One of the best ways to circumvent security controls is to manipulate people instead of technology. In this video, you’ll learn about social engineering and how attackers use good people to do bad things.
One of the challenges in fighting social engineering is you never know what’s coming next. That makes it very difficult to protect against when you aren’t quite certain where the attack is coming from. The attack may involve a single person, or it may involve multiple people. It could include one organization or multiple organizations. You’re never quite certain exactly what the combination will be and where it will be coming from. These attacks might be done over the phone, where somebody calls in as an aggressive customer and asks for information.
Or it may be someone sending an email that has a provocative link. Perhaps someone says that Bob has passed away, and here’s the link to learn more, when in fact, Bob is perfectly fine. But in the meantime, you’ve had a number of people click that link because of this social engineering.
So what is social engineering? There are a number of principles that are very common in social engineering attacks. The first is authority. The person who is trying to perform the social engineering needs some particular level of authority. This person may be posing as a CEO. Or they may say they’re with local law enforcement in order to give their requests a bit more authority.
The next principle is intimidation. If you don’t provide me with this help, something bad is going to happen. For example, if you don’t provide me with the information I need, then none of the paychecks will go out in the next pay period. This type of intimidation adds additional pressure to try to get information during the social engineering.
The next principle is social proof or consensus. The attacker makes it seem perfectly normal that someone would provide this very sensitive information to a stranger who’s calling in over the phone. After all, your co-worker provided this information to me last week. You could certainly do the same today.
There’s also a time frame associated with the social engineering. This is the principle of scarcity. The person who is doing the social engineering sets a deadline by which they need this information.
Along these same lines, you have the principle of urgency where they want this to occur as quickly as possible. They don’t want you to perform any checks. They don’t want you to even think about what you need to do. You need to simply do this as quickly as possible.
The person doing the social engineering also wants to take advantage of someone who’s familiar or likable, someone who is calling in and saying, I’m a friend of yours or a friend of a friend. Therefore, it’s OK to provide me with this information.
And the last principle is trust. It’s very common for someone to call and say, I’m with the help desk. I’m performing some troubleshooting. All I need is your username and password to confirm that your particular site is operating properly.
A very particular kind of social engineering is phishing. This is a way that the social engineer can get you to provide them with personal information. This is commonly done electronically. Or they’ll send you an email with a link to pay for a particular product.
You click that link, and you’re presented with something like this PayPal page. This looks like a perfectly legitimate PayPal page. But in reality, you’re being redirected to a completely different domain than paypal.com.
And if you look closely, even on this page, there are things like certain images that aren’t appearing on the page. There might also be misspellings or unusual fonts. But if this is done properly, this may be an exact replica of a legitimate page. And the only thing you have to look for is that URL at the top.
There’s another type of phishing, which is voice phishing, or vishing. This is phishing that is done over the phone. This might be someone who’s calling you and saying they’re from the IRS and they need you to send them a lot of money right now.
But they don’t want cash. They want you to get gift cards and send them the numbers from those gift cards. You would think that that particular process would be one to raise some red flags. But this vishing process is so realistic that many people don’t even think about what they might be doing.
Phishing is usually a very broad net. You’re trying to get anyone to respond to a particular email or request. With spear phishing, the bad guys are focusing in on a very specific group of people. For example, it’s very common for spear phishing to target the accounts payable department to try to get those folks to wire money to a third party.
You might also hear of spear phishing that’s being directed at the highest executive levels of a company. That’s very often called whaling. There are many examples of spear phishing. The examples here are from April 2011.
Epsilon was targeted. There were 3,000 email addresses attacked at that organization. All of those emails went to the email operations staff. If someone clicked the link in that message, they downloaded an antivirus disabler, a keylogger, and a remote administration tool.
And in April 2011, the Oak Ridge National Laboratory received an email that appeared to come from the human resources department. It obviously did not come from their internal HR department. There were 530 employees targeted. 57 people clicked on a link inside that email. And two of those were infected. Data was downloaded. And there were servers that were then infected with the malware that came from those two infected workstations.
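Both the fake PayPal page above (where the only reliable tell is the host in the URL) and the Oak Ridge email that claimed to be from HR come down to the same two checks: does the link actually land on the brand’s domain, and does the sender’s domain match who the message claims to be from? The following is an added example, not part of the original video, that runs those checks over a constructed email. The sample addresses, the internal domain corp.example, the list of impersonated brands, and the naive “last two labels” rule for the registered domain are all assumptions made for the example; a real deployment would use a public-suffix list.

```python
"""Flag common phishing indicators in a single email: lookalike link hosts and a
sender that claims to be an internal department but mails from an outside domain."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message (not a real email): the From header claims to be HR but
# uses an external domain, Reply-To points somewhere else again, and the first link
# contains "paypal.com" as a subdomain of an unrelated host.
SAMPLE_EMAIL = """\
From: HR Department <hr-notices@hr-benefits-update.example>
Reply-To: payroll@mail-reply.example
To: employee@corp.example
Subject: Action required: confirm your payroll details

Please confirm your details at https://www.paypal.com.account-verify.example/login
or log in at https://www.paypal.com/signin before Friday.
"""

INTERNAL_DOMAIN = "corp.example"          # assumed organisation domain
TRUSTED_BRANDS = {"paypal.com"}           # brands whose name in a host we want to verify
INTERNAL_ROLE_RE = re.compile(r"\b(hr|human resources|help desk|payroll|it support)\b")


def registered_domain(host):
    """Return the last two DNS labels of a host.
    This is a deliberate simplification (assumption): real code should consult the
    public-suffix list so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url):
    """Return a reason string if the URL's real host does not match the brand it
    mentions (or hides the host in another way); return None for a clean link."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return f"{url}: link goes to a bare IP address rather than a named host"
    if parts.username is not None:
        # Anything before '@' is userinfo, not the host; browsers connect to `host`.
        return f"{url}: userinfo before '@' obscures the real host {host}"
    reg = registered_domain(host)
    for brand in TRUSTED_BRANDS:
        if brand in host and reg != brand:
            return f"{url}: mentions {brand} but actually points at {reg}"
    return None


def check_sender(msg, internal_domain):
    """Flag a display name that claims an internal role while the address is external,
    and a Reply-To whose domain differs from the From domain."""
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if INTERNAL_ROLE_RE.search(name.lower()) and from_domain != internal_domain:
        reasons.append(f"From claims to be '{name}' but sender domain is {from_domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return reasons


def analyse(raw_email, internal_domain=INTERNAL_DOMAIN):
    """Parse the raw message and return a list of human-readable findings."""
    msg = message_from_string(raw_email)
    findings = check_sender(msg, internal_domain)
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        reason = check_link(url)
        if reason:
            findings.append(reason)
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run as a script it prints three findings for the sample: the HR display name with an external address, the mismatched Reply-To, and the first link. The genuine `https://www.paypal.com/signin` link is not flagged, which is the point: the check keys on the host the browser will actually connect to, not on whether the brand name appears somewhere in the URL.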
Impersonation plays a big part with social engineering. The fraudsters are very often pretending to be someone that they’re not. They may be getting details from online resources or perhaps even going into your trash to find information that can make it seem like they’re someone legitimate. But in fact, they are impersonating someone else within the organization.
It’s very common that the person who’s being attacked is called by someone who is allegedly higher in rank than them. This might be someone posing as the CEO or some executive of the organization to try to get someone who’s lower in rank to perform a function for them. Sometimes there’s even a bit of confusion thrown in with the impersonation.
When things become very technical or large terms are thrown around, sometimes people would rather perform the request that you’re making than question the things that you’re saying. And the likability factor can be thrown in with impersonation, where someone pretends to be someone you know or someone that you work with.
During our normal workday, we commonly have sensitive information that’s shown on our screen. This might be internal company secrets, or it might be financial information. But it’s all shown on the screen that’s in front of us. If anyone else happens to be looking at that screen at the same time that we are, they’ll be able to gather all of these details as well.
This is very common to see in public areas like airports and coffee shops where you can simply walk by someone and see everything that they’re seeing on that screen. If you’re in a big city, you may not even realize that you’re doing this, because it’s very easy to see these computer screens from the building that’s next door by simply using binoculars or a telescope. There’s also software that can monitor your webcam and take captures of your screen and then send that information to a third party.
If you’ve ever walked into a place of business where there was a large building with many offices, you know there’s a lot of security in place. Usually you would need an access card to get into particular doors. But if you gained access to one of those offices by simply following somebody who already had an access card, then you would be tailgating.
In Johnny Long’s book, No Tech Hacking, he talks about how you would tailgate in some of these environments. You would wear clothing very similar to that of the people who are already working there, for example. Or if you knew there was a lot of work being done on the telephone system, you might dress like a telephone technician. This third party would look perfectly legitimate. And people wouldn’t think twice about letting in someone to help work on the telephones.
Maybe you’re sitting in the smoking section and making friends with people. And as they’re walking back in, you’re simply following them. Or you simply walk up to the door with boxes of donuts. And people will help you get into that door, even though you don’t have an access card. Once you get past that first door, there’s usually not much security after that. So if you’re able to tailgate in through the door, you effectively have access to the rest of the building.
The attackers that focus on social engineering want to gather as much information about the organization as possible. And a lot of good information is thrown out with the garbage. So they will go out to the dumpster. And they will gather details from your trash. We call this dumpster diving because in the United States, Dumpster is the brand name of this type of mobile garbage bin.
And there may be a lot of information inside of that dumpster. It’s all been bundled up and is ready for the attacker to take back with them. They can then use this information to begin impersonating the people within your organization. They might have information on different locations of the company and may have specific names and emails that they can reference.
The timing of this is very important. There may be times during the year when information is sent out with the trash. And of course, the dumpster diver wants to grab this information before it’s picked up.
In the United States, going through someone else’s garbage is generally considered to be legal, unless there are specific rules on the books preventing it. If it’s in the trash, then you effectively have access to that information. And nobody else happens to own any of those details.
If the dumpsters are on private property, you may not be able to legally gather any of those details, because you legally don’t have a right to be on that property. You can’t break the law in order to gain access to someone’s garbage. If you’re not quite certain exactly whether it’s legal in your area, you should always consult with a legal authority to find out the details for your particular geography.