Social engineering attacks sneak around your electronic defenses and attack users directly. In this video, you’ll learn about the principles of social engineering attacks.
<< Previous Video: Denial of Service Next: Insider Threats >>
Social engineering is a very low-tech form of a security attack. In fact, it doesn’t involve any technology at all. It involves someone else who’s trying to gain access by using social engineering techniques. You never know exactly what the bad guys are going to come up with next. They’re always using different stories and different ideas to try to gain information from you using these social engineering techniques.
Social engineering may involve one person trying to gain access or maybe multiple people and multiple organizations acting simultaneously. They’re all coordinating their efforts and hoping that you’ll drop your shield and allow them access to anything that they might need. This might be done in person, over the phone. It might be somebody who’s sending you an email electronically. Sometimes it’s somebody who’s being very aggressive on the phone and putting you in a very difficult situation.
This is where social engineering becomes very unique. Another example of social engineering that you might not be expecting are the bad guys taking advantage of the situations where there might be a funeral and sending funeral notifications to people that are inside of your company. These are ways that the bad guys are using to try to gain access without us even realizing that it’s happening.
There are a number of principles associated with social engineering. The first time we’ll talk about is authority. Social engineer is the person who’s trying to gain access.
So they’re going to pretend that they have some type of authority that allows them access to this information. They may say that they’re calling from the help desk, that they’re with the police department. They might be with the office of the CEO. And instantly, it might make us think that we need to provide this information to them.
Another principle used in social engineering is intimidation. And it may not be something that is directly focused on you. It may instead be a situation that is intimidating. They might say that bad things will happen if you don’t help. Or it could be something as simple as saying, the payroll checks aren’t going to go out unless I get this information from you.
Another principle that’s commonly used is called consensus. You might also hear this referred to as social proof. They’re using other people and what they’ve done to try to justify what they’re doing. They might tell you that your coworker was able to provide this information last week. They’re not in the office now, so it’s something that maybe you could provide for them.
Social engineers also like to have a clock that’s ticking. There needs to be scarcity. This particular situation is only going to be this way for a certain amount of time. We have to be able to resolve this issue before this timer expires.
If the person doing the social engineering can inject some type of urgency, then they can make things move even faster. This needs to happen quickly. Don’t even think about it. Just provide this information right now so that we can solve this problem.
Another technique that they use is one of familiarity. They become your friend. They talk about things that you like. And by doing that, they make you familiar with them on the phone and make you want to do things for them.
And, of course, the social engineer is going to try to create trust between you and him. He’s going to try to tell you that he’s going to be able to solve all of your problems. He’s going to be able to fix all of these issues. You just need to trust him and provide the information he’s asking for.
One very frightening example of social engineering happened to Naoki Hiroshima. He has the Twitter username @N. And as you can imagine, that is a pretty nice username to have. You can read all about this particular event on his medium.com post.
This happened because the bad guy talked to PayPal. Did not talk to Mr. Hiroshima. Instead, called PayPal and used social engineering to learn what the last four digits of his credit card were. He then called GoDaddy because that’s where Mr. Hiroshima had all of his websites and told him he lost his credit card, but he can validate himself with the last four digits.
GoDaddy said he also needed to know the first two digits of the card. And for some reason, GoDaddy allowed him to guess until he got it right. This obviously was not very good security from GoDaddy’s perspective, but it was very good social engineering from the bad guy.
At that point, the bad guy owned all of Mr. Hiroshima’s domains, had access and control over everything, and then told him, how about we swap? I’ll give you access to your domains again. All you have to do is give me the @N username.
And at that point, there was nothing else that he could do. He says, yes, I agree to this swap. He then went to Twitter and said, this was a problem. This is what happened. This was taken from me illegally.
It took about a month, but, eventually, Twitter gave him access again to his @N username. You can read all about How I Lost My $50,000 Twitter Username at his medium.com post. This is social engineering that involved multiple organizations. But ultimately, the bad guy was able to get exactly what he wanted just by using these social engineering techniques.