Social engineering is one of the most terrifying aspects of trying to secure anything in any way. Unfortunately, most people lack the ability to recognize that they're being engineered and to act on that realization.
Social engineering attacks rely on common tropes, which are easy to spot once you understand:
- when compassion is necessary
- how to pay attention to questions
- how to recognize when you’re being encouraged to "fill in the blank"
- the need to look objectively at situations
Often, gaining a piece of information is painfully simple. We'll highlight three scenarios. The first two follow a pentester doing recon who has been tasked with gathering as much information as he can about an organization; the third looks at your own behavior.
Scenario 1
The pentester decides to phish for the unlisted email address of the CFO at the target company. He starts by calling the CFO's administrative assistant:
Assistant: Acme Products, this is Madison, how can I help you?
You: Hi Linda, this is Jesse, I’m a new hire down in Budgets trying to update some contact lists. Do you have Mr. Charles Foster Offdenson’s email address for our records?
Assistant: I do, but that’s not often given out. You can just use my address for most things; it’s Madison@ac.me
You: I know that, but I’m being put through the wringer down here and I was supposed to have this on my manager’s desk an hour ago and now he keeps checking up on me and I just started this job and I’ve …
Assistant: All right, I understand, you can calm down. The email address is CFO@ac.me
This scenario may seem far-fetched in written form, but change a few names and it quickly becomes real life (I've seen this exchange more times than I’d care to admit).
The assistant’s compassion allowed our intrepid social engineer to get two pieces of information (her own address and the CFO's) that he may not have gotten otherwise, at least not that early on. Yet the real tragedy is how easily this phishing success could have been avoided.
If the assistant had simply told the caller she’d call back after verifying the need with the budget manager, the scene would have played out differently. When information is requested, it's wise to get a second opinion on whether it should be released.
Scenario 2
The pentester wants to enter the building without proper access rights. After days of standing outside a secure entrance to Acme looking anxious, the pentester feels the time is right. He recognizes a man who often comes through this entrance and approaches him.
Pentester: It’s been a hell of a week huh?
Man: Yeah, I guess it has.
Pentester: I left my ID in my car, and my car’s in the shop… I guess you really SHOULD get an oil change every 3000 miles.
Man: Ha! Yeah, I guess you should.
As the man walks inside, he holds the door open for the pentester.
The man might have been suspicious of the pentester at first, but he’s seen him around, and the pentester shared a bit of his personal life. He even made a joke. That connection stirred some compassion and got him in the door.
Once inside the building, there are so many opportunities for a social engineer.
In a better world, the man would verify who the other guy was by asking for his name and position in the company. With that information, he'd find someone who knows him and let him in, or wait for a co-worker to come up and ask about the other person. In many cases, a visible effort to verify identity is enough to deter a social engineering attempt.
Compassion is a great thing to have when a friend loses a loved one or a pet, or when someone passes out on the street. It’s not so good when a slip-up releases an email address or lets a potentially crazed man inside a secure facility.
Even if an office is open to the public, act as if the facility is Fort Knox: no one gets in or out without identity verification, and information doesn't get shared until it's cleared internally. These two approaches would make the world a very different place.
This is a bit of a tangent, but hear me out. When speaking to an audience of people who want to hear from a loved one, psychic mediums often say something like “I’m getting a J, does anyone here have a first name that starts with a J?”
Once some hands inevitably start shooting up, the medium will ask “It sounds like a man’s voice, potentially a father, could this be anyone’s father?” This series of vague questions will produce one person who will come up on stage and hear their dead loved one say that everything is OK, that they can move on, and that they’ve been forgiven for that something they did when they were younger. This is master-level social engineering.
The Medium was able to get enough information about the person to give them a convincing story about their dearly departed. If this is spun around a little bit and someone calls into a company asking a series of vague and leading questions, beware.
When an unknown person calls the office and says “I spoke to someone in HR about my job application, he said his name started with a B, or a V, I’m so bad with names. Do you know who I mean?”, be skeptical and ask more questions. Eventually, you may need to just hang up.
If you feel someone is leveraging social engineering, press the person and ask for their name, email address, job title, etc. and they’ll likely abandon the pursuit. Bullies don’t like to be bullied and hackers don’t like to be noticed.
Scenario 3
This scenario focuses on your own behavior (hopefully, this won't be too uncomfortable). Start to notice when a line of vague questions gets strangely specific over time. This is likely a good, old-fashioned game of "fill in the blank."
When was the last time someone said something like, “Yeah! It was like in that one Bond movie, GoldenEye, oh, what was that actor’s name? He was Bond, he was in Dante’s Peak?” and you blurted out “Pierce Brosnan!” to much celebration and mild envy from a friend who's clearly deficient in knowing great actors from awesome movies?
People like to be smart. There’s no shame in it. That’s why trivia games exist, people watch Jeopardy and most of us have filled in at least one Sudoku book in our lives. We especially like being smart when we can get recognized for it.
Now, think about when someone calls saying “I’m trying to call, whatsername, in accounting, always real flirty, never stops talking…” and you suddenly share the name of the annoying girl in accounting. That might earn celebration and mock envy from the engineer on the other end of the phone, but your impulses just gave something away.
For one week, write down every urge you have to blurt out information someone’s seeking or struggling to remember. You’re not likely to actually write these down, but every time it happens, it’ll make you think for a second. Try it. It’s creepy how often it comes up.
Bonus
What I'm about to share will help you with more than social engineering attacks. When you’re in any situation, good or bad, step back and look at it objectively. Notice what information is moving, what favors are being done, why it matters, what the implications are if the information moves or the favor is granted, and what the best and worst outcomes of the situation are.
If you really look at situations, many can start to seem a little fishy:
- “Why is this guy in Budget making a contact list?”
- “How come the guy outside the building hasn’t gone to the auto shop to get his ID when he needs it every day?”
- “Why can’t he remember her name when everyone knows her?”
Social engineering attacks are dangerous. Not because they require us to remember harder passwords or to carry our IDs at work, but because defending against them doesn’t require a change in knowledge. Changes in knowledge are actually easy to adapt to; there are tricks for remembering things.
Stopping these attacks requires a change in behavior, and there aren't any tricks to make that easy. Changes in behavior require changes in mindset and paying closer attention. But why would people want to do that? It means they can’t sit at their desk and play Angry Birds while the nice man on the phone commiserates with them about Felicity in Accounting.