Social engineering – hacking humans, if you will – is one of those sexy topics that comes up from time to time, usually in the form of a warning: “Beware of the social engineers!” But what is it?
Logan and I did two podcast episodes on social engineering. Part one goes into the different tactics used by social engineers. The more we talk about what they are, the better we can protect ourselves from having social engineering used against us maliciously. And who knows, maybe we can get an upgrade using it ourselves?
Let’s start by breaking it down a bit.
Social engineering focuses on targeting people rather than computers, and it relies primarily on individuals or groups of people breaking security procedures, policies, and rules. Really, a social engineer’s job is to find and exploit human weaknesses and behaviors to accomplish their goals. This can be done in person, over the phone, by text message, by email, or through any other method where you can engage with the target. It requires a good understanding of human behavior and human weaknesses – you want to persuade your target to provide information or access that will allow you to succeed in your goals, such as during a penetration test or “Red Team” engagement.
Now let’s take a look at some tactics used by social engineers. Note that these are described primarily from the perspective of performing a penetration test.
- Trust: trust is at the foundation of most social engineering attacks. The easiest way to get someone to do what you want is to build trust. And remember, most individuals unconsciously want to trust others – we really do tend to think the best of others.
- Reciprocation: this is going to rely on the target feeling indebted to you, or that they need to return a favor.
- Authority: focuses on making the target believe you have the power or right to ask them to perform actions or provide information. Think about how official someone looks when they’re walking around with a clipboard (and some confidence!).
- Urgency: this is the sense that an action needs to be performed – now (or else).
- Fear: fear that something will go wrong, or that the target will be punished if they do not respond or help in some way.
- Likeness or similarity: people want to belong, they want to feel liked; finding a common denominator with your target is a simple means of building trust. Does your target love the Chicago Blackhawks? Wear a Blackhawks shirt (and make sure you know at least some of their history or some unique facts).
- Social proof: this relies on persuading your target that they should do something because other people have behaved similarly. Think of it like guilting someone into doing something “because everyone else does it”.
- Scarcity: this is related to a fear-based approach, but focuses on there being fewer rewards or opportunities, requiring someone to act fast. Anyone remember the Great Toilet Paper Scare of 2020?
- Helpful nature: my personal favorite, this is people’s inherent nature to be good people and to help others.
Now that we’ve addressed some of the tactics used in social engineering, let’s break it down into in-person vs. computer-based social engineering. Each method requires a different skill set, but both require a good understanding of the target.
In-person social engineering gives us the ability to read our target’s body language and use it to our advantage (or disadvantage). Some of the better-known in-person methods include:
- Elicitation: by definition, elicitation is getting information without directly asking for it. Magic. Right? Well, not exactly. Typically, asking for information directly can arouse suspicion. If someone asked you what your password was, you’d probably tell them off, wouldn’t you? Well, what if they ask about your pets, or when your birthday is, or where you’re from? Those are somewhat innocuous questions that could arise in a normal conversation, but they provide quite a bit of personal information. Elicitation is all about asking questions or talking about seemingly unrelated topics that lead a person to reveal the information you are looking for. One of the best ways to do this is through open-ended or leading questions.
- Interrogation and interviews: in an interrogation, you (the social engineer) ask most, if not all, of the questions, which is also likely to make the target less comfortable. Interview questions, on the other hand, typically put a person more at ease. Think about the difference between a cop show and an interview on an Anthony Bourdain episode.
- Impersonation: essentially, disguising yourself as another person to gain access to facilities or resources. This could involve claiming to be a staff member or wearing a uniform and presenting a false or cloned badge or ID.
- Shoulder surfing: this is truly just watching over someone’s shoulder to get information like passwords or access codes. I see this at coffee shops when I set up behind another table and can watch everything that person is doing, watching people enter their cell phone passcodes, or even in an office building when someone swipes their badge and enters a PIN. Sometimes you don’t need to be a cyber nerd who cracks passwords when you can just watch someone enter one themselves.
Social engineering over a computer allows us a little more flexibility (in methods, timing, targets, etc.). Instead of spending hours looking for a software vulnerability to exploit, as a “hacker” would, a social engineer is more likely to pose as a support technician and trick an employee into handing over their login credentials.
- Baiting: this involves leaving something for someone to find, relying on an individual’s curiosity. For example, leaving a USB thumb drive (or two or three), loaded with malware of course, in a commercial parking lot and waiting for someone to see it and plug it into their computer to see what’s on it, thus introducing malware into the computer or network. Bonus points for labeling the USB thumb drive “Confidential” or “Bonuses”.
- Phishing: probably one of the most prevalent methods of obtaining information from an unwitting victim. All it requires is sending an email to a target, sometimes with a link to click or an attachment to download, or simply questions to answer.
- Email hacking or contact spamming: how much more likely are you to read an email that comes from someone you know? A lot, I’d assume. This is something we see from criminals who have gained access to an email account and then send mass emails to the entire contact list, hoping to compromise additional accounts.
- Watering hole: compromising a website by modifying its code to include malware. This can be done in the code of the site itself, or in code from ads or plug-ins. Now, when a target visits that site, it serves malware without the target knowing.
- Cloned website: just as it sounds, creating a replica, aka clone, of a website. It will appear to be the real website, but it will instead capture any data that is entered and either pass it along to the real website (while keeping a copy for the attacker) or redirect the user elsewhere. This is a great way of obtaining login credentials, and as easy as copying and saving the site’s code and then using a tool such as the Social-Engineer Toolkit.
Social engineering isn’t always malicious. Penetration testers and Red Teamers use it all the time in their attempts to compromise a site or network. I’ve seen it used at bars, at the airport, or anywhere someone is just trying to get something for a discounted price. Negotiation is social engineering to an extent. Want to get someone’s number at a bar? Use some of the tactics I mentioned above. But remember, it’s going to take practice to get it “right”; you want it to feel natural. And yes, the “bad guys” use it all the time, so we should be able to recognize when someone is trying to social engineer us.
Originally posted on www.allymarie.net