A social engineer is someone who uses deception, persuasion, and influence to get information that would otherwise be unavailable. Social engineering is more than just being a con artist. It is about understanding human psychology and having a methodical way of influencing someone to either give out sensitive information or grant you unauthorized access. In other words, it is not about being a good liar; it is about being an engineer who discovers ways to manipulate people for his or her advantage. This is why we need to use psychological techniques to combat the social engineers. There are many social engineering techniques which social engineers use to reach their goals. This article outlines some of what I consider to be the most popular.
If you want to hack a corporation fast, Social Engineering (SE) techniques work every time and more often than not it works the first time. Securing the information that is in the human mind is a monumental, colossal, epic, task compared with securing digital data. So it is no surprise that it is also the largest gap in a corporations IT security.
Social Engineering Techniques
1. Social Engineering in Reverse
This is one of social engineering techniques.Reverse social engineering techniques has three steps: sabotage, advertising, and assisting. In the first step, a social engineer finds a way to sabotage a network. This can be as complex as launching a network attack against a target website, to as simple as sending an email from a spoofed email address telling users that they are infected with a virus. No matter what technique is employed, the social engineer has either destroyed the network or given the impression that the network is sabotaged.
Next, the social engineer advertises his or her services as a security consultant. This can be done through many means including sending mailers, dropping business cards, or sending emails that advertise his or her services. At this point, the social engineer has created a problem in the network (sabotage). And she/he is placing himself/herself in a position to help (advertising). Last, the corporation sees the advertisement, contacts the engineer under the false pretense that the social engineer is a legitimate consultant. And the corporation allows the social engineer to work on the network. Once in, the social engineer gives the impression of fixing the problem (assisting) but will really do something malicious. Such as planting keyloggers or stealing confidential data.
2. Familiarity Exploit
This is one of the best social engineering techniques and is a corner stone of social engineering. On the whole, you are trying to make it appear perfectly normal to everyone that you should be there. Making yourself familiar to those that you want to exploit helps to lower their guard. People react differently to people they know, have talked to or at least seen around a lot. People are way more comfortable responding and carrying out requests by familiar people than they are with complete strangers. A familiar person, in the eyes of your mark, is perfectly normal, doesn’t set off alarm bells in the brain of “who is that and why are they here”. Once you become familiar then you strike. Being into a secure area behind someone who is familiar with you works often.
3. Creating a Hostile Situation
Another kind of social engineering techniques is creating a hostile situation. People withdraw from those that appear to be mad, upset or angry at something or someone other than themselves. For example, if you are on the phone and fake having a heated conversation with someone people around you will absolutely notice you but they will go out of their way to avoid you as well. You can create a hostile situation in a ton of different ways. Just don’t create a hostile situation between you and your marks. This rarely works. Instead you want the hostile situation to be between yourself and your phone, your accomplice, or mumbling to yourself as if you just had a huge argument with someone.
If you find yourself in a situation where you need to go through areas with people that are otherwise likely to stop and question your presence this technique comes in handy. If you are angry, people are much, much less likely to stop and question you. In fact, people are much more likely to obey your wishes when you are angry as well.
People just want to get rid of angry people, so it works well for asking people to open doors for you or give you information on the location of things, etc. A good real world example of this is my friend that wanted to sneak some alcohol into an amusement park. The park has a guard station to check the bags and a wand to detect metal. My friend started up a heated fight with his wife before they walked up. Then the guards just waved them by the checkpoint without checking them. As a piece of a cake!
4. Gathering and Using Information
When it comes right down to it the key to being a successful social engineer is information gathering. The more information you have about your mark the more likely you are to get what you want from him or her, obviously. Good places to gather this info:
- Parking lot: Cars that are unlocked or are easily unlocked might have security badges, uniforms, paperwork, smart phones, wallets, all sorts of goodies you can use.
- Online site like Linked In, Google, Facebook, MySpace, etc.
- Things in their workspace area (posters, pictures, books, etc.)
- Asking their friends and colleagues. Pretend to be a manager from another office or branch.
- Tail them home or to their favorite watering hole. Try to figure out their patterns, interests, places they frequent. These are all good data points you can use to help make a personal connection to the mark.
- Dumpster diving. Sure going through their trash is nasty but the gems that will be there are invaluable.
5. Get a Job There
If the reward is worth it, just get a job at your target and grab all the information you can. Most small-medium size businesses do not perform even simple background checks on new hires. Most large companies will but they are typically not very extensive. HR and hiring managers are almost never trained on how to spot warning signs they might be hiring someone with malicious intent. Once you are on the inside you become way more trusted, even if you are a lowly clerk. Social engineering a co-worker is usually a piece of cake given the assumed trust you’ll have as a fellow employee.
6. A Whale of an Attack
Another variation of phishing attacks is a whaling attack. Here the social engineer targets executives and high-profile targets. Information about executives and high-profile targets is easily accessible on the Internet. For example, a company may have bios of its executive officers on a corporate website. A social engineer may use this information to create a targeted phishing attack to the corporate officer.
Because of the vast amount of information about corporate officers and other high-profile targets, whaling is becoming increasingly popular. Because this information makes it so easy for social engineers to use their techniques to target them in a convincing manner.
7. Reading body language
An experienced social engineer will read and respond to their mark’s body language. In the eyes of the master social engineer, body language, used effectively, is one of the most powerful connections you can make to a person. Breathing when they breath, smile at the right times, recognize and adapt to their emotions, be friendly and polite but not to much so, if they appear nervous make them comfortable, if they are comfortable then exploit them, etc. etc.
Reading body language, if done well, can be your ticket to the crown jewels in a corporation. It makes people want to help you and feel good about doing so, an act of kindness on their part. And not only will they want to help you but they won’t go back later and analyze what they did “Hey now that I think about it, why did I let that guy into the data center today?” Instead they will dwell the on the help and goodwill they provided for you.
Ways to Protect Yourself
So the last part is how do you defend against social engineering techniques and attacks? The best defense you have against the human risk (to social engineering) is personnel training and awareness programs. Sure that sounds boring and you’d much rather buy a widget or two that you get to have in your security toolbelt, but no widget will be as effective.
- Delete any request for financial information or passwords: If someone ask you to reply to a message with personal information, it’s a scam.
- Reject requests for help or offers of help: Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
- Set your spam filters to high: Every email program has spam filters. To find yours, look at your settings options, and set these to high–just remember to check your spam folder periodically to see if legitimate email has been accidentally trapped there. You can also search for a step-by-step guide to setting your spam filters by searching on the name of your email provider plus the phrase ’spam filters’.
- Secure your computing devices: Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or third party to alert you to risks.
These are just a few of many social engineering techniques that social engineers use. Some of these involve technology (e.g. phishing) while others use tried and true methods of human manipulation. Social engineers use these techniques for a multitude of reasons. It ranges from obtaining bank account numbers to acquiring trade secrets to sell to competitors.
If you are concerned about social engineers targeting people in your organization, you can take some steps to help by these attacks:
- First, employees should learn how to look out for suspicious people, e-mails, and phone calls.
- Second, train employees in what I like to call G.O.C.S. security—Good Old Common Sense security. In other words, some people just need to be taught some street smarts. I have seen companies do this by spelling out in their corporate security policy the dangers of using social networking sites and of drinking and discussing work topics with strangers.
- Finally, employ the principle of need-to-know. The need-to-know principle states that employees should only be given enough information to do their job. They should not be given information about other departments or about decisions made at higher levels that do not relate to their work. This way, should a social engineer try to get information out of them, they would have limited information that they could reveal.
I’d like to hear your favorite social engineering techniques or any good stories of social engineering you’d care to share.