The human mind is wonderful, but it can be misled by social engineering as easily as computers can be hacked.
Every couple of days we hear about vulnerabilities and how the bad guys continuously exploit them in the wild. Of course, there may be various programming mistakes in the background, but there is much less talk about the human factor behind many of these attacks.
It is not enough to keep our computers and applications protected against attackers. The “little grey cells” can also be fooled easily by con artists. Even when we talk about Cross-site Request Forgery, Cross-site Scripting or Clickjacking – which are definitely programming mistakes – the story of exploitation starts with persuading the user to visit a page, submit a form or click on a button.
Social engineering. When attackers target a system, they try to find the weakest link. And no matter how well the software is written, the weakest link is usually the human in the loop: the user.
Common social engineering techniques
Bad guys can – and will – target the users of any system by using social engineering techniques, no matter what. Let’s see some of the essential techniques. Of course, the following list only contains example techniques – there are many more to watch out for. And common sense is always a good idea when dealing with unknown situations.
Pretexting is an invented scenario, often using some real information that the adversary has collected beforehand. The collected data can be anything: date of birth, a child’s or pet’s name, address, etc. By (ab)using this information, one can easily build trust with the victim, which is always essential when it comes to social engineering. For example, approaching somebody as a fellow dog owner, as the parent of a similarly aged child, or just as someone of the same religion. When people feel that they “belong”, they tend to open up and drop precautions, making it easier for them to fall prey.
The most effective variant is to impersonate an official. Again, the goal is to gain trust, abusing the initial trust people usually have in an official person. For example, people are more willing to disclose sensitive information to somebody in a uniform, or to somebody who shows them an “official”-looking ID (which may be fake, of course). An attacker can extract information even over the phone by claiming to call from the victim’s bank or to be support personnel from their phone company.
Bad guys can even use AI. In a recent scam they used AI to mimic the voice of a company’s CEO, demanding a transfer of €220,000 to a foreign bank account. And it worked. Deepfakes via machine learning are becoming a reality on the dark side as well. The technology of the movie “The Running Man” is not science fiction anymore. A phone is enough to fool a victim.
Phishing is a technique that the bad guys have known and used for a long time. It’s all about sending out emails seemingly coming from a trusted source, usually pointing to a malicious website that looks exactly the same as a genuine site; usually even the address (domain name) looks similar. These pages can imitate the websites of banks, auction sites, email providers or other trustworthy services. But even though the website looks authentic, it is actually malicious and operated by the attackers. The victim may “log in”, but the browser will send their authentication data, i.e. username and password, to the attackers’ server instead.
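As an added defensive example (not part of the original post): a small Python check that flags URLs whose host merely looks like one of an allowlist of trusted domains, the way a phishing domain does. The allowlist, the confusable-character table and the edit-distance threshold are constructed assumptions for illustration, not a complete list of what attackers use.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of sites the organisation actually logs in to (assumption).
TRUSTED_DOMAINS = ("examplebank.com", "mail.example.org")

# A small table of characters that look like ASCII letters (assumption, not exhaustive):
# digits used as letters, dotless i, l-with-stroke and a few Cyrillic homoglyphs.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "\u0131": "i", "\u0142": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

def hostname_of(url: str) -> str:
    """Extract the lower-cased host and decode punycode (xn--) labels to Unicode."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:          # already Unicode, or malformed punycode: keep as-is
        pass
    return host.rstrip(".")

def skeleton(host: str) -> str:
    """Fold a host to its visual 'skeleton': strip accents, map look-alike characters."""
    decomposed = unicodedata.normalize("NFKD", host)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CONFUSABLES)

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches typosquats such as an added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or the host)."""
    host = hostname_of(url)
    for t in trusted:                     # exact match or a genuine subdomain
        if host == t or host.endswith("." + t):
            return ("trusted", t)
    for t in trusted:
        sk_host, sk_t = skeleton(host), skeleton(t)
        if (t in host                     # trusted name buried inside a longer host
                or sk_host == sk_t        # homoglyph or digit-for-letter swap
                or levenshtein(sk_host, sk_t) <= max_distance):  # small typo
            return ("lookalike", t)       # max_distance needs tuning for short domains
    return ("unknown", host)
```

Run over the links extracted from incoming mail, a check like this turns “the domain looks similar” into an alert a user or a mail gateway can act on.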
Other variants of this social engineering technique are called smishing (SMS phishing), when the URL to click on is sent in an SMS, and vishing (voice phishing), when the phishing is done via a phone call.
Vishing has two distinct methods. One is when the attacker calls and tries to put pressure on the victim by emphasizing the urgency of an action, for instance “the offer is only valid during this call” or “your insurance will expire if you don’t pay the renewal fee right now over the phone”.
The other method is to get the victim to call a specific number, for example by sticking a fake customer service phone number onto an ATM. When the victim calls, the call can be routed through an automated Interactive Voice Response system to mimic the impersonated organization and extract information from the victim. A fake operator can also just take the call and continue the scam personally.
Spear phishing is a social engineering technique like phishing, but it targets specific users. To do this, the attackers gather information about the target before the attack to make the act of phishing smoother. In this sense this is a combination of phishing and pretexting.
The gathered information is usually open-source intelligence, typically collected from the victim’s social media profiles and activities there. When they target CEOs and leaders of organizations, this scam is called whaling or whale phishing. But there are also other fish in the ocean. Don’t ever be fooled by “oh, I’m a small fish, nobody will want to target me”. Anybody with access to a computer system can be a target for spear phishing. Just think about it. Receptionists have access to all the company address books. The mail room has access to package data. Developers have the source code. HR has all the personal information of the employees. Accounting has all the financial data. Doctors have patients’ personal data. And so on and so forth. A recent scam done via a targeted email containing a fake Zoom invite hit Levitas Capital for over AUS$8m, resulting in the closure of the Australian hedge fund.
Water-holing is a technique that takes advantage of the trust people from the targeted organization have in a particular website. Once the attackers identify such a trusted website, they test it for vulnerabilities and – if any are found – use them to deploy malware to the victims’ machines, for instance for stealing credentials.
In this sense water-holing is a combination of the “classic” vulnerability exploitation and social engineering: bad guys need both vulnerabilities in systems and incautious humans.
Baiting is a social engineering technique in which the victim is tricked into letting the attacker into the system by taking some kind of bait. Such bait can be – for example – an infected pen-drive left in the parking lot, or a downloaded file pretending to be something interesting to the victim. When the victim plugs in the pen-drive or runs the downloaded file, the computer or the whole system can be infected “from the inside”.
Quid pro quo
Something for something (“quid pro quo” in Latin). The attacker asks for something in order to be able to help the victim. A common example is pretending to be a tech support person, then asking the victim to disable the virus scanner in order to update some software on the victim’s computer. Then, instead of (or in addition to) the update, they install malware. The victims don’t even realize that they fell for social engineering.
A common example of this type of attack occurs in online games, where malicious people offer some advantage in the game (e.g. a powerful weapon, or some extra credits), but say they can only do it if the victim gives them their account. Pretty trivial, but it works, especially with kids, who can easily become victims of this quid pro quo scam. They of course lose their accounts, or “just” everything in the game.
Tailgating or shoulder-surfing is maybe the oldest of all social engineering attacks. It happens when somebody stands close to or follows a person in order to see the authentication credentials they enter (shoulder-surfing), or to get access to a restricted place (tailgating, also called piggybacking). Yes, it is a common courtesy to hold the door open for people coming behind you, and where there is physical access control, being polite overrides security measures. This can easily happen even when the other person clearly does not belong there, but even more so when the attacker is not “out of context”: an internet technician, a cleaner or somebody in smart casual clothes. It’s all about psychology.
Dumpster-diving is the act of going through the victim’s rubbish. The attacker looks for any kind of usable information: bank statements, receipts or passwords written down on post-it notes, outdated documentation, old company phonebooks, anything that can help them gather more information for a later attack.
And the list goes on and on…
Common social engineering countermeasures
All this looks scary. But protecting your company and yourself against these kinds of attacks is not as difficult as it seems.
- Use common sense. If something sounds unbelievable, it usually is.
- Don’t feel obliged to help strangers. Be aware that they could exploit the basic human instinct to help. Try to find the right balance, which may differ from situation to situation.
- Limit the personal information you share online. Remember: the more a stranger knows about you, the more vulnerable you are to them.
- Put in place security processes and frameworks at your company.
- Have the staff receive regular training on security.
- Announce tests to make sure people are aware of social engineering risks. Set up a red team and test preparedness regularly.
- Have all computers protected against malware and spam.
The user is typically the weakest link when it comes to security. But there are also best practices related to social engineering when it comes to developing software: one can develop an application that takes the human in the loop into account. Be aware of the dirty tricks, and learn about these protection techniques on our courses.