Digital Information Age
Deception – Social Engineering
Social engineering has been around for as long as there have been
human societies and individuals willing to try to manipulate others. Social
engineering is the art and the science of getting what you need or what you want
by using deception and other techniques based on the fundamentals of human
psychology.
Many examples of social engineering were seen during World War II and the Cold
War.
One classic example from World War II was the Normandy Invasion
(D-Day), on June 6, 1944. The invasion involved a long-range deception plan on a
scale the world had never before seen. The deception misled the Germans as to
the time and place of the invasion and was one of the pivotal aspects that
allowed the Allied invasion to succeed, surprising the Germans and giving the
Allies a significant advantage.
In computer security, social engineering describes a non-technical
kind of intrusion that relies heavily on human interaction and often involves
tricking other people into breaking normal security procedures. Such social
engineering activities are going on every day, all around us, and they are
occurring in a war nearly all of us are fighting: the Digital Information war.
In this war, thieves try to steal our identities and other personal information
in order to commit fraud and other types of financial crimes. However, even
though we are all aware of crimes such as identity theft, these incidents often
do not receive much media attention, as many are perpetrated against individuals
and small businesses and occur too often to report.
The single largest case involving social engineering in recent
years was the case of Kevin Mitnick, one of the most well-known computer hackers
ever to be caught and jailed. He was arrested by the FBI on February 15, 1995,
and was eventually convicted of wire fraud and of breaking into the computer
systems of Fujitsu, Motorola, Nokia, and Sun Microsystems. He served five years
in prison and was released on January 21, 2000. During his supervised release,
which ended in 2003, he was restricted from using any communications technology
other than a landline telephone.
Although he is often portrayed as a technical expert, most of Mitnick's
attacks were based on social engineering techniques rather than sophisticated
technical methods or expertise. Indeed, although hackers are commonly thought of
as people who use their knowledge of computers and computer programming
to remotely break into computer or network systems, they can also be people
who simply use various electronic means, such as email, to gain information
for malicious or criminal purposes.
So what are some of the common methods of social engineering?
Dumpster Diving
Dumpster diving or trashing—literally
going through an individual’s or a company’s trash—is one of the earliest
methods of social engineering. One would be surprised by how much information
can be gained from the contents of a company’s trash.
Typical information that hackers are
looking for includes, but is by no means limited to, company directories,
organizational charts, employee handbooks, calendars, policy manuals, memos,
printouts, source code, disks and tapes, outdated hardware, etc.
It is not hard to imagine how, if some or
all of the above items were obtained, hackers could use them to piece
together the intelligence needed to gain access to company files or systems, or
to use what they have learned as a starting point for further social
engineering and the collection of additional information.
On-Line Scouting
The Internet has become an extremely
fertile ground for all kinds of computer hacking, including social engineering.
Instead of dumpster diving which involves physically going through the target’s
trash, the hackers can now get the same or similar intelligence by scouting for
information virtually, via the Internet.
Much information scouting comes in
the form of “phishing” (also read our white paper on
The Convergence of Virus & Spam Threats).
Phishing is email fraud where the
perpetrator sends out legitimate-looking emails that appear to come from
well-known and trustworthy Web sites in an attempt to gather personal and
financial information from the recipient.
Many of us have heard of or even received mass-targeted phishing
messages, but may not be as aware of or vigilant against phishing requests that
are highly customized and targeted at specific individuals and their
information.
Phone Calling & Phishing
Sophisticated hackers and scammers
usually do not just rely upon common social engineering strategies to gain
access to the information they want. By the time they place their phone call,
they already have armed themselves with enough intelligence and information
about the target to sound quite legitimate and convincing.
Typical techniques used by these
phone call hackers are to imitate or impersonate someone of authority, and also
to try to intimidate their mark to get the information they need. To achieve
both, hackers need some inside information, and by the time they make the call,
they usually do have enough basic information to try to convince the mark that
the call is legitimate. Consider the following phone conversation:
“Hi, my name is Mary Doe and I work
for John Smith—you know, our CFO. John is on vacation, and I need to get into
his account to find some information so that I can prepare a contract for him to
sign when he is back next week. This is extremely urgent—we are talking about
millions of dollars, and your and my jobs could be on the line. John gave me his
password; it’s ‘1234wxyz’ but it doesn’t work for me for some reason even though
I used it before. Can you verify that this is the password, or can you help me
reset it?”
The same request could arrive in the form of an email phishing message.
“Hi, this is John Smith, the CFO. I
am on vacation, and I need to get into my account to get some information so I
can prepare a contract to sign when I am back next week. This is extremely
urgent—we are talking about millions of dollars, and your and my jobs could be
on the line. My password is ‘1234wxyz’ but it does not work for me for some
reason even though I used it before. Can you verify that this is the password, or
can you help me to reset it? Please email me back the new password if you need
to reset it.”
Persuasion
To be successful in social engineering, hackers need to be very persuasive. Besides
attempting to impersonate someone and also intimidate the mark, other techniques
involve ingratiating themselves with their target, conforming to expectations,
diffusing responsibility, shoulder surfing, and merely being friendly. These are
just some of the skills hackers use to try to be persuasive. Experienced hackers
usually do not ask for too much information from one source; they prefer to
gather the information from multiple sources so that their identity is better
protected.
Reverse Social Engineering
Reverse social engineering is
probably the most sophisticated and complex method to both set up and execute.
It takes considerable planning and researching to succeed. Reverse social
engineering requires the hackers or their agents to be put in a position from
which intelligence can be gathered first-hand. Often the hackers will create the
condition necessary so that they are in the position to take advantage of the
situation that they themselves helped to create.
Regardless of the methods used, the goal is always to gain
unauthorized access to systems or information, so that such access can be used
to commit fraud, espionage, identity theft, or network intrusion.
Social engineering attacks the weakest point of any IT security
defense system: the people within the organization.
So how can we prevent ourselves from becoming
victims of social engineering?
Below is our Air-Tight, Multi-Layer IT Security Defense Systems™ Solution Matrix
described in our earlier white paper entitled
Air-Tight, Multi-Layer IT Security Defense Systems.
Air-Tight, Multi-Layer IT Security Defense
Systems™ Solution Matrix
(In the matrix, "Yes" marks a layer at which the given role has a defensive responsibility and "No" marks one at which it does not.)

Layer \ Role        | Inter-Organizations / Governments | Organization | People | Technology
--------------------+-----------------------------------+--------------+--------+-----------
Internet            | Yes                               | Yes          | Yes    | Yes
Extranet            | Yes                               | Yes          | Yes    | Yes
Perimeter           | Yes                               | Yes          | Yes    | Yes
Intranet            | No                                | Yes          | Yes    | Yes
Platform / Device   | No                                | Yes          | Yes    | Yes
Application & Data  | No                                | Yes          | Yes    | Yes
Process             | Yes                               | Yes          | Yes    | Yes
We address the people-related issues such as social engineering by
having a sound process. Any air-tight process will require well-thought-out
procedures and/or policies and an ongoing training program to reinforce
them.
It is unrealistic to expect all organizations, especially smaller
organizations, to develop comprehensive security policies (also refer to our
white paper
Rule of Law for Digital Information World – Security Policy) or IT
procedures and keep them up to date. However, below are some recommendations
from the United States Computer Emergency Readiness Team:
- Be suspicious of unsolicited phone calls, visits, or email messages from
  individuals asking about employees or other internal information. If an
  unknown individual claims to be from a legitimate organization, try to verify
  his or her identity directly with the company.
- Do not provide personal information or information about your organization,
  including its structure or networks, unless you are certain of a person's
  authority to have the information.
- Do not reveal personal or financial information in email, and do not respond
  to email solicitations for this information. This includes following links
  sent in email.
- Don't send sensitive information over the Internet before checking a web
  site's security (see protecting your privacy for more information).
- Pay attention to the URL of a web site. Malicious web sites may look
  identical to a legitimate site, but the URL may use a variation in spelling
  or a different domain (e.g., .com vs. .net).
- If you are unsure whether an email request is legitimate, try to verify it by
  contacting the company directly. Do not use contact information provided on a
  web site connected to the request; instead, check previous statements for
  contact information. Information about known phishing attacks is also
  available online from groups such as the Anti-Phishing Working Group
  (http://www.antiphishing.org/phishing_archive.html).
- Install and maintain anti-virus software, firewalls, and email filters to
  reduce some of this traffic.
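As an added illustration of the URL advice in the list above (example code written for this page, not part of the US-CERT recommendations or of this white paper), the following Python function compares a link's host name with an organization's known legitimate domain and flags the variations the list describes: a swapped top-level domain, a spelling variation, and a legitimate name buried inside an unrelated host. The domain names used in the checks are constructed examples, and the helper treats only the last two labels as the registrable domain (a simplification that ignores multi-label suffixes such as co.uk).

```python
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host ('accounts.example.com' -> 'example.com').
    Simplification (assumption): multi-label public suffixes such as 'co.uk' are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch small spelling variations of the real name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, legit_domain: str) -> str:
    """Classify a URL's host against the organization's legitimate domain.
    Returns 'ok', 'tld-swap', 'lookalike', 'embedded-brand' or 'unrelated'."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    legit = legit_domain.lower()
    if host == legit or host.endswith("." + legit):
        return "ok"                       # the real domain or one of its subdomains
    cand = registrable_domain(host)
    if "." not in cand:
        return "unrelated"                # bare host such as 'localhost'
    legit_name, legit_tld = legit.rsplit(".", 1)
    cand_name, cand_tld = cand.rsplit(".", 1)
    if cand_name == legit_name and cand_tld != legit_tld:
        return "tld-swap"                 # e.g. example.net instead of example.com
    if edit_distance(cand_name, legit_name) <= 2:
        return "lookalike"                # e.g. exarnple.com (constructed example)
    if legit_name in host.split("."):
        return "embedded-brand"           # e.g. example.com.secure-login.test
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, checked against the constructed legitimate domain example.com
    for link in ["https://accounts.example.com/login", "http://www.example.net/reset",
                 "https://exarnple.com/", "http://example.com.secure-login.test/"]:
        print(f"{check_url(link, 'example.com'):15} {link}")
```

Only the "ok" result should be treated as trustworthy; every other label is a reason to verify the request through a known-good channel rather than the link itself.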
According to estimates by the U.S. Federal Trade Commission (FTC),
social engineering-related issues cost individuals and businesses approximately
$52.6 billion in 2004, and much of that cost is borne by businesses. Since many
incidents of individuals or organizations being victimized by methods of social
engineering are not well publicized, it may not be an issue that many people
think very seriously about. However, whether we are aware of it or not, the
issue is very widespread, and according to the FTC, it affects approximately 10
million Americans each year. This number is only expected to rise unless we do
all that we can to protect ourselves from these malicious activities.
By Benson Yeung, Senior Partner