In a typical penetration test there is the hacker who attempts to gain unauthorized access to systems or data by abusing technical vulnerabilities. The “weakest link”, however, remains out of sight during such tests. When it comes to computer security, the weakest link remains the human. It appears that this “link” is increasingly becoming the target of attackers: a large number of incidents are reported in the media in which these so-called “weakest links” are involved in the actual crime. This article describes how this “hacking of people”, also called social engineering, is done, looks at some practical examples and discusses measures that can be taken against such attacks.
Social engineering techniques are aimed at users: through manipulation, they get users to perform certain actions or to give up confidential or secret information. Social engineering is one of the oldest and one of the most successful forms of hacking.
Essentially, social engineering is the art of seduction. That is the romantic view. In reality it is deception, and “social engineer” is the modern name for a charlatan.
The big difference between a penetration test, where you can really “test” systems, and social engineering is that you have only one chance. There is no try-out; it has to be done perfectly in one go. If your story is not credible, you may well be removed from the premises in handcuffs.
There are different ways to use social engineering to gain information. Below you can read about a few of the most common ones, but keep in mind that this list could be made endless. If you are serious about using social engineering, think outside the box and develop your own method(s).
- Phishing: a form of attack using e-mails or web pages that appear to come from a legitimate party (for example, the company’s website) but are actually controlled by the attacker. These mails or pages often aim to collect employee data (passwords, usernames, etc.).
- Dumpster diving: searching garbage bins, bins next to copiers or containers placed outside a company for valuable information. “Valuable information” may in this case be, for example, letterhead or business cards, because they can be reused in a subsequent attack.
- Pretexting: obtaining information under false pretenses. For example, calling an employee and impersonating a colleague.
- Tailgating: the “piggybacking” on an employee to get through a secured entrance gate in order to gain physical access to a secure location.
- Reverse Social Engineering: a method in which the victim is manipulated into asking the social engineer for help. The social engineer creates a problem for the victim and subsequently presents himself as the “expert” who can solve it. Then the social engineer waits for the victim’s request. Because the initiative comes from the victim, there is a certain amount of trust.
- Shoulder Surfing: watching when someone enters a password or PIN code. This doesn’t mean you need to stand one inch behind someone and try to read the password as he types it. I’ve seen good use of miniature espionage cameras in various cases, for example a button camera, which can replace one of the buttons on your jacket. You can check the footage when you get back home and see whether you have had any hits.
- Listening devices or keyloggers: when access to a property is gained, it is often simple to place a listening device. Modern eavesdropping devices are affordable for people with a limited budget and can, for example, call a pre-set cell phone number so that a room can be monitored live by telephone. Alternatively, a hardware keylogger can be used. This device can be placed in seconds and then saves every keystroke the user makes. Current keylogger versions can automatically forward this information to the attacker by e-mail over a wireless network.
- Malware: this can, for example, collect passwords and forward them to an e-mail address of the attacker. Malware can be placed on the system through an infected PDF file. The PDF file can be spread by leaving behind a USB stick with files named, for example, “payroll 2011” or “anti-fraud investigations 2011”. Ideal places to leave such sticks are the toilet or the lunch area. When the victim opens the PDF file, he automatically installs the software on his computer.
Although the attack scenario is tailored to the situation and is therefore different every time, there are some psychological principles and tricks that come back every time.
- Build a relationship: for example by naming a common issue or interest. Social media can be a valuable source of information about someone. Claiming to have worked at the same company, or to do the same sport, can inspire confidence; you can also refer to a mutual friend. Requests made on that basis are difficult for the victim to refuse.
- Time pressure: not giving your victim enough time to think about his or her decision. Let them know that circumstances require a quick decision. Windows often remembers the name of the last logged-in user but not the password. By sitting down at a (locked) PC, anyone can lock the account by entering a wrong password five times in a row. Once the attacker has blocked the account, he calls the help desk and tells them he has to give a presentation in five minutes but his account is blocked. This pressure may lead the help desk (after verifying that the account has indeed just been blocked) to set a new temporary password and pass it over the phone.
- Referring to a senior person in the organization (a person with authority): this trick often works very effectively in combination with time pressure, by indicating that the “victim” is hampering the work of a senior person in the organization and should therefore proceed with the request. A variation of this is gaining authority through clothing. In a suit and tie it is in some cases much easier to enter a building than in a pair of jeans and a shirt. I once entered a bank in a soaking wet construction worker’s outfit, stating that there was a leak on the upper level. I asked whether I could check the back of the building to see if the water had come through the ceiling. The staff were happy to have been warned in time, and access to the staff-only areas was granted without further questions.
- Request for help: for example, a request to print a file from a USB stick which, without the victim knowing, is infected with malware. Or borrowing an electronic access badge because yours is still on your desk. A request from a man to a woman, or vice versa, will be accepted more readily than a request to someone of the same sex.
- Offering something that leads to a personal benefit: for example, a phishing e-mail with a code for ordering a personal Christmas gift.
- Use of a diversion: for example, bringing along that cute female colleague in high heels and a short skirt.
- Reciprocity: by giving people something, you create the feeling that they are obliged to do something for you in return. This makes it easier for someone to fulfil a request. When you have done something for someone (even if he did not ask for it), it becomes much more difficult for that person to refuse a request for something in return.
- Indicate that all of the victim’s colleagues have acted in the same manner, so that the request seems normal: people tend to regard something as correct when others have made the same choice. A variation of this is to build up a series of (information) requests. If someone has already answered a number of requests (for example, looking up completely irrelevant information), it will be harder to deny a request for confidential information.
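A defensive counterpart to the lockout-then-help-desk trick described under “Time pressure”, as an added example that is not part of the original article: a small Python script that correlates account lockouts with help-desk password resets over a constructed, simplified log, so that resets which follow a lockout within minutes can be verified out of band. The log line format, the account names and the help-desk actor names are assumptions; 4740 (account locked out) and 4724 (password reset attempt) are the Windows Security audit event ids for those two events.

```python
from datetime import datetime, timedelta

# Windows Security audit event ids for the two events being correlated.
LOCKOUT = "4740"   # An account was locked out
RESET = "4724"     # An attempt was made to reset an account's password

# Constructed sample log (simplified: "<ISO timestamp> <event id> <account> <actor>").
# j.smith: lockout followed by a help-desk reset 3 minutes later  -> flagged
# a.jones: reset comes hours after the lockout                    -> not flagged
# b.brown: reset with no preceding lockout                        -> not flagged
SAMPLE_LOG = """\
2011-03-02T08:55:10 4740 j.smith WORKSTATION07
2011-03-02T08:58:42 4724 j.smith helpdesk01
2011-03-02T09:10:00 4740 a.jones WORKSTATION12
2011-03-02T11:02:05 4724 b.brown helpdesk01
2011-03-02T14:30:00 4724 a.jones helpdesk02
"""


def parse(log_text):
    """Turn the simplified log into (timestamp, event_id, account, actor) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, actor = line.split()
        events.append((datetime.fromisoformat(ts), event_id, account, actor))
    return sorted(events)


def suspicious_resets(log_text, window=timedelta(minutes=15)):
    """Return (account, lockout_time, reset_time, actor) for every password reset
    that followed a lockout of the same account within `window`. This is exactly the
    trace the "presentation in five minutes" call leaves behind, so each hit deserves
    an out-of-band check (for example, calling the employee back on a known number)."""
    last_lockout = {}
    hits = []
    for ts, event_id, account, actor in parse(log_text):
        if event_id == LOCKOUT:
            last_lockout[account] = ts
        elif event_id == RESET and account in last_lockout:
            if ts - last_lockout[account] <= window:
                hits.append((account, last_lockout[account], ts, actor))
    return hits


if __name__ == "__main__":
    for account, locked, reset, actor in suspicious_resets(SAMPLE_LOG):
        print(f"verify: {account} locked at {locked:%H:%M}, reset by {actor} at {reset:%H:%M}")
```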
In order to perform a successful attack, two things are crucial: information and timing. Thorough preparation is essential. Before an engagement it is important to collect as much information as possible about the target: not only about the organization you are targeting (website, Google Maps, search engines, newsgroups, job boards), but also about its employees, their hobbies, place of residence and contact details (Facebook, MySpace, LinkedIn and similar websites are very useful). All available information is potentially interesting.
The timing of the attack is also very important. The moment at which the employee you need presents himself may last only a matter of seconds. You often need an employee to get you past a gate, fence, reception desk or other control point. With the knowledge above, a good story, the ability to improvise in unforeseen situations, being a smooth talker and sometimes having nerves of steel will get you a long way. You will learn which people you should approach and which you had better stay out of the way of. Secretaries, for example, often know very well what is going on in a company. It can be very useful to approach them, but a good and well-documented story is needed. Completely improvising at this point is like playing Russian roulette.
After reading this article you might think that social engineering is impossible, and that something that sounds this simple will not succeed in practice. The reality is that these and similar attacks take place every day, and that despite all the security measures, such as security personnel, barbed wire fences, access cards, video surveillance and alarm systems, social engineers still manage to penetrate the heart of a company.