Social Engineering is psychological manipulation, more commonly known in our world as human hacking. The sad reality behind Social Engineering is that it is very easy to do. In fact, it is so easy that a teenager can do it and destroy your company, all on a Friday night. The goal is to get the targeted victim to divulge confidential information or grant unauthorized access by playing on the natural human desire to help. Being helpful is a human trait, and if you give someone the opportunity to save the day or to feel useful, they will most likely hand over the information you are after. Most of the time the attacker's motive is to gather information for a future attack, to commit fraud or to gain system access for malicious activity.
Attackers often use Social Engineering as their first attack vector because it consistently works. Hackers are far from the only people who use these techniques: penetration testers, spies, fraudsters and everyday people all use them to get what they need. Even information security professionals fall for well-crafted Social Engineering attempts now and then, and nearly everyone has been targeted by a Social Engineer at some point. There is no patch for human error, and that is why Social Engineering so often succeeds. Common targets include customer service and tech support staff, delivery agents and your everyday employee.
Social Engineering in the context of computer security comes in many forms and from a wide variety of attackers. Their techniques combine social and computer-based methods to extract information from the target. It is easier for a hacker to trick a person into giving up sensitive information than it is to obtain the same material by compromising a device. Below are some of the common tactics used to gain access to sensitive information.
Phishing is a digital attempt to obtain sensitive information from a victim using a malicious email, text message or website. The attacker solicits personal information by posing as a trustworthy organization or as the victim's own company. These attempts are either sent to everyone in the company or crafted to target specific key associates (spear phishing). Once an associate falls for the lure and enters credentials or personal data into the attacker's page, the attacker has what is needed to access the associated systems.
Figure: SMS-based phishing attempt. "America" is spelled incorrectly.
Figure: The website behind the SMS phishing attempt. It asks for the card number and SSN.
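The two tells in the screenshots above, a misspelled brand name and a page that asks for a card number and SSN, are exactly the kind of thing a triage script can flag before a user has to notice them. The Python below is an added example, not code from the original post or from Radware; the protected brand list, the homoglyph table, the sensitive-phrase list and the sample SMS text are all constructed for illustration. It classifies each link's host against the protected brands (exact match, top-level-domain swap, homoglyph substitution, one- or two-character typosquat, or the real brand buried in a subdomain of an unrelated registrable domain) and combines that with a check for requests for sensitive data.

```python
"""Lookalike-domain and sensitive-request heuristics for phishing triage.

Added example, not code from the original post. PROTECTED_DOMAINS, HOMOGLYPHS,
SENSITIVE_PHRASES and SAMPLE_SMS are constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Brands to protect. Constructed list; a real deployment would load the
# organization's own domains plus partners its staff routinely hear from.
PROTECTED_DOMAINS = ["bankofamerica.com", "radware.com", "paypal.com"]

# Substitutions attackers use because they look alike in many fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Phrases that, together with a link, usually mean credential or PII harvesting.
# Plain substring matching: "ssn" will also hit inside longer words, so treat
# hits as a reason for review rather than proof.
SENSITIVE_PHRASES = ("card number", "ssn", "social security", "password",
                     "verify your account", "account has been suspended")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplified: ignores multi-part TLDs like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Fold common homoglyph substitutions back to the characters they imitate."""
    out = label.lower()
    for look_alike, real in HOMOGLYPHS.items():
        out = out.replace(look_alike, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> tuple[str, str | None]:
    """Return (verdict, brand). Verdict is one of:
    legitimate | tld_swap | homoglyph | typosquat | brand_in_subdomain | unrelated."""
    domain = registrable_domain(host)
    name = domain.split(".")[0]
    for brand in PROTECTED_DOMAINS:
        if domain == brand:
            return "legitimate", brand
    for brand in PROTECTED_DOMAINS:
        brand_name = brand.split(".")[0]
        if name == brand_name:                      # same name, different TLD
            return "tld_swap", brand
        if normalize(name) == normalize(brand_name):
            return "homoglyph", brand
        # Allow roughly one edit per six characters so short brands are not over-matched.
        if levenshtein(name, brand_name) <= max(1, len(brand_name) // 6):
            return "typosquat", brand
    # Real brand used as a subdomain label of an unrelated registrable domain,
    # e.g. bankofamerica.com.account-verify.net
    prefix_labels = host.lower().split(".")[:-2]
    for brand in PROTECTED_DOMAINS:
        if brand.split(".")[0] in prefix_labels:
            return "brand_in_subdomain", brand
    return "unrelated", None


def triage_message(text: str) -> dict:
    """Score one message: suspicious link hosts plus requests for sensitive data."""
    findings = []
    for url in URL_RE.findall(text):
        verdict, brand = classify_host(urlparse(url).hostname or "")
        if verdict not in ("legitimate", "unrelated"):
            findings.append((url, verdict, brand))
    lowered = text.lower()
    asks = [p for p in SENSITIVE_PHRASES if p in lowered]
    # A lookalike link AND a request for card/SSN data is the pattern in the
    # screenshots; either one alone still deserves a human look.
    if findings and asks:
        verdict = "phishing"
    elif findings or asks:
        verdict = "review"
    else:
        verdict = "clean"
    return {"lookalikes": findings, "sensitive_requests": asks, "verdict": verdict}


# Constructed sample modelled on the SMS in the screenshot (not the real message).
SAMPLE_SMS = ("Bank of Amerca alert: your account has been suspended. "
              "Verify your card number and SSN at http://bankofamerca.com/verify")

if __name__ == "__main__":
    print(triage_message(SAMPLE_SMS))
```

The registrable-domain split is deliberately naive (it treats `example.co.uk` as `co.uk`); a production version would use a public-suffix list and would also compare the sender's display name against the link hosts, since phishing SMS and email routinely name one brand while linking to another.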
Baiting is a physical attempt to get a foothold by leaving USB drives in the parking lot, bathrooms and other locations around the target. The attacker labels these devices with names like Salary Records or Photos, or other captivating names, in the hope that someone will plug one into their workstation. Once the victim plugs the drive into their computer and its payload runs, the attacker has a foothold inside the network.
Social Engineers will go to great lengths to impersonate employees. Often they will observe employees from a distance and gather photos that let them construct convincing fake employee IDs. With a fake ID in hand, they will try to get close to an employee while carrying a concealed reader that clones the employee's access card; legacy low-frequency proximity badges carry no cryptographic authentication, so a brief read at close range is enough to make a working copy. Once the attacker has a cloned card, they can enter the building without raising much suspicion.
Impersonation – Cloning RFID cards
Smokers are one of my favorite targets while Social Engineering. Often these employees are frustrated and looking for a quick break from the stress of the day. Sometimes a lighter in your pocket or a spare cigarette is all you need to strike up a conversation. Other times it is a matter of relating to their frustration and using Neuro-Linguistic Programming (NLP) to create a bond while having a smoke. By mirroring the target's body language, breathing rate, voice and vocabulary, I can begin to build a connection on a subconscious level. This often throws my target off guard, and they let me walk into the building behind them without a badge.
There are ways to improve your protection against these attacks. Companies should constantly review their exposure to Social Engineers by identifying where, when and why they could become a victim and how sensitive information should be handled. One of the most important things you can do is start a training program and build awareness of Social Engineering. At the end of the day, your employees are the weakest link when facing Social Engineers. Establishing security policies and regularly testing your employees can go a long way, but this can be tricky: you do not want to shame an employee for failing a test. The best approach is to treat each failure as a teachable moment and let the employee recognize and correct their own mistake. Use Social Engineering to cure Social Engineering.
This is a song if you need a crash course
in manipulating people using the force
yeah fear; I’m a social engineer
getting what I want by talking off your ear
Daniel Smith is an information security researcher for Radware's Emergency Response Team. He focuses on security research and risk analysis for network- and application-based vulnerabilities. Daniel's research concentrates on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware proactively develop signatures and mitigations for its customers.