Six social engineering tricks that can be avoided if you're careful

Social engineers work on multiple levels. The key to their success is to target human nature and emotion.

Social engineers work on multiple levels. The key to their success is to target human nature and emotion. However, some of their most common tricks can be avoided if their victims have advance warning. With that said, here are six of the most common tricks, presented by someone who uses them often: Nathan Drier, the Principal Security Consultant at Trustwave.

Tricky email messaging

"Sending phishing emails always returns a pretty high success rate. We usually pretend to be from IT or a trusted vendor and we require some sort of interaction on the client’s end such as opening an attached file or visiting a website that we control," Drier says.

Once you click, the damage has been done. The attacker has silently collected your domain username and password, and possibly gained shell access to your workstation. From there, they'll set up shop on your computer and use it as a launch pad to attack the rest of the corporate network.

"One time we sent out emails telling all the employees that we upgraded them to a newer version of their external webmail service. Everyone started logging in – but instead of getting access to their email, we were collecting their usernames and passwords. One of those users happened to also have VPN access, which allowed us to VPN into the corporate network."
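The lure above (a mail claiming to be from IT, pointing at a look-alike webmail login) leaves several indicators a mail gateway or SOC script can check for. The following scorer is an added defensive example, not code from the article or from Trustwave; the organisation's domain example-corp.com, the trusted link hosts, the keyword lists and both sample messages are constructed assumptions.

```python
"""Score an inbound email for the indicators behind a fake 'webmail upgrade' lure.
Added defensive example; all domains, keyword lists and messages are constructed."""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-corp.com"                         # assumption: the org's mail domain
TRUSTED_LINK_HOSTS = {"mail.example-corp.com", "example-corp.com"}   # assumption
IMPERSONATION_WORDS = ("it department", "helpdesk", "it support", "webmail")
URGENCY_WORDS = ("immediately", "within 24 hours", "will be disabled", "upgraded")

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Matches anchor text that itself looks like a hostname or URL (used for text/href mismatch).
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def score_message(from_header: str, reply_to: str, subject: str, html_body: str) -> Verdict:
    v = Verdict()
    display, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display name claims to be internal IT, but the address is not from our domain.
    if any(w in display.lower() for w in IMPERSONATION_WORDS) and sender_domain != INTERNAL_DOMAIN:
        v.add(3, f"display name '{display}' claims IT but sender domain is '{sender_domain}'")

    # 2. Reply-To routes answers to a different domain than the visible sender.
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if rt_addr and rt_addr.rsplit("@", 1)[-1].lower() != sender_domain:
            v.add(2, f"Reply-To domain differs from From domain ({rt_addr})")

    # 3. Links: untrusted host, or anchor text that shows a different host than the href.
    for href, text in HREF_RE.findall(html_body):
        host = (urlparse(href).hostname or "").lower()
        if host and host not in TRUSTED_LINK_HOSTS:
            v.add(3, f"link to untrusted host {host}")
        shown = re.sub(r"<[^>]+>", "", text).strip()
        m = HOST_RE.match(shown)
        if m and m.group(1).lower() != host:
            v.add(2, f"link text shows {m.group(1)} but points to {host}")

    # 4. Urgency / 'upgrade' wording typical of credential-harvesting lures.
    lowered = (subject + " " + html_body).lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        v.add(1, "urgency/upgrade wording: " + ", ".join(hits))
    return v


# Constructed sample messages (not real mail).
PHISH = dict(
    from_header='"IT Department" <helpdesk@example-corp-mail.net>',
    reply_to="",
    subject="Your webmail has been upgraded - action required",
    html_body='<p>We upgraded your webmail. Log in within 24 hours at '
              '<a href="http://webmail-login.example-corp-mail.net/auth">mail.example-corp.com</a>'
              ' or your account will be disabled.</p>',
)
LEGIT = dict(
    from_header='"Jane Doe" <jane.doe@example-corp.com>',
    reply_to="",
    subject="Lunch menu for Thursday",
    html_body='<p>Menu is at <a href="https://example-corp.com/intranet/menu">the intranet</a>.</p>',
)

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        verdict = score_message(**msg)
        print(name, verdict.score, *verdict.reasons, sep="\n  ")
```

The weights are arbitrary starting points; what matters is that the three structural checks (external sender claiming IT, Reply-To mismatch, link text/host mismatch) do not depend on wording and so survive a rewrite of the lure, while the keyword check only adds a small nudge.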

Media drops (a.k.a. free stuff)

"People love free stuff," Drier said.

Nothing beats finding a shiny new USB thumb drive in the parking lot on your way into work.

"Careful, we’ve spent all week custom-coding a piece of hidden malicious software. The second you plug it in, it runs a bunch of code that takes over your computer and gives us remote access to it. From there, we can begin attacking other internal systems with minimal risk," Drier adds.

"For even greater success, we put them in a trusted location. Fill up a small basket with the drives and write ‘FREE’ on it. Walk in the front door, schmooze with the receptionist, and drop off the basket somewhere in the lobby. A couple hours later, all 30 drives are gone and beginning to phone home."

Follow the leader (Tailgating)

People are busy. Sometimes, they are too busy to notice someone walking behind them on their way into the office.

"No, I don’t have a badge, and you haven’t seen me around before – but the office is large and I look like I belong. I’m dressed just like you. I’m typing an important email or talking on my phone, and I seem to know where I’m going. The majority of the time, I’ll smile and you’ll hold the door open for me…I must have forgotten my badge," Drier says.

"Once inside, I scout and find an empty cubicle off in the corner. I crawl under the desk and plug in a wireless access point. My cohorts in the minivan outside see the wireless network pop-up and begin using it to map out the internal network."
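An access point hidden under a desk still has to transmit, so a periodic indoor wireless survey compared against the WLAN controller's list of authorised radios will expose it. The script below is an added defensive example, not code from the article or from Trustwave; the corporate SSIDs, the authorised BSSID list, the indoor signal threshold and the survey records are constructed assumptions. It flags two things: an unknown BSSID advertising a corporate SSID (an evil twin), and any other unknown BSSID heard strongly enough to be inside the building.

```python
"""Compare an indoor wireless survey against authorised APs and flag rogues.
Added defensive example; SSIDs, BSSIDs, threshold and survey data are constructed."""
from dataclasses import dataclass

CORPORATE_SSIDS = {"ExampleCorp-Staff", "ExampleCorp-Guest"}          # assumption
AUTHORISED_BSSIDS = {                                                  # assumption: from the controller
    "aa:bb:cc:00:01:01", "aa:bb:cc:00:01:02", "aa:bb:cc:00:01:03",
}
INDOOR_RSSI_DBM = -60   # assumption: signals stronger than this are on our own floor


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str        # empty string for a hidden SSID
    rssi_dbm: int
    channel: int


def parse_survey(text: str) -> list:
    """Parse 'bssid ssid rssi channel' lines; '<hidden>' marks a hidden SSID."""
    beacons = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        bssid, ssid, rssi, chan = line.split()
        beacons.append(Beacon(bssid.lower(), "" if ssid == "<hidden>" else ssid, int(rssi), int(chan)))
    return beacons


def find_rogues(beacons) -> list:
    """Return (finding_type, beacon) pairs for every unauthorised radio worth a ticket."""
    findings = []
    for b in beacons:
        if b.bssid in AUTHORISED_BSSIDS:
            continue
        if b.ssid in CORPORATE_SSIDS:
            findings.append(("evil-twin", b))            # our name, not our hardware
        elif b.rssi_dbm >= INDOOR_RSSI_DBM:
            findings.append(("rogue-candidate", b))      # strong but unknown: physically close
    return findings


# Constructed survey output (not a real capture).
SURVEY = """
# bssid             ssid               rssi  channel
aa:bb:cc:00:01:01   ExampleCorp-Staff  -48   36
aa:bb:cc:00:01:02   ExampleCorp-Guest  -55   1
de:ad:be:ef:00:01   ExampleCorp-Staff  -42   6
02:11:22:33:44:55   <hidden>           -39   11
ff:ee:dd:cc:bb:aa   CoffeeShopWifi     -83   1
"""

if __name__ == "__main__":
    for kind, beacon in find_rogues(parse_survey(SURVEY)):
        print(f"{kind:16} {beacon.bssid}  ssid={beacon.ssid or '<hidden>'!r}  "
              f"{beacon.rssi_dbm} dBm  ch{beacon.channel}")
```

The neighbouring coffee shop at -83 dBm is ignored, but the hidden network at -39 dBm is exactly the kind of signal a device plugged in under a cubicle desk would produce. Pairing this with a switch-port check (which port has a MAC address that is not in the asset inventory) locates the device rather than just confirming it exists.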

Your trash, their treasure (dumpster diving)

"A company’s trash is a goldmine of information. From vendor information, passwords, usernames, schematics, network information - it’s all there," Drier explains.

"Dumpsters are rarely locked (or easily picked), so it makes for an excellent recon mission at 3am after the building is empty. We jump in, grab bags full of papers, and run back to a home base for analysis. Once we found payroll data for employees including more than 10,000 social security numbers – all in the dumpster."

Face to face meetings

Having confidence and looking the part can get you into places, Drier said.

"I was working on an ethical hacking assignment for a business with a large public office area and stumbled on one of their unlocked workstations on the main floor. The machine was obviously for employees-only. I slid up to the keyboard and got to work escalating my privileges and installing a backdoor. A couple minutes in, an employee walks over and asks me what I’m doing. Before I can answer, she says ‘Oh, they FINALLY sent someone to fix my computer. I’ve been telling them it has been dog-slow for MONTHS!’. I smile and agree I’m here to solve that problem for her.

"She leaves, and I get back to work. Minutes later, a security guard comes hustling my way. I try to finish up installing my backdoor before he gets to me – but to my surprise that first employee cuts him off and says ‘You leave him be, he is from IT and is fixing my computer.’ She continues to tie up the security guard just long enough for me to finish up my work and disappear."

Phone calls

The most direct way to get sensitive information from someone is to call them up and ask, Drier says.

With a little recon, a social engineer can come up with a pretty believable pretext and make some serious progress.

"I like to pretend I’m interested in a technical job they posted, and use that guise to get additional information from HR or wherever I happen to land. I can usually get them to ask for a resume, which makes for an excellent prelude for sending in some phishing emails," he explained.

"During one engagement, we had a target on the phone believing we were from IT. We were helping her ‘fix’ her computer, and during that process she had to change her password to a known value (letting us compromise her account). Once we were finished, she mentioned that everyone else in her department was experiencing the same fake problem, and she could help by having all her coworkers change their password to the same value. Why yes, that would be a huge help for us. Thanks!"
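A whole department resetting passwords to a value dictated over the phone leaves a trace even when the value itself is never logged: a burst of password changes in one team inside a short window, with no corresponding helpdesk tickets. The script below is an added defensive example, not code from the article or from Trustwave; the simplified log format, the window, the threshold and the sample log lines are constructed assumptions.

```python
"""Flag bursts of password changes within one department (possible phone pretext).
Added defensive example; log format, window, threshold and log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumption: how long one helpdesk 'fix' call chain lasts
THRESHOLD = 3                    # assumption: distinct users changing passwords in one department


def parse_auth_log(text: str) -> list:
    """Parse 'ISO-timestamp user department event' lines into tuples."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, dept, event = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, dept, event))
    return events


def password_change_bursts(events) -> list:
    """Sliding window per department; returns (dept, first_ts, last_ts, users) per alert."""
    by_dept = defaultdict(list)
    for ts, user, dept, event in events:
        if event == "PASSWORD_CHANGED":
            by_dept[dept].append((ts, user))

    alerts = []
    for dept, changes in by_dept.items():
        changes.sort()
        start = 0
        for end in range(len(changes)):
            # Shrink the window from the left until it spans at most WINDOW.
            while changes[end][0] - changes[start][0] > WINDOW:
                start += 1
            users = {u for _, u in changes[start:end + 1]}
            if len(users) >= THRESHOLD:
                alerts.append((dept, changes[start][0], changes[end][0], sorted(users)))
                break   # one alert per department is enough to open an investigation
    return alerts


# Constructed sample log (not a real capture).
AUTH_LOG = """
# timestamp            user   dept     event
2024-03-04T10:02:11    alice  finance  PASSWORD_CHANGED
2024-03-04T10:09:40    bob    finance  PASSWORD_CHANGED
2024-03-04T10:15:05    carol  finance  LOGIN_OK
2024-03-04T10:21:57    carol  finance  PASSWORD_CHANGED
2024-03-04T14:30:00    dave   legal    PASSWORD_CHANGED
2024-03-05T09:00:00    erin   legal    PASSWORD_CHANGED
"""

if __name__ == "__main__":
    for dept, first, last, users in password_change_bursts(parse_auth_log(AUTH_LOG)):
        print(f"{dept}: {len(users)} password changes between {first:%H:%M} and {last:%H:%M}: "
              + ", ".join(users))
```

The finance burst (three users in twenty minutes) is flagged; the two legal changes a day apart are not. In practice the alert is most useful when joined against the ticketing system: a cluster of changes with no matching helpdesk tickets is the signature of someone else playing helpdesk.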

Knowing is half the battle

The previous slides are all examples of social engineering assignments taken on by Trustwave.

"It’s these kinds of services that help businesses defend against the latest threats and stay ahead of the criminals. Businesses should also have other security controls in place to help protect them from an attack," Drier says.

"These include anti-malware technologies that can detect and filter out malware in real-time, network access controls that limit network access to only those who need it, web application firewalls to block attacks and segment critical from non-critical data, intrusion detection and prevention controls and others.

"Another important layer of defense – people. Employees and management should go through security awareness education training to better understand best security practices."