ITPRO

Printed from www.itpro.co.uk


    Inside the mind of a social engineer

Davey Winder looks into how a social engineer’s brain works and what tactics they use to manipulate people into becoming hack victims.

By Davey Winder, 30 Jul 2010 at 12:21


Wikipedia defines social engineering as “the act of manipulating people into performing actions or divulging confidential information,” which pretty much sums it up.

But how does a social engineer think, and what tricks of the trade do they employ? Davey Winder has been finding out...

Tricks of the trade

The days of dumpster diving have long since vanished, as far as the hacker is concerned, mainly because there are much easier methods to exploit in order to get access to data and resources.

The social engineer looks for human vulnerabilities, not technological ones, and as far as I'm aware there is no patch for human trust.

As Dave Waterson, chief executive (CEO) of SentryBay, points out, at its simplest, human hacking in the workplace can be an email instructing the recipient that their password strength needs testing, with a link to click, of course.

"It sounds pretty stupid when you read it here," Waterson admitted, but he insisted this 'pure phishing' technique "can get success rates of 50 per cent or more," especially if it appears to come from a client, colleague or partner.

This is where the simple email steps up to the next level and becomes a spear phishing attack. It uses information that is already in the public domain, often garnered from social networking account activity, to target specific individuals within the enterprise.

"The social engineering aspect of a spear phishing attack allows the attacker to establish a level of implied trust with the victim by mining social websites for personal information about them," said Paul Henry, Forensics and Security analyst at Lumension.

"By revealing some of this personal information in the email to the victim, the attacker increases the chances of securing the necessary level of implied trust."

Think about it: "Hey Bob, this is Tony again from research in the Boston office. How is life in Cleveland? I really enjoyed your pictures of fishing on Lake Thompson with your son Adam last weekend. My son Stephan is the same age as Adam and wanted me to share the attached video of the huge striped bass he caught last week when we went spot fishing at Boston Harbour" is far more convincing than "Hey Bob, this is Tony from research in the Boston office. I thought you might like the attached video."

Curiosity killed the firewall

The beauty, if that's the right word, of the social engineer is that he or she can circumvent the most complex of firewalls by exploiting simple human curiosity to the max.

USB seeding is one such example, and it is still in play today despite being a well-known ploy. The hacker simply drops cheap and cheerful USB sticks outside the target's place of employment, in a coffee shop used by employees, or even directly into the handbag or pocket of a mark.

Curiosity will get the better of many folk who 'find' a 'lost' memory stick and plug it in to see what is on it. Bazinga!

Also an old favourite, dating back to 2005, but one that has set the benchmark for social engineers the world over, is the 'Israeli Trojan', as explained by Guillaume Lovet, head of the Threat Response Team at Fortinet.

"A programmer operating in London was hired by various companies in Israel to penetrate and steal data from competitors," he explained.

"The contracted programmer wrote a simple Trojan, burnt it on CDs, and sent those CDs to the targeted individuals at those companies via the regular post, advertising them as 'demo CDs'. Some of the targeted employees' first move was to put the demo CD in their computer to see the promotional material... and got infected immediately."
