ITS 4550 - Fraud Prevention and Deterrence


Chapter 13, Social Engineering

This lesson presents some material from chapter 13. Objectives important to this lesson:

  1. Social engineering definition
  2. Forms of social engineering
  3. Technology and social engineering
  4. Protecting passwords
  5. Social engineering and social networking
  6. Working a system
  7. Watching for danger
Concepts:
Chapter 13

The chapter begins with a bit of hope, telling us that the entire world is not against us. Then it begins a discussion of what I think has become the favorite topic of many authors: social engineering. We seem to find a chapter about this topic in every security text, so you have probably read several authors' ideas about it by now. Let's see what these authors can give us.

Social engineering, regardless of any technical aspect of the attack, means an attack in which the attacker relies on a victim to do something that makes the attack possible.The text points out that common attacks like Trojan horse programs and email attachments rely on a victim trusting that there is no attack. In that respect, those attacks are forms of social engineering. The attacker gains the victim's cooperation and the actual attack begins. A social engineer gains the cooperation of a victim which typically enables the engineer to use an exploit that will attract no attention. To the system, a reset password, a stolen ID, or a borrowed authorization all look as legitimate as any others that are being used properly by intended system users.

The text lists several categories of social engineering methods. Most require interaction with a victim.

  • phone scams - The attacker does not appear in person, but uses a story that fills the victim with sympathy, urgency, or both.
  • dumpster diving - The attacker gathers information from trash discared by a targeted organization or by its employees.
  • shoulder surfing - Potential victims are observed entering IDs and credentiails at any kind of device. This is often easily done in waiting rooms and airports, at ATMs and store checkout lanes, and at gas pumps, each of which require some kind of authenticaiton from the user.
  • social media attacks - Social media is probably the greatest curse on security in a generation. Too many people share too much information about themselves, making it easy to assemble profiles about them that can be used to steal their money and their identities.
  • persuasion/coercion - A primary aspect of social engineering is all about asking people for information they see no reason to keep secret, and help that they are already willing to give. The following is a list of six attitudes/approaches a social engineer might take when making a request for a password change.
    • Authority - pretend to be someone who has the right to make the request
    • Intimidation - in an oppressive environment, it may be easy to use fear of what would happen if the request is not granted
    • Consensus/social proof - tell a believable lie that others have granted this request in the past
    • Scarcity - tell the victim that you are short on time, or you have to get this before it can't be done
    • Urgency - tell the victim that you need this right now, and that you will complete the red tape later
    • Familiarity/Liking - act like one of the family, especially one who appreciate the work the victim does for the company
    • Trust - use details about the organization to make it seem like you are a part of it

    Someone who is practiced in manipulating people may be able to choose between these approaches easily, based on the attitude of the person on the other end of the phone, email, or messaging application. A skilled operator may be able to do much more if the can manipulate the person they are working on. Offering the person coffee, chocolate, or other simple gifts may make it easier to get them to do what you want.

Basic information about a target or a work site may be obtained from documents on a public facing website, a Facebook site, unshredded trash, or a phone call to the right person. This is some general advice from successful social engineers:

    • Ask for a little information from each of several people, building your required knowledge base without alerting the victims
    • Ask for what the victim is likely to be able to provide; don't ask for something inconsistent with the victim's job or role
    • Be pleasant and flattering, but in moderation
    • Don't ask for so much that it raises suspicion about you
    • Asking for help often triggers sympathy, thanking the victim helps them believe they have done something good

The best approach is to be a good actor, and to find the key to getting the right response from the victim. Take a look at this blog about acting. On the page that link leads to, there is some good advice about portraying emotion. In the context of this discussion, imagine yourself as the unsuspecting victim. Imagine the actress in the photos on the right as the grifter. Which of her expressions is the one you relate to the most? Which is the one you want to help? Now, what do you look like when you react in sympathy to her? You are communicating to her that you are ready to hear and fulfill her requests. (If you can't see her face clearly enough, follow the link to her page. The photos are much clearer there, and her advice about showing emotion may be helpful to you.)

There are several other approaches that can be used by a good social engineer:

  • Impersonation - An attacker might impersonate anyone who might seem to belong in the environment being surveilled or attacked. It is common to impersonate a help desk employee when calling a victim. It is also common to impersonate an employee, a delivery person, or a repair person when the ploy calls for infiltrating a site.
  • Phishing - Phishing is the solicitation of personal or company information, typically through an official looking email. Some variations on phishing:
    • Spear phishing - sending the email to specific people, customizing it to look like a message sent to them by an entity with some of their personal information already
    • Whaling - This is spear phishing but it focuses on big (wealthy or data rich) targets.
    • Pharming - sending an email that takes the person directly to a web site (the phisher's site) instead of asking the reader to follow a link
    • Google phishing - the phisher sets up a fake search engine that will send people to the phishing web site on specific searches (presumably it returns real search results on searches that would not lead to a page the phisher has prepared)
  • Spam - Spam is not just unsolicited email. Most spam may only be looking for a customer, but some spam is sent with the intent to steal, abuse, and sell the payment information that a person might volunteer to provide.
  • Hoaxes - In the larger sense, all social engineering involves a hoax of some kind. First the grifter finds a mark (a victim), then he tells the mark the tale, and offers the deal. A hoax is a distraction from reality, such as when the attacker pretends that there is a virus outbreak that is affecting the potential victim. It sets the idea in the victim's mind that the attacker is trying to help and should be assisted in his/her efforts.

On page 309, the text turns to some thoughts about using technology more defensively. Despite the topic, the suggestions will do little to counter social engineering.

  • use pop-up blockers in your browsers to avoid trouble
  • let your antivirus and antimalware products warn you about unsafe web sites
  • actually turn on the web protection features of your antivirus and antimalware tools
  • update all applications and products with suggested security updates
  • browse anonymously when possible to avoid leaving traces
  • avoid free wifi, since it is often unencrypted
  • don't access secure web sites except in private; don't invite shoulder surfing

In the section about passwords, the advice applies better to social engineering:

  • don't use passwords or security hints that people can guess or look up about you
  • if you don't know what the Internet knows about you, do some research and find out, then choose to never use publicly available information to protect your data
  • if you are using a social networking site, WHAT THE HELL ARE YOU DOING THAT FOR? Do we have your attention now? Review pages 314 through 321 for some scams that have shown up on social networking sites, and in plenty of spam emails.

 

Assignments

  1. Continue the reading assignments for the course.
  2. This week lot's of things seem to be due.
  3. Complete and submit outstanding assignments.