May 3, 2007
Social engineering is the manipulation of individuals into giving out vital information through a collection of techniques. Today it is often compared to a confidence trick or a simple fraud: people are deceived in order to gather information or gain access to computer systems. In most cases the attacker never comes face to face with the victim, because the attack is carried out through anonymous channels such as email, the phone, impersonation, rogue interactive voice response (IVR) systems, and physical media. Social engineers will do almost anything to obtain valuable information, and they rely on people's inability to keep up with a culture that depends heavily on information technology. They will go through dumpsters looking for valuable information, look over someone's shoulder to memorize access codes, or take advantage of people who choose meaningful but easily guessed passwords. Many users reuse the same password on every account, which makes it easier for a social engineer to gain quick access to all of that user's accounts. Most of these techniques can be difficult to pull off; a lot of research and careful planning are needed to make the execution successful.
The techniques used for social engineering can be very manipulative. Which technique to use can only be chosen once the attacker knows which group of people they intend to trick. There are numerous manipulation techniques; here are some of the ones most commonly used by social engineers today:
1. Pretexting – the act of creating or inventing a scenario to manipulate the target into releasing information over the phone. This trick is often used to manipulate businesses into handing out customer information such as date of birth, social security number, or last bill amount. It can also be performed by impersonating a co-worker at the business: the impersonator asks the target's colleagues a series of questions and comes prepared with answers in case they are questioned back. A common sub-technique of pretexting is the use of voice over IP programs, which make the caller feel safer and more comfortable knowing that they are not using a traceable number and have less chance of getting caught.
2. Phishing – emails, sent in the name of legitimate businesses and companies, requesting verification of information. The email also carries a warning that if the information is not verified there will be consequences to consider. It will of course contain a link that takes the user to a website that looks legitimate because of its logos and content. That website also contains a form requesting even more valuable information, such as a home address or an ATM card's PIN.
3. IVR phone phishing – very manipulative if performed right. It is basically an exact duplicate of a business's or company's IVR system, with the social engineer behind the copy. The social engineer sends the victim a phishing email prompting them to call a toll-free number to verify information. The system continually rejects the logins, ensuring that the user enters their information multiple times. If the system transfers the user to a customer representative, the attacker will likely play that role for further questions and answers.
4. Trojan horse/gimmes – a gimme is a type of malware that plays on users' curiosity and greed. Gimmes are mostly sent as email attachments containing something interesting that will catch the user's eye: free ringtones or screensavers, a free system upgrade, or a free trial of a new antivirus program will definitely get the user's attention.
5. Road apple – one of the slickest techniques out there. The attacker leaves malware-infected media, such as a floppy disk or CD-ROM, in a location where it is sure to be found, then waits for someone at the business or company to use it. The media will of course carry some kind of official logo so that the victim thinks it belongs to them.
6. Quid pro quo – basically "something for something." An attacker calls random numbers at certain companies posing as a technical support representative. Sooner or later they reach someone who actually needs assistance. At this point the attacker "helps" the victim and, in doing so, manipulates them into typing in commands that give the attacker full access to the system.
What can be done to prevent these types of attacks? I would say there are ways to protect a business or company from being attacked or robbed. The best countermeasure is user awareness that these attacks do happen. By following the top business practices, the risk of being hit by these tricks can be reduced. Such practices include training employees never to give out passwords or vital information over the phone. Businesses can update their security policy to address social engineering attacks and extend their incident-handling procedures to cover them. When typing in a password, make sure that no one else is looking; passwords are the most important part of logging in. All guests should be escorted, because once they are inside they have full access: they can look around and see where information is kept and what users use to enter the system. Trash should be kept secured and in monitored areas, and once important and sensitive data is no longer needed it should be shredded so that no one can read or obtain it. Finally, businesses should conduct periodic security awareness training programs to keep everyone in the company alert.
Many people are hired in businesses and companies today. Employers tend to hire people they feel they can trust and confide in, and in most cases, once an individual has gained respectability in the business, others no longer view their activities with suspicion. Every honest person assumes that others are similarly well intentioned. The intruder also takes advantage of the natural tendency to relax one's guard when things appear to be secure. Most companies spend huge sums on improving hardware and software in order to block attacks, but it is up to the end users to follow good security practices. Kevin Mitnick once said: "The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you." This could indeed be true if one intends to betray the business in the near future.
Behaviors can be a weakness for businesses; certain behaviors are very vulnerable to social engineering attacks. One must know whether another person can be trusted. If someone takes a direct approach and presents themselves as a technical expert, they may not belong there in the first place. Another weak behavior is the desire to be "helpful." If someone takes the direct approach, acts like a technical expert, and speaks with the voice of authority, then something is wrong; they are there for something else. If they wish to get something for nothing, they are up to something; a Trojan horse chain email is one example. Curiosity is another behavior that workers often display: if one person convinces another to open, say, a Trojan horse email attachment from an unknown sender, that person is not an authorized employee of the business. Ignorance is a behavior exploited by social engineering as well; dumpster diving and the direct approach are signs of it. Last but not least is carelessness, whose signs are dumpster diving, spying, and eavesdropping on other people's privacy. All social engineering methods of attack target very natural human attributes. To prevent this, watch how everyone acts around you and learn their everyday work routine.
There are many social engineers all around the world; some have made headlines and some have stirred controversy around the globe. In the United States, a hacker named Kevin David Mitnick practically popularized the term social engineering. He was convicted in the late 90s of illegally gaining access to computer systems and obtaining intellectual property. Some consider him a criminal while others think he was made a scapegoat for the crime. After his court appearances he headed a different way and now works as a computer security consultant. Another social engineer is a white hat hacker known as Archangel, nicknamed the "greatest social engineer of all time". This hacker had many amusing techniques and has demonstrated ways of obtaining everything from passwords to pizza to automobiles to airline tickets. Other hackers in this category include Frank Abagnale, David Bannon, Peter Foster, Steven Jay Russell, and possibly Pappy
Social engineering has been used in all sorts of popular culture. For example, in the film Hackers, the protagonist uses a social engineering technique: one character gains access to a TV network's control system by posing as an executive and asking one of the guards for a modem number. The method shown in the movie demonstrates how powerful social engineering can be. In the internet gaming community, there are rumors of attackers befriending a user to gain access to account passwords and game serial numbers so that previously banned cheaters can get back into online play. A video podcast named The Broken, released in 2002, showed how one can receive free pizza for life with a simple social engineering trick. The host explained his technique and demonstrated it step by step. All he had to do was wait for a customer to place an order. When the customer entered the pizzeria, the host entered with them. The customer ordered a pizza while the host recorded the customer's name, phone number, and order. Later, he called the pizzeria claiming to be that customer and complained that the pizza was terrible. In return for not filing a complaint against the pizzeria, the host was given another pizza, which he picked up later. The technique used was the impersonation trick, also known as pretexting. This shows that social engineering is done in both the real world and the movie world.
Currently there are training programs in this area. One of them is operated by Kevin Mitnick, who, as I mentioned earlier, was one of the most controversial social engineers of the 90s. The program leads to becoming a Certified Social Engineering Prevention Specialist (CSEPC), which refers both to an individual Mitnick Security Consulting certification and to a broader professional certification program. To attain the certification, the candidate must of course attend the training courses and pass the exam, which was created by Kevin Mitnick, before completing the course. The course's main objective is to show how social engineering works through multiple case histories. More specifically, it focuses on how attackers use social engineering to obtain access to computer systems by manipulating their targets, and on what can be done to minimize the problem. The entire program costs $2,300 per person, and the course takes only two days to complete. It is a great start for any business or company's employees in case this occurs during work. It might seem a bit expensive since the course only takes two days, but the outcome will be fewer attacks and harsh entrances to the system of your
Social engineering has its good and bad sides. It is harsh when one tries it on the employees of a company one wishes to harm. Sometimes it can be okay, as with the pizza example I explained earlier: in that example nobody's system is infected. The pizzeria did lose some money, but it lost no information and will not be closing down because of that incident. Though the host did get away with free pizza, he only used it as an example to show people that social engineering is not done only with computers but in the outside world as well. It's not his fault either for getting a free pizza using social engineering. Any employee or manager should stay alert for people trying to bring them down; in this case it was only a free pizza. So in closing, keeping an eye out for suspicious people at your business could result in a safe working environment.