How Social Engineers Exploit Relationships to Hack into Systems

By Kevin Beaver

After social engineers obtain the trust of their unsuspecting victims, they exploit the relationship and coax the victims into divulging more information than they should. Whammo — the social engineer can go in for the kill. Social engineers do this through face-to-face or electronic communication that victims feel comfortable with, or they use technology to get victims to divulge information.

Deceit through words and actions

Wily social engineers can get inside information from their victims in many ways. They are often articulate and focus on keeping their conversations moving without giving their victims much time to think about what they’re saying. However, if they’re careless or overly anxious during their social engineering attacks, the following tip-offs might give them away:

  • Acting overly friendly or eager

  • Mentioning names of prominent people within the organization

  • Bragging about authority within the organization

  • Threatening reprimands if requests aren’t honored

  • Acting nervous when questioned (pursing the lips and fidgeting — especially the hands and feet because controlling body parts that are farther from the face requires more conscious effort)

  • Overemphasizing details

  • Experiencing physiological changes, such as dilated pupils or changes in voice pitch

  • Appearing rushed

  • Refusing to give information

  • Volunteering information and answering unasked questions

  • Knowing information that an outsider should not have

  • Using insider speech or slang as a known outsider

  • Asking strange questions

  • Misspelling words in written communications

A good social engineer isn’t obvious with the preceding actions, but these are some of the signs that malicious behavior is in the works. Of course, if the person is a sociopath or psychopath, your experience may vary.

Social engineers often do a favor for someone and then turn around and ask that person if he or she would mind helping them. This common social engineering trick works pretty well. Social engineers might also simply ask an unsuspecting employee for a favor. Yes — they just outright ask for a favor. Many people fall for this trap.

Social engineers also often use what’s called reverse social engineering. This is where they offer help if a specific problem arises; some time passes, the problem occurs (often by their doing), and then they help fix the problem. They may come across as heroes, which can further their cause.

Impersonating an employee is easy. Social engineers can wear a similar-looking uniform, make a fake ID badge, or simply dress like the real employees. People think, “Hey — he looks and acts like me, so he must be one of us.”

Social engineers also pretend to be employees calling from an outside phone line. This trick is an especially popular way of exploiting help desk and call center personnel. Social engineers know that these employees fall into a rut easily because their tasks are repetitive, such as saying, “Hello, can I get your customer number, please?”

Deceit through technology

Technology can make things easier — and more fun — for the social engineer. Often, a malicious request for information comes from a computer or other electronic entity that the victims think they can identify. But spoofing a computer name, an e-mail address, a fax number, or a network address is easy.

Hackers can deceive through technology by sending e-mail that asks victims for critical information. Such an e-mail usually provides a link that directs victims to a professional- and legitimate-looking website that “updates” such account information as user IDs, passwords, and Social Security numbers. They might also do this on social networking sites, such as Facebook and Myspace.

Many spam and phishing messages also use this trick. Most users are inundated with so much spam and other unwanted e-mail that they often let their guard down and open e-mails and attachments they shouldn’t. These e-mails usually look professional and believable. They often dupe people into disclosing information they should never give in exchange for a gift.
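The two paragraphs above describe the usual shape of a phishing message: a spoofed or look-alike sender and a link whose visible text names the real site while the actual destination is somewhere else. The following added example (not from this book or its author) shows how a mail filter or an analyst script can surface those two indicators automatically. It uses only the Python standard library, runs over two constructed sample messages with reserved example domain names, and approximates the "registrable domain" with a crude last-two-labels rule; a production tool would consult the Public Suffix List and SPF/DKIM/DMARC results instead.

```python
"""Surface common phishing indicators in an e-mail: sender-identity mismatches
and links whose visible text points at a different site than their href.
Added example; the sample messages below are constructed, not real mail."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed look-alike "account update" phish (reserved example domains).
SAMPLE_PHISH = """\
From: "Example Bank Support" <support@example-bank.com>
Return-Path: <bounce@bulkmail.example.net>
Reply-To: verify@example-bank-login.example
Subject: Action required: update your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your user ID and password at
<a href="http://example-bank-login.example/update">https://www.example-bank.com/secure</a>.</p>
</body></html>
"""

# Constructed benign message from the same sender for comparison.
SAMPLE_LEGIT = """\
From: "Example Bank Support" <support@example-bank.com>
Return-Path: <support@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at
<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p></body></html>
"""


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain
    (assumption for this example; real tools use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def addr_domain(header_value) -> str:
    """Registrable domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def header_indicators(msg) -> list:
    """Flag a visible From domain that differs from where replies or bounces go."""
    found = []
    from_dom = addr_domain(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = addr_domain(msg[hdr])
        if dom and from_dom and dom != from_dom:
            found.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")
    return found


def link_indicators(html: str) -> list:
    """Flag links whose visible text names one site but whose href goes to
    another, and any link that is plain HTTP."""
    found = []
    parser = _LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        shown_host = (urlparse(text).hostname or "") if "://" in text else ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            found.append(f"link text shows {shown_host!r} but href goes to {href_host!r}")
        if urlparse(href).scheme == "http":
            found.append(f"plain-HTTP link to {href_host!r}")
    return found


def phishing_indicators(raw_message: str) -> list:
    """Parse a raw RFC 822 message and return every indicator found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return header_indicators(msg) + link_indicators(html)


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(raw) or "no indicators")
```

Run as a script, the constructed phish yields four indicators (mismatched Reply-To, mismatched Return-Path, a link whose text and href disagree, and a plain-HTTP link) while the benign message yields none. The checks are deliberately header- and link-level so they work before any user clicks; the mismatch between what a link shows and where it goes is the same "looks like a duck" problem the text describes, just made mechanical.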

These social engineering tricks also occur when a hacker who has already broken into the network sends messages or creates fake Internet pop-up windows. The same tricks have occurred through instant messaging and cellphone messaging.

In some well-publicized incidents, hackers e-mailed their victims a patch purporting to come from Microsoft or another well-known vendor. Users think it looks like a duck and it quacks like a duck — but it’s not the right duck! The message is actually from a hacker wanting the user to install the “patch,” which installs a Trojan-horse keylogger or creates a backdoor into computers and networks.

Hackers use these backdoors to hack into the organization’s systems or use the victims’ computers (known as zombies) as launching pads to attack another system. Even viruses and worms can use social engineering. For instance, the LoveBug worm told users they had a secret admirer. When the victims opened the e-mail, it was too late. Their computers were infected (and perhaps worse, they didn’t have a secret admirer).

The Nigerian 419 e-mail fraud scheme attempts to access unsuspecting people’s bank accounts and money. These social engineers offer to transfer millions of dollars to the victim to repatriate a deceased client’s funds to the United States. All the victim must provide is personal bank-account information and a little money up front to cover the transfer expenses. Victims then have their bank accounts emptied.

Many computerized social engineering tactics can be performed anonymously through Internet proxy servers, anonymizers, remailers, and basic SMTP servers that have an open relay. When people fall for requests for confidential personal or corporate information, the sources of these social engineering attacks are often impossible to track.