Wednesday, 12 October 2011

SOCIAL ENGINEERING

UNDERSTANDING SOCIAL ENGINEERING

If someone you trusted has ever tricked you into taking inappropriate action or making erroneous decisions or judgments, you know what it feels like to be socially engineered. These erroneous decisions or judgments can be very costly and make you feel you have inferior ‘grey matter’ compared to the ‘iniquitous’ guy who has taken advantage of you. It is more embarrassing than being robbed of your car by someone wielding a toy gun.

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical cracking techniques: simply put, lying to obtain information. In its present-day definition, social engineering entails manipulating people to defraud them or to obtain information that has value attached to it, such as medical records, financial records, passwords, and the secret PINs (Personal Identification Numbers) for ATM and credit cards.

Whilst similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

The easiest way to get into a computer system is to simply ask permission. At the end of the day, no matter how much encryption and security technology you have implemented, a network is never completely secure. You can never get rid of the weakest link—the human factor. It does not matter how many firewalls, virtual private networks (VPNs), or encryption devices you have if your employees are willing to give systems access to anyone who asks for it, directly or indirectly.

A social engineer is someone who uses deception, persuasion, and influence to get information that would otherwise be unavailable. To social engineers, the fact that “there is a sucker born every minute” gives them the opportunity to circumvent some of the most secure data centers in the world. A sucker is someone who is gullible and easy to take advantage of. In the local parlance, social engineers are also addressed as “Yahoo Yahoo boys”, “Internet Fraudsters”, “Internet Cons”, “Internet 419ers”, “Scammers” etc.

Social engineering is more than just being a con artist; it is about understanding human psychology and having a methodical way of influencing someone to either give out sensitive information or grant you unauthorized access. In other words, it is not about being a good liar; it is about being an engineer who discovers ways to manipulate people for his or her advantage.

You need to be careful and on the alert to overcome the plots of social engineers. It is therefore imperative not only to understand their techniques but also to keep abreast of their continually improvised strategies so as not to fall prey to them. Some popular social engineering techniques, and how to deal with them, are explained in this article.

There is a concept called Reverse Social Engineering (RSE), which has three sequential steps: sabotage, advertising, and assisting. In the first step, a social engineer finds a way to sabotage a network. This can range from something as complex as launching a network attack against a target website to something as simple as sending an email from a spoofed (faked) email address telling users that they are infected with a virus. No matter what technique is employed, the social engineer has either sabotaged the network or given the impression that the network is sabotaged.

Next, the social engineer advertises his or her services as a security consultant. This can be done through many means, including sending mailers, dropping business cards, or sending emails that advertise his or her services. At this point, the social engineer has created a problem in the network (sabotage) and is placing himself or herself in a position to help (advertising). The corporation sees the advertisement, contacts the engineer under the false belief that the social engineer is a legitimate consultant, and allows the social engineer to work on the network. Once in, the social engineer gives the impression of fixing the problem (assisting) but will really do something malicious, such as planting keyloggers or stealing confidential data. Keyloggers are software that records activity on the network and the computers on it, including everything typed at the keyboard such as passwords, business data, PINs, etc. The keylogger periodically (as programmed) sends its log over the Internet to the person who planted it.

Another social engineering technique is “Piggybacking”. This is probably one of the most effective ways of gaining unauthorized physical access to an organization. With piggybacking, a social engineer appears to be a legitimate employee and walks into a secure building by following behind someone who has access. A classic example is a social engineer showing up at the front door of a secure facility on a rainy day at 8am, carrying a heavy box. As an employee walks up, the social engineer takes advantage of human kindness by saying, “Would you mind opening the door for me? I can’t reach my badge to open the door while carrying this box.” Because people generally want to help others, the employee will open the secure door and grant access to the social engineer.
Another common example is for the social engineer to show up in the area where employees stand outside to smoke. The social engineer stands outside smoking with the other employees and then, when they finish smoking, simply walks in right behind them, bypassing any physical security control such as card readers.

Many network penetration testers and malicious hackers come from a technical background rather than a background in human psychology. As a result, when technical people need to do social engineering they resort to what they know best: being a techie.
An example of this is when a social engineer calls a user within an organization and impersonates a help desk operator. Here is a sample of what that phone call may sound like:

Social Engineer: “Hello. This is Paul from the help desk. Hey listen, we’ve been noticing that some passwords have leaked out, and we are calling around to make sure that people are changing their passwords. We think your password may have been compromised, so if you don’t mind, I’d like to walk you through changing it.”

User: “Sure.”
Social Engineer: “Great! First, I want you to hold down the Control button, the Alt button, and the Delete button at the same time. That will bring up a new screen that has several buttons. Once this appears, click on the Change Password button. Now it’s important that you type in a secure password that contains a good mixture of uppercase and lowercase letters as well as numbers so that it is difficult for an attacker to hack into your computer. What password are you going to use?”

User: “Hmm…let me think. How about Password123? Is that secure?”

Social Engineer: “Absolutely. Go ahead and type in the new password and press OK. I really appreciate you taking the time to do this to keep your computer secure.”

The social engineer was able to use his or her knowledge of technology to convince a user to give out a password.

Another social engineering technique is called a “phishing attack”. This occurs when a social engineer sends a person an email that appears to come from a legitimate site, such as PayPal or a banking site, asking the recipient to visit a website and input sensitive information such as a bank account number or password. The website appears to be the real one, but is instead a site created by the attacker. This is very common nowadays; here is an example:

Dear XYZ Bank customer, your access to online services is very important to us. Due to online fraudulent activities, our online banking security system has notice some changes on your online banking details. If you authorized these changes you are not to respond to this message, but if you did not authorized these recent changes you are therefore asked to secure your online banking access by clicking on the secure Web Form below.

http://www.amsp.kr/board/data/file/column/ebank.xyxbankplc.netbanking.html
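The link above illustrates the trick a phishing page relies on: the browser connects to the registered domain (here amsp.kr), while the bank's name appears only in the path. The following Python snippet, added here as an example and not part of the original article, shows how a mail filter or a careful reader can surface that mismatch; the trusted domain xyzbankplc.example and the brand token list are assumed placeholders, and the second URL is a constructed legitimate one for comparison.

```python
from urllib.parse import urlsplit

# Sample links: the phishing URL quoted in the article, and a constructed
# legitimate URL on the (assumed, placeholder) bank domain for comparison.
SAMPLES = [
    "http://www.amsp.kr/board/data/file/column/ebank.xyxbankplc.netbanking.html",
    "https://netbanking.xyzbankplc.example/login",  # constructed, legitimate
]

# Assumed placeholder for the bank's real registered domain.
TRUSTED_DOMAINS = {"xyzbankplc.example"}
# Brand words a customer would expect to see only in the bank's own domain.
# "xyxbank" is included because the sample URL misspells the bank's name.
BRAND_TOKENS = ("xyzbank", "xyxbank", "netbanking", "ebank")


def registered_domain(host: str) -> str:
    """Naive registered domain: last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_url(url: str) -> dict:
    """Report where a link really points and whether brand names are
    used outside the trusted registered domain."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registered_domain(host)
    path_and_query = (parts.path + "?" + parts.query).lower()
    # Brand names appearing in the path are meaningless for trust: the
    # browser only cares about the host.
    brand_in_path = [t for t in BRAND_TOKENS if t in path_and_query]
    # Brand names in a subdomain of an untrusted domain are equally hollow.
    brand_in_sub = [t for t in BRAND_TOKENS
                    if t in host.lower() and t not in reg]
    suspicious = reg not in TRUSTED_DOMAINS and bool(brand_in_path or brand_in_sub)
    return {
        "url": url,
        "host": host,
        "registered_domain": reg,
        "plain_http": parts.scheme == "http",
        "brand_in_path": brand_in_path,
        "brand_in_subdomain": brand_in_sub,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for u in SAMPLES:
        r = analyse_url(u)
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{verdict:10} really points at {r['registered_domain']!r}; "
              f"brand names in path: {r['brand_in_path']}")
```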

Here is an example from an actual phishing email where the attacker impersonated an employee of PayPal:
“It has come to our attention that 98 percent of all fraudulent transactions are caused by members using stolen credit cards to purchase or sell non-existent items. Thus, we require our members to add a debit/check card to their billing records as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. Your debit/check card will only be used to identify you. If you could please take 5-10 minutes out of your online experience and renew your records, you will not run into any future problems with the PayPal service. However, failure to confirm your records will result in your account suspension.”
This e-mail went on to provide a link to a fake website for the e-mail recipient to access and input the credit card information.

Here is another socially engineered email popular in Nigeria, in which an attacker impersonates bank staff:
Dear ATM Card User,
Central Bank is pleased to notify ATM Card User that we have successfully upgraded to a more secure and encrypted SSL servers to serve our esteemed customers for a better and more efficient banking services in the year 2010. Due to this recent upgrade you are requested to update your ATM CARD information by following the reference below. using our new 2010 secure and safe SSL servers. To validate your ATM CARD account click on UPGRADE MY ATM CARDS SECURITY.
This Email has being sent to all our Bank customers and it is compulsory to follow as failure to verify account details will lead to account suspension. Thank you.

Central Bank of Nigeria

It will be unfortunate for a customer to follow the instructions of the impersonators, as he will end up blaming himself after the social engineers have gained access to his credit card details, ATM PINs, etc. The latter part of the story will be nothing but tales of woe.

Another variation of phishing attacks is a whaling attack. Here the social engineer targets executives and high-profile individuals. Information about executives and high-profile targets is easily accessible on the Internet. For example, a company may publish bio-data of its executive officers on its corporate website. A social engineer may use this information to create a targeted spear phishing attack against the corporate officer.
For example, if the bio-data says that the chief financial officer graduated from London University in 1979 and enjoys playing golf (yes, some executives actually put their hobbies in their bio-data), a social engineer may send that officer an email purporting to be from the university alumni chapter, inviting him to a special alumni golf tournament for graduates. The executive is likely to believe that it is authentic. The email may go on to ask him to visit a website and enter credit card information to reserve a spot in the tournament.

Because of the vast amount of information available about corporate officers and other high-profile targets, whaling is becoming increasingly popular: this information makes it easy for social engineers to target them in a convincing manner.

Not having much success with phishing or whaling? Try vishing! Vishing is an attack that uses the phone to perform the equivalent of a phishing attack. A common example, and one that is highly effective, is to have a war dialer call a list of numbers automatically and play a recorded message. When the phone is answered, the recorded message may say that the call is from the person’s bank and that their credit card may be compromised. The “victims” are asked to call a number to resolve the issue. The user calls the number and hears another automated message that prompts the victim to enter his or her credit card number, PIN, address, and whatever else the social engineer may want.
Another popular variation of a vishing attack is sending the original message through a text message to a cell phone instead of calling the person directly.

Social networking sites such as Facebook and MySpace are a social engineer’s paradise. A social engineer can find out so much about you from these sites. People post information about where they work, what they like to do, what bands they like, and more. A social engineer can use the information you post on your social networking page in a number of ways:
• Sending an email impersonating a friend listed on the page and asking for confidential information, or even chatting with you while you think you are talking to your real friend, and thereby extracting sensitive information from you.
• Viewing pictures of a person to find out popular hang-outs, and then showing up at the same spots to social-engineer the person outside of a work environment.
• Discovering the person’s age, place of birth, school, and previous employers, all of which can be used to target the person in a spear phishing attack.
• Adding the person as a friend to build up an online relationship and establish trust. The social engineer then exploits that trust to get information from the person which can be used to launch another attack.

The social engineer can send an email like this:
Dear Friend,
With due respect to your person and with much sincerity of purpose I make this contact with you as I believe that you can be of great assistance to me, but first let me introduce myself. My name is Mr. AMAN JOE MATOU, a 41 years old western educated man, from the Republic of BURKINA FASO, West Africa. Presently i work with the ministry of Housing as the secretary in charge of foreign contractors payment. I am contacting you to seek for your assistance and possibly, partnership for investment purposes in your country. It has always been my mind to plan for the future of my family in a country like yours where there is a free society. As you are aware, I am from a country where the same cannot be said. Should you sincerely make up your mind to assist and also cooperate with me fully to actualize my dream; I promise you will never regret knowing me. To enable us discuss further on how you can fully render assistance kindly get back to me soon with this my private contact below meanwhile, for security reasons!. Thank you very much for your anticipated cooperation.

Sincerely,
AMAN JOE MATOU.

Another social engineering technique rests on the universal truth that human beings do dumb things when attracted to someone else. Human attraction, especially to the opposite sex, if not properly managed, may leave a person vulnerable to everything from the gathering of insider information to the pick-pocketing of keys to a building while he or she is not paying attention.
A social engineer is one who understands psychology and engineers ways to manipulate people to his or her advantage. Leading someone to believe there is mutual chemistry is one of the oldest social engineering tricks in the world.

If you are after information, nothing will get a person talking more than going to a bar. If a social engineer wants to learn insider information, he or she may seek out a target who likes to go to bars. The social engineer may follow people home from work to see which ones go to bars afterwards, or may look people up on social networking sites to see if there are pictures or any other information that reveal the names of bars or clubs they visit. Armed with this information, the social engineer may strike up a conversation with the targeted person at a bar and try to get the person drunk enough to reveal information.
There are several steps a social engineer may take to accomplish this. Once the social engineer learns which bar the target visits, the social engineer will arrive early to strike up a conversation with the bartender. He will tell the bartender that he will be in later and give the bartender a large sum of cash in exchange for making sure that there are always drinks ready for him. In addition, he will tell the bartender that no matter what drink he asks for, no alcohol is to go in it. This way the social engineer stays sober and can focus on his objective while the target gets drunk.
Later that night, the social engineer will strike up a conversation with the target, order several rounds of shots and hard liquor on his tab, and attempt to get the target drunk. Once the target is drunk, the social engineer can bring up the topic of work and proceed to extract information the person would otherwise never share, such as how to get into a building, passwords, trade secrets, and more.

These are just a few of many techniques used by social engineers. Some of these involve technology (e.g., spear phishing) while others use tried and true methods of human manipulation, such as NLP (Neuro-Linguistic Programming). Social engineers use these tactics for a multitude of reasons, ranging from obtaining bank account numbers to acquiring trade secrets to sell to competitors.
If you are concerned about social engineers targeting people in your organization, you can take some steps to help thwart these attacks:
• First, employees should be regularly trained in how to look out for suspicious people, websites, e-mails, and phone calls.
• Second, train employees in what is called G.O.C.S. security—Good Old Common Sense security. In other words, some people just need to be taught some street smarts. I have seen companies do this by spelling out in their corporate security policy the dangers of using social networking sites and of drinking and discussing work topics with strangers (of course, this is only effective if employees actually read the policies which, as we all know, is wishful thinking).
• Employ the principle of need-to-know. The need-to-know principle states that employees should only be given enough information to do their job. They should not be given information about other departments or about decisions made at higher levels that do not relate to their work. This way, should a social engineer try to get information out of them, they would have limited information that they could reveal.
• Always double-check with superiors before you release information about your organisation to third parties, business associates, contractors, affiliates, etc.
• Exhibit a healthy level of skepticism and good common sense in all your dealings with people. Think carefully at all times when dealing with strangers and when communicating electronically. Always ask yourself: why does this person need this information? What if he is not the person he claims to be? After all, I cannot see him. In addition, when you receive information that requires you to take a certain action, such as releasing goods to a customer after receiving a deposit alert on your phone, reconfirm the deposit from about two other sources, such as contacting your bank account officer or logging on to your account online to verify your balance.
• Only necessary information about you should be shared on the Internet via Facebook, MySpace, BlackBerry Messenger, Yahoo Messenger, MSN Chat, etc. Any compromise of this information can be exploited to the advantage of the social engineer. Therefore, when Facebook constantly prompts you with “What’s on your mind?”, simply say “Nothing”. According to Anindya Ghose, associate professor at New York University: "The average person should be aware of what is going on, just in general, because whatever you post online, if there is a digital trail, that’s going to be recorded, you know, for keeps. It’s going to stay there forever. So I think the average person should know that whatever information they release on Facebook, that’s going to be available to somebody or the other at any point in time."