You can install the industry’s strongest and most expensive firewall. You can educate employees about basic security procedures and the importance of choosing strong passwords. You can even lock down the server room – but how do you protect a company from the threat of social engineering attacks?
From a social engineering perspective, employees are the weakest link in the chain of security measures in place. Humans are susceptible not only to basic human error but also to targeted attacks from individuals hoping to convince them to give up sensitive information. Today we’ll be exploring some of the social techniques used to deceive and defraud.
The Basics of Social Engineering
Social engineering is the act of manipulating a person into giving up access or sensitive data by preying on basic human psychology. The difference between a social engineering attack and, for example, a hacker attempting to break into a website is the choice of tools. A hacker might look for a weakness in security software or a vulnerability on the server, whereas a social engineer uses social techniques, coercing the victim into freely handing over information or access.
These tactics are nothing new, and have existed for as long as people decided that deceiving each other was an acceptable way of making a living. Now that society has evolved to rely on the immediate nature of the internet and on-demand information, more people than ever are being exposed to social engineering attacks on a large scale.
Much of the time the attacker will not come face to face with his or her victim, instead relying on email, IM and telephone calls to carry out the attack. There are a variety of techniques that are widely regarded as social engineering attacks, so let’s take a look at them in more detail.
Social Engineering Techniques Explained
Phishing
By far one of the better-known techniques, thanks to awareness raised by email providers like Google and Yahoo, phishing is a fairly basic and very widely used example of social engineering.
Most commonly conducted via email, this technique is a type of fraud that involves convincing the victim that you are legitimately requesting sensitive information. One of the most common phishing attacks asks victims to “verify” their bank account or PayPal details to avoid having their accounts suspended. The attacker, or phisher, will often register a domain designed to imitate an official resource, and discrepancies in the URL often give the game away.
Online phishing is becoming easier to spot and report thanks to filtration techniques used by email providers. It’s also good practice never to divulge sensitive or financial information via email – no legitimate organization will ever request you do so – and to double-check URLs for legitimacy before entering important credentials.
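The advice to double-check URLs can be partly automated. The following is an added example, not code from the original article, that flags the usual lookalike tricks: a brand name buried in a subdomain, digit-for-letter substitutions, a fake host before an “@”, and a raw IP address in place of a domain. The brand list and the tiny public-suffix table are constructed assumptions; a real deployment would load both from maintained sources.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of domains that genuinely belong to commonly phished brands (assumption).
LEGIT_DOMAINS = {"paypal.com", "google.com", "yahoo.com"}
# Toy public-suffix table so "verify.co.uk" is treated as one registrable domain (assumption).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}
# Digits that attackers swap in for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """paypal.com.secure-login.net -> secure-login.net; paypal.verify.co.uk -> verify.co.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, brands=LEGIT_DOMAINS) -> list:
    """Return the reasons a URL looks like a phishing lookalike; an empty list means no red flag."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:  # http://paypal.com@evil.net/ really goes to evil.net
        reasons.append("text before '@' hides the real host " + host)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a domain")
    reg = registrable_domain(host)
    if reg in brands:
        return reasons  # the part that matters really belongs to the brand
    for brand in brands:
        name = brand.split(".")[0]
        if name in host.replace("-", ""):
            reasons.append(f"'{name}' appears in host, but the registrable domain is {reg}")
        else:
            normalised = reg.split(".")[0].replace("rn", "m").translate(HOMOGLYPHS)
            if edit_distance(normalised, name) <= 1:
                reasons.append(f"{reg} is a lookalike of {brand}")
    return reasons
```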
Telephone Techniques or “Vishing”
Vishing (voice phishing) uses the same techniques as above, delivered over a telephone or VoIP interface, often with an interactive voice response (IVR) system in place of a human caller. Common vishing techniques include:
- Directly calling the victim using an automated “your credit card has been stolen” or “urgent action is required” scam, then requesting “security verification” in order to restore normal access to the account.
- Emailing the victim, instructing them to then call a phone number and verify account information before granting access.
- Using faux interactive telephone techniques or direct human interaction to extract information, e.g. “press 1 for…” or “enter your credit card number after the beep”.
- Calling the victim, convincing them of a security threat on their computer and instructing them to purchase or install software (often malware or remote desktop software) to fix the problem.
I’ve personally been on the receiving end of the software phone scam and, though I didn’t fall for anything, I wouldn’t be surprised if someone did thanks to the scare-tactics employed. My encounter involved a “Microsoft employee” and some viruses that didn’t exist. You can read all about it here.
Baiting
This particular technique preys on one of humanity’s greatest weaknesses – curiosity. By deliberately leaving physical media – be it a floppy disk (unlikely these days), optical media or (most commonly) a USB stick – somewhere it is likely to be discovered, the scammer simply sits back and waits until someone makes use of the device.
Many PCs “autorun” USB devices, so when malware such as a trojan or keylogger is bundled on the USB stick it is possible for a machine to become infected without the victim even realising. Scammers often dress up such devices with official logos or labels that might arouse interest in potential victims.
Pretexting
This technique involves convincing the victim to give up information using an invented scenario. The scenario is usually built from information already gathered about the victim in order to convince them that the scammer is in fact an authoritative or official figure.
Depending on what the scammer is after, the pretext may range from basic personal information like a home address or date of birth to more specific information like transaction amounts on a bank account or charges on a bill.
Tailgating
One of the few techniques listed here that requires the scammer to be physically present, tailgating describes the practice of gaining access to a restricted area without authorization by following a legitimate employee into the area. For many scammers this removes the need to acquire access cards or keys and presents a potentially serious breach of security for the company involved.
This particular tactic preys on common courtesy such as the act of holding a door for someone and has become such a problem that many workplaces have taken to tackling the problem head-on with notices on entrances, like the notice used by Apple in the picture above.
Other Techniques
There are a few other techniques associated with social engineering, such as the something-for-something “quid pro quo” technique often used against office workers. Quid pro quo involves an attacker posing as, for example, a tech support employee returning a call. The attacker keeps “calling back” until he or she finds someone in genuine need of support, offers it, and at the same time extracts other information or points the victim to harmful software downloads.
Another social engineering technique, known as “diversion theft”, is not really associated with computers, the Internet or phone phishing. Instead it is a common technique used to convince legitimate couriers that a delivery is to be received elsewhere.
If you suspect an individual is trying to dupe you with a social engineering scam then you should notify the authorities and (if applicable) your employer. Techniques are not limited to what has been mentioned in this article – new scams and tricks are devised all the time – so stay on your guard, question everything and don’t fall victim to a fraudster.
The best defense against these attacks is knowledge – so inform your friends and family that people can and will use these tactics against you.
Have you had any run-ins with social engineers? Has your company educated the workforce about the dangers of social engineering? Add your thoughts and questions in the comments, below.