Social Engineering: The Basics
What is social engineering? What are the most common and current tactics? A guide on how to stop social engineering.
By Joan Goodchild , Senior Editor
Sneaky stuff. Give me some specific examples of what social engineers say or do.
Criminals will often take weeks and months getting to know a place before even coming in the door or making a phone call. Their preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook.
In the case of Roberts, he was asked to conduct a pen test for a client who was a high-net-worth individual to see how easy it would be to steal from him. He used a basic internet search to find an email address for the individual. From there, it snowballed.
"We searched for the e-mail address online and were able to find a telephone number because he had posted in a public forum using both," said Roberts. "On this forum, he was looking for concert tickets and had posted his telephone number on there to be contacted about buying tickets from a potential seller."
The phone number turned out to be an office number, and Roberts called pretending to be a publicist. From there he was able to obtain a personal cell phone number, a home address, and, eventually, mortgage information. The point being that from one small bit of information, a social engineer can compile an entire profile on a target and seem convincing. By the time Roberts was done with his pen test, he knew where the person's kids went to school and was even able to pull a Bluetooth signal from his residence.
Once a social engineer is ready to strike, knowing the right thing to say, knowing whom to ask for, and having confidence are often all it takes for an unauthorized person to gain access to a facility or sensitive data, according to Nickerson.
The goal is always to gain the trust of one or more of your employees. In Mind Games: How Social Engineers Win Your Confidence, Brian Brushwood, host of the Internet video series Scam School, describes some of the tricks scam artists use to gain that trust, which can vary depending on the communication medium:
-- On the phone:
A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor).
According to Sal Lifrieri, a 20-year veteran of the New York City Police Department who now educates companies on social engineering tactics through an organization called Protective Operations, the criminal tries to make the person feel comfortable with familiarity. They might learn the corporate lingo so the person on the other end thinks they are an insider. Another successful technique involves recording the "hold" music a company uses when callers are left waiting on the phone. See more such tricks in Social Engineering: Eight Common Tactics.
-- In the office:
"Can you hold the door for me? I don't have my key/access card on me." How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.
In the same exercise where Nickerson used his thrift-shop shirt to get into a building, he had a team member wait outside near the smoking area where employees often went for breaks. Assuming this person was simply a fellow office smoker, real employees let him in the back door without question. "A cigarette is a social engineer's best friend," said Nickerson. He also points out other places where social engineers can get in easily in 5 Security Holes at the Office.
This kind of thing goes on all the time, according to Nickerson. The tactic is also known as tailgating. Many people just don't ask others to prove they have permission to be there. But even in places where badges or other proof are required to roam the halls, fakery is easy, he said.
"I usually use some high-end photography to print up badges to really look like I am supposed to be in that environment. But they often don't even get checked. I've even worn a badge that said right on it 'Kick me out' and I still was not questioned."
-- Online:
Social networking sites have opened a whole new door for social engineering scams, according to Graham Cluley, senior technology consultant with U.K.-based security firm Sophos. One of the latest involves the criminal posing as a Facebook "friend." But one can never be certain the person they are talking to on Facebook is actually the real person, he noted. Criminals are stealing passwords, hacking accounts and posing as friends for financial gain.
One popular tactic used recently involved scammers hacking into Facebook accounts and sending messages from the compromised account claiming to be stuck in a foreign city and in need of money.
"The claim is often that they were robbed while traveling and the person asks the Facebook friend to wire money so everything can be fixed," said Cluley.
"If a person has chosen a bad password, or had it stolen through malware, it is easy for a con to wear that cloak of trustability," he said. "Once you have access to a person's account, you can see who their spouse is, where they went on holiday the last time. It is easy to pretend to be someone you are not."
See 9 Dirty Tricks: Social Engineers Favorite Pick-up Lines for more examples.
Social engineers also take advantage of current events and holidays to lure victims. In Cyber Monday: 3 online shopping scams and 7 Scroogeworthy scams for the holidays, security experts warn that social engineers often take advantage of holiday shopping trends by poisoning search results and planting bad links in sites. They might also go as far as to set up a fake charity in the hope of gaining some cash from a Christmas donation.