All Social Engineering techniques are based on flaws in human logic known as cognitive biases . For this reason many social engineering techniques are based on simple but very effective cons that have been
adapted to work within the bounds of the computing industry. The main difference between the old cons and the new adapted versions is that the
victims very rarely have the opportunity to see their attacker, since most communcation between the two is done via the internet or the telephone.
In all case the scam is essentially the same, the attacker, pretending to be something other then what he really is, starts a communication with
the victim and requests/steals personal information such as banking info, credit card info, secret questions, logins and passwords. Although, most
of these techniques are essentially the same, there are many different ways to accomplish the same goal and the next section will discuss proven
techniques that have been used in the past.
The techniques discussed below will include those that have been around for centuries and newer ones that rely on computing technology and malicious
Physical attacks are those attacks where the user gains access to a building and simply walks out with hardware, or is able to log into a network from
a workstation within the company. These attacks require a very bold attacker and are not as common out in industry where many offices require passcards
and have security cameras but still occur on school campuses worldwide, where students are often allowed access to all points on the campus and where
seeing a person walking with a laptop or logged into a computer station is a common site.
Quid Pro Quo
Quid pro quo is one of the oldest tricks in the book of cons and basically means that the victim gives something away to get something they might want.
There are two ways to go about this in the Information Technology (IT) community, the first involves the attacker offering the victim something of little
value, such as a pen or even something as exciting as a t-shirt, or the attacker might only offer a chance to win something of higher value, such as a
car, in exchange they will require the victim fill out a quick survey, in which questions regarding password information, company of employment and user
logins will be included.
The second way to do this is for the attacker to pretend to work for technical support and continuously call employees until
they find one that needs IT help, the odds of this happening within a large corporation are very high. Once a victim is found the attacker will request
the important personal information that will allow them access to the system.
Trojan horses, as the name implies, is much like the mythical trojan horse that the Greeks used to destroy Troy except that the horse is replaced with
an application and the 3000 Greek warriors are replace with a malicious, information gathering piece of software. The
application will be labelled something that the user may find interesting and the malicious software will install itself when the victim opens the
application. The software will gather information and send it back to the attacker. Once the attacker has the information, they can then use that
information in any way the choose.
Pretexting is, simply stated, an extremely elaborate lie, in which the attacker creates a scenario (the pretext) that will hopefully persuade a company
to give them confidential information about a victim. Often the attacker needs only to gather a lot of easily accesible information about the person
they are pretending to be, such as the person's name, their mother's maiden name, their date of birth, their Social Security number, etc, before
calling a company with their story to try and gain access to the users account information. In the United States, it is often the case that a company
uses only that information to authenicate a user, in which case, once the attacker has that data, they have total access to the victim's information.
If the company uses more advanced authentication methods, the attackers objective is to get a business to give them the access numbers, passwords and
other information that is not so easily accessible. This technique is often used by private investigators to obtain information that they need as
evidence, such as phone records. Even scarier to the victim is when this information is then used to make changes to or to withdraw money from an
account, which once the attacker has all the data that the company has, is quite easy.
Attackers, instead of pretending to be the victim, can also sometimes pretend to be someone else with ties to the victim or within another company
that might have some autority or right-to-know. The attacker could pretend to be family of the victim, a co-worker, an insurance agent, a bank employee,
the police or medical personal. The attacker still must conduct a lot of research to be able to answer authentication question that will be asked by
the organization that they are trying to gain access to but in some cases this information is easier to get, or easier to fake.
Phishing is a relatively new technique within social engineering as it only applies to email. The email appears to come from a legitimate business, in
some cases if the attacker has done some research or gets lucky, one that the victim regularly does business, such as a bank, credit card company or
online poker site. This email will request some kind of verification from the victim, such as an account number, PIN number or password and threaten
some kind of consequence if the victim does not comply, such as locking/seizing the victims funds or charging some sort of fee. The email notification
will often contain legitimate logos and look like many letters or emails that the organization frequently sends out. In some cases it may even contain a
link to a website that looks like a page of the company's website.
A road apple is a real-world variation of a Trojan Horse that uses physical media and relies on the curiosity of the victim. The attacker leaves a
malicious piece of media such as a CD or USB key in plain view in a public location where it is sure to be found, such as on the victims desk, in a
staff room, or as public as the sidwalk. The files on the media would be legitimately labelled and could contain legitimate information but would hide
a program that can send information to the attacker.
Since many of the above techniques can give an attacker vital information, not only of the victim, but of the entire computer network within a company
which would undoubtedly hold many trade secrets, it is of vital importance that the network is protected by these threats. Since the point of access for
the social engineer is the users of the network it is important to protect the users from themselves.
Lack of awareness is the most valuable tool in the social engineers arsenal, if a user is unaware of the current scam or of the threat of social
engineering itself, it is equivalent to leaving a computer in a public place with all the company files on it and forgetting to password protect it.
It is the security officers responsibility to be aware of the threats themselves and pass those warnings on to the users of the company's network. The
users must be informed of the dangers of giving out their passwords or of giving out confidential information to someone over the phone.
Many companies have security policies already in place but they need to be extended to include ways to combat social engineering techniques. Security
officers need to clearly outline that information that is not allowed to be shared with an outside caller, IT technician, or otherwise. Each employee
needs to be told how IT problems, lost passwords or other problems that occur regularly are to be handled. The policies should outline that no employee
should ever give out their password, login, or ID to anyone, regardless of the situation.
The hardest part about preventing social engineering attacks is that a lot of companies, especially banking institutions, have some sort of online or
telephone help line, where clients can log/call in and make changes to account information. Of course this is of huge security concern for any company
and to counter this concern most have a long list of questions that a client must answer before any information from the company to the client will be
exchanged. The biggest problem with this is that most of the questions that the company has the user answer have answers that can be found out through
public media, such as a mother's maiden name, or social security number, etc. Companies need to find a better way.
For this reason every securities policy within an organization should introduce policy that makes it mandatory for ever user of the system, client,
employee, or otherwise to have a discrete password, known only to them. This policy should also be extended to include regulations on what types of
passwords clients or employees can use, and ensure that the company has the technology that allows passwords to be entered discretely. That way no one
within the company will have access to the passwords of the clients and therefore will not be able to give them out.
The last part of introducing policy to combat social engineering is introducing ramifications if the policy is violated. If an employee bends or breaks
the policy in any way the ramifications should be severe. In a world where almost all information is stored in a computer, access to these computers is
of utmost importance, if an attacker gains access to a network, they should be treated as equals to the attacker.
- Mitnick, Kevin; Kasperavicius, Alexis: "Certified Social Engineering Prevention Specialist Course Workbook", unit 3. Mitnick Security Publishing, 2004.
- StationX Images. "Social Engineering" http://www.stationx.net/images/social_engineering.jpg. Retrieved 2007/04/02.
- Wikipedia. "Trojan Horses." http://en.wikipedia.org/wiki/Trojan_Horse. Retrieved 2007/03/28
- Wikipedia. "Social Engineering." http://en.wikipedia.org/wiki/Social_engineering_%28security%29#See_also. Retrieved 2007/03/28.
- Granger, Sarah. "Social Engineering Fundamentals, Part I: Hacker Tactics." http://www.securityfocus.com/infocus/1527. Retrieved 2007/03/28
- Granger, Sarah. "Social Engineering Fundamentals, Part II: Combat Strategies." http://www.securityfocus.com/infocus/1533 . Retrieved 2007/03/28.
Created by Jason Messier
This page was last modified on April 2, 2007