trust to be free from problems like this. We saw numerous successful examples of spear phishing targeting individuals in political campaigns last year, including emails that claimed to come from Google.
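The giveaways described above, as an added example that is not part of the original show notes: a Python triage function that flags a brand display name sent from an unrelated domain, link text that shows one domain while the link goes to another, and a password-reset or login request. The brand table, the finding names and the sample message are assumptions constructed for illustration, and the function assumes a single-part HTML message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: brands this mailbox expects mail from, mapped to their real domains.
BRAND_DOMAINS = {"google": {"google.com"}}
CREDENTIAL_PROMPT = re.compile(r"reset your password|sign in|log in", re.I)
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def triage(raw_message):
    """Return warning signs found in one single-part HTML message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    findings = []
    # 1. Display name claims a brand the sending domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(in_domain(sender, d) for d in domains):
            findings.append("display-name-mismatch")
    # 2. Link text shows one domain while the href goes to another.
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and not in_domain(host, shown.group(0)):
            findings.append("link-text-mismatch")
    # 3. The message asks the reader to reset a password or log in.
    if CREDENTIAL_PROMPT.search(msg.get("Subject", "") + " " + body):
        findings.append("credential-prompt")
    return findings

# Constructed sample (not a real message); .example domains are reserved.
SUSPICIOUS = (
    'From: "Google Security" <alerts@accounts-google.example>\n'
    "Subject: Someone has your password\nContent-Type: text/html\n\n"
    '<p>Reset your password: <a href="http://login.accounts-google.example/r">'
    "https://accounts.google.com/reset</a></p>\n")
print(triage(SUSPICIOUS))
```

A message that trips none of the three checks is not thereby safe; the checks only surface the giveaways named above so a person can verify the request through another channel.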
Other attacks take place in the real world. For example, to slip into a secure area, someone might employ the technique of “tailgating.” While looking like they have a legitimate purpose, they follow someone else through a restricted access door after that person uses a valid access code. When the intruder poses as an employee, most people will not think twice about holding the door for them in this situation. That kind of second-nature lapse in security is why it’s so important for companies to enforce their policies on access.
Baiting is common, too: this is when removable media, like a USB drive, is just left somewhere in plain sight. Naturally, a curious person who finds this drive will stick it into their machine to see what it contains. The answer? It’s malware, and it’s a common and clever way to infect systems that are on an internal network or behind too many access restrictions to try social engineering a way through; it’s why just about every company employs a policy that bars you from using unapproved USB devices like these! There are other methods, too, but these are some of the main ones. Since social engineering relies on complex lies, attacks can take many, many forms.
Guarding against social engineering attempts.
It’s obvious just from the widespread effects of phishing that social engineering is a threat worth taking seriously. How can you protect yourself from these schemes and lies? Defense against social engineering begins with individual users. Like we discussed earlier, structural defenses against these methods aren’t always effective because of the “not my problem” effect. So, the first step in protecting yourself is realizing one simple fact: yes, it could happen to you!
Chances are, you won’t be targeted by a serious effort individually — not unless your profile is high enough in some way to make it worthwhile for a social engineer. That doesn’t mean you won’t experience phishing attempts, but you can check out more on how to guard against that in the episode of The Checklist we dedicated to that topic.
When you work for a company, though, especially if you are in a position of authority, you could become an incidental target of a social engineering effort. We think it should also be clear by now that social engineering doesn’t always involve computers — someone could show up at your office in disguise! Yes, it might sound like a spy thriller, but that’s the reality we face.
The most obvious defense is to exercise healthy skepticism. You don’t need to doubt every call coming into your office, but just use common sense. You shouldn’t blindly trust whoever calls or shows up saying they’re authorized to conduct repairs or access a restricted area. When in doubt, fall back on the old “trust but verify” procedure. Ask to see credentials and verify that they’re legitimate. Challenge those exhibiting suspicious behavior to prove they are who they say, or go to a superior and ask for advice. It’s better to raise a false alarm than to open yourself or your employer to considerable damage.
That doesn’t mean you need to interrogate everyone who calls you. Just be aware of what an attack might sound like, and don’t forget that social engineers do their homework. They want to be able to sound as authoritative as possible, so they may know some basic details. Ask questions you’re certain only someone in their position would know, or request documentation related to their request. If they have a legitimate reason to need something from your organization, they should be able to back it up with ease.
On a more personal level, we should create walls between portions of our digital lives by avoiding consolidation. Is it convenient to run everything off one email address with one password? Sure it is — it’s also a security risk. Even if you use multiple passwords, relying on one email account means disaster if someone socially engineers their way inside that single account. Partition off different activities with unique accounts and passwords. This way, even if someone hacks one account, it won’t lead to a domino effect through the rest of your life.
On your accounts where the option is available, enable two-factor authentication. It isn’t a foolproof method, but it will provide you with an important additional layer of protection. Some dedicated social engineers have called companies posing as the account holder and spinning a sob story until they finally convince an employee to disable 2FA. Even so, it’s still a good idea, since it means that if someone compromises your password, you’ll know without much delay. Brush up on what you should do to make strong passwords and keep them in order.
Finally: don’t forget that you need to always keep your defenses up against social engineering. In most cases, you won’t need to worry about it — but it’s the few other times that require some smart thinking on your part. Just as an example: whenever someone asks you for money, especially by wire transfer, take steps to make sure you’re really speaking to your friend or relative. With more people out there trying to take advantage of others through those schemes, you can’t let someone take advantage of your kindness.
Social engineering might be the part of hacking we don’t often hear about, but in many scenarios, it’s the linchpin that allows a malicious person to gain a foothold. Businesses need to be aware of the threats they face, too; not every social engineer is out to scam the business itself. As we’ve discussed, they might be on the hunt for information about a customer. Knowing how to recognize these methods and instituting behavior patterns that can counteract them is of vital importance. As hackers and others continue to try to trick us, we need to work harder to continue outsmarting them.
That’s all we have for today on The Checklist. For our listeners who’d like to know more, there’s plenty of excellent reading on social engineering out there, especially Kevin Mitnick’s The Art of Deception. We hope you’ve enjoyed this investigation into the social side of hacking. We’ll return next week with more.