I often work with clients who have been victimized by social engineering. These tactics are at the core of the bag of tricks attackers use to gain access to, and exploit, sensitive information. What exactly is social engineering? The Merriam-Webster dictionary is a little behind on its definition of the phrase, stating: “management of human beings in accordance with their place and function in society; applied social science, or the practice of making laws or using other methods to influence people.” This touches on the right path, though I found that a recent commenter on the definition, CJ Johnson, put it very well: “Social engineering, as understood by someone in the IT world, is the use of sociological techniques in order to obtain without coercion, assistance or information from someone to a particular, and usually to an unethical end.” I would like to take a moment to highlight some of the common ways one might be exploited using these tactics, each of which takes advantage of faults in the way we as human beings process situations and information.


Pretexting

A woman calls your support desk, claiming to be one of your employees. You have never met this person before, though that is not unusual in the large organization you work for. She says she is on maternity leave and needs to complete some work, but cannot remote into the office and needs help. There is a crying baby in the background on the phone, and she seems frustrated and embarrassed that she has forgotten her password and locked herself out of her account. She has a deadline to meet and is already behind. You reset her password for her and provide her with the login information. This elaborate situation was completely fabricated, down to the baby, and you have just opened the gate to a stranger.

Pretexting involves fabricating a situation and building legitimacy in the mind of the victim so that they respond in the way the attacker intends.


Diversion Theft

You receive an email from a person who claims to be a consultant engaged by your executive team to review the financial reports you are preparing. Your boss appears to be copied on the email, and it is not uncommon for him to involve a third party to add value and knowledge in any given situation. You comply and send the drafts you have prepared so far for review, despite the fact that this person was never engaged by your management team and your boss was not truly copied on the email. These sensitive reports have just been exposed to a cyber-criminal.

Diversion Theft, also called the Corner Game, has been used for some time to divert deliveries of merchandise or sensitive information into the wrong hands. The attacker convinces the target that their information or product delivery is needed elsewhere, exposing the valuable material to theft.


Phishing

An email comes in from what appears to be your bank, stating that your password has changed and that, if you did not change it, you should select the link below to report the change and reset the password immediately. You feel a chill and your blood pressure climbs! Have your accounts been compromised?! You select the link immediately, which directs you to an official-looking page that asks you to type in your existing username, your password, and a new password for the account. You do so, fearing for your financial security, unknowingly handing over the very access you had intended to protect.

Phishing is the act of fraudulently obtaining private information. Typically, these attacks are launched via phone or email. They claim to be from a legitimate source you use and mimic the branding of that organization well.


Baiting

You receive an envelope containing a flash drive from one of your clients. Their quarterly financial reports are due soon, and you typically expect something from them around this time carrying a copy of their accounting software database. You go ahead and plug it into your computer, which then automatically launches malicious code that infects your system with a means of remote access, encrypts your data to extract a ransom, or serves some other malicious end.

Baiting could be considered a real-life Trojan horse that relies on internal organizational knowledge, curiosity, or greed to be executed. The physical media might be found on the ground, in a bathroom, in a breakroom, or in the mail. Typically, there is a label of some kind that piques the victim’s interest in the contents of the storage device.


Quid Pro Quo

You receive a call from technical support. Lucky for you, there have been issues all day and you would be happy to have some help fixing the problem! You allow them to remote into your computer, because that is how these issues get fixed. The person remotes in and compromises your machine with a virus.

Quid Pro Quo capitalizes on the common occurrence of technical issues: the attacker contacts many people until finding someone with an actual issue that they are expected to “fix.” Another example would be an innocent-sounding survey that asks sensitive questions in exchange for a reward.


Tailgating

You are walking into the office through the secure door after a brisk morning stroll around the building, thinking of the critical tasks that need to be completed next. A sharply dressed gentleman is close behind. There are many people who work in your building and in the surrounding areas. You wave your RFID security card and open the magnetically locked door, looking back to meet his gaze and smile. You hold the door open for him on your way in, he kindly thanks you for your courtesy, and you share a moment of human kindness. You go back to your desk thinking nothing of it, when, unbeknownst to you, this person was not authorized to be in the building and was there to compromise information security.

Tailgating attacks rely on common courtesy to gain access to secure areas, knowing that many people will not question someone in professional or uniformed dress. The attacker may even pretend to have an access card or official ID, though they are not affiliated with the organization.


Technology fraudsters will often use the above techniques, and more, for nefarious, self-serving ends. This can entail configuring a public Wi-Fi access point with a common name to trick users into joining the network, only to have their internet traffic sniffed, or their credit card information stolen while the attacker masquerades as a paid wireless access point. They may also employ hoaxes about a computer virus, required software, or an update, convincing the user to take action by installing malicious software on their computer. Another possible avenue for exploitation involves blackmailing a victim, demanding money in exchange for not leaking sensitive information that the attacker may or may not actually have. It is important to maintain a healthy amount of skepticism and vigilance by checking in directly with collaborators, asking questions, and verifying identities in these situations. There are many ways these threats can be mitigated through proper technology leadership, policies, and training.