Human Hacking: Social Engineering 101
Typically, people are the weakest link in the security chain; therefore they, not technology, become a hacker’s priority. In most high-profile data breaches, hackers used some form of social engineering.

Companies may spend millions of dollars to protect their data with the latest technologies and security services, but their critical data can still remain vulnerable to old-fashioned human manipulation. Most people think that hacking is mostly technical, exploiting technical flaws in a system.

Social engineering is a non-technical kind of attack that tricks people into performing malicious actions or giving away confidential data. The bottom line is that social engineering uses an organization’s employees to bypass the organization’s security controls.

The purpose of social engineering is the same as that of technical hacking: to gain unauthorized access to critical information and systems, to commit identity theft, or to disrupt a service. Social engineers always try to gain the trust of an authorized user and get them to provide the information needed to perform an attack.

Social engineers often believe that people are not aware of the value of the data they have. They also take advantage of our willingness to trust and help others. Social engineering takes place via email, over the phone, or by walking in the front door behind someone with an authorized badge.

Social engineering is not a new concept; Victor Lustig, born in 1890, is a prime example of a social engineer. Lustig, who is perhaps best known as the man who sold the Eiffel Tower twice, used social engineering tactics 100 years ago to convince people to give him what he wanted.

We often hear that there is a psychological aspect to social engineering, such as human buffer overflow and amygdala hijacking (emotional hijack). The amygdala is a section of the brain responsible for the detection of, and immediate response to, fear. In terms of social engineering, amygdala hijacking is an automatic, overwhelming emotional reaction that a potential victim experiences and later realizes was an inappropriate reaction to the given situation.

Social engineering is a creative art and it takes many forms:
· Phishing – Tricks a user into clicking/downloading a malicious link.
· Spear phishing – Targets a specific organization and/or individual.
· Whale phishing – Specifically targets individuals such as CEOs.
· Vishing – Targets individuals over the phone.
· Pretexting – The attacker presents themselves as someone else.
· Tailgating (piggybacking) – An unauthorized person gains access to a restricted area by following an authorized person.
· Water-holing – A hacker compromises a third-party website in order to deliver malware to a person who visits that website.
· Dumpster diving – Collecting information about a company and/or individual by going through the trash.
· Reverse social engineering – It is not the hacker who initiates contact, but the potential victim themselves.
· Baiting – The hacker might drop a portable USB drive in the company parking lot or elevator on the chance that an employee will plug it into a work computer.
· Quid pro quo – A hacker requests private information such as a username and password in exchange for a gift such as a gift card.
· Scareware – Scares/manipulates a person into buying unwanted software and/or downloading software (which is malicious) to fix a problem.
· Malvertising – Spreads malware through online advertising on popular websites.
1. A social engineer is targeting XYZ organization and performs the following:
o Learns the e-mail addresses of several employees simply by conducting online research about the company
o Conducts research about famous non-chain restaurants within a 5-mile radius of the company
o Crafts an e-mail and sends it on Friday morning
§ Subject: 50% OFF Coupon for ABC restaurant
§ Body: Today we celebrate our 10th anniversary. Print the attached coupon and save 50% on your lunch today. (Restaurant’s logo and owner’s name included)
§ Attachment: A document with embedded malicious payload
§ Result: 3 out of 4 employees opened the attachment
2. A social engineer is targeting XYZ organization and performs the following:
o Goes to company XYZ’s career website and screens the open positions
o One particular position was very interesting – IT Administrator
o The job description included hardware, software, and software versions used by XYZ organization
o Social engineer maps known vulnerabilities to software versions
o Conducts additional research and learns the external IP addresses
§ Result: Compromise of an externally facing web server
3. A social engineer is targeting XYZ organization and performs the following:
o Learns the CEO’s name from the company web site
o Locates the CEO on social media and learns about his interests and previous employment
o Social engineer learns that CEO’s favorite soccer team is ABC
o Social engineer learns that in the recent past the CEO went to an ABC game
o Social engineer crafts an email and sends it to the CEO
§ Subject: 4 Free tickets for ABC Game
§ Body description: The email was addressed directly to the CEO. The email mentioned the most recent game that the CEO attended and how his ticket was the winning one. He was asked to open the attachment and print his free tickets.
§ Attachment: A document with embedded malicious payload
§ Result: CEO clicked on the attachment and his computer got compromised.
4. A social engineer is targeting company XYZ’s software development manager and performs the following:
o Social engineer leverages popular social networking sites to learn about the manager
o Social engineer learns about the manager’s personal life, such as the schools attended, family birthdays, favorite sports teams and books, etc.
o Social engineer discovers a publicly available external portal that XYZ uses for customer demos
o The portal requires username and password for successful authentication.
o Social engineer discovers that there is a “password reset” option on this portal
o The manager’s email address was previously discovered and it is “firstname.lastname@example.org”
o Social engineer tries to use “xxyyzz” as the username and clicks on the option to reset the password
o Social engineer is now prompted with two options to reset the manager’s password:
§ Reset link via e-mail
§ Answer secret questions previously set by the manager
o Social engineer chooses the 2nd option and is prompted with 3 security questions.
o Social engineer answers all 3 secret questions correctly based on what he has learned about the manager
o Social engineer now gains access to the portal as the software development manager.

So, what can we do to cover all these different aspects of social engineering and protect our employees so that they can recognize it? The answer is establishing and maintaining a proper security education and awareness program.

A proper security education and awareness program is extremely important to ensure hackers don’t have a future in social engineering. Social engineering has been and will remain one of the greatest threats to security; therefore, be sure to develop a security program, which, by the way, is an “Achilles’ heel” of your overall information security program.
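Scenario 4 above succeeds because the portal accepts answers that can be researched on social media. The following is an added example, not part of the original article: a reset flow with no secret-question path, where the only way to reset is a single-use, expiring token sent to the registered mailbox. The names `ResetService`, `send_mail` and `TOKEN_TTL_SECONDS` and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; set according to your policy


class ResetService:
    """Password reset that never accepts knowledge-based (secret question) answers."""

    def __init__(self, accounts, send_mail, clock=time.time):
        self.accounts = accounts    # username -> registered e-mail address
        self.send_mail = send_mail  # callable(address, token): out-of-band delivery
        self.clock = clock
        self.pending = {}           # username -> (sha256 hex of token, expiry time)

    def request_reset(self, username):
        # Identical reply for known and unknown usernames, so the form does
        # not confirm whether a guessed username exists.
        address = self.accounts.get(username)
        if address is not None:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[username] = (digest, self.clock() + TOKEN_TTL_SECONDS)
            self.send_mail(address, token)  # only the mailbox owner sees the token
        return "If the account exists, a reset link has been sent."

    def redeem(self, username, token):
        # Single use: the pending entry is discarded on every attempt,
        # so a wrong guess burns the token instead of allowing retries.
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        digest, expiry = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        return self.clock() <= expiry and hmac.compare_digest(digest, supplied)


if __name__ == "__main__":
    outbox = []  # constructed stand-in for a mail system
    svc = ResetService({"xxyyzz": "firstname.lastname@example.org"},
                       lambda addr, tok: outbox.append((addr, tok)))
    print(svc.request_reset("xxyyzz"))
    print("researched guess accepted:", svc.redeem("xxyyzz", "favorite-team"))
    svc.request_reset("xxyyzz")
    print("mailbox token accepted:", svc.redeem("xxyyzz", outbox[-1][1]))
```

Only the token hash is stored, so a leaked `pending` table does not yield usable reset tokens.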