Chapter 10
Social Engineering

  1. Social Engineering
    • a. Types of social engineering
    • b. Social networking
    • c. Technology assisting social networking
    • e. Defensive strategies
    • f. Pentesting issues

So far in this book we have covered a lot of threats, but they have all been technological in nature. In this chapter, we will shift gears and discuss social engineering. Social engineering deals with the targeting and manipulation of human beings rather than technology or other mechanisms. This method is popular because the human element is frequently the weak part of a system and most prone to mistakes.

The reality is that security starts and stops with the human element. If that element fails, the entire system can be weakened rapidly. The end user represents the first line of defense in many cases and is the one factor that can have the greatest impact on the relative security or insecurity of a given environment. Human beings can be either reactive or proactive to security incidents and can stop many issues before they become problems.

As an ethical hacker, you need to be aware of the threats and dangers of social engineering as well as how to use these techniques. This chapter explores how social engineering works, why it is successful, and how you can use it in your penetration testing.

What Is Social Engineering?

Social engineering is a term that is widely used but poorly understood. It’s generally defined as any type of attack that is nontechnical in nature and that involves some type of human interaction with the goal of trying to trick or coerce a victim into revealing information or violate normal security practices.

Social engineers are interested in gaining information they can use to carry out actions such as identity theft or stealing passwords, or in finding out information for later use. Scams may include trying to make a victim believe the attacker is technical support or someone in authority. An attacker may dress a certain way with the intent of fooling the victim into thinking the person has authority. The end goal of each approach is for the victim to drop their guard or gain enough information to better coordinate and plan a later attack.

If it helps, you can think of social engineers in the same context as con artists. Typically, individuals who engage in this type of activity are very good at recognizing telltale signs or behaviors that can be useful in extracting information, such as the following:

Moral Obligation An attacker may prey on a victim’s desire to provide assistance because they feel compelled to do so out of a sense of duty.

Trust Human beings have an inherent tendency to trust others. Social engineers exploit this tendency by using buzzwords or other means. In the case of buzzwords, for example, the use of familiar terms may lead a victim to believe that an attacker is in the know or has insider knowledge of a project or place.

Threats A social engineer may threaten a victim if they do not comply with a request.

Something for Nothing The attacker may promise a victim that for little or no work, they will reap tremendous rewards.

Ignorance The reality is that many people do not realize the dangers associated with social engineering and don’t recognize it as a threat.

Why Does Social Engineering Work?

Social engineering is effective for a number of reasons, each of which can be remedied or exploited depending on whether you are the defender or the attacker. Let’s take a look at each:

Lack of a Technological Fix Let’s face it, technology can do a lot to fix problems and address security—but at the same time, it can be a source of weakness. One thing that technology has little or no impact on is blunting the effectiveness of social engineering. This is largely because technology can be circumvented or configured incorrectly by human beings.

Insufficient Security Policies The policies that state how information, resources, and other related items should be handled are often incomplete or insufficient at best.

Difficult Detection Social engineering by its very nature can be hard to detect. Think about it: An attack against technology may leave tracks in a log file or trip an intrusion detection system (IDS), but social engineering probably won’t.

Lack of Training Lack of training or insufficient training about social engineering and how to recognize it can be a big source of problems.

In many of the cases discussed in this book, you have seen social engineering play a role. One such example is that of Trojans, which exploit social engineering to entice a victim to open an executable or attachment that is infected with malware. A Trojan is a piece of malware that relies primarily on the element of social engineering as a mechanism to start an infection. Using the social-engineering aspect, virus writers can entice an unsuspecting victim into executing malware with the promise of giving them something they expect or want.

Another example of how social engineering works is the case of scareware. This type of malware is designed to frighten a victim into taking action when none is necessary. The best example is the case of fake antivirus products that prompt users with very realistic, but fake, messages that they should download an “antivirus” to disinfect their system.

In both cases, simple training and awareness could easily stop an attack before a security incident occurred. You should know the signs of social engineering plus include a dose of common sense prior to implementing social engineering in your testing. Some common signs that may indicate a social-engineering attack include, but are not limited to, the following:

  • Use of authority by an attacker, such as making overt references to who they are or who they know or even making threats based on their claimed power or authority.
  • Inability to give valid contact information that would allow the attacker to be called or contacted as needed.
  • Making informal or off-the-book requests designed to encourage the victim to give out information that they may not otherwise.
  • Excessive name-dropping as to who the attacker knows inside the organization.
  • Excessive use of praise or compliments designed to flatter a victim.
  • Show of discomfort or uneasiness when questioned.

Why is Social Engineering Successful?

Why has social engineering been successful, and why will it continue to be so? To answer this, you must first understand why it works and what this means to you as a pentester. Going after the human being instead of the technology works for a number of reasons:

Trust Human beings are a trusting lot. It’s built into the species. When you see someone dressed a certain way (such as wearing a uniform) or hear them say the right words, it causes you to trust them more than you normally would. For example, if you see someone dressed in a set of scrubs and carrying a stethoscope, it causes you to trust them. This tendency to trust is a weakness that can be exploited.

Human Habit and Nature Human beings tend to follow certain default habits and actions without thinking. People take the same route to work, say the same things, and take the same actions without thought. In many cases, humans have to consciously attempt to act differently from the norm in order to break from their learned habits. A good social engineer can observe these habits and use them to track people or follow the actions of groups, and gain entry to buildings or access to information.

Social-engineering Phases

Social engineering, like the other attacks we have explored in this book, consists of multiple phases, each designed to move the attacker one step closer to the ultimate goal. Let’s look at each of these phases and how the information gained from one leads to the next:

  1. Gather information and details about a target through research and observation. Sources of information can include dumpster diving, phishing, websites, employees, company tours, or other interactions.
  2. Select a specific individual or group that may have the access or information you need to get closer to the desired target. Look for sources such as people who are frustrated, overconfident, or arrogant and willing to provide information readily.
  3. Forge a relationship with the intended victim through conversations, discussions, e-mails, or other means.
  4. Exploit the relationship with the victim, and extract the desired information.

You can also look at these four phases as three distinct components of the social-engineering process:

  • Research (step 1)
  • Develop (steps 2 and 3)
  • Exploit (step 4)

What Is the Impact of Social Engineering?

Social engineering can have many potential outcomes on an organization, some obvious and some less so. It is important that you understand each of these, because they can have far-reaching effects:

Economic Loss This one is fairly obvious. A social engineer may cause a company or organization to lose money through deception, lost productivity, or identity theft.

Terrorism Perhaps one of the more visible forms of social engineering is terrorism. In this case, a target is coerced into action through the threat of physical violence.

Loss of Privacy An attacker using these techniques can easily steal information to perform identity theft on any number of victims.

Lawsuits and Arbitrations Depending on the compromise, the successful completion of an attack may result in lawsuits or other actions against the victim or the victim’s organization.

Temporary or Permanent Closure Depending on how bad the breach is, the result can be catastrophic, with an entire business closing as a result of mounting financial losses and lawsuits.

Loss of Goodwill Although all losses may not be monetary, they can still be devastating, such as the loss of goodwill from customers or clients.

Common Targets of Social Engineering

An attacker will look for targets of opportunity or potential victims who have the most to offer. Some common targets include receptionists, help desk personnel, users, executives, system administrators, and outside vendors. Let’s look at each and see why this is.

Receptionists—one of the first people visitors see in many companies—represent prime targets. They see a lot of people go in and out of an office, and they hear a lot of things. Establishing a rapport with these individuals can easily yield information that’s useful on its own or for future attacks.

Help desk personnel offer another tempting and valuable target due to the information they may have about infrastructure, among other things. Filing fake support requests or asking these personnel leading questions can yield valuable information.

System administrators can also be valuable targets of opportunity, again due to the information they possess. The typical administrator can be counted on to have very high-level knowledge of infrastructure and applications as well as future development plans. Additionally, some system admins possess far-reaching knowledge about the entire company’s network and infrastructure. Given the right enticements and some effort, these targets can yield tremendous amounts of information.

What Is Social Networking?

Over the last decade, some of the biggest security threats have come from the use of social networking. The rapid growth of these technologies lets millions of users each day post on Facebook, Twitter, and many other networks. What type of information are they posting?

  • Personal information
  • Photos
  • Location information
  • Friend information
  • Business information
  • Likes and dislikes

The danger of making this wealth of information available is that a curious attacker can piece together clues from these sources and get a clear picture of an individual or a business. With this information in hand, the attacker can make a convincing impersonation of that individual or gain entry into a business by using insider information.

Before you post any type of information on these networks, ask yourself a few questions:

  • Have you thought about what to share?
  • How sensitive is the information being posted, and could it be used negatively?
  • Is this information that you would freely share offline?
  • Is this information that you wish to make available for a long time, if not forever?

Social networking has made the attacker’s job much easier based on the sheer volume of data and personal information available. In the past, this information may not have been as easy to get; but now, with a few button clicks, it can be had with little time investment.

Going back to our earlier exploration of footprinting as part of the attack process, you learned just how powerful unprotected information can be. When employees post information on social networks or other sites, it should always be with a mind toward how valuable the information may be in the wrong hands and whether it is worth posting. It is easy to search social networks and find information that an individual may have shared to too wide an audience.

Mistakes in Social Media and Social Networking

Social media can be made safer if you take simple steps to strengthen your accounts. In fact, it has been found in many cases that with a little care and effort, you can lessen or avoid many common security issues and risks. You can reuse some of the guidance from earlier chapters and apply it to these new platforms:

Password Using the same password across multiple sites means anyone who gets control of the password can access whatever data or personal information you store on any of those sites. In a worst-case scenario, for example, a Twitter password hack can give the hacker the key to an online banking account. Keep in mind that if you use a password on a site that doesn’t protect information carefully, someone can steal it. Many social-networking sites have grown so large so fast that they do not take appropriate security measures to secure the information they are entrusted with until it is too late. Additionally, many users never or rarely change their passwords, making their accounts even more vulnerable.

Too Much Information With the proliferation of social networking, the tendency to share too much has become more common. Users of these networks share more and more information without giving much thought to who may be reading it. The attitude nowadays tends to skew toward sharing information. People increasingly see sharing as no big deal. However, an individual’s or company’s brand and reputation can easily be tarnished if the wrong information is shared. In some cases, companies have taken the brunt of the public’s ire because an employee posted something that was off-color or offensive. It may not initially seem like a security problem, but rather a public relations issue; but one of the items you must protect as a security-minded individual is the public’s perception of your company.

Many types of scams can ensnare users by preying on an aspect of human nature that entices people to investigate or do something they would not normally do:

Secret Details about <Some Celebrity’s> Death This type of post feeds on people’s insatiable desire for information regarding celebrities or public figures.

I’m Stranded in a Foreign Country—Please Send Money These types of scams target users by claiming that the message is from someone the user knows who is trapped without money in a foreign country or bad situation. The scammer says they will gladly pay the person back when they get home. Once the victim’s trust is heightened to the point of sending money, the scammer comes up with plausible reasons to ask for increasingly larger amounts, eventually fleecing the victim for much greater sums.

Did You See This Picture of J-Lo? Both Facebook and Twitter have been plagued by phishing scams that involve a question that piques your interest and then directs you to a fake login screen, where you inadvertently reveal your Facebook or Twitter password.

Test Your IQ This type of scam attracts you with a quiz. Everybody loves quizzes. After you take the quiz, you are encouraged to enter your information into a form to get the results. In other cases, the scam encourages you to join an expensive text-messaging service, but the price appears only in extremely small print.

Tweet for Cash! This scam takes many forms. “Make money on Twitter!” and “Tweet for profit!” are two common come-ons that security analysts say they’ve seen lately. Obviously this scam preys on users’ greed and curiosity, but in the end they lose money or their identities.

Ur Cute. Msg Me! The sexual solicitation is a tactic spammers have been trying for many years via e-mail and is one that has proven wildly successful. In the updated version of this ruse, tweets feature scantily clad women and include a message embedded in the image, rather than in the 140-character tweet itself.

Amber Alert Issued!! This one is not so much a scam as it is a hoax. Amber alerts are pasted into status updates that turn out to be untrue. Although such attacks don’t gain information, they are designed to cause panic and concern as well as increase traffic among recipients.

Countermeasures for Social Networking

Because social networking has exploded in popularity so quickly, companies and individuals have not had much time to deal with the problems the technology has brought to bear. Surveys taken in recent years have found that many companies either do not have a policy in place regarding social networking or are unaware of the risks. Recently, however, people are slowly starting to become aware of how big the danger is and that they need to take steps to protect themselves. Company policies should touch on appropriate usage of social media and networking sites at work as well as the kind of conduct and language an employee is allowed to use on the sites.

Currently about 40 percent of companies have implemented a social-networking policy; the rest have either suggested doing so or are not doing anything. Many individuals and companies have been burned or heard about someone else getting burned and have decided to do something about the issue.

Social networking can be used relatively safely and securely as long as it is used carefully. Exercising some basic safety measures can substantially reduce the risk of using these services. As an ethical hacker and security professional, consider recommending and training users on the following practices:

  • Discourage the practice of mixing personal and professional information in social-networking situations. Although you may not be able to eliminate the company information that is shared, it should be kept to a bare minimum.
  • Always verify contacts, and don’t connect to just anyone online. This is a huge problem on many social media networks; users frequently accept invitations from individuals they don’t know.
  • Avoid reusing passwords across multiple social-networking sites or locations to avoid mass compromise.
  • Don’t post just anything online; remember that anything you post can be found, sometimes years later. Basically, if you wouldn’t say it in a crowded room, don’t put it online.
  • Avoid posting personal information that can be used to determine more about you, impersonate you, or coax someone to reveal additional information about you.

To avoid problems with social networking, a company should exercise many different countermeasures. As a pentester, consider recommending the following techniques as ways to mitigate the threat of social-engineering issues via social networking:

  • Educate employees against publishing any identifying personal information online, including phone numbers; pictures of home, work, or family members; or anything that may be used to determine their identity.
  • Encourage or mandate the use of non-work accounts for use with social media and other types of systems. Personal accounts and free-mailers such as Gmail and Yahoo! should be used in order to prevent compromise later on.
  • Educate employees on the use of strong passwords like the ones they use, or should be using, in the workplace.
  • Avoid the use of public profiles that anyone can view. Such profiles can provide a wealth of information for someone doing research or analysis of a target.
  • Remind users of such systems that anything published online will stay online, even if it is removed by the publisher. In essence, once something is put online, it never goes away.
  • Educate employees on the use of privacy features on sites such as Facebook, and take the initiative in sending out e-mails when such features change.
  • Instruct employees on the presence of phishing scams on social networks and how to avoid and report them.

Commonly Employed Threats

Many threats will continue to pose problems for those using the Internet, and unless you opt to stop using this resource, you must address the threats. This section explores threats targeted toward human beings and the weaknesses of human nature.

What type of threats target users and prey on human nature? The following are just a few:

Malware This can be used as an all-inclusive term for viruses, spyware, keyloggers, worms, Trojan horses, and other Internet threats.

Shoulder Surfing This type of attack takes place when one party is able to look over another’s shoulder or spy on another’s screen. This is common in environments of every type, because when you see other people watching what you are doing, you attribute it to normal human curiosity and think little of it.

Eavesdropping This involves listening in on conversations, videos, phone calls, e-mails, and other communications with the intent of gathering information that an attacker would not otherwise be authorized to have.

Dumpster Diving One man’s trash is another man’s treasure, and an attacker may be able to collect sensitive or important information from wastebaskets and other collection points and use it to perform an attack. In practice, such information should be shredded, burned, or otherwise destroyed to avoid it being intercepted by an attacker.

Phishing Phishing uses a legitimate-looking e-mail that entices you to click a link or visit a website where your information will be collected. This is a common attack and is very effective, even though this technique has been around for more than a decade and multiple warnings and advisories have been published, telling users what to look out for.

Although many companies implement technology, administrative policies, and physical measures to stop social-engineering attacks, prevention still comes down to human beings. They are in many cases on the front lines, watching for an attack. Measures that can help defeat technology-related attacks include the following:

Installing a Modern Web Browser As the main portal to the world of the Internet, your browser must be as safe and secure as possible. Being safe and secure means at least two things: Use the most current browser, and keep the browser up to date. Additionally, avoid unnecessary plug-ins and add-ons that clutter the browser and may weaken it. Most modern web browsers include features that protect against social-engineering attacks like phishing and bogus websites.

Using a Pop-up Blocker A modern browser recognizes potentially dangerous pop-ups, lets you know when it blocks a pop-up, and offers the option to selectively block each pop-up as needed.

Heeding Unsafe Site Warnings If you go to a website that is fraudulent, untrusted, or has known security problems, the browser should prevent the site from loading.

Integrating with Antivirus Software Your browser should work with a resident antivirus program to scan downloaded files for security threats.

Using Automatic Updates Modern browsers typically update themselves to incorporate fixes to flaws in the software and to add new security features.

Private Browsing This feature has become a staple of newer browsers, including all the popular browsers such as Chrome, Internet Explorer, Firefox, and others. This mode prevents the browser from saving certain types of information, such as search history, and keeps certain behavior from being observed.

Changing Online Habits No software can compensate for poor Internet safety habits. Tools can help, but they cannot stop you from acting recklessly or carelessly online.

At a minimum, you should consider educating your user base or clients about the following practices:

  • Exercise caution on unsecured wireless networks. The free Wi-Fi access at the coffee shop down the street could cost you a lot if it is unsecured and open to the world. An unsecured connection is an open network that allows anyone to connect. Information passed from a laptop to the wireless router and vice versa can be intercepted by people with the right tools because it is not encrypted. Additionally, network attacks can be made from other computers connected to the network.
  • Be careful accessing sensitive information in a public place. Even on a secured connection or a VPN, people can see what you type on a laptop screen. You may reveal sensitive information to a person walking by with a camera phone while you do your online banking. The same is true in an office, where a nosy coworker peering over a cubicle wall or an unscrupulous network administrator spying on a workstation can snag a password.
  • Don’t save personal information casually on shopping websites. Most shopping sites offer to save a credit card and address information for easier checkout in the future. Although the information is supposedly secure, many thefts of such information have occurred recently.
  • Be careful about posting personal information. People love to chat and share or post the details of their personal lives on social-networking sites such as Facebook. They give the public access to their information and then complain about privacy issues.
  • Keep your computer personal. Internet browsers such as Internet Explorer and Mozilla Firefox make it easy to store passwords and form information. Anyone who opens such a web browser can check the browsing history, visit secure sites, and automatically log in as you, if you opt to have the browser save your password. Avoid storing passwords—or, better yet, password-protect your computer and lock it when not in use. Make a second account on a computer for other people to use so information is kept separate, and make sure that account is password-protected and not given high-level access such as that available to an administrator.

The majority of risk factors can be controlled through the simple steps outlined here:

  • Control the online environment by using the current version of a reputable web browser. A browser like Firefox performs the following safety actions:
    • Prevents you from going to malicious sites
    • Scans files you download
    • Blocks pop-ups
    • Helps safeguard personal data
  • Watch the sites you visit. Tools such as those provided by antivirus vendors can help identify which links are safe. Know something about a website before you go there.
  • Watch what you do online with personal information. For example, do not post information on Facebook that you would not be comfortable sharing with the rest of the world.
  • Avoid unsecured wireless connections.
  • Lock your computer with a password when it is not in use.
  • Do not save credit card information for every site you visit.

Identity Theft

One of the most prominent and rapidly evolving threats is identity theft, which falls under the heading of social engineering. According to the Federal Trade Commission, in the United States, identity theft is one of the most rapidly growing crimes over the last few years; as such, the public needs to be extra vigilant and protect their information from this form of attack.

Once in possession of information, an identity thief has plenty of options available to them, depending on their particular goals. Thieves have been known to run up charges on credit cards, open new accounts, get medical treatment, or secure loans under the victim’s name.

Some signs of identity theft include the following:

  • You see withdrawals from your bank account that you can’t explain.
  • You don’t get your bills or other mail.
  • Merchants refuse your checks.
  • Debt collectors call you about debts that aren’t yours.
  • You find unfamiliar accounts or charges on your credit report.
  • Medical providers bill you for services you didn’t use.
  • Your health plan rejects your legitimate medical claim because the records show you’ve reached your benefits limit.
  • A health plan won’t cover you because your medical records show a condition you don’t have.
  • The IRS notifies you that more than one tax return was filed in your name, or that you have income from an employer you don’t work for.
  • You get notice that your information was compromised by a data breach at a company where you do business or have an account.

Protective Measures

As the world has moved away from brick and mortar to online operators, protecting yourself from online fraud becomes vital. More people than ever access their banks online or work with other types of sensitive information.

In many cases, the only thing standing between someone and your money is a four- to six-digit number or a word or combination of words. To help you access your account if you forget your password, many sites let you set up security questions based on a few predetermined facts about yourself. But anyone else who knows the answers can access the account, too. And with the proliferation of Facebook, obtaining those answers is no longer a problem!

For example, in recent years Sarah Palin’s e-mail account was hacked, and Paris Hilton’s personal accounts and cell phone were hacked and photos posted online. They weren’t hacked in the technical sense of someone attacking the system and breaking in—rather, they had security questions that could easily be researched from publicly available sources. The answers were available to anyone who bothered to use Google. You may not be a celebrity, but once your personal information is online, it’s not personal anymore.

Know What Information Is Available

If you have googled yourself, you’ve learned firsthand what is available about you online, but you probably missed quite a bit. If you haven’t done so already, try googling yourself: See what types of information are available, and note the level of detail that can be found. Note whether any of the information gives clues about your background, passwords, family, or anything else that can be used to build a picture of who you are.

Sites that may contain personal information include:

  • Spokeo
  • Facebook
  • Myspace
  • LinkedIn
  • Intellius
  • Zabasearch
  • People Search
  • Shodan

There are tools that reveal more about a victim or target than a Google search does. Some companies mine, analyze, and sell this data for a few dollars without regard to who may be requesting the information or how it may ultimately be used. By combining information from multiple sources using social engineering and footprinting techniques, you can paint a pretty good picture of an individual, up to and including where they live in many cases.

One of the tools on this list, Intellius, is a great example of how accessible personal information may be. For less than $30 per month, you can subscribe to this service and look up as many individuals as you desire. In some cases, your search may yield multiple results (for example, if a person’s last name is Smith or Jackson), but this can easily be addressed by using information from the other sources on this list to narrow the search results. Using Intellius, I was able to use information from the Facebook and LinkedIn profiles of friends and family to fine-tune the results.

Summary

Millions of people are engaging online via Facebook, Twitter, Foursquare, and other social-networking sites. Social networking is fun and dangerous at the same time, as well as extremely addictive: some users post an update every time they eat a meal or go to the restroom. The technology allows for greater connectivity and convenience, letting people stay in touch, share moments, keep in contact with loved ones, and exchange personal content online, but it also carries dangers that can lead to disaster.

Social-networking sites are a huge target for cyber-criminals looking for information to steal and identities to pilfer. They abuse the open nature of these sites to gather personal information about users, information that isn’t hidden but is readily provided by the users themselves. With this information, an attacker can coerce or trick you into revealing things you would not otherwise reveal; this is yet another form of social engineering. For example, you may open up when a stranger speaks to you with familiarity, because details taken from your profile let them convince you that you already know them.

Even worse, these sites are very popular with young people and adults alike. For young people in particular, social-networking sites can combine many of the risks associated with being online: online bullying, disclosure of private information, cyber-stalking, access to age-inappropriate content, and, at the most extreme, child abuse.

Companies have come to realize that they need to train their rank and file about what they can and cannot share, or to block social-networking sites altogether. Some companies have gone a step further and told employees that they may not talk about the company online at all.

Exam Essentials

Remember that human beings represent the weak spot in many organizations. If they are not properly trained and educated, they can easily undermine security.

Understand human nature. It’s important to know how attackers mold and shape human nature as well as how to spot aspects of human nature that can work against security.

Know about technology fixes. Technology such as anti-spyware and anti-malware tools can mitigate some social-engineering attacks.

Know preventative measures. Know the preventive measures available to avoid social-engineering attacks, and the actions each one takes to prevent attacks. Ensure that you are familiar with the operation of reverse proxies and ingress and egress filtering.

Know tools and terms. The CEH exam is drenched with terms and tool names that can eliminate even the most skilled test-taker because they simply don’t know what the question is talking about. Familiarize yourself with all the key terms, and be able to recognize the names of the different social-engineering attacks.

Review Questions

  1. Phishing takes place using ________.

    1. Instant messaging
    2. E-mail
    3. Websites
    4. Piggybacking
  2. Training and education of end users can be used to prevent ________.

    1. Phishing
    2. Tailgating/piggybacking
    3. Session hijacking
    4. Wireshark
  3. Social engineering can be thwarted using what kinds of controls?

    1. Technical
    2. Administrative
    3. Physical
    4. Common sense
  4. Social engineering preys on many weaknesses, including ________.

    1. Technology
    2. People
    3. Human nature
    4. Physical
  5. Social engineering can use all the following except ________.

    1. Mobile phones
    2. Instant messaging
    3. Trojan horses
    4. Viruses
  6. Social engineering is designed to ________.

    1. Manipulate human behavior
    2. Make people distrustful
    3. Negotiate to yes
    4. Gain a physical advantage
  7. Phishing can be mitigated through the use of ________.

    1. Spam filtering
    2. Education
    3. Antivirus
    4. Anti-malware
  8. Which mechanism can be used to influence individuals?

    1. Means of dress or appearance
    2. Technological controls
    3. Physical controls
    4. Training
  9. Jennifer receives an e-mail claiming that her bank account information has been lost and that she needs to click a link to update the bank’s database. However, she doesn’t recognize the bank, because it is not one she does business with. What type of attack is she being presented with?

    1. Phishing
    2. Spam
    3. Whaling
    4. Vishing
  10. What is the best option for thwarting social-engineering attacks?

    1. Technology
    2. Training
    3. Policies
    4. Physical controls
  11. Janet receives an e-mail enticing her to click a link and provide her account information and Social Security number. What type of attack is this?

    1. Whaling
    2. Vishing
    3. Phishing
    4. Piggybacking
  12. Jason receives notices that he has unauthorized charges on his credit card account. What type of attack is Jason a victim of?

    1. Social engineering
    2. Phishing
    3. Identity theft
    4. Bad luck
  13. A security camera picks up someone who doesn’t work at the company following closely behind an employee while they enter the building. What type of attack is taking place?

    1. Phishing
    2. Walking
    3. Gate running
    4. Tailgating
  14. What is a vulnerability scan?

    1. A way to find open ports
    2. A way to diagram a network
    3. A proxy attack
    4. A way to automate the discovery of vulnerabilities
  15. A proxy is used to ________.

    1. Assist in scanning
    2. Perform a scan
    3. Keep a scan hidden
    4. Automate the discovery of vulnerabilities
  16. TOR is intended to ________.

    1. Hide web browsing
    2. Hide the process of scanning
    3. Automate scanning
    4. Hide the banner on a system
  17. Human beings tend to follow set patterns and behaviors known as ________.

    1. Human nature
    2. Habits
    3. Primacy
    4. Piggybacking
  18. When talking to a victim, using ________ can make an attack easier.

    1. Eye contact
    2. Keywords
    3. Jargon
    4. Threats
  19. An attacker can use which technique to influence a victim?

    1. Tailgating
    2. Piggybacking
    3. Name-dropping
    4. Tech support
  20. Jason starts receiving unexpected mail, phone calls, and other requests for information. He has also noticed problems on his credit report, such as bad debts and loans he never took out. What type of attack has Jason become a victim of?

    1. Social engineering
    2. Phishing
    3. Identity theft
    4. Bad luck