Last Updated: 28/10/2020
While not especially technical, this has always been a topic that has interested me in security. Put simply, securing IT systems isn’t just about securing the technology itself, but also the users who use that technology. We often joke that users are the weakest link in any system, and in a lot of cases it’s true. You can have the best security solutions in place, but if your users pick weak passwords and click on every link on an untrusted website, you are only making the hacker’s life easier. So what happens when technical knowledge is coupled with a few psychological manipulation skills? The answer is even easier access to a system.
I remember hearing somewhere that it’s much quicker and easier to get someone’s password through social engineering than it is to run a brute force attack. For the IT guys this means that, despite your best efforts to enforce complex passwords, it all counts for nothing when the user writes the password on a sticky note or uses the name of their company or the make of their laptop as their password.
What is Social Engineering?
Social Engineering is a form of human exploitation: it takes advantage of how the average person works, thinks, and reacts to certain scenarios. While we call it social engineering, you probably know its practitioners as con-artists, con-men, or confidence men.
What makes con-artists so successful? People will believe you if you say something confidently enough; couple that with a sense of urgency or an apparent need for help, and you can effectively trick and manipulate someone into doing something they normally wouldn’t or shouldn’t do. Now, if we use some of our recon techniques and scrape our targets’ social media profiles, we have even more information to arm ourselves with. So, back to the original question: what is Social Engineering? In short, it’s exploiting the way the human mind works to achieve an objective. That could be getting a user to give up their password, or blagging your way past security into a building or restricted area.
Social Engineering Techniques
While the section above covers what social engineering is, I think it will help everyone who has read this far to understand some of the techniques used in Social Engineering.
Pretexting is one of the most common social engineering techniques. The attacker lies and fabricates a scenario with the intention of obtaining personal or sensitive data, generally by pretending to be someone in authority or by claiming to need the details to help with an issue (issues, of course, create urgency, which makes us less rational about our decisions). The information is generally used to commit identity theft or as input to another attack. The fabricated scenario will usually incorporate other information the attacker has already gathered to make it more believable; the more believable the scenario, the more the victim will trust the attacker and give up information or perform actions.
A common example plays on the fact that banks ask you to confirm your date of birth and security question: the attackers pretend to be your bank and claim there has been a security compromise, then ask for your security answers to “confirm who you are”. This is a very simple example, and attackers generally use several different scenarios and back stories to achieve the same thing. Although most people are now aware of these scams, there are other ways to pull information from victims that can be used in subsequent attacks.
Scareware is more common for home users from what I have seen, and I have had friends and family subjected to it. Scareware tricks the victim into thinking their computer is infected with malware. The attacker then offers to help and ‘fix’ the problem, which results in more malware being installed.
In common examples of scareware I have seen, ‘support engineers’ from ‘Microsoft’ supposedly remote in and reconfigure settings to make the computer ‘faster’, when in reality they were exposing ports, installing backdoors and gathering information to gain access. These attacks are based on people’s fears. They will normally ask if your computer is slow and, let’s face it, computers get slow after a while, so most of the time the answer will be yes.
Phishing is by far the most used social engineering attack, executed mainly by email but also via IM and SMS (any messaging medium will do). Phishing attacks aim to obtain personal information, generally by having the user click a link that redirects them to a malicious or cloned site built to capture it. Phishing will generally use fear to create a sense of urgency so the user acts quicker. The lure can be anything from a password reset to a request to authenticate in order to view a document; in any case the attacker will attempt to lift the login information and use it elsewhere.
Common examples are emails with a fabricated scenario designed to create the urgency to click a link and sometimes log in. We have all seen these kinds of emails for things like tax rebates and free Uber rides. In the enterprise and business world, phishing attacks can be more tailored and targeted to your organisation.
One such attack I have seen uses a user’s leaked/breached password from another source to bait them into clicking a link.
While there are a number of mail solutions that filter out these kinds of attacks and provide URL filtering/sandboxing, it’s worth noting that the key to the attack is a user actually clicking and sometimes entering information. Training users to spot phishing emails is therefore key. Phishing links can also be delivered by IM and SMS, so any messaging medium can be used by an attacker.
Baiting – Baiting is an interesting attack method which leverages some of the phishing and pretexting techniques. What makes it different is the promise of an item or service that entices the victim. Attackers can use things like free music or free subscriptions to trick a user into giving up their credentials or security answers. Baiting is not limited to downloads of “free” services in exchange for information; it also extends to physical items such as USB drives and other media, and what’s worse, that media can carry malicious content used in the next stage of the attack.
Another form of baiting is leaving infected devices such as USB sticks in a public place where people will find them and, most likely, plug them in, infecting their device. These USB sticks will usually be labelled with something tempting to read or view, like ‘Confidential’ or ‘Sensitive’, playing on human curiosity. A while back this was done with CDs/DVDs sent to a business with strange or misleading instructions that prompted the victim to put the disc into a PC or laptop, infecting the device.
Preventing Social Engineering
Most prevention of social engineering comes down to the victim and how much education and awareness they have of social engineering and the tactics attackers use. In the business and enterprise space there are tools that can help, such as email filters for phishing emails, web filtering for malicious links, and user awareness training for employees. However, these tools alone will only do so much; there needs to be a process so that users know about these tools and the potential attacks against the business, and there needs to be a change in culture that accepts not everyone can be trusted and that anything which doesn’t seem right should be challenged.
Aside from the above, the following is recommended to help prevent and mitigate social engineering attacks:
Work on emotional responses and awareness. This is crucial given that social engineering works by taking advantage of the victim’s emotions, anything from curiosity and confusion to guilt or fear. Generally, positive emotions seem to work best, with people opening up to someone who offers them some form of comfort or common ground. The solution is not to trust no one, but to question the intention of the person and to think before you act in any situation where you are speaking to someone you do not know.
Some of the time social engineering is planned, and by planned I mean the attackers have done some form of recon on the victim. This could be browsing their social media to flesh out a back story or to construct a more relevant phishing email. While it’s nice to post personal stuff about yourself, keep in mind that some of that information can be used against you, so try not to overshare, as it could make you a higher-value or easier target.
If the attacker is after credentials, then it makes sense to lock down your accounts with strong passwords, enable MFA wherever possible, and review your security questions to ensure the answers cannot be found online (e.g. a pet’s name or mother’s maiden name is pretty easy to pick up from someone’s Facebook). On Facebook and Instagram it is also worth adjusting the privacy settings so less information is displayed publicly.
To bullet point and summarise some of these, for users/personal:
- Challenge people you don’t know that might be looking for additional information
- If something is too good to be true, it normally is!
- Your information is important! Don’t go telling everyone everything about yourself
- Review your personal security regularly, check your security questions and passwords
- Enable MFA on as many accounts as possible, this may get a little annoying but for the sake of security this will help
- Be sceptical when finding USB Sticks on the ground or in public places, be sceptical!
As for businesses, some of the below will help in preventing and mitigating social engineering attacks:
- Educate your users, this should be done at induction along with a few top-up sessions a year. Key objective is to raise awareness.
- Implement processes to deal with potential social engineering attacks to understand the nature of the attack and what can be learnt from it.
- Adjust the culture so that people challenge individuals for the sake of security (i.e. if you see someone wandering around the office without a badge, ask politely rather than letting them continue)
- Invest in an email filter. Phishing attacks are very common by email, and businesses are often targeted with very specifically crafted emails.
- Where possible, implement MFA on your applications. Most cloud applications come with MFA, however you can use single sign on (SSO) tools to consolidate and control access.
- Most endpoint protection solutions will have capabilities to block and monitor USB devices that are plugged in. These USB devices could contain a malicious payload.
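The email-filter and awareness points above both come down to spotting the same indicators the post describes: manufactured urgency, a Reply-To that does not match the sender, and a link whose visible text names a different site than the one it actually points to. As an added example (not code from the original post), the Python triage script below scores a raw message against those indicators so a mail admin or SOC analyst can see how such a check works. The two sample messages and the urgency phrase list are constructed for the example, and the “last two labels” domain comparison is a deliberate simplification of what a real filter would do with the public suffix list.

```python
"""Heuristic phishing-indicator scoring for a raw email message.

Added example: sample messages and phrase list are constructed, not taken
from any real filter or incident.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases that manufacture urgency (assumed starter list; tune per environment).
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours",
                   "verify your account", "act now")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def registrable_domain(host):
    # Simplification: last two labels. A production filter should use the public suffix list.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_mismatches(html):
    """Return (visible_text, actual_host) for anchors whose text names another site."""
    found = []
    for href, inner in ANCHOR_RE.findall(html):
        actual_host = urlparse(href.strip()).hostname or ""
        visible = TAG_RE.sub("", inner).strip()
        m = DOMAIN_IN_TEXT_RE.search(visible)
        if m and actual_host and registrable_domain(m.group(1)) != registrable_domain(actual_host):
            found.append((visible, actual_host))
    return found


def body_text(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def score_message(raw):
    """Return (score, reasons) for one RFC 822 message string; higher means more suspicious."""
    msg = message_from_string(raw)
    reasons = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Indicator 1: replies are steered to a domain other than the apparent sender's.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        reasons.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain_of(from_addr)}")
    body = body_text(msg)
    text = (msg.get("Subject", "") + " " + TAG_RE.sub(" ", body)).lower()
    # Indicator 2: stacked urgency language in subject or body.
    hits = [p for p in URGENCY_PHRASES if p in text]
    if len(hits) >= 2:
        reasons.append("urgency language: " + ", ".join(hits))
    # Indicator 3: link text shows one site, href goes to another (cloned-site lure).
    for visible, actual in link_mismatches(body):
        reasons.append(f"link text '{visible}' actually points at {actual}")
    return len(reasons), reasons


# Constructed sample: a "your bank has been compromised" lure.
PHISH_SAMPLE = """From: "Example Bank Security" <alerts@examp1e-bank-verify.test>
Reply-To: helpdesk@mail-recovery.test
To: user@corp.example
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>We detected a security compromise. Verify your account within 24 hours or it will be suspended.</p>
<p><a href="http://login.examp1e-bank-verify.test/verify">https://www.examplebank.com/login</a></p>
"""

# Constructed sample: an ordinary internal notice.
LEGIT_SAMPLE = """From: "Payroll" <payroll@corp.example>
To: user@corp.example
Subject: October payslips available
Content-Type: text/html

<p>Your October payslip is available in the HR portal.</p>
<p><a href="https://hr.corp.example/payslips">https://hr.corp.example/payslips</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, reasons = score_message(sample)
        print(f"{label}: score={score}")
        for r in reasons:
            print("  -", r)
```

The score is a count of independent indicators rather than a weighted model, which keeps each reason explainable when it is surfaced to the user as part of awareness training; the constructed phishing sample trips all three, the payroll notice none.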
While hacking can be done with a computer, unauthorised actions and data gathering can also be accomplished without one. Hackers and malicious individuals will use a combination of computer-based and psychological methods to execute their attacks and increase their chances of compromising a target user. When we look at cyber security as a whole, we can’t just rely on security solutions to protect us; we need adequate user training to ensure that our users can spot these attacks and report them quickly. While there are tools and techniques to mitigate this within a business, we all need to do our part, given that social engineering techniques are used in both business and personal attacks.
This was only an introduction about social engineering, there are plenty of techniques and variations of techniques. I may add some more in the future, but hopefully this article raises some awareness of what to look out for.
Thanks for reading and as always, feel free to drop some thoughts in the comments box.