Deceit through words and actions

Wily social engineers can get inside information from their victims in many ways. They are often articulate and focus on keeping their conversations moving without giving their victims much time to think about what they’re saying. However, if they’re careless or overly anxious during their social engineering attacks, the following tip-offs might give them away:

• Acting overly friendly or eager
• Mentioning names of prominent people within the organization
• Bragging about authority within the organization
• Threatening reprimands if requests aren’t honored
• Acting nervous when questioned (pursing the lips and fidgeting — especially the hands and feet because controlling body parts that are farther from the face requires more conscious effort)
• Overemphasizing details
• Experiencing physiological changes, such as dilated pupils or changes in voice pitch
• Appearing rushed
• Refusing to give information
• Volunteering information and answering unasked questions
• Knowing information that an outsider should not have
• Using insider speech or slang as a known outsider
• Asking strange questions
• Misspelling words in written communications

A good social engineer isn’t obvious with the preceding actions, but these are some of the signs that malicious behavior is in the works. Of course, if the person is a sociopath or psychopath, your experience may vary. (Psychology For Dummies by Adam Cash is a good resource for such complexities of the human mind.)

Social engineers often do a favor for someone and then turn around and ask that person if he or she would mind helping them. This common social engineering trick works pretty well. Social engineers also often use what’s called reverse social engineering. This is where they offer help if a specific problem arises; some time passes, the problem occurs (often by their doing), and then they help fix the problem — not unlike politicians in Washington, DC! They may come across as heroes, which can further their cause. Social engineers might ask an unsuspecting employee for a favor. Yes — they just outright ask for a favor. Many people fall for this trap.

Impersonating an employee is easy. Social engineers can wear a similar-looking uniform, make a fake ID badge, or simply dress like the real employees. People think, “Hey — he looks and acts like me, so he must be one of us.” Social engineers also pretend to be employees calling from an outside phone line. This trick is an especially popular way of exploiting help desk and call center personnel. Social engineers know that these employees fall into a rut easily because their tasks are repetitive, such as saying, “Hello, can I get your customer number, please?”

Deceit through technology

Technology can make things easier — and more fun — for the social engineer. Often, a malicious request for information comes from a computer or other electronic entity that the victims think they can identify. But spoofing a computer name, an e-mail address, a fax number, or a network address is easy. Fortunately, you can take a few countermeasures against this type of attack, as described in the next section.

Hackers can deceive through technology by sending e-mail that asks victims for critical information. Such an e-mail usually provides a link that directs victims to a professional- and legitimate-looking website that “updates” such account information as user IDs, passwords, and Social Security numbers. They might also do this on social networking sites, such as Facebook and Myspace.

Many spam and phishing messages also use this trick. Most users are inundated with so much spam and other unwanted e-mail that they often let their guard down and open e-mails and attachments they shouldn’t. These e-mails usually look professional and believable. They often dupe people into disclosing information they should never give in exchange for a gift. These social engineering tricks also occur when a hacker who has already broken into the network sends messages or creates fake Internet pop-up windows. The same tricks have occurred through instant messaging and cellphone messaging.

In some well-publicized incidents, hackers e-mailed their victims a patch purporting to come from Microsoft or another well-known vendor. Users think it looks like a duck and it quacks like a duck — but it’s not the right duck! The message is actually from a hacker wanting the user to install the “patch,” which installs a Trojan-horse keylogger or creates a backdoor into computers and networks. Hackers use these backdoors to hack into the organization’s systems or use the victims’ computers (known as zombies) as launching pads to attack another system. Even viruses and worms can use social engineering. For instance, the LoveBug worm told users they had a secret admirer. When the victims opened the e-mail, it was too late. Their computers were infected (and perhaps worse, they didn’t have a secret admirer).

The Nigerian 419 e-mail fraud scheme attempts to access unsuspecting people’s bank accounts and money. These social engineers — I mean scamsters — offer to transfer millions of dollars to the victim to repatriate a deceased client’s funds to the United States. All the victim must provide is personal bank-account information and a little money up front to cover the transfer expenses. Victims then have their bank accounts emptied. This trap has been around for a while, and it’s a shame that people still fall for it.

Many computerized social engineering tactics can be performed anonymously through Internet proxy servers, anonymizers, remailers, and basic SMTP servers that have an open relay. When people fall for requests for confidential personal or corporate information, the sources of these social engineering attacks are often impossible to track.

Using the Internet

Today’s basic research medium is the Internet. A few minutes searching on Google or other search engines, using simple keywords, such as the company name or specific employees’ names, often produces a lot of information. You can find even more information in SEC filings at www.sec.gov and at such sites as www.hoovers.com and http://finance.yahoo.com. Many organizations — especially their management — would be dismayed to discover the organizational information that’s available online! Given the plethora of such information, it’s often enough to start a social engineering attack.

Criminals can pay just a few dollars for a comprehensive online background check on individuals, executives included. These searches turn up practically all public — and sometimes private — information about a person in minutes.

Dumpster diving

Dumpster diving is a little more risky — and it’s certainly messy. But, it’s a highly effective method of obtaining information. This method involves literally rummaging through trash cans for information about a company.

Dumpster diving can turn up even the most confidential of information because some people assume that their information is safe after it goes into the trash. Most people don’t think about the potential value of the paper they throw away. And I’m not just talking about the recycle value! These documents often contain a wealth of information that can tip off the social engineer with information needed to penetrate the organization. The astute social engineer looks for the following hard-copy documents:

• Internal phone lists
• Organizational charts
• Employee handbooks, which often contain security policies
• Network diagrams
• Password lists
• Meeting notes
• Spreadsheets and reports
• Customer records
• Printouts of e-mails that contain confidential information

Shredding documents is effective only if the paper is cross-shredded into tiny pieces of confetti. Inexpensive shredders that shred documents only in long strips are basically worthless against a determined social engineer. With a little time and tape, a savvy hacker can piece a document back together if that’s what he’s determined to do.

Hackers often gather confidential personal and business information from others by listening in on conversations held in restaurants, coffee shops, and airports. People who speak loudly when talking on their cellphones are also a great source of sensitive information for social engineers. (Poetic justice, perhaps?) Airplanes are a great place for shoulder surfing and gathering sensitive information. While I’m out and about in public places and on airplanes, I hear and see an amazing amount of private information. You can hardly avoid it!

The bad guys also look in the trash for USB drives, DVDs, and other media. See Chapter 7 for more on trash and other physical security issues, including countermeasures for protecting against dumpster divers.

Phone systems

Attackers can obtain information by using the dial-by-name feature built in to most voicemail systems. To access this feature, you usually just press 0 or # after calling the company’s main number or after you enter someone’s voice mailbox. This trick works best after hours to ensure no one answers.

Social engineers can find interesting bits of information, at times, such as when their victims are out of town, just by listening to voicemail messages. They can even study victims’ voices by listening to their voicemail messages, podcasts, or webcasts so they can learn to impersonate those people.

Attackers can protect their identities if they can hide where they call from. Here are some ways they can hide their locations:

• Residential phones sometimes can hide their numbers from caller ID by dialing *67 before the phone number.

  This feature isn’t effective when calling toll-free numbers (800, 888, 877, 866) or 911. Disposable cell phones and VoIP services work quite well, however.

• Business phones in an office using a phone switch are more difficult to spoof. However, all the attacker usually needs is the user guide and administrator password for the phone switch software. In many switches, the attacker can enter the source number — including a falsified number, such as the victim’s home phone number.
• VoIP Servers such as the open source Asterisk (www.asterisk.org) can be used and configured to send any number they want.

Phishing e-mails

The latest, and often most successful, means for hacking is carried out via e-mail phishing where criminals sending bogus e-mails to potential victims in an attempt to get them to divulge sensitive information or click malicious links that lead to malware infections. Phishing has actually been around for years, but it has recently gained greater visibility given some high-profile exploits against seemingly impenetrable businesses and federal government agencies. Phishing’s effectiveness is amazing, and the consequences are often ugly. I’m seeing success rates (or failure rates, depending on how you look at it) as high as 60–70 percent in my own phishing testing. A well-worded e-mail is all it takes to glean passwords, access sensitive information, or inject malware into targeted computers.

You can perform your own phishing exercises. A rudimentary, yet highly-effective, method is to set up an e-mail account on your domain, or ideally, a domain that looks similar to yours at a glance, request information or link to a website that collects information, send e-mails to employees or other users you want to test, and see what they do. Do they open the e-mail, click the link, divulge information, or — if you’re lucky — none of the above? It’s really as simple as that.

Be it today’s rushed world of business, general user gullibility, or downright ignorance, it’s amazing how susceptible the average person is to phishing e-mail exploits. A good phishing e-mail that has a greater chance of being opened and responded to creates a sense of urgency and provides information that presumably only an insider would know. Beyond that, many phishing e-mails are easy to spot because they often:

• Have typographical errors
• Contain generic salutations and e-mail signatures
• Ask the user to directly click on a link
• Solicit sensitive information

A more formal means for executing your phishing tests is to use a tool made specifically for the job. There are commercial options available on the Internet such as LUCY (http://phishing-server.com) as well as freebies such as Simple Phishing Toolkit (https://github.com/sptoolkit/sptoolkit) which is no longer supported but can still be used for this type of testing. With both options, have access to pre-installed e-mail templates, the ability to scrape (copy pages from) live websites so you can customize your own campaign, and various reporting capabilities so you can track which e-mail users are taking the bait and failing your tests.