Chapter 6
In This Chapter
Understanding social engineering
Examining the ramifications of social engineering
Performing social engineering tests
Protecting your organization against social engineering
Social engineering takes advantage of the weakest link in any organization’s information security defenses: people. Social engineering is “people hacking” and involves maliciously exploiting the trusting nature of human beings to obtain information that can be used for personal gain.
Social engineering is one of the toughest hacks to perpetrate because it takes bravado and skill to come across as trustworthy to a stranger. It’s also by far the toughest thing to protect against because people who are making their own security decisions are involved. In this chapter, I explore the consequences of social engineering, techniques for your own ethical hacking efforts, and specific countermeasures to defend against social engineering.
In a social engineering scenario, those with ill intent pose as someone else to gain information they likely couldn’t access otherwise. They then take the information they obtain from their victims and wreak havoc on network resources, steal or delete files, and even commit corporate espionage or some other form of fraud against the organization they attack. Social engineering is different from physical security exploits, such as shoulder surfing and dumpster diving, but the two types of hacking are related and often are used in tandem.
Here are some examples of social engineering:
Sometimes, social engineers act as confident and knowledgeable managers or executives. At other times they might play the roles of extremely uninformed or naïve employees. They also might pose as outsiders, such as IT consultants or maintenance workers. Social engineers are great at adapting to their audience. It takes a special type of personality to pull this off, often resembling that of a sociopath.
I approach the ethical hacking methodologies in this chapter differently than in subsequent chapters. Social engineering is an art and a science. Social engineering takes great skill to perform as a security professional and is highly dependent on your personality and overall knowledge of the organization.
You can perform social engineering attacks in millions of ways. From walking through the front door purporting to be someone you’re not to launching an all-out e-mail phishing campaign, the world is your oyster. For this reason, and because training specific behaviors in a single chapter is next to impossible, I don’t provide how-to instructions for carrying out social engineering attacks. Instead, I describe specific social engineering scenarios that have worked well for me and others. You can tailor these same tricks and techniques to your specific situation.
An outsider to the organization might perform certain social engineering techniques such as physical intrusion tests best. If you perform these tests against your own organization, acting as an outsider might be difficult if everyone knows you. This risk of recognition might not be a problem in larger organizations, but if you have a small, close-knit company, people might catch on.
People use social engineering to break into systems and attain information because it’s often the simplest way for them to get what they’re looking for. They’d much rather have someone open the door to the organization than physically break in and risk being caught. Security technologies such as firewalls and access controls won’t stop a determined social engineer.
Many social engineers perform their attacks slowly to avoid suspicion. Social engineers gather bits of information over time and use the information to create a broader picture of the organization they’re trying to manipulate. Therein lies one of their greatest assets: time. They’ve got nothing but time and will take the proper amount necessary to ensure their attacks are successful. Alternatively, some social engineering attacks can be performed with a quick phone call or e-mail. The methods used depend on the attacker’s style and abilities. Either way, you’re at a disadvantage.
Social engineers know that many organizations don’t have formal data classification programs, access control systems, incident response plans, or security awareness programs, and they take advantage of these weaknesses.
Social engineers often know a little about a lot of things — both inside and outside their target organizations — because this knowledge helps them in their efforts. Thanks to social media such as LinkedIn, Facebook, and other online resources I discuss in Chapter 5, every tidbit of information they need is often at their disposal. The more information social engineers gain about organizations, the easier it is for them to pose as employees or other trusted insiders. Social engineers’ knowledge and determination give them the upper hand over management and their employees who don’t recognize the value of the information that social engineers seek.
Many organizations have enemies who want to cause trouble through social engineering. These people might be current or former employees seeking revenge, competitors wanting a leg up, or hackers trying to prove their worth.
Regardless of who causes the trouble, every organization is at risk — especially given the sprawling Internet presence of the average company. Larger companies spread across several locations are often more vulnerable given their complexity, but smaller companies can also be attacked. Everyone, from receptionists to security guards to executives to IT personnel, is a potential victim of social engineering. Help desk and call center employees are especially vulnerable because they are trained to be helpful and forthcoming with information.
Social engineering has serious consequences. Because the objective of social engineering is to coerce someone for information to lead to ill-gotten gains, anything is possible. Effective social engineers can obtain the following information:
If any of the preceding information is leaked, financial losses, lowered employee morale, decreased customer loyalty, and even legal and regulatory compliance issues could result. The possibilities are endless.
Social engineering attacks are difficult to protect against for various reasons. For one thing, they aren’t well documented. For another, social engineers are limited only by their imaginations. Also, because so many possible methods exist, recovery and protection are difficult after the attack. Furthermore, the hard, crunchy outside of firewalls and intrusion prevention systems often creates a false sense of security, making the problem even worse.
With social engineering, you never know the next method of attack. The best things you can do are to remain vigilant, understand the social engineer’s motives and methodologies, and protect against the most common attacks through ongoing security awareness in your organization. I discuss how you can do this in the rest of this chapter.
Trust — so hard to gain, yet so easy to lose. Trust is the essence of social engineering. Most people trust others until a situation forces them not to. People want to help one another, especially if trust can be built and the request for help seems reasonable. Most people want to be team players in the workplace and don’t realize what can happen if they divulge too much information to a source who shouldn’t be trusted. This trust allows social engineers to accomplish their goals. Of course, building deep trust often takes time. Crafty social engineers can gain it within minutes or hours. How do they do it?
After social engineers obtain the trust of their unsuspecting victims, they coax the victims into divulging more information than they should. Whammo — the social engineer can go in for the kill. Social engineers do this through face-to-face or electronic communication that victims feel comfortable with, or they use technology to get victims to divulge information.
Wily social engineers can get inside information from their victims in many ways. They are often articulate and focus on keeping their conversations moving without giving their victims much time to think about what they’re saying. However, if they’re careless or overly anxious during their social engineering attacks, the following tip-offs might give them away:
A good social engineer isn’t obvious with the preceding actions, but these are some of the signs that malicious behavior is in the works. Of course, if the person is a sociopath or psychopath, your experience may vary. (Psychology For Dummies by Adam Cash is a good resource for such complexities of the human mind.)
Social engineers often do a favor for someone and then turn around and ask that person if he or she would mind helping them. This common social engineering trick works pretty well. Social engineers also often use what’s called reverse social engineering. This is where they offer help if a specific problem arises; some time passes, the problem occurs (often by their doing), and then they help fix the problem — not unlike politicians in Washington, DC! They may come across as heroes, which can further their cause. Social engineers might ask an unsuspecting employee for a favor. Yes — they just outright ask for a favor. Many people fall for this trap.
Impersonating an employee is easy. Social engineers can wear a similar-looking uniform, make a fake ID badge, or simply dress like the real employees. People think, “Hey — he looks and acts like me, so he must be one of us.” Social engineers also pretend to be employees calling from an outside phone line. This trick is an especially popular way of exploiting help desk and call center personnel. Social engineers know that these employees fall into a rut easily because their tasks are repetitive, such as saying, “Hello, can I get your customer number, please?”
Technology can make things easier — and more fun — for the social engineer. Often, a malicious request for information comes from a computer or other electronic entity that the victims think they can identify. But spoofing a computer name, an e-mail address, a fax number, or a network address is easy. Fortunately, you can take a few countermeasures against this type of attack, as described in the next section.
Hackers can deceive through technology by sending e-mail that asks victims for critical information. Such an e-mail usually provides a link that directs victims to a professional- and legitimate-looking website that “updates” such account information as user IDs, passwords, and Social Security numbers. They might also do this on social networking sites, such as Facebook and Myspace.
Many spam and phishing messages also use this trick. Most users are inundated with so much spam and other unwanted e-mail that they often let their guard down and open e-mails and attachments they shouldn’t. These e-mails usually look professional and believable. They often dupe people into disclosing information they should never give in exchange for a gift. These social engineering tricks also occur when a hacker who has already broken into the network sends messages or creates fake Internet pop-up windows. The same tricks have occurred through instant messaging and cellphone messaging.
In some well-publicized incidents, hackers e-mailed their victims a patch purporting to come from Microsoft or another well-known vendor. Users think it looks like a duck and it quacks like a duck — but it’s not the right duck! The message is actually from a hacker wanting the user to install the “patch,” which installs a Trojan-horse keylogger or creates a backdoor into computers and networks. Hackers use these backdoors to hack into the organization’s systems or use the victims’ computers (known as zombies) as launching pads to attack another system. Even viruses and worms can use social engineering. For instance, the LoveBug worm told users they had a secret admirer. When the victims opened the e-mail, it was too late. Their computers were infected (and perhaps worse, they didn’t have a secret admirer).
The Nigerian 419 e-mail fraud scheme attempts to access unsuspecting people’s bank accounts and money. These social engineers — I mean scamsters — offer to transfer millions of dollars to the victim to repatriate a deceased client’s funds to the United States. All the victim must provide is personal bank-account information and a little money up front to cover the transfer expenses. Victims then have their bank accounts emptied. This trap has been around for a while, and it’s a shame that people still fall for it.
Many computerized social engineering tactics can be performed anonymously through Internet proxy servers, anonymizers, remailers, and basic SMTP servers that have an open relay. When people fall for requests for confidential personal or corporate information, the sources of these social engineering attacks are often impossible to track.
The process of social engineering is actually pretty basic. Generally, social engineers discover the details on people, organizational processes, and information systems to perform their attacks. With this information, they know what to pursue. Social engineering attacks are typically carried out in four simple steps:
These steps can include numerous substeps and techniques, depending on the attack being performed.
Before social engineers perform their attacks, they need a goal. This is the first step in these attackers’ processes for social engineering, and this goal is most likely already implanted in their minds. What do they want to accomplish? What are the social engineers trying to hack? Why? Do they want intellectual property, server passwords, or is it access they desire? Or, do they simply want to prove that the company’s defenses can be penetrated? In your efforts as a security professional performing social engineering, determine this overall goal before you begin. Otherwise, you’ll just be wandering aimlessly creating unnecessary headaches and risks for you and others along the way.
After social engineers have a goal in mind, they typically start the attack by gathering public information about their victim(s). Many social engineers acquire information slowly over time so they don’t raise suspicion. Obvious information gathering is a tip-off when defending against social engineering. I mention other warning signs to be aware of throughout the rest of this chapter.
Regardless of the initial research method, all a criminal might need to penetrate an organization is an employee list, a few key internal phone numbers, the latest news from a social media website, or a company calendar. Chapter 5 covers more details on information gathering, but the following are worth calling out.
Today’s basic research medium is the Internet. A few minutes searching on Google or other search engines, using simple keywords, such as the company name or specific employees’ names, often produces a lot of information. You can find even more information in SEC filings at www.sec.gov and at such sites as www.hoovers.com and http://finance.yahoo.com. Many organizations — especially their management — would be dismayed to discover the organizational information that’s available online! Given the plethora of such information, it’s often enough to start a social engineering attack.
Dumpster diving is a little more risky — and it’s certainly messy. But, it’s a highly effective method of obtaining information. This method involves literally rummaging through trash cans for information about a company.
Dumpster diving can turn up even the most confidential of information because some people assume that their information is safe after it goes into the trash. Most people don’t think about the potential value of the paper they throw away. And I’m not just talking about the recycle value! These documents often contain a wealth of information that can tip off the social engineer with information needed to penetrate the organization. The astute social engineer looks for the following hard-copy documents:
Shredding documents is effective only if the paper is cross-shredded into tiny pieces of confetti. Inexpensive shredders that shred documents only in long strips are basically worthless against a determined social engineer. With a little time and tape, a savvy hacker can piece a document back together if that’s what he’s determined to do.
The bad guys also look in the trash for USB drives, DVDs, and other media. See Chapter 7 for more on trash and other physical security issues, including countermeasures for protecting against dumpster divers.
Attackers can obtain information by using the dial-by-name feature built in to most voicemail systems. To access this feature, you usually just press 0 or # after calling the company’s main number or after you enter someone’s voice mailbox. This trick works best after hours to ensure no one answers.
Social engineers can find interesting bits of information, at times, such as when their victims are out of town, just by listening to voicemail messages. They can even study victims’ voices by listening to their voicemail messages, podcasts, or webcasts so they can learn to impersonate those people.
Attackers can protect their identities if they can hide where they call from. Here are some ways they can hide their locations:
Residential phones sometimes can hide their numbers from caller ID by dialing *67 before the phone number. This feature isn’t effective when calling toll-free numbers (800, 888, 877, 866) or 911. Disposable cell phones and VoIP services work quite well, however.
(www.asterisk.org) can be used and configured to send any number they want.

The latest, and often most successful, means for hacking is carried out via e-mail phishing, where criminals send bogus e-mails to potential victims in an attempt to get them to divulge sensitive information or click malicious links that lead to malware infections. Phishing has actually been around for years, but it has recently gained greater visibility given some high-profile exploits against seemingly impenetrable businesses and federal government agencies. Phishing’s effectiveness is amazing, and the consequences are often ugly. I’m seeing success rates (or failure rates, depending on how you look at it) as high as 60–70 percent in my own phishing testing. A well-worded e-mail is all it takes to glean passwords, access sensitive information, or inject malware into targeted computers.
You can perform your own phishing exercises. A rudimentary, yet highly effective, method is to set up an e-mail account on your domain, or ideally, a domain that looks similar to yours at a glance, request information or link to a website that collects information, send e-mails to employees or other users you want to test, and see what they do. Do they open the e-mail, click the link, divulge information, or — if you’re lucky — none of the above? It’s really as simple as that.
Be it today’s rushed world of business, general user gullibility, or downright ignorance, it’s amazing how susceptible the average person is to phishing e-mail exploits. A good phishing e-mail that has a greater chance of being opened and responded to creates a sense of urgency and provides information that presumably only an insider would know. Beyond that, many phishing e-mails are easy to spot because they often:
A more formal means for executing your phishing tests is to use a tool made specifically for the job. There are commercial options available on the Internet such as LUCY (http://phishing-server.com) as well as freebies such as Simple Phishing Toolkit (https://github.com/sptoolkit/sptoolkit), which is no longer supported but can still be used for this type of testing. With both options, you have access to pre-installed e-mail templates, the ability to scrape (copy pages from) live websites so you can customize your own campaign, and various reporting capabilities so you can track which e-mail users are taking the bait and failing your tests.
You have only a few good lines of defense against social engineering. Social engineering will put your layered defenses to the true test. Even with strong security controls, a naïve or untrained user can let the social engineer into the network. Never underestimate the power of social engineers — and that of your users in helping them get their way.
Specific policies help ward off social engineering in the long term in the following areas:
These policies must be enforceable and enforced for everyone within the organization. Keep them up-to-date, tell your users about them, and, most important, test them.
One of the best lines of defense against social engineering is training employees to identify and respond to social engineering attacks. User awareness begins with initial training for everyone and follows with security awareness initiatives to keep social engineering defenses fresh in everyone’s mind. Align training and awareness with specific security policies — you may also want to have a dedicated security training and awareness policy.
While you approach ongoing user training and awareness in your organization, the following tips can help you combat social engineering in the long term:
Share the following tips with your users to help prevent social engineering attacks:
www.checkshorturl.com and http://wheredoesthislinkgo.com offer this service.

A few other general suggestions can ward off social engineering:
www.pdaconsulting.com/datadp.htm.

The following techniques can reinforce the content of formal training:
The Appendix lists my favorite security awareness trinkets and tool vendors to improve security awareness and education in your organization.