Introduction

Social engineering can be categorized, broadly, in one of two ways: human-based or computer-based. It is a hacking technique that focuses mainly on the human factor, using deception and other elements of psychology in an attempt to extract information or to motivate a person toward an action or response.

Since many successful attacks have incorporated social engineering at some level, it is now considered the most dangerous form of attack. Is this any wonder, when spam and phishing attacks convince users to visit malicious websites, and attackers impersonating friends or colleagues trick users into installing Trojan horses? Add to this the total strangers encountered in chat rooms or online forums, who become trusted through several principles of social engineering, including reciprocation and the liking that comes from common interests. Business incentives tend to make us all masters of the practice of social engineering just to compete in some environment, since at the heart of social engineering lie information gathering and psychology. Unfortunately, as personal privacy is chipped and eroded away in today's society, social engineering has become easier for an attacker.

The best defense and countermeasure against social engineering is education. Learning how to spot a social engineering attack and how to defend against it provides your best protection against identity theft or the other malicious activities to which you might fall victim. Sadly, these best practices are getting harder, not easier, to establish.

Social Engineering

Social Engineering: The Dangers and Countermeasures

The primary goal of a social engineer is to obtain computer information from a human target. The objective is to circumvent the controls and breach the system. Security experts consider the user the weakest link in any security program, because the user makes active decisions not to comply with the policies and procedures of an organization's security program.

To mount an effective social engineering attack, an attacker must spend time identifying what sensitive information is needed to break into an I.T. system and locating which user has it. The attacker must interact with many individuals to gather information that may be harmless in itself but that, taken together, could represent something useful. The attacker determines who might be the best person from whom to obtain the needed information and then develops a relationship with that person. This relationship will include reasons that justify the target providing sensitive information to the attacker. The reasons must be compelling enough for the user to decide to violate the organization's policies; if they do, the attack succeeds.

Preventing social engineering is a challenging task. Defense against it typically follows a two-step process:

  1. The organization must implement policies that describe how its members are expected to act when someone asks them for any type of information.
  2. Employees must be trained to recognize which activities could provide sensitive information to a party whose identity they cannot confirm, and that information should only be shared with individuals whom they recognize.

Human-Based Social Engineering

Though it is thought that 70% of all attacks are the result of "inside" jobs, it is still important to educate users about supplying information only to known parties, especially when dealing with parties from outside the organization. That said, since many companies deal with unfamiliar people on a daily basis, an attacker can easily obtain the details of a person who deals with the organization they wish to attack and then impersonate that person.

One motive for a social engineering attack can be a disgruntled employee acting out of revenge. Such an employee may already have contacts within the organization and so has an inherent advantage. The attacker may also be familiar with the systems that contain sensitive information and have a pre-existing relationship with the users or administrators of the target system.

Another motive for attack is financial gain. Inside attackers may recognize or develop an opportunity to commit fraud against their employer. Whatever the reason behind the attack, social engineering attacks that originate from the inside are more difficult to prevent than those from outside, because inside attackers know what is most valuable and how to get it without much guesswork.

Social engineering attacks can be elaborate, taking months to complete, or simple, involving only an email or a phone call. Remember, too, that some attacks are not made with malicious intent but out of sheer carelessness, lack of respect for a security process, or an attempt to gain an advantage. Some of the worst offenders are those who are trying to conduct what they consider normal daily business. Many small attacks can add up over time, and the best attacks go unidentified; their impact on a company is never measured accurately.

Elements of Social Engineering

There are several techniques that can be used in social engineering that help establish a relationship with the target. The attacker could convince the target that they have something in limited supply, a potential problem or the chance to access something of value.

Other methods may involve convincing the target that they are in contact with someone in authority, establishing a rapport with the target or creating a sense of empathy on the target's behalf. Basically, there are six typical elements to social engineering. These are:

  • Authority
  • Scarcity
  • Liking (Similarity)
  • Reciprocation
  • Commitment (Consistency)
  • Social Proof (Validation)

Authority - People have a natural tendency to be responsive to those who they perceive as being in a position of authority. Sometimes this responsiveness goes without question.

Scarcity - It's human nature for people to want or desire something that they believe is in short supply or will only be available for a short period of time even if this item is something they don't need to begin with.

Liking (Similarity) - People tend to be more comfortable with others who share a similarity and will often not scrutinize their appearance or intentions. These similarities may be cultural or based on a common ground within a situation such as having the same problem, pursuing the same interests or agreeing on the same issues.

Reciprocation - The ability to return a favor is a priority to most people. If one receives a gift or if a promise is made and kept, the receiving party, by nature, wants to return it.

Commitment (Consistency) - People often have a set routine; what they do today is what they will do tomorrow. With this, the attacker employs a tactic known as "reading people": they learn their target's daily routine in order to predict their next action.

Social Proof (Validation) - People, by nature, like to talk about themselves. They enjoy this more when whatever they say is validated. The social engineer will be nice and complimentary, not in an exaggerating way but in a way that seems charming and sincere. This sincerity disarms the victim and makes them think no harm could come from talking to this person.

Reverse Social Engineering

Reverse social engineering is an attack during which the target is compelled to ask the social engineer for assistance. Though there are different techniques used in reverse social engineering, the results are the same.

One method of reverse social engineering is to damage the target's system and then convince the target that the attacker can fix it. Another method involves suggesting a software patch. Reverse social engineering is considered the most difficult to execute because it takes a significant amount of planning and preparation to succeed. The three principles of reverse social engineering are:

  • Sabotage
  • Advertising
  • Assisting

Sabotage - is where the attacker creates a problem on a single host, such as a printer or the target's computer. This leads the attacker to the next two steps.

Advertising - is where the attacker will advertise being an expert that can solve the problem faster than the authorized personnel can.

Assisting - is where the attacker assists the target with the solution to their problem. While doing so, through side conversation, the attacker distracts the target and over time gains their trust, giving the attacker an increasingly inside position.

Social Engineering By Means of Telecommunications

Before the Internet, an attacker's target of choice was the public switched telephone service. Described as phreakers, these attackers' goal was making free long-distance phone calls. The most famous of these was John Draper, who went by Captain Crunch. He found that a toy whistle he obtained from a box of cereal with the same name as his handle produced the correct frequency of 2,600 Hertz, which would activate the trunk in the phone system and allow him to make free long-distance calls. An organization called 2600 was created and still exists today.

Another technique is known as pretexting, in which unauthorized individuals pretend to be someone they are not in order to obtain personal information about someone else.

There are still other attacks in the telecommunications industry, generally known as slamming and cramming. Slamming is the practice of changing a customer's long-distance carrier without the express consent or knowledge of the customer. Cramming is the fraudulent practice of adding unauthorized charges to a customer's phone bill through devious procedures, such as adding the charges onto the phone company's bill.

Phishing Scams

Phishing and Spear Phishing

Phishing is a scam that uses email to lure unsuspecting users into revealing information about themselves or about their financial accounts. This type of attack is used to commit fraud against the unsuspecting victim.

Objectives of phishing attacks can range from selling nonexistent products to acquiring Personally Identifiable Information (PII) about the victims. These attacks are mostly successful because some users do not understand what phishing is, or are not clever or informed enough to notice anything suspicious, and most of the time ignore security warnings.

A variant of phishing is known as spear phishing. This technique focuses on a particular set of users who happen to be customers of a popular online vendor or who belong to a community of people with something in common, such as a trade organization or social networking site. Targets are lured to an attacker's website that has been made to look exactly like a familiar website, such as a banking or shopping site.

These websites are essentially identical in presentation to their legitimate counterparts, and the average user will not notice the subtleties that mark the domain as fake. Unsuspecting users provide their account user names and passwords to these fake sites, and the site responds with a failed-login message. By then, however, the attacker has the user's login information and can use it to their advantage.

Three steps must be performed for a phishing attack. The first is to establish a domain name to which the target users will be directed. Next, the attacker must configure a website that resembles the legitimate site. By creating an exact copy of the legitimate website, the attacker ensures that potential victims will not be suspicious while submitting their personally identifiable information to the fake page. The final step is when the attacker sends out spam email messages in an effort to lure unknowing users to the fake website. Several factors must be taken into consideration to make this attack successful, including the accuracy of the fake website compared to the legitimate site and the quality of the email list the attacker uses for sending spam.

419 Scams (Nigerian Phishing)

A 419 scam is a type of advance-fee fraud in which the victim is convinced to advance money to a stranger. In such scams the victim is led to expect that a much larger sum of money will be returned to them, but first they must provide some type of "good-faith" monetary advance to receive such monies. This type of scam is well known to security experts as the Nigerian phishing scam.

Recognizing Phishing Scams

The process of deliberately making something difficult to understand is known as obfuscation, and this process can be applied to code in a URL as well. Attackers frequently use code obfuscation to disguise the true intent of their malicious code and phishing scams rely on this technique to hide the real name of a phisher's malicious website. The most common technique of URL obfuscation is to make a slight change to the name of the malicious website.
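As an added example (not code from the original page), the following Python checker flags the "slight change to the name" obfuscation described above, and goes somewhat beyond it: look-alike digits and Cyrillic confusables, typosquats within two edits, a brand name buried in a subdomain, and the `user@host` userinfo trick. The `PROTECTED` watch list, the category names and all test URLs are constructed for illustration.

```python
"""Classify URL hostnames against a brand watch list (added example; not from the page).

PROTECTED and the URLs used in testing are constructed; the categories are this example's own."""
from urllib.parse import urlparse

PROTECTED = ["examplebank.com", "exampleshop.com"]          # constructed brand watch list

# Digits/symbols that read as letters, plus a few Cyrillic confusables, mapped to Latin.
ASCII_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0455": "s"}


def normalize(host: str) -> str:
    """Lower-case and collapse look-alike characters so 'examp1ebank' reads as 'examplebank'."""
    host = "".join(CONFUSABLES.get(ch, ch) for ch in host.lower().rstrip("."))
    return host.translate(ASCII_GLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against a brand indicates a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels; a production checker would consult the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str) -> str:
    """Return 'legitimate', 'unrelated', or the obfuscation pattern the hostname matches."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").rstrip(".")
    if registrable(host) in PROTECTED:
        return "legitimate"
    if "@" in parsed.netloc:
        return "userinfo-trick"          # brand shown before '@'; the real host follows it
    norm = normalize(host)
    if registrable(norm) in PROTECTED:
        return "homoglyph"               # differs from the brand only by look-alike characters
    for brand in PROTECTED:
        name = brand.split(".")[0]
        if any(name in label for label in norm.split(".")):
            return "brand-in-subdomain"  # e.g. examplebank.com.login-secure.example
        if levenshtein(registrable(norm), brand) <= 2:
            return "typosquat"           # a swapped, missing or extra letter
    return "unrelated"
```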

The concern with phishing websites is that they can execute malicious code against anyone who happens to visit the site. These sites may transmit malware to the target in an attempt to create an unauthorized account with the intent of taking control of the target's system. In this case, the malicious code is a Trojan horse and can help the attacker gain control over another's computer and steal the target's PII. One of the most common uses of this malicious code, or Trojan, is to use the target's computer to distribute spam or other forms of advertising material.

Unfortunately, even legitimate websites can be compromised to perform this same pernicious deed of infecting a visiting user's system. Redirection is yet another hacking technique used on legitimate sites to send the user from the legitimate site to a phishing website. Attackers can also achieve this by compromising the resource records or the cache of DNS servers.

Social media sites or sites with discussion forums are often used to lure people into clicking a link that leads to a malicious site.

Hidden, malicious code can also reside in places other than websites. In email, spammers include code that returns a message to the sender whenever the spam message is opened. This allows the spammer to confirm the existence of a valid email account and thereby improve the quality of their mailing list.
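The "code that returns a message to the sender" is usually a remote image fetched when the mail is rendered. As an added example (not from the original page), this Python scanner inspects an HTML body for remote images that are tiny, hidden, or carry a long per-recipient token. The sample message and the three heuristics are constructed for illustration, not a published standard.

```python
"""Find open-tracking beacons in an HTML email body (added example; not from the page)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: a normal logo image, a tracking beacon, and an inline (cid:) image.
SAMPLE_HTML = """<html><body><p>Your order has shipped.</p>
<img src="https://cdn.example-shop.example/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example-spam.example/open?uid=3f9a1c7e5b2d4a6c&c=promo42"
     width="1" height="1" style="display:none">
<img src="cid:inline-photo" alt="photo">
</body></html>"""

TOKEN = re.compile(r"^[A-Za-z0-9_-]{16,}$")   # long opaque value: likely a per-recipient id


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent or unparsable."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


class BeaconFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)                  # HTMLParser lower-cases attribute names for us
        src = a.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return                       # cid:/data: images do not contact a remote server
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        values = [v for vs in parse_qs(url.query).values() for v in vs]
        if any(TOKEN.match(v) for v in values + url.path.split("/")):
            reasons.append("token")
        if reasons:
            self.beacons.append({"src": src, "host": url.hostname, "reasons": reasons})


def find_beacons(html: str):
    """Return the remote images that look like open-tracking beacons, with the reasons."""
    finder = BeaconFinder()
    finder.feed(html)
    finder.close()
    return finder.beacons
```

A mail client that blocks remote images by default defeats all three variants; this scanner is for triage of messages that already reached a mailbox.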

Hacking Email Accounts

Dangers of Online Email

One of the goals of spammers is to create a list of valid email addresses to which they can send their spam messages. Since a personalized email address tends to be more believable, it is harder to recognize as spam. A spammer can also use legitimate email addresses from which to originate their spam; in reality, a message sent from a user known to the recipient is perceived as more credible than one received from a stranger. Spammers will also collect other data about users, which gives them the opportunity to perform spear phishing attacks. Security experts strongly recommend that users offer their email address only to valid parties.

Dangers of Open Relays

As you well know, spam is unsolicited email traffic that is typically sent to advertise the availability of products or services. Recently, spam has also been used as a method of committing fraud against unsuspecting users. Spam is distributed by using a legitimate email address and exploiting an SMTP open mail relay. An open mail relay is an SMTP server configuration that allows any email traffic on the Internet to pass through it and is not restricted to mail destined to or originating from specific email accounts. Open mail relays have become unpopular due to their exploitation by spammers.

To combat email spoofing and other attacks on the system, administrators have incorporated a number of "after-thought" countermeasures to protect the inherently insecure SMTP protocol. Here are two examples:

  • The implementation of SMTP_AUTH (RFC 4954). Although spoofing is still a possibility, this extension to the SMTP protocol prevents open relay generated spam.
  • The use of a Layer 7 firewall to block certain SMTP commands. The VRFY command allows an attacker to verify the existence of a particular email account. The EXPN command allows a spammer to obtain additional addresses. RFC 2505 largely addressed this issue and most ISPs filter these commands.
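To make the two countermeasures concrete, here is an added Python model of an SMTP server's relay decision (not code from the original page or from any real mail server): an unauthenticated client may only deliver to local domains, an RFC 4954 AUTH PLAIN login unlocks relaying, VRFY and EXPN are answered without leaking mailbox information, and `open_relay=True` reproduces the misconfiguration the text warns about. The local domain, the credential and the session transcripts are constructed; the reply codes are standard SMTP enhanced status codes.

```python
"""Minimal SMTP relay policy (added example; not from the original page).

Models RFC 4954 AUTH gating relaying and the filtering of VRFY/EXPN. Local
domains, credentials and session transcripts are constructed for illustration."""
import base64

LOCAL_DOMAINS = {"example.com"}                      # domains we deliver mail for
CREDENTIALS = {"alice": "correct horse battery"}     # constructed; use a hashed store in practice


def plain_blob(user: str, password: str) -> str:
    """Encode RFC 4616 PLAIN credentials the way a client sends them."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


class RelayPolicy:
    def __init__(self, open_relay: bool = False):
        self.open_relay = open_relay     # True reproduces the open-relay misconfiguration
        self.authenticated = False

    def _auth_plain(self, blob: str) -> str:
        # RFC 4954: PLAIN must only be offered after STARTTLS; assumed already negotiated here.
        try:
            _, user, password = base64.b64decode(blob).decode().split("\0")
        except ValueError:
            return "501 5.5.2 Malformed AUTH PLAIN"
        if CREDENTIALS.get(user) == password:
            self.authenticated = True
            return "235 2.7.0 Authentication succeeded"
        return "535 5.7.8 Authentication credentials invalid"

    def handle(self, line: str) -> str:
        """Return the server reply for one client command."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "VRFY":               # neither confirm nor deny that a mailbox exists
            return "252 2.5.2 Cannot VRFY user"
        if verb == "EXPN":               # list expansion would hand out more addresses
            return "502 5.5.1 Command not implemented"
        if verb == "AUTH" and arg.upper().startswith("PLAIN "):
            return self._auth_plain(arg.split(" ", 1)[1])
        if verb == "RCPT":
            rcpt = arg.partition(":")[2].strip().strip("<>")
            domain = rcpt.rpartition("@")[2].lower()
            if domain in LOCAL_DOMAINS or self.authenticated or self.open_relay:
                return "250 2.1.5 Ok"
            return "550 5.7.1 Relay access denied"
        return "250 2.0.0 Ok"            # EHLO, MAIL FROM, etc. are accepted in this demo


def run_session(commands, open_relay: bool = False):
    """Feed a client transcript through the policy and return the replies in order."""
    policy = RelayPolicy(open_relay)
    return [policy.handle(c) for c in commands]
```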

Social Networks

Why You Should Be Aware of Social Networks

Social networks were first designed to be a source of entertainment, a way for users to interact with others who share their interests, and a way to make new acquaintances. Phishers, however, view these sites as sources of data that could generate opportunities to commit fraud and perpetrate identity theft.

Since it is not difficult to impersonate someone on a social network, a social engineer can easily create a persona and then invite unsuspecting users to join the attacker's network, all in an effort to exploit their personal data.

Social Networks and Their Dangers

There are many popular social networking sites, and none of them is immune from being a playground for attackers. Even commercial websites are not immune, as they can offer a visitor the chance to share the resources of a social media site directly from their page.

Popular social media sites such as Facebook, MySpace and even LinkedIn have been hit by attackers who set up a fake login page and then steal users' credentials when they attempt to log in.

Twitter has had phishing attacks as well: members have received messages from other users inviting them to a website that appears to be sponsored by Twitter but is actually a phishing site.

Social engineers collect credentials from many social networking sites because they expect that many users create the same account name and password for popular e-commerce sites.

Social Engineering of Physical Controls

There are other social engineering techniques used to compromise the physical access controls that protect an organization's network. The objective is to gain physical access to a secured area within a facility. Once inside, the intruder could cause physical damage to sensitive I.T. assets or steal data from a powered-up system by using a USB port on that system.

Other examples of gaining entry are:

  • Piggybacking - This is the following of an authorized user through a secured access point such as a door requiring a badge for access.
  • Tailgating - This is impersonating someone by using a stolen proximity card or swipe badge.
  • Shoulder Surfing - This is the action of watching someone type in a key code either by eyesight or with a hidden camera.
  • Insider Affiliate - This is accomplished by masquerading as a service technician in hopes of entering a facility by presenting fake credentials to a receptionist or administrator.
  • Insider Associate - This is impersonating a fellow employee.
  • Outsider Associate - This happens when someone has left the door open and the attacker just walks in.
  • Dumpster Diving - This is when an attacker sifts through trash that has been discarded by a company in an effort to discover potentially sensitive data about the company's systems.
  • Eavesdropping - By simply listening into conversations between employees, the attacker hopes to hear about sensitive data that is inadvertently divulged by an employee. The attacker may use an open area such as a break room or a lunch room to find his targets for eavesdropping.