The Dangers of Social Engineering
Many organizations have enemies who want to cause trouble through social engineering. These people may be current or former employees seeking revenge, competitors wanting a leg up, or hackers trying to prove their worth. In any event, the information gained from social engineering can be useful to someone hoping to launch a hacker attack against your organization.
Regardless of who causes the trouble, every organization is at risk to the dangers of social engineering — especially given the sprawling internet presence of the average company. Larger companies spread across several locations are often more vulnerable given their complexity, but smaller companies can also be attacked. Everyone, from receptionists to security guards to executives to IT personnel, is a potential victim of social engineering. Help-desk and call-center employees are especially vulnerable because they’re trained to be helpful and forthcoming with information.
Social engineering has serious consequences. Because the objective of social engineering is to coerce someone to provide information that leads to ill-gotten gains, anything is possible. Effective social engineers can obtain the following information:
- User passwords.
- Security badges or keys to the building and even to the computer room.
- Intellectual property such as design specifications, source code, and other research-and-development documentation.
- Confidential financial reports.
- Private and confidential employee information.
- Personally identifiable information (PII) such as health records and credit card information.
- Customer lists and sales prospects.
If any of the preceding information is leaked, financial losses, lowered employee morale, decreased customer loyalty, and even legal and regulatory compliance issues could result. The possibilities are endless.
Social engineering attacks are difficult to protect against for various reasons. For one thing, they aren’t well documented. For another, social engineers are limited only by their imaginations. Also, because so many methods exist, recovery and protection are difficult after the attack. Furthermore, the hard, crunchy outside of firewalls and intrusion prevention systems often creates a false sense of security, making the problem even worse.
With social engineering, you never know the next method of attack. The best things you can do to counteract social engineering are remain vigilant, understand the social engineer’s motives and methodologies, and protect against the most common attacks through ongoing security awareness in your organization.
How social engineers build trust to gain information
Trust — so hard to gain, yet so easy to lose. Trust is the essence of social engineering. Most people trust others until a situation forces them not to. People want to help one another, especially if trust can be built and the request for help seems reasonable. Most people want to be team players in the workplace and don’t realize what can happen if they divulge too much information to a source who shouldn’t be trusted. This trust allows social engineers to accomplish their goals. Building deep trust often takes time, but crafty social engineers can gain it within minutes or hours. How do they do it?
- Likability: Who can’t relate to a nice person? Everyone loves courtesy. The friendlier social engineers are — without going overboard — the better their chances are of getting what they want. Social engineers often begin to build a relationship by establishing common interests. They often use the information that they gain in the research phase to determine what the victim likes and to pretend that they like those things, too. They can phone victims or meet them in person and, based on information the social engineers have discovered about the person, start talking about local sports teams or how wonderful it is to be single again. A few low-key and well-articulated comments can be the start of a nice new relationship.
- Believability: Believability is based in part on the knowledge social engineers have and how likable they are. Social engineers also use impersonation — perhaps by posing as new employees or fellow employees whom the victim hasn’t met. They may even pose as vendors who do business with the organization. They often modestly claim authority to influence people. The most common social engineering trick is to do something nice so that the victim feels obligated to be nice in return or to be a team player for the organization.
How social engineers exploit relationships to gain information for hacks
After social engineers obtain the trust of their unsuspecting victims, they coax the victims into divulging more information than they should. Whammo — the social engineer can go in for the kill. Social engineers do this through face-to-face or electronic communication that victims feel comfortable with, or they use technology to get victims to divulge information.
Social engineering: Deceit through words and actions
Wily social engineers can get inside information from their victims in many ways. They’re often articulate and focus on keeping their conversations moving without giving their victims much time to think about what they’re saying. If they’re careless or overly anxious during their social engineering attacks, however, the following tip-offs might give them away:
- Acting overly friendly or eager.
- Mentioning the names of prominent people within the organization.
- Bragging about their authority within the organization.
- Threatening reprimands if their requests aren’t honored.
- Acting nervous when questioned (pursing the lips and fidgeting — especially the hands and feet, because controlling the body parts that are farther from the face requires more conscious effort).
- Overemphasizing details.
- Experiencing physiological changes, such as dilated pupils or changes in voice pitch.
- Appearing rushed.
- Refusing to give information.
- Volunteering information and answering unasked questions.
- Knowing information that an outsider shouldn’t have.
- Using insider speech or slang despite being a known outsider.
- Asking strange questions.
- Misspelling words in written communications.
A good social engineer isn’t obvious with the preceding actions, but these signs may indicate that malicious behavior is in the works. If the person is a sociopath or psychopath, of course, your experience may vary. (Psychology For Dummies, 2nd Edition, by Adam Cash [John Wiley & Sons, Inc.] is a good resource on such complexities of the human mind.)
Social engineers often do a favor for someone and then turn around and ask that person whether he or she minds helping them. This common social engineering trick works pretty well. Social engineers also use what’s called reverse social engineering. They offer to help if a specific problem arises. After some time passes, the problem occurs (often at the social engineer’s doing), and then the social engineer helps fix the problem. They may come across as heroes, which can further their cause. Social engineers may ask an unsuspecting employee for a favor. Yes — they outright ask for a favor. Many people fall for this trap.
Impersonating an employee is easy. Social engineers can wear a similar-looking uniform, make a fake ID badge, or simply dress like real employees. People think, “Hey — he looks and acts like me, so he must be one of us.” Social engineers also pretend to be employees calling from an outside phone line. This trick is an especially popular way of exploiting help-desk and call-center personnel. Social engineers know that these employees fall into a rut easily because their tasks are repetitive, such as saying “Hello, can I get your customer number, please?” over and over.
Social engineering: Deceit through technology
Technology can make things easier — and more fun — for the social engineer. Often, a malicious request for information comes from a computer or other electronic entity that the victims think they can identify. But spoofing a computer name, an email address, a fax number, or a network address is easy. Fortunately, you can take a few countermeasures against this type of attack.
Hackers can deceive through technology by sending email that asks victims for critical information. Such an email usually provides a link that directs victims to a professional, legitimate-looking website that “updates” such account information as user IDs, passwords, and Social Security numbers. They also may do this trick on social networking sites such as Facebook and Twitter.
Many spam and phishing messages also employ this trick. Most users are inundated with so much spam and other unwanted email that they often let their guard down and open emails and attachments that they shouldn’t. These emails usually look professional and believable, and often dupe people into disclosing information that they should never give in exchange for a gift. These social engineering tricks can occur when a hacker who has already broken into the network sends messages or creates fake Internet pop-up windows. The same tricks have occurred through instant messaging and smartphone messaging.
In some well-publicized incidents, hackers emailed their victims a patch purporting to come from Microsoft or another well-known vendor. Users may think that the message looks like a duck and quacks like a duck — but it’s not the right duck! The message is actually from a hacker who wants the user to install the patch, which installs a Trojan-horse keylogger or creates a backdoor into computers and networks.
Hackers use these backdoors to hack into the organization’s systems or use the victims’ computers (known as zombies) as launchpads to attack another system. Even viruses and worms can use social engineering. The LoveBug worm, for example, told users they had secret admirers. When the victims opened the email, it was too late. Their computers were infected (and, perhaps worse, they didn’t have secret admirers).
Many computerized social engineering tactics can be performed anonymously through Internet proxy servers, anonymizers, remailers, and basic SMTP servers that have an open relay. When people fall for requests for confidential personal or corporate information, the sources of these social engineering attacks are often impossible to track.