Most people are familiar with computer hacking, a concept typically paired with a sense of invasion from a distant and unknown source. Social engineering, however, introduces an element of proximity, or at least direct contact. Instead of spending time trying to crack a computer system from afar, the attacker tries to manipulate the victim into divulging sensitive information, such as a password to a company network or personal credit card details. There are several methods for doing so, some old, some newer, but nearly all rely on exploiting human trust and curiosity, which is why social engineering is often called human hacking.
Different types of methods
Social engineering is a multifaceted tool that attackers use to compromise both individuals and companies or organizations. Below is a short description of the most common kinds of social engineering, or rather of the attacks in which social engineering plays a part:
Phishing is probably the most well-known type of social engineering. In e-mail phishing the attacker sends an e-mail that to all appearances comes from a legitimate business, such as a bank or a company whose web shop you have used before (one that requires a profile or account). The e-mail usually contains a link to a fraudulent web page that seems legitimate, complete with company logos and content, and that carries a form requesting anything from a home address to an ATM card's PIN. The link may also deliver malware to the victim's computer.
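A defender can catch the pattern described above, a link whose visible text imitates a known company while its actual target is a different domain, with a simple heuristic. The following is an added example, not code from the original article; the e-mail body, the allow-list of known domains and the crude "last two labels" domain heuristic are all assumptions made for the illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: an HTML e-mail imitating a bank, as the text describes.
# The first link shows a trusted name but points somewhere else; the second is genuine.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="http://examp1e-bank.verify-login.example.net/form">
log in at www.example-bank.com</a> to confirm your PIN.</p>
<p>Help: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
"""

# Hypothetical allow-list: domains the organisation legitimately corresponds with.
KNOWN_DOMAINS = {"example-bank.com"}

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r'(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})', re.I)
# Map common digit-for-letter substitutions back to letters (1 -> l, 0 -> o).
HOMOGLYPHS = str.maketrans("10", "lo")


def registrable_domain(host):
    """Crude registrable domain: the last two labels (no public-suffix list; an assumption)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_in_text(text):
    """Return the registrable domain a reader would see in the link's visible text, if any."""
    m = DOMAIN_IN_TEXT_RE.search(text)
    return registrable_domain(m.group(1)) if m else None


def analyse_links(html, known_domains=KNOWN_DOMAINS):
    """Return [(href, [reasons])] for every link that looks like a phishing lure."""
    findings = []
    for href, text in LINK_RE.findall(html):
        reasons = []
        host = urlparse(href).hostname or ""
        actual = registrable_domain(host)
        shown = domain_in_text(re.sub(r"<[^>]+>", "", text))  # strip nested tags
        if shown and shown != actual:
            reasons.append(f"link text shows {shown} but points to {actual}")
        # A known brand name appearing in a host that is not the brand's own domain.
        norm_host = host.lower().translate(HOMOGLYPHS)
        for known in known_domains:
            brand = known.split(".")[0]
            if brand in norm_host and actual != known:
                reasons.append(f"brand '{brand}' used outside {known}")
                break
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `analyse_links(SAMPLE_EMAIL_HTML)` flags only the first link, for both the text/target mismatch and the brand name appearing under a foreign domain.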
SmiShing is the SMS version of phishing, while vishing is the phone version; this technique uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank's or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call the "bank" on a number provided (ideally a toll-free one) in order to "verify" information.
A bit different from the other methods, but no doubt one of the oldest ways of obtaining vital information about a company, dumpster diving simply means going through the trash of a company and its employees. This may be as straightforward as raiding a container, or as cunning as posing as an employee of the company to gain access to its trashcans. The method may yield surprisingly useful results for the perpetrator, as people don't tend to view their trash as potentially sensitive material. Trash in this regard may be anything from documents to CDs and discarded hardware.
Pretexting is actually quite fundamental to most techniques in social engineering. The idea is to conjure an invented scenario (a pretext) wherein the attacker confronts the victim in a way so as to have him/her disclose sensitive information.
Often requiring prior research and setup, it may be used to impersonate co-workers, police, bank, tax authorities, insurance investigators — or any other individual who could have perceived authority or a right to demand certain information in the mind of the targeted victim. This scam works better if the attacker is prepared to answer questions that might be asked by the victim. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one’s feet.
Diversion theft is a con exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere – near to, or away from, the consignee's address – under the pretense that it is "going straight out" or "urgently required somewhere else".
The diversion technique is not limited to theft in this manner however; it may be used in a myriad of ways, and the victim will rarely find out before it’s too late.
Baiting revolves around tapping into the curiosity of the victim. This is typically done by leaving a malware-infected CD or USB key in a company building, somewhere that makes it seem as though the item was dropped by accident. The item might even be labeled with an intriguing title to encourage the finder to use it on his/her computer to satisfy that curiosity, only for the malware to infect the computer and give the attacker access to sensitive information and/or the company's internal network.
Quid pro quo
Something for something, that is what this Latin saying means. In social engineering it involves making victims divulge sensitive information by offering something in return, without them knowing that they are putting themselves or their company at risk. This is done in a seemingly harmless situation, for instance when an attacker calls random numbers at a given company, claiming to be calling back from technical support. For the most part this won't result in anything, as the method relies entirely on chance, but eventually the attacker may reach someone with a genuine problem. Wanting to get rid of that problem, the victim may hand over his/her password, which the attacker "needs" in order to fix it. Thus access to the network is obtained and the attacker can launch malware.
What to do against threats
All types of hacking rely on locating a weakness in the system the attacker is trying to compromise. In social engineering, attackers try to circumvent the trouble of cracking a secured system by persuading their victims to let them in freely. Normally we don’t expect people to deceive us, and that is what attackers exploit.
A rule of thumb is to never divulge sensitive information to a source that cannot be verified. The following is a short list of pointers to help a company avoid attacks.
- Identify sensitive information and inform employees of their responsibilities.
- Establish awareness amongst employees of where and when to be on guard.
- Ensure that employees are able to politely refuse a request from a source that can’t be verified.
- Stress-test employees by secretly simulating attacks to locate weaknesses and correct them.