How to hack everyone


In the spirit of Bruce Schneier’s “Amateurs hack systems, professionals hack people,” I would like to look at the various attack vectors of social engineering and the defense options suitable for them in this blog post. The psychological and sociological relationships between people play the central role in this type of attack. With the constant technological advancements in information security, it is becoming more and more difficult for cybercriminals to penetrate companies and steal information. For this reason, more and more attacks are targeting the human vector.

Social engineering has evolved steadily since the first attempts at trickery, and attackers are getting better and better at their methods. A well-prepared attack remains predominantly undetected and is only recognized when the damage occurs. Most of the time, you are on your own and need a healthy gut feeling to recognize the social engineer’s scam. There are countless types of security awareness measures and guidelines to prepare employees for security incidents, but these are often not enough.

What exactly is social engineering?

Social engineering is the act of manipulating a person to either obtain information or trigger a particular behavior. To do this, attackers take advantage of major components of the human psyche. Influencing people requires good planning, deception, and a deep understanding of human behavior.

Who is attacking?

It is sometimes difficult to accurately categorize the perpetrators in industrial espionage and competitive spying, since only cases with known suspects and perpetrators can be evaluated. The number of unreported cases is difficult to estimate. The perpetrators have a good knowledge of information and communication technology and know how to exploit vulnerabilities in systems, processes, and people.

Professional criminals

Professional criminals pose a significant threat to a company. In most cases, they operate from within a criminal organization, which already has a very high degree of professionalism. They also offer services to less experienced attackers. That enables even attackers who are less well equipped or less proficient in information and communication technology to carry out far more complex attacks. The organizational structure of this category of cybercriminals is very similar to the hierarchical structure of a company. The organization’s diverse business models are, to a large extent, financially motivated.

Internal perpetrators

The potential threat to a company posed by internal perpetrators is considerable and can sometimes be treated as the greatest danger to the company. Here, insider knowledge is deliberately used to gain an advantage. They may sell information to the competition that they gathered by accessing confidential data. Most of these attacks are performed by employees who have left the company, service providers who still have access to the company’s systems, and employees forced by criminals to perform damaging actions. They also use social engineering techniques to gain access to information and then use this information to their advantage. Contact with internal perpetrators can be initiated by competitors and provides further potential attack surfaces for corporate espionage or competitive spying. A negative working atmosphere favors information leaks. Employees who no longer identify with the company’s goals can become internal perpetrators. The so-called “internal resignation” represents a high risk for the affected companies, since the employee no longer has a personal bond with the company. Thus, the inhibition threshold for intrinsically motivated offenses is lowered, making it easier to exert external influence. A lack of loyalty has many causes. One contributing factor is when employees experience too little appreciation or when career decisions favor another person for advancement. In addition, an unfavorable management culture can have a substantial impact on employee loyalty. Former employees can also be identified as internal perpetrators, since they possess internal know-how and, in the most damaging case, still have access rights to their old company. The transfer of knowledge in outsourcing situations or when staff leave also poses a potential threat.

The offenses are usually motivated by the personal or financial benefit the internal perpetrators derive from them. That can serve to finance a high standard of living or be driven by the perpetrators’ desire to build prestige. Because of their lack of prospects in the company, internal perpetrators also lack an awareness that they are doing wrong, which increases their willingness to commit a crime.

Social Engineering Examples

To illustrate the nature and approach of a social engineer, I’ll give you a short description of one of the best-known social engineering attacks:

Stanley Mark Rifkin carried out one of the first social engineering attacks in 1978. His target was the Los Angeles bank. Rifkin was an outside contractor helping to develop a system for the internal accounting department. This allowed him to learn the bank’s internal procedures for wire transfers. He was able to find out which bank employees were authorized to make wire transfers. These employees were given a new secret code every day so they could identify themselves when they called.

Since these employees did not want to memorize the code, it was written down on slips of paper visible at the workplace. Rifkin wanted this code and came to the office under the pretense that he needed to check the system that had been developed. This allowed him to secretly read and memorize the code for that day. Sometime later, he went to a payphone and dialed the booking department. Now he pretended to be a colleague from the bank’s international department. He could quickly answer the query about the office number, since he had researched it beforehand. He was also able to name the transfer code. He wanted a transfer of ten million dollars made to an account he had set up in Switzerland. The counterpart asked for an office-internal account number, which he could not answer immediately. He asked for a moment and made another phone call. This time, he called another department of the bank and pretended to be an accounting department employee to get the internal billing number. This additional number was then used to initiate the wire transfer. A few days later, Rifkin flew to Switzerland, exchanged the money for diamonds, and returned to the United States.

I’ll explain another social engineering attack:

A rival of a technology engineering company wants to spy on that company, which has developed a new technology. The attacker discovers on the company’s homepage that the company’s CEO, John Doe, is away on a business trip. The social engineer dresses like a top manager, rents an expensive limousine, and takes a driver to the engineering office. To create the impression of a top manager, he also copies such people’s behaviors and body language. When he arrives at the company’s reception, he introduces himself as a high-ranking manager of a corporation. He is there to pick up the documents Johnny promised him. He also proves his identity with a fake business card. The attacker tells the receptionist that he met the CEO at a trade show and told him about the deal. For this deal, he now urgently needs these documents to convince his colleagues in his company. The receptionist forwards his request to the deputy manager. The deputy gets the same presentation. The attacker urges him to hand over the documents, knowing that the CEO is unreachable due to the time difference. The attacker threatens to withdraw the deal and give the money to another company. The deputy relents and hands over the documents. The attacker had learned of the CEO’s absence through social media and knew that he would not be continuously available due to the time difference.

Information extraction

Information is essential for the social engineer. The number of attack vectors increases the more information has been gathered. You can compare that to military reconnaissance, where as much information as possible is gathered about the target and the circumstances. Even minor details about the target of an attack can be helpful. How is the information collected? As an example, a simple email from a company already reveals a great deal. An email usually contains the phone number, vacation absence, company name, and position in the company, and hints at the company culture. When an out-of-office message is displayed, attackers can assume that the person will not be available promptly. Attackers’ sources of information include search engines, forums, blog posts, company websites, and social media platforms.

Additionally, the social engineer performs personal reconnaissance. Observation of access points, surveillance systems, or entrances often provides insight into cleaners’ operations, delivery, and schedules. Dumpsters can be searched for paper to provide relevant information. Paper scraps, if not shredded small enough, can be recovered.

Pretexting

If you are playing a role and pretending to be someone else, that’s called pretexting. It involves creating a trust scenario to influence the target to reveal information or perform a specific action. The attackers imitate a person in behavior, pronunciation, and appearance, and create a suitable backstory. The foundation of a pretext is excellent research. The more information you have about the character you want to imitate, the higher the probability of success.

Elicitation

Elicitation is the process of obtaining information without directly asking questions. The goal is to get as much information as possible through a normal conversation without the target feeling interrogated. The social engineer gets the proverbial foot in the door through flattery. Compliments make information gathering easier because people like to talk about their accomplishments. False claims by the attacker are corrected by the victim because there is an intrinsic need to set the record straight.

Rapport

Rapport can create an atmosphere of trust so that someone is willing to reveal information or perform specific actions. As an example, people feel safer when they are among like-minded people. They feel connected and part of the whole. Most of the techniques for this come from NLP, Neuro-Linguistic Programming, when, for example, breathing is done at the same speed as the other person’s breathing. Adjusting tonality and body language are also among these methods.

How to manipulate people?

The social engineer uses the following methods to influence people unnoticed. Psychologist Robert B. Cialdini describes these techniques in his book Influence: The Psychology of Persuasion. I will briefly describe these principles.

Reciprocity

Reciprocity originates in sociology and refers to exchange and interaction. When someone gives something, there is an intrinsic expectation on the part of the recipient to do or give something in return. An example is when someone holds the door open for you. Here the obligatory feeling arises to return the favor. Attackers can use this method to circumvent access systems by doing the target a favor just before reaching the entrance door.

Commitment and consistency

People feel the need to be consistent in their statements, attitudes, and actions and portray this. Consistent behavior is given a high value by society and proves itself in everyday life. This reduces complexity because decisions that have already been made are not reviewed again. Once a decision has been made, pressure from society and pressure from within makes itself felt. This pressure reinforces the feeling of remaining consistent with the decision. This commitment increases relative to duration. The more time or effort that goes into something, the harder it becomes to change or deviate from it. A social engineer uses the first commitment because people are more likely to be open to requests and favors if they are consistent with the first commitment. For information gathering, as an example, each question is phrased to be answered in the affirmative. Through the positive answers, the victim gets into a consistent attitude, and it is difficult for the victim to deviate from it. The intrinsic aspect in this is that the victim also sees himself as consistent. Extrinsic motivation comes from society, as there is also a desire for consistency. It is not easy to move away from a public, verbal, and unenforced commitment.

Authority

People are taught from childhood to respect parents, teachers, and police officers. This principle is taught to the child and continues into adulthood. People are elevated to a kind of position that others follow, adjusting their behavior accordingly. How far people will go in this process is shown by the Milgram experiment: on a doctor’s instruction, participants were willing to punish others with electric shocks for a wrong answer. Cialdini divides authority into three types: legal, organizational, and social. Legal authority refers to the administration, executive, and public service areas; police officers, notaries, and lawyers serve as examples. Authority through hierarchy is called organizational authority, for instance senior managers, chief compliance officers, and IT officers. Titles, clothes, and cars are symbols with which social authority is associated.

Social Proof

The principle of social proof comes from the need to belong to a group. People base their actions and views on what the majority does. Accordingly, ideas, beliefs, and activities are aligned with the mainstream. This extends to behaviors and also to risks. The more people hold an opinion, the more correct it appears to others.

Sympathy

Humans prefer other individuals whom they know and find likeable. This behavior comes from the basic need to form and maintain relationships with others. Physical attractiveness plays a significant role along with similarity. Compliments have a strong positive effect on people, which allows tricksters to use them specifically to build sympathy.

Scarcity

The scarcity principle describes that opportunities appear far more attractive and valuable to people if they are rare or difficult to obtain. An example would be the classic marketing slogan, “Only three left, grab them now”. What becomes apparent here is the fear of loss and a kind of deprivation of freedom. For example, a social engineer can pressure a person by pretending that a deal can only be closed for a certain amount of time. 

Framing

The personality structure of people, which is formed from their emotional, psychological, and personal experiences, controls how they deal with experiences. A social engineer can thus identify a person’s motivations, making it easier to empathize with them by finding commonalities and targeting them.

Attack Vector

The outcome of the information gathering significantly influences the attack path and technique. I will briefly discuss the most commonly used attack vectors.

Attack from inside

The internal perpetrators themselves pose a significant threat to a company. However, the internal perpetrators also serve as a target for externally motivated attacks. In this attack vector, permissions are misused to access sensitive information and then pass it on. Obtaining information is ensured, among other things, by exploiting authorizations, copying documents without approval, or eavesdropping on confidential conversations. The potential threat level of internal perpetrators increases with third parties and suppliers commissioned by the company. That includes outsourcing, consulting firms, and acquiring other companies. The more people have access to company information, the higher the probability that information will be leaked.

Email and Phishing

Phishing mail is also a type of social engineering attack. Emails are sent to as many recipients as possible, containing links to fake websites intended to trick the employee into entering a password. However, these messages may also contain malicious attachments that execute malware on the system when opened. The primary use of these phishing emails is identity theft and intrusion into other people’s systems. Social engineers can also use them to target companies, for example, if they have previously learned through research that a bonus payment is due. It is then easy to compose an email containing a list of bonuses as an attachment. The probability that employees will click on this attachment is very high. Another method of phishing is CEO fraud. The attackers fake the identity of high-ranking employees to send a message in that name to hierarchically lower employees so that they then perform actions. For example, the employee may be ordered to transfer money or information. Carrying out this type of deception requires intensive information research. Here, the attackers need internal knowledge of people and processes to redirect a money transfer to their account at precisely the right time.

Vishing

Vishing, derived from “voice” and “phishing”, refers to an attack by telephone call. Here, an attempt is made to elicit information from the victim by provoking and influencing, as described earlier. The social engineering attack on the Bank of Los Angeles described at the beginning uses this attack vector.

Physical

The physical attack requires confronting the victim in person. Here, the attackers use the method of pretexting. As an example of such an attack vector, the second described social engineering attack can be mentioned, in which the attacker pretends to be a top manager.

Baiting

In the baiting method, USB sticks are deliberately placed on company premises or in parking lots near company buildings. These are prepared with malware that opens access to the company network when the stick is inserted. The social engineer can then use this access for further attack methods.

Tailgating

This method uses reciprocity, among other things, to gain access to a protected area or to enter the company premises. Another way to get through an access door is for the attackers to slip in immediately behind a person with an access card. Additionally, attackers may carry a cardboard box as a pretext to signal that they have no free hand to reach their access card, so that the person in front lets them through.

Protection

How can companies protect themselves against social engineering?

The simple answer is to ask! If you are unsure about a request, simply ask your supervisor or colleague for help and don’t act on urgency. It also helps to have an essential awareness of this topic. If you are aware of the possibilities of manipulation, it is easier to recognize such patterns.

It is also important to be careful about what information you post on a social network. If you constantly update your status, a social engineer can use that information to infer internal procedures and processes or, more broadly, absences, and that’s not good.

Basic technical protection that follows the state of the art is always worthwhile.

Have a wonderful day!