
Social engineering & pretexting
This academic paper, although rather abstract, is a good survey of the research into social network data gathering, as well as a particular de-anonymizing attack. It points out the dangers of data aggregation inherent to social networking.
The social engineering Capture The Flag competition at DefCon 2010 was remarkable both for the widespread concern it caused ahead of the event, and for the amazing successes the contestants achieved on the day.
Reasonable people agree that Pranknet oversteps the mark in using social engineering techniques to fool hotel guests into trashing their rooms, setting off fire alarms etc. However, given that criminals are unethical, Pranknet’s tricks are a salutary lesson on the power of social engineering.
Simple psychological manipulation tricks may be part of a social engineer’s toolkit but the article doesn’t scratch the surface. Persuading other people to do what we want them to do, or to allow us to do what we want to do, takes more than just parlor tricks.
It might be old news but it’s legendary: read about the entrepreneurial social engineer who allegedly extracted $millions from targets on the Forbes rich list. He even invested $thousands in the technology to exploit his victims but, as with many fraudsters, greed eventually got the better of him.
Read about cyberstalking on Wikipedia.
The man who posted a video on YouTube of himself speeding through Oxfordshire at 130 mph probably regrets releasing the personal information, having landed a 12-week prison sentence as a result. Another gentleman who bragged about his hangover on Facebook was forced to back down on his request for a sick day after his boss read the brag.
A fake uniform and maybe an advance phone call or two is about all a social engineer, physical penetration tester or indeed bank robber/identity thief needs to obtain confidential information and even complete systems from nearly 1,000 sleepy US bank branches. [Now there’s a sales opportunity for a security awareness firm!]
Find out how social engineering attacks work and get some ideas on thwarting them from this CERT podcast and EDPACS article by our CEO.
A useful guide from Microsoft explains a range of controls to reduce the threat of social engineering attacks. It's a 37-page Word document.
Brazen robbers conned their way into a shared data centre in London by posing as policemen with a convincing story about intruders on the roof.
No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing (~US$39 from Amazon) looks like an interesting book by Johnny Long, famous for his earlier book Google Hacking, and Kevin Mitnick, famous for the hacking exploits that landed him in jail and his earlier books The Art of Deception and The Art of Intrusion.
The Art of Deception by Kevin Mitnick and William Simon (~$18 from Amazon) is reviewed elsewhere on this website. It describes social engineering techniques. Kevin’s original first chapter, which didn’t make it into the book, mysteriously appeared on the web. The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders, and Deceivers is another Kevin Mitnick and William Simon book (also ~$18 from Amazon). This book tells other hackers’ stories in nine main chapters. A tenth chapter gives further, albeit fairly basic, advice on social engineering controls.
Zen and the Art of Information Security by Ira Winkler is reviewed here. It’s a gentle introduction to information security for those with little if any prior exposure. Ira admits it is a book version of popular presentations he has given to non-technical audiences worldwide: we were left wanting more depth but then we are not the target audience.
‘Catch Me If You Can: the True Story of a Real Fake’ is the title of a biography and movie starring Tom Hanks based on the life of Frank W. Abagnale, a famous fraudster. The descriptions of Frank’s brazen social engineering attacks are both entertaining and informative. Paperback ~$10 from Amazon. DVD $12.
In a story about the Chinese attacking Western companies to obtain commercial advantage, The Times briefly mentions an alleged social engineering compromise of Royal Dutch Shell in Houston, Texas, by a 'special interest group' of Chinese nationals.
A social engineer has been stealing the personal data of thousands of American corporate executives, including senior execs at Fortune 500 companies such as airlines, banks, manufacturers and pharmaceuticals, using ‘spear phishing’ (targeted emails).
Nigerian fraudsters are breaking into Web-based email accounts, impersonating the owners and sending pleas for money to everyone in their address books, asking them to wire emergency money to Nigeria. The emails weave some story about getting mugged or losing a wallet while on a trip to Nigeria.
“Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.” [Wikipedia]
Kevin Mitnick’s entertaining autobiographical speech at the H.O.P.E. conference in July 2004 was recorded for posterity and is available as a streaming MP3 here and here. His 2005 keynote presentation at the Citrix iForum conference in Australia highlighted the threat of social engineering: “Mitnick said social engineering appeals to hackers because the Internet is so widespread, it evades all intrusion detection systems, it’s free or very low cost, it’s low risk, it works on every operating system, leaves no audit trail, is nearly 100 percent effective, and there is a general lack of awareness of the problem.”
A Dutch bank has been stung to the tune of £15m by a gentleman thief who used his persuasive charms and chocolate to obtain a key to the diamond safe.
In spam that delivers a pink slip, Computerworld presents a case study on an organization whose staff received spear phishing emails. “Last week, a handful of employees at Dekalb Medical Center in Decatur, Ga., received e-mails saying they were being laid off. The subject line read ‘Urgent - employment issue,’ and the sender listed on the message was at dekalb.org, which is the domain the medical center uses. The e-mail contained a link to a Web site that claimed to offer career-counseling information. And so a few employees, concerned about their employment status and no doubt miffed about being laid off via e-mail, clicked on the link to learn more and unwittingly downloaded a keylogger program that was lurking at the site.”
The US Senate looks likely to vote through a pretexting law on a fast-track procedure. Pretexting in general is already outlawed in California and throughout the US if used to obtain financial information.
Here’s a short security awareness video (low or high resolution) and article from the University of Delaware about the dangers of revealing too much information on ‘social networking’ sites such as MySpace, Friendster or Facebook.
“‘Phone Phishing’, a method of stealing confidential information over telephone, is on a steady rise and awareness is the key to tackle it, according to security experts here. The most prevalent method of gaining access to personal data is the simple process of picking up a phone and calling a customer service call centre of a service provider, they said. Customer service agents are trained to ‘take care’ of callers and often they are more than willing to help.” So says a piece in India’s Economic Times.
Hear someone turn the tables on a telemarketer, using ‘social engineering’ methods to persuade them they have called a police officer attending a serious crime scene. Very amusing.
Mike Berry clearly has a lot of fun baiting the 419 scammers through the 419eater website, even getting one to send impressive wooden sculptures of Creature Comforts characters and a Commodore 64 computer ... but there’s a serious undercurrent to this form of social engineering. Estimates vary but thousands of dollars are thought to be lost to 419ers every day and the scams remain as popular as ever.
Read the NZ Ministry of Economic Development’s scamwatch website.
One way to get personal information out of people is through fake job ads. Candidates expect to supply a fair amount of information about themselves as part of the application process and, perhaps because of their circumstances, their guards are down. Enterprising social engineers are evidently using the opportunity to obtain sufficient information to commit identity theft.
Social Engineering, the USB Way is a worrying report into a successful penetration test using a mixture of social engineering and malware techniques. One morning before work, the testers scattered USB thumb drives containing Trojans in the parking lot and smokers’ corners outside their target credit union premises. The workers duly discovered the ‘lost’ drives, took them in, plugged them in and compromised their systems’ security. The worrying part is the success rate, the potential impact and the likelihood of success elsewhere. Possible controls include security awareness training, antivirus tools, IDS and USB blocking software.
Identity theft often involves a social engineering element. A Cyber Security Tip from CERT offers some practical advice to reduce the chances of being taken in by the identity thieves, and to identify and respond to them if you are.
Gartner predicted that social engineering is “the single greatest security risk in the decade ahead” [... or at least until Gartner’s next security report ...].
A US-CERT Cyber Security Tip offers basic advice to reduce the risk of social engineering and phishing.
How to Defend Your Network Against Social Engineers recommends, amongst other things, developing and enforcing a security policy addressing social engineering, and training users in how to recognize a social engineering attempt. [Naturally, we’d recommend NoticeBored for that, and more].
Sarah Granger wrote a good overview of social engineering including suitable controls. Part 1. Part 2.
Social Engineering 101 is an unmoderated bulletin board system where people post questions and answers about social engineering. The techniques described are pretty naive ... but are probably quite effective nonetheless.
Related NoticeBored links collections
Physical security, fraud, malware and most of all human factors
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.