Because social engineering is fundamentally non-technical, it can be difficult to identify a social engineering attack through technical means. In this video, you’ll learn about social engineering and how security controls can be bypassed with social engineering techniques.
In this video series, we’ve talked about firewalls, intrusion prevention systems, proxies, and encryption. But when it comes to social engineering, we’re dealing with a security threat that we cannot identify through any electronic means. This is one that goes right under the radar of all of this equipment and technology that we’ve been working on to help secure our network.
This usually comes in as something like a telephone call. Hi, this is James, I’m calling from the help desk, and I understand there’s some problems with your system. Well, who doesn’t have problems with their system? Yes, I’m having problems. So I need your username and password and your social security number and your blood type. And they finally get this information out of somebody by pretending to be someone they’re not. That’s the social engineering part of this.
You should always look in your organization for somebody who might be walking around who shouldn’t be there. They don’t have a badge. They don’t understand the processes. They didn’t come in through the front door. And in any of those cases, you may be very susceptible to social engineering.
Many people who try to take advantage of social engineering will simply walk into your building. They’ll walk in behind somebody who’s already on their way in. That person has a badge, they let themselves in the door, and they keep the door open for the next person behind them. That’s the polite thing to do, but it’s also the very insecure thing to do, because once you’re inside the building, you’re more trusted, because you’re someone who really looks like they’re supposed to be here.
Sometimes people inside the building do all of the work. The bad guy only needs to make a telephone call, perform the social engineering, and have the person who’s inside the building provide them with the information they need right over the phone. They didn’t need any special access, they didn’t need usernames and passwords, they didn’t need VPN connectivity. They just called somebody on the inside of the building.
Because all of this seems to be happening on the phone, you need to be careful about who’s calling you. Tech support generally doesn’t make proactive calls. They’re waiting for you to call them. So you should always think when you’re receiving a telephone call like this that this is not something normal. And that should put you on guard for some type of social engineering.
One way to use social engineering doesn’t even involve talking to someone. You take a USB key that’s infected with malware, you leave it in a parking lot outside of a company. Somebody’s going to find that USB key, take it inside, and plug it into a corporate laptop or a corporate desktop machine. And at that point, your malware has already kicked in and you now have access to that person’s machine. Even though they’re behind the corporate firewall, it’s now made a connection out to the outside world, and you effectively have a way in without having to go through any of those security controls.
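The USB drop described above leaves a technical trace even though the lure itself is non-technical: a removable drive is mounted, and shortly afterward a program running from that drive opens an outbound connection. The following is an added detection example, not code from the video. It uses a constructed, hypothetical endpoint log format (timestamp, host, event type, key=value fields) and the assumption that any drive letter other than C: is removable media; it flags an outbound connection from a program on removable media within ten minutes of a mount on the same host.

```python
import re
from datetime import datetime, timedelta

# Constructed sample endpoint log lines in a hypothetical format (not from any real product).
# ws-17 shows the pattern from the video: mount, program launched from the drive, outbound connection.
# ws-22 shows benign activity: a mount followed much later by a browser on C: going outbound.
SAMPLE_LOGS = r"""
2024-03-01T09:12:04 ws-17 REMOVABLE_MEDIA_MOUNT vendor=Generic product=Flash_Disk serial=ABC123
2024-03-01T09:12:31 ws-17 PROCESS_START image=E:\photos.exe parent=explorer.exe
2024-03-01T09:12:35 ws-17 NET_CONNECT image=E:\photos.exe dst=203.0.113.45:443 direction=outbound
2024-03-01T11:40:10 ws-22 REMOVABLE_MEDIA_MOUNT vendor=Kingston product=DataTraveler serial=XYZ789
2024-03-01T11:55:02 ws-22 NET_CONNECT image=C:\Programs\browser.exe dst=198.51.100.7:443 direction=outbound
"""

# How long after a mount an outbound connection from the drive is considered suspicious.
WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)\s*(.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for blank/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, "fields": fields}


def is_removable_path(image):
    """Assumption for this example: a drive letter other than C: is removable media."""
    return bool(re.match(r"^[A-Za-z]:\\", image)) and not image.upper().startswith("C:\\")


def detect_usb_drop(log_text, window=WINDOW):
    """Return alerts for outbound connections from removable media shortly after a mount."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    last_mount = {}  # host -> timestamp of the most recent removable media mount
    alerts = []
    for ev in events:
        if ev["event"] == "REMOVABLE_MEDIA_MOUNT":
            last_mount[ev["host"]] = ev["ts"]
        elif ev["event"] == "NET_CONNECT" and ev["fields"].get("direction") == "outbound":
            mounted = last_mount.get(ev["host"])
            image = ev["fields"].get("image", "")
            if mounted and ev["ts"] - mounted <= window and is_removable_path(image):
                alerts.append({
                    "host": ev["host"],
                    "image": image,
                    "dst": ev["fields"].get("dst", ""),
                    "seconds_after_mount": int((ev["ts"] - mounted).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_usb_drop(SAMPLE_LOGS):
        print("ALERT: possible USB drop on", alert["host"], alert)
```

The rule is deliberately narrow: it correlates per host, so a mount on one workstation never taints another, and it ignores programs running from the system drive. Tuning the window and the removable-drive heuristic to the real event source is what turns this sketch into a usable alert.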
An extreme case, but a very good example of social engineering, happened to Naoki Hiroshima. He had a Twitter username of @N. That was it. It was the letter N. It was obviously a very valuable Twitter username. The value was set somewhere around $50,000 for that particular Twitter username. So a lot of people wanted access to that particular @N username. What the bad guys did was first call PayPal and pretend to be Naoki and said, I need access to my accounts, but all I have is this credit card that needs to be replaced. I’m not sure which credit card I currently have on file. Which one do I have on file? Oh, it’s the one that ends in the numbers 1234.
OK, well thank you. That’s the one I need to use. Thanks so much. And with a simple phone call, the bad guys were able to get not the entire credit card number, but just the last four digits of his credit card number. The bad guys then called GoDaddy, which is where Naoki keeps all of his domains. And they told the GoDaddy people that they were Naoki and they could confirm the last four digits of the credit card number.
But GoDaddy wanted some extra details. They wanted to know the first two numbers of the credit card. And in this case, the person on the phone from GoDaddy let the bad guys go through a number of iterations until they got it correct. This was social engineering done very well. Once they had confirmed their identity to the folks at GoDaddy, they now had access and control over all of his domains.
So now the bad guys contact Naoki and say, we have all of your domain names and we’ll give them back to you if you give us the @N Twitter username. Naoki says, sure, that’s fine. I agree to that because I need these domain names. They are extremely important. All of my information is on the domains. All my hosting information is there. I need access to those.
In this particular case, Twitter examined what happened with this and eventually decided, a month later, to give access to @N back to the proper owner. Here’s the url, in case you’d like to learn more about this particular social engineering incident. But of course, it isn’t usually something this complex. Usually the bad guy is calling you at your desk at work when you’re least expecting it. And that is the hallmark of a very good social engineer, because he’s able to get that information out of you without you even realizing that you’re giving it up.