Inside the mind of a social engineer

Inside the mind of a social engineer

Wikipedia defines social engineering as "the act of manipulating people into performing actions or divulging confidential information," which pretty much sums it up.

But how does a social engineer think, and what tricks of the trade do they employ? Davey Winder has been finding out...

Tricks of the trade

The days of dumpster diving have long since vanished, as far as the hacker is concerned, mainly because there are much easier methods to exploit in order to get access to data and resources.

The social engineer looks for human vulnerabilities, not technological ones, and as far as I'm aware there is no patch for human trust.

As Dave Waterson, chief executive (CEO) of SentryBay points out, at its simplest, human hacking in the workplace can be an email instructing the recipient that their password strength needs testing, with a link to click of course.

"It sounds pretty stupid when you read it here" Waterson admitted, but he insisted this 'pure phishing' technique "can get success rates of 50 per cent or more," especially if it appears to come from a client, colleague or partner.

Which is where the simple email steps up to the next level and becomes a spear phishing attack. This uses information, often garnered from social networking account activity, which is in the public domain, to target specific individuals within the enterprise.

"The social engineering aspect of a spear phishing attack allows the attacker to establish a level of implied trust with the victim by mining social websites for personal information about them," said Paul Henry, Forensics and Security analyst at Lumension.

"By revealing some of this personal information in the email to the victim, the attacker increases the chances of securing the necessary level of implied trust".

Think about it: "Hey Bob, this is Tony again from research in the Boston office how is life in Cleveland? I really enjoyed your pictures of fishing on Lake Thompson with your son Adam last weekend. My son Stephan is the same age as Adam and wanted me to share the attached video of the huge striped Bass he caught last week when we went spot fishing at Boston Harbour" is more convincing than "Hey Bob, this is Tony from research in the Boston office I thought you might like the attached video."

Curiosity killed the firewall

The beauty, if that's the right word, of the social engineer is that he or she can circumvent the most complex of firewalls by exploiting simple human curiosity to the max.

USB seeding is one such example, and still in play today despite being a well known ploy. The hacker just drops cheap and cheerful USB sticks outside the target place of employment, or a coffee shop used by employees or even directly into the handbag or pocket of a mark.

Curiosity will get the better of many folk who 'find' a 'lost' memory stick and plug it in to see what is on it. Bazinga!

Also an old favourite, dating back to 2005, but one that has set the benchmark for social engineers the world over, is the 'Israeli Trojan' as explained by Guillame Lovet, head of the Threat Response Team at Fortinet.

"A programmer operating in London was hired by various companies in Israel to penetrate and steal data from competitors," he explained.

"The contracted programmer wrote a simple Trojan, burnt it on CDs, and sent those CDs to the targeted individuals at those companies via the regular post, advertising them as "demo CDs". Some of the targeted employees' first move was to put the demo CD in their computer to see the promotional material... and got infected immediately."

Not all social engineers need to exploit out curious nature, some just exploit technological loopholes instead. Such as the common use of Called-ID spoofing from mobile phones, for example, which is as easily accomplished as it is widely exploited.

"Called-ID spoofing can be used to place calls while pretending to be someone else, for example a customer or another employee, in order to obtain information from a victim," explained Ron Gula, CEO of Tenable.

"Additionally, many mobile phones are shipped with voicemail boxes that don't have a password so a social engineer making use of called ID spoofing can listen to a voicemail and gain sensitive information."

Impersonation is the highest form of hacking

Sometimes though, the social engineers don't have to use any technology at all.

The concept of the 'silent cleaner' applies to any hacker visiting the premises in person. This takes a lot of chutzpah, but it can pay huge dividends as Pete Wood, a member of the ISACA Security Advisory Group and CEO at First Base Technologies, knows from first hand experience.

He tells me that by using the silent cleaner technique, he was able to "walk around every floor without challenge, read personnel information and customer contracts in unlocked cabinets, steal the contents of post trays and obtain a staff list containing names, job titles, e-mail addresses and phone numbers."

The really savvy social engineer will also take particular note of the contents of any bins marked 'For Shredding' or even 'For Recycling' as these can often contain network diagrams and personnel information.

Even simple shoulder surfing while in silent cleaner mode is profitable, looking over someone's shoulder to see door entry codes, passwords and the like.

Combating the con-men

"Curiosity and Schadenfreude are the elements that make us human," said Ed Rowley from M86 Security. They are also the weak points exploited by your average social engineer.

This applies just as much in the workplace as it does at home, and Rowley argues it is unrealistic to try and separate employees from consumers in this regard.

"Whilst inside the corporate network, many employees may let their guards down assuming that corporate safeguards are protecting them," he said.

So how can the enterprise best protect itself from this modern-day con artist?

Obviously the implementation of security technology is a given, but without end user training and education as well as an enforceable acceptable use policy it cannot stop the social engineer.

"Training doesn't need to be complicated or expensive," Rowley concluded. "A simple guide to best practices and an overview of how the criminals try to trick their victims into opening an email or an attachment or visiting a website should help reduce the problem considerably."

Interview with a hacker

Neil O'Neil is a certified ethical hacker, and qualified forensics investigator, with secure payment specialist The Logic Group. As an ethical hacker he employs social engineering techniques to extract the information he needs during penetration testing exercises.

"The method I personally use is to understand the animal I am dealing with, which will be based on their dominant human traits of fear (dog), lethargy (slug) and accommodation (sheep)," said O'Neil.

He defined these as follows:

The Dog: In business, especially the highly-wired corporate treadmill, people fear that their performance is always being observed. This means they will make every effort to show-off their knowledge, experience and opinions. Which makes it easy, with some ego stroking and sycophantism, to get a vast amount of data out of them as they fear failure or criticism.

The Slug: The not so high-flyers, or those already passed over for promotion, go into autopilot and just go through the motions. I always agree with these slugs in that life is unfair and befriend them by sharing my own woes with them. In return they share theirs and away we go.

The Sheep: Then come the rest of the crowd, those on the lower rungs of the ladder. Their behaviour is driven by human nature rather their position in the company. Human nature predicates that we accommodate our fellow humans and try to be nice and helpful; it is less effort to say yes' as a no' could lead to conflict.

Case Study: VeriSign attack

Ramses Martinez, director of Information Security for VeriSign, is also a member of FIRST, a body which brings together internet emergency response teams from more than 200 corporations, government bodies, universities and other institutions around the world.

He told IT PRO how, in late 2009, VeriSign was subjected to an unsuccessful, yet sophisticated social engineering attack.

"In this case the person, or people responsible, employed a number of tactics - some quite technically sophisticated - in an attempt to hijack a registrar's access to the registry," said Martinez.

"The attacker created a VOIP infrastructure that he used for all voice communication with the customer service desk during the attack. He also compromised a number of personal computers, which he then used to conduct all IM chats with the customer service desk. All of these systems were in a geographical region (at an ISP) near the person he was impersonating."

"He provided very specific and sensitive information relevant to the person he was pretending to be this was done in an attempt to convince the customer service representative that he (the attacker) should be granted access to the data he was requesting. We suspect that he prepared for the attack by using open sources and the knowledge of the DNS industry that he likely gained through several attacks he had conducted in the past against entities other than VeriSign."

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.