It doesn't matter how many locks you put on the door of your security plan: criminals who use social engineering techniques will still sail right in. Why bother breaking down the door if you can simply ask the person inside to let you in? That is the question posed by Lenny Zeltser, head of the security consulting team at Savvis and a SANS Institute faculty member.
"There is often a debate about what is more prevalent and more dangerous: Is it the outsider threat or the insider threat?" said Zeltser. "Once you accept the success of social engineering, you will recognize there is no distinction anymore. If you have an outsider, and they use a social engineering technique, they become an insider."
Zeltser, who frequently presents at security conferences around the country, lays out the four ways social engineers compromise a person's security defenses and gain easy access to sensitive information.
1. Alternative communication channels
Scam artists make use of alternative channels of communication because they catch people off guard, said Zeltser.
"Attackers find their victims are more susceptible to influence when the attacker engages them using a different medium than the victim is used to," he said.
He pointed to the example of a scam that used windshield flyers. The flyers alerted drivers that their car was "in violation of standard parking regulations" and asked them to log onto a site where they could get more information.
"If you got a spam message that said this, you probably would have disregarded it," noted Zeltser. "But when people got this notice in the physical world, outside of the normal channel they are used to being on guard in, they went to horribleparking.com and they saw some pictures of improperly parked cars in their own town. Of course, if they wanted to see their own vehicle parked improperly, they had to download this media player. If they downloaded it, they infected themselves with a fake antivirus tool."
Zeltser also pointed to vishing scams, where victims receive voice mails asking them to contact their bank about fraudulent account activity as another variation of this kind of attack. People call the number and are prompted by a series of voice commands to enter sensitive information, or they are connected with someone claiming to be a bank representative.
"People tend to trust phone communication more than they trust email communications," said Zeltser.
And USB keys are another example of an alternative-channel exploit. Zeltser referred to a recent example of an attack using USB keys that spread the Conficker worm, and noted that victims are often not suspicious of USB keys and put them right into the machine without a second thought. While it used to be standard for computer users to scan floppy disks for problems, the same protocol does not exist with USB keys.
"Floppies went away, and we forgot about security," he said.
2. Personally-relevant messaging
People don't want to just get e-mail, they want me-mail, according to Zeltser. A message that is more personally interesting is going to get more attention, and criminals know that.
He referred to one worm variant that spread by spamming victims with messages that claimed to contain breaking news that just occurred in their local town.
"They caught the victim's attention," said Zeltser. "How? Because they used the geo-location database to determine where victims were coming from and then customized this link."
Of course, if the recipient of the fake message wanted to "read more" about the local news story, they had to download a video player, and instead ended up with malware.
Another variation on this kind of scam involves spoofing messages to look like they come from a trusted source. One common attack lately impersonates the delivery company UPS. The message from "UPS" claims there was a failed attempt to deliver a package, and asks the victim to print out an invoice to take to the UPS center to pick it up.
"If I print it, it's probably going to be a malicious executable or a malicious PDF file, and that's how they got me," said Zeltser. "How do we tell our users not to open attachments from people they don't know? It's not very useful advice anymore. Because the messages that come to them are from people they are likely to know. So it's impractical. We need to figure out something else to tell our users."
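The "UPS" invoice lure above is what a mail gateway or help desk actually has to catch: a trusted brand in the display name, a sender domain that is not the brand's, and an executable dressed up as a document. The triage logic below is an added example, not code from the article or from any vendor; the brand allowlist, the sender domains and the sample message are constructed for illustration.

```javascript
// Added example, not from the article: triage logic for the spoofed "UPS"
// invoice lure. Brand list, sender domains and sample messages are constructed.
const BRAND_DOMAINS = { ups: ["ups.com"] };           // assumed allowlist per brand
const EXECUTABLE_EXT = new Set(["exe", "scr", "js", "vbs", "bat", "cmd", "hta"]);

// Turns "Header: value" lines of a raw message into a lowercase-keyed map.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const m = line.match(/^([\w-]+):\s*(.*)$/);
    if (m) headers[m[1].toLowerCase()] = m[2];
  }
  return headers;
}

// '"UPS Delivery" <x@ups-invoice-example.test>' -> display name and sender domain.
function parseFrom(from = "") {
  const angle = from.match(/<([^>]+)>/);
  const address = (angle ? angle[1] : from).trim().toLowerCase();
  const name = angle ? from.slice(0, angle.index).replace(/"/g, "").trim() : "";
  return { name, domain: address.split("@")[1] || "" };
}

// A sender is genuine for a brand only if its domain is, or is under, an allowed one.
function domainAllowed(domain, allowed) {
  return allowed.some((d) => domain === d || domain.endsWith("." + d));
}

// Reports the brand a message imitates (if any) and any executable attachments.
function assessMessage(raw) {
  const { name, domain } = parseFrom(parseHeaders(raw).from);
  const domainTokens = domain.split(/[^a-z0-9]+/);
  const brand = Object.keys(BRAND_DOMAINS).find((b) =>
    (new RegExp(`\\b${b}\\b`, "i").test(name) || domainTokens.includes(b)) &&
    !domainAllowed(domain, BRAND_DOMAINS[b]));
  const executables = [];
  for (const m of raw.matchAll(/filename="?([^";\r\n]+)"?/gi)) {
    const ext = m[1].toLowerCase().split(".").pop();   // last extension wins: invoice.pdf.exe
    if (EXECUTABLE_EXT.has(ext)) executables.push(m[1]);
  }
  return { impersonatedBrand: brand || null, senderDomain: domain, executables,
           suspicious: Boolean(brand) || executables.length > 0 };
}

// Constructed sample resembling the lure described above.
const LURE = [
  'From: "UPS Delivery Notice" <noreply@ups-invoice-example.test>',
  "Subject: Failed delivery attempt - print your invoice",
  'Content-Disposition: attachment; filename="Invoice_4821.pdf.exe"',
].join("\r\n");
```

Run `assessMessage(LURE)` to see the brand mismatch and the double-extension attachment reported together; a genuine message from an allowlisted domain with a plain PDF comes back clean.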
3. Social compliance
It is human nature to want to do what others are doing, noted Zeltser. And our tendency to follow the crowd can also make us social engineering victims. Criminals know you will be more inclined to trust something that is popular, or recommended by trusted sources.
It's this kind of psychology that led to the success of the recent 'likejacking' attacks on Facebook earlier this month. Facebook users were fooled into 'liking' websites that claimed to have information about celebrity secrets or photos. Instead, victims found themselves clicking on a maliciously crafted website whose creators had hidden an invisible button under the mouse pointer. Clicking on the website hijacked the mouse click and secretly caused users to 'like' the webpage. This activity was then published to the victim's Facebook page, which gave the malicious page legitimacy and caused others to 'like' it as well.
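The invisible-button trick only works because the social site's page can be rendered inside a frame on the attacker's page. The defence is for the page carrying the sensitive one-click action to tell browsers who may frame it. The code below is an added example, not from the article or from Facebook: it builds the anti-framing headers and mirrors the ancestor check a browser performs; the function names and origins are constructed.

```javascript
// Added example, not from the article: response headers that keep a page with a
// one-click action out of third-party frames, plus the ancestor check browsers
// apply. Function names and the origins used in comments are constructed.

// Only plain https origins go in the allowlist: no wildcards, paths or schemes
// an attacker could satisfy.
const ORIGIN_RE = /^https:\/\/[a-z0-9.-]+(:\d+)?$/i;

// Headers for a page that must never render inside someone else's frame. With
// an empty allowlist only the page's own origin may frame it.
function buildAntiFramingHeaders(allowedAncestors = []) {
  for (const origin of allowedAncestors) {
    if (!ORIGIN_RE.test(origin)) {
      throw new Error(`refusing unsafe frame-ancestors entry: ${origin}`);
    }
  }
  return {
    // Modern browsers honour frame-ancestors and it supports an allowlist.
    "Content-Security-Policy": `frame-ancestors ${["'self'", ...allowedAncestors].join(" ")}`,
    // Legacy fallback: X-Frame-Options cannot express an allowlist, so it only
    // covers the same-origin case; allowlisted partners rely on CSP.
    "X-Frame-Options": "SAMEORIGIN",
  };
}

// Mirrors the browser's frame-ancestors decision: every origin in the chain of
// embedding documents must be the page itself or an allowlisted ancestor. A
// single foreign origin anywhere in the chain blocks rendering, which is what
// defeats a hidden button laid under the visitor's cursor.
function ancestorsPermitted(pageOrigin, ancestorChain, allowedAncestors = []) {
  const allowed = new Set([pageOrigin, ...allowedAncestors].map((o) => o.toLowerCase()));
  return ancestorChain.every((origin) => allowed.has(origin.toLowerCase()));
}
```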
Criminals have also exploited social compliance by uploading malicious software onto a file sharing site where software junkies go to find the latest and greatest products, said Zeltser.
"The worm then kept hitting the download to artificially inflate the counter so the file would float to the top and appeared as the most popular download," he explained. "If other people like it and download it, I want to see what others download and I download it."
4. Reliance on security mechanisms
Because we are so used to certain security mechanisms, and often take them for granted, they are no longer protecting us, according to Zeltser.
Zeltser retold the tale of a scam that featured a social engineer dressed as a police officer who comes into a store. He tells the clerk there have been counterfeit bills passed in the area, and gives the clerk a special pen, which he says can be used to verify real or fake money and will turn red on bills that aren't legitimate.
Later, someone else comes in and passes a fake bill. The clerk flags the bill as possibly fake and uses the pen. The ink turns green, which indicates it's OK. In reality, the pen itself was fake, too, and would never have uncovered a fake bill in the first place. It is the clerk's trust in the police that makes this con work.
The same holds true for the many security updates computer users have become accustomed to getting. Flash updates, for example, have been used in this type of exploit.
"You go to a site, you get an error message that says you need to download the latest version of Flash," said Zeltser. "The victim has no way of knowing if they are downloading a legitimate tool, and in many cases they are not. But our victims have been subjected to these messages over and over again and they are so used to the pseudo-security mechanism of the Flash upgrade, that at this point an attacker can use it against them."
So how do we keep outsiders out?
What do these four strategies mean for security? That the outsider can very easily become an insider, said Zeltser. And so far, training employees to be aware of social engineering has failed.
"When we look at our security architecture, we need to start thinking less, and focusing less, on external barriers," he said. "Focus more on what goes on inside the organization. We need to be putting more focus on internal segmentation of resources and internal monitoring of traffic that goes within and outside of your environment. And focus on giving your users as little privilege as they need. Not because you don't trust them, but because you know they can easily be scammed and you are trying to protect them."