Social Engineering

Social engineering is a term applied to the art of humans manipulation as a means to have a person divulge information or perform an action of the manipulator's choosing.

Email

Until the release of StormWorm social engineering by means of email was a less commonly used method. The process involved an email being crafted with the intent to trick the recipient into downloading something, executing something or disclosing information, arbitrary or not. Emails may be forged, hijacked, rewritten and/or simply full of lies, anything to get the sender's desired reaction.

See email spoofing for more information on this topic.

Telephone

There are a variety of approaches a social engineer can use over the telephone. Impersonations of figures of authority or people closely associated with loved ones are common roles assumed. Usually excessive flattery is one of the more successful approaches used when interacting with the target as a person is more open with people they do not perceive as a threat. If niceness is not successful the manipulator will then resort to an intimidation or fear-based attacks which can involve anything from security threats on a network to harm of the target. Though the latter is much less common as the social engineer often prefers to keep their intentions less obvious.

Examples

An example of using both email and telephone would be an email sent creating a weakness in a network. Then followed by informing an administrator of a security hole in which his configuration is vulnerable and providing a website or link providing a malicious piece of software that the engineer will call the "patch" to the vulnerability.

Average employees are often vulnerable to social engineering attacking. For example if the engineer has a lot of information on the employee (such as name, date of birth, the last four digits of his social security number, and so on) they may call the employee during off hours impersonating the employee's workplace, verify the last four social security digits and current password to "verify identity". This is followed by a story of a problem and that the employee's password is being reset, followed by giving the employee a new password. At the same time the attacker may have called in to the employer requesting a password reset to begin with- making both sides of the corporation believe there was an issue. The advantage of this is not only the password was reset but eventual discovery of the compromised account by the corporation has been delayed.

Other easily phoned social engineering attacks include knowing enough about a corporation to gain information from an employee. Calling employees on off-hours impersonating tech support or even a solicitor is often a successful method. If the engineer knows the employee's bank, they may pass themselves off as a bank representative, informing the employee that they have won a prize and requesting a piece of personal information (social security number, date of birth, or even bank account number) for verification of identity. With this newfound information the social engineer can then call the employee's company with enough information to pose as and "prove" the employee's identity in order to gain the routing and accounting information from the employee's paycheck or direct deposition. The engineer could then call the accounting department again assuming the role of a bank employee, give the routing and account number to validate identity, and then ask for the Federal Tax ID or Employer Identification Number for the targeted individual from the accounting department. By then the social engineer has enough information on their target to be able to hijack wire transfers and perhaps even successfully commit wire fraud with target corporate assets.

The examples listed are but minor ideas of social engineering over the mediums of electronic communication. Organized crime on the other hand won't always rely on such techniques. In a targeted social engineering attack the target corporation may fall prey to other variables such as malicious employees, sales agents of other corporations and furthermore may fall victim to malicious clientele.

Social Engineering

Social Engineering - By Impact

Outline of Social Engineering

This idea is more of a lifetime perspective or lifestyle. This means that creating milestones and reaching your targets allows you to start living a planned and directed life, a more efficient one. In order to achieve your goals, you should identify and implement them immediately.

Questions you should ask yourself include:

1. Where do you want to go?
2. What are the milestones in between?
3. How do you reach them?
4. How do you look like finishing the milestone/target?

If you are planning a hack, define yourself a finish line. Imagine yourself crossing this line, also known as self-actualisation. Also, think about the milestones you must reach in order to reach your final goal. An example of a social engineering target is a free pizza.

Analyzing and Creating Milestones

Questions to aid in the creation of milestones:

1. What do you have to do?
2. Who is going to help you?
3. Who are you going to exploit?
4. Who are you pretending to be?

Mantras for Social Engineering

- Define short, middle and long range targets for your life planning, even if you dont have one yet, keep thinking until you work them out - Partition them into milestones - Recruit people, who will help you reaching these targets - Motivate yourself daily - Visualize yourself while running over the finish line thats the theory

Example

Employee 1, Andrew, does not get along with employee 2, Bob. Bob knows this and feels he must take action in order to stop having to deal with Andrew. This can be done by becoming the boss of Andrew and then firing him. To attain this position of power, he identifies that he needs to become friendly with the big boss, Christian. Now Christian is not the target, but he is the milestone, required in order to remove Andrew. Bob would then try to establish trust and a relation to recruit Christian and exploit this to achieve the target, removal of Andrew.

Other Uses

When appearing to people on a professional basis in business, always try to leave an empathetic pleased impression on them, mutual happiness. They would then associate happiness with me and therefore remember their relationship with you as positive. Non-verbal communication can also aid in this positive relationship. By lowering your head, opening eyes wide, smiling and physical contact, you can create an open and strong relationship.

Politeness

This lesson is about politeness and it's use in social engineering. For most social engineering attempts, you are wanting a one time goal such as someone's password, access to a system etc and after that you are done with them.

To get this one time goal to succeed, you need to emulate the same types of activity you would usually partake in by making someone your friend. Unfortunately, most people on the internet show a severe lack of social graces, making it difficult to engage in social engineering.

The solution to this is forcing yourself to be polite all the time. This at first takes a lot of effort, but once it becomes a habit, you find your ability to social engineer comes easier. You can practice the basics by trying to make friends as it uses the same skills.

Things To Keep in Mind

With this, you have to be really careful and not see your friends as targets. This requires mental discipline, if you start socialising your friends, they will notice and they will start to feel used and you will lose them. So remember, keep socialing separate from your real friends.

Putting Social Engineering to Work

Once you have learned to be consistently polite, you will also notice an ease in your normal interactions with strangers. This is a good tool to have even if you aren't going to social engineer, you don't have to be overly formal, just polite as it carries a long way. For some people however, this does not work as they will mistake it for a sign of weakness. For this reason, you are being taught other skills.

Another thing to avoid is being too polite. By being too polite, it puts people off and they see it as false.

This is an advanced technique of this is to first observe a group and see what the social norm is are they friendly or somewhat hostile. Whatever it is, try to match it, not exactly but close enough to look like "one of them".

Any real con man will tell you that their scams are 90% truth, 10% lies. That helps with not being contradictory. Therefore, the best way to lie is to tell the truth. The feeling you want your target to have when you are done is for them to feel good about helping you then they won't think about it too hard

Protecting Yourself From Social Engineering

Now the reverse of this is to defend yourself from being socialed. This part is harder, a lot harder, as the same pathways you use to make friends, others might exploit. A proposed work around is to not give anything until you have known them for at least a month. This is done as most social engineers would have moved on to easier prey. A better alternative is to make others around you prove themselves any time they make a claim, this however can create uneasy relations with others around you, remember social engineering uses flaws in the way human beings make friendships and relationships with one another naturally, this makes it inherently difficult to detect. Combating it successfully requires a strong degree of paranoia and distrust toward your fellow human beings, this makes for lonely living. So you can protect yourself completely from these sorts of attacks if you are willing to sacrifice almost all of your interpersonal relations with others.

Seduction

In the perspective of social engineering seduction can be a powerful tool to enhance other tactics. Seduction gives you physical access and pliability. Users vulnerable to seduction yield physical access to themselves as well as any proximal technology to an attacker; sometimes emotionally falling for an attacker.

Hostility

This technique has a significant chance of backfiring use with caution and make sure you are dressed properly for the situation.

In the perspective of social engineering hostility can be useful to make multiple targets shy away from you if you are in a crowded area, faking a heated argument over cell phone while you walk to your destination will prevent the average person from questioning you. If you are angry, people are much less likely to stop and question you. In fact, people are much more likely to give you what you want when you are angry just to make you go away, do ensure you are dressed for the part or this is not likely to work.

Uses include getting through security doors and getting locations for sensitive items such as server racks and routers.

Spear Phishing

Spear Phishing deserves special mention due to the combination of social engineering and an attack known as phishing, in normal phishing targets are selected at random for exploitation, in spear phishing targets are chosen deliberately and the phishing attack is tailored to the target for a specific goal.

A real world example of this would be the 8 million dollar spear phishing scam that hit conde nast.

Foot-in-the-door (FITD) technique

This technique involves exploiting the human tenancy to help other fellow human by getting the target to agree to smaller requests before asking for a larger one, this can also be combined with other tactics for more effectiveness. Real world examples can be seen in modern marketing. In an information security standpoint this technique is good for its namesake, getting you through the front door.