Social Engineering: Eight Common Tactics

Stealing your company's hold music, spoofing caller ID, pumping up penny stocks - social engineers blend old and new methods to grab passwords or profits. Being aware of their tactics is the first line of defense.

Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the '90s, but the simple idea itself (tricking someone into doing something or divulging sensitive information) has been around for ages. Experts say today's attackers still aim to steal passwords, install malware or grab profits, using a mix of old and new tactics.

Here's a refresher course on some of the most prevalent social engineering tactics used by phone, email and Web.

Tactic 1: Ten degrees of separation

The number one goal of a social engineer who uses the telephone as his modus operandi is to convince his target that he is either 1) a fellow employee or 2) a trusted outside authority (such as law enforcement or an auditor). But if his ultimate goal is to gain information from or about employee X, his first calls or emails might go to a different person.


The old game of six degrees of separation has a few more layers when it comes to crime. According to Sal Lifrieri, a 20-year veteran of the New York City Police Department who now educates companies on social engineering tactics through an organization called Protective Operations, there might be ten steps between a criminal's target and the person he or she can start with in the organization.

"In my educational sessions, I tell people you always need to be slightly paranoid and anal because you never really know what a person wants out of you," said Lifrieri. The targeting of employees "starts with the receptionist, the guard at the gate who is watching a parking lot. That's why training has to get to the staff. The secretary or receptionist criminals start with might be ten moves away from the person they want to get to."

Lifrieri says criminals use simple ideas to cozy up to more accessible people in an organization in order to get information about people higher up in the hierarchy.


"The common technique [for the criminal] is to be friendly," said Lifrieri. "To act like: 'I want to get to know you. I want to get to know stuff that is going on in your life.' Pretty soon they are getting information you wouldn't have volunteered a few weeks earlier."

Tactic 2: Learning your corporate language

Every industry has its own shorthand, according to Lifrieri. A social engineering criminal will study that language and be able to rattle it off with the best of them.

"It's all about surrounding cues," he said. "If I'm speaking a language you recognize, you trust me. You are more willing to give me that information I'm looking to get out of you if I can use the acronyms and terms you are used to hearing."

Tactic 3: Borrowing your 'hold' music

Successful scammers need time, persistence and patience, said Lifrieri. Attacks are often carried out slowly and methodically. The build-up includes not only collecting personal tidbits about people, but also collecting other "social cues" to build trust and even fool others into thinking the caller is an employee when he or she is not.

Another successful technique involves recording the "hold" music a company uses when callers are left waiting on the phone.

"The criminal gets put on hold, records the music and then uses it to their advantage. When he or she calls the intended victim, they talk for a minute and then say 'Oh, my other line is ringing, hold on,' and put them on hold. The person being scammed hears that familiar company music and thinks: 'Oh, he must work here at the company. That is our music.' It is just another psychological cue."

Tactic 4: Phone-number spoofing

Criminals often use phone-number spoofing to make a different number show up on the target's caller ID.

"The criminal could be sitting in an apartment calling you, but the number that shows up on the caller ID appears to come from within the company," said Lifrieri.


Of course, unsuspecting victims are far more likely to give out private information, such as passwords, over the phone if the caller ID appears to legitimize the call. And the crime is often undetectable afterward, because dialing the number back reaches an internal company number.

Tactic 5: Using the news against you

"Whatever is going on in the headlines, the bad guys are using that information as social engineering lures for spam, phishing and other scams," said Dave Marcus, director of security research and communications for McAfee Avert Labs.

Marcus said Avert has seen a rise in the number of presidential campaign-related and economic crunch-based spam emails lately.

"There have been a bunch of phishing attacks related to banks being bought by others," said Marcus. "The email will say 'Your bank is being bought by this bank. Click here to make sure you update information before the sale closes.' It's an attempt to get you to release your information so they can log into your account to either steal your money or sell your information to someone else."

Tactic 6: Abusing faith in social networking sites

Facebook, Myspace and LinkedIn are hugely popular social networking sites, and people place a lot of faith in them, according to Marcus. A recent spear-phishing incident targeted LinkedIn users, and the attack surprised many. Marcus said social networking devotees are increasingly being fooled by emails that claim to come from sites like Facebook but are really from scammers.

"They will get an email that says: 'The site is doing maintenance, click here to update your information.' Of course, when you click on the link, you go to the bad guys' site." Marcus recommends advising employees to type Web addresses in manually rather than following links, and to keep in mind that it is very rare for a site to send out a request for a password change or an account update.

Tactic 7: Typo Squatting

On the Web, bad guys also bank on the common mistakes people make when they type, according to Marcus. When you type in a URL that's just one letter off, suddenly you can end up with unintended consequences.

"Bad guys prepare for typing mistakes and the site they prepare is going to look a lot like the site you thought you were going to, like Google."

Instead of going where they wanted, unsuspecting users who make typing mistakes end up on a fake site that either intends to sell something, steal something, or push out malware.
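As an added example (not part of the article), here is a small defender-side check for the "one letter off" pattern described above: it flags hostnames, taken from a constructed proxy-log sample, whose domain is a single typo away from a domain you protect. OBSERVED_HOSTS and PROTECTED_DOMAINS are assumed sample data.

```python
# Added example (not from the article): flag hostnames whose registrable
# domain is one typo away from a domain you protect. OBSERVED_HOSTS and
# PROTECTED_DOMAINS below are constructed sample data, not real log lines.

OBSERVED_HOSTS = [  # as they might appear in a web-proxy log (constructed)
    "www.google.com",
    "www.goggle.com",
    "mail.gooogle.com",
    "www.gogole.com",
    "login.example-bank.com",
    "login.exampel-bank.com",
    "cdn.unrelated.net",
]
PROTECTED_DOMAINS = ["google.com", "example-bank.com"]


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertions, deletions,
    substitutions and swaps of adjacent characters each cost 1."""
    prev_prev, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev_prev[j - 2] + 1)  # transposition
            cur.append(best)
        prev_prev, prev = prev, cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: multi-part public
    suffixes such as co.uk are not handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_lookalikes(hosts, protected, max_distance=1):
    """Return (host, protected_domain, distance) for every host whose
    registrable domain is near, but not identical to, a protected one."""
    hits = []
    for host in hosts:
        reg = registrable_domain(host)
        for good in protected:
            d = edit_distance(reg, good)
            if 0 < d <= max_distance:  # d == 0 is the real site, not a squat
                hits.append((host, good, d))
    return hits
```

Exact matches are deliberately not flagged, so the real site never shows up as its own lookalike; raising max_distance widens the net at the cost of more false positives.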

Tactic 8: Using FUD to affect the stock market

The security and vulnerabilities of products, and even entire companies, can make an impact on the equities market, according to new research from Avert. Researchers studied the impact of events such as Microsoft's Patch Tuesday on the company's stock and found a noticeable swing each month after vulnerability information was released.

"Publicly-released information has an effect on stock prices," said Marcus. "Another recent example is the fake information that was circulated a few weeks ago about Steve Jobs' health. Apple stock took a dive on that. That is a clear example of someone inserting FUD and a resulting effect on a stock." Presumably the culprits held a 'short' position which allowed them to profit from this trick.

The converse approach is to use email to execute the ancient 'pump-and-dump' tactic. A scammer buys a large volume of a penny stock, then blasts out emails under the guise of an investment advisor touting that stock's great potential (that's the 'pump'). If enough recipients of the spam rush to buy the stock, the price spikes upward. The scammer then quickly 'dumps' his shares at a great profit.
