Breaking bad and good habits
Understanding social engineering is the first step to overcoming it. Danny Bradbury reports
Complicated malware infections and cross-site scripting attacks are great techniques to compromise a company, but why use them when you can whisper in someone’s ear instead? Some of the most successful attacks involve nothing more than a phone, some self-confidence, and an innate understanding of what makes people tick.
Successful data breaches need not require expensive technology, massive deceptions, or even expertly faked credentials. Sometimes all it takes is a phone call to the help desk and a request for assistance logging in. You do not even have to be a legitimate user if you are convincing enough.
Social engineering is one of the least expensive, most powerful tools in a hacker’s toolbox. In the SC Media Special Report My Friend My Enemy, we surveyed the social engineering landscape. In this report, we venture deeper into the topic and detail the reasons why it works and how to defend against it.
Social engineers have two primary goals, according to Steve Healey, chief technical officer at social engineering and security consultancy Pratum. The first is to obtain information. “Depending on the business and the industry there are all kinds of information with different values assigned to it,” Healey says, adding that customers’ records can be a high-value target in industries such as healthcare.
He also sees an increase in corporate espionage, as social engineers manipulate people inside companies to steal intellectual property and other confidential data.
Other goals are as simple as theft or malicious mischief. Sometimes it is financial theft, hijacking a company’s money transfer processes and diverting funds to an attacker’s account; other attacks are ideologically motivated. “Someone might want to target a particular organization because of some vendetta or hacktivist claim,” he adds.
Sometimes social engineering attacks are part of a broader campaign, he notes. Manipulating employees might increase the chance of successfully installing ransomware, again a crime of financial theft.
On rare occasions, the attack might be part of a diversionary tactic to misdirect a company’s resources away from another, high-value attack.
No matter what the goal, the successful social engineer will pursue it by getting inside someone’s head, says Shawn Moyer, CEO and founding partner of penetration testing firm Atredis Partners. Social engineering is a big factor in his penetration testing and red teaming practice where his consultancy works with corporate management to find vulnerabilities in a company’s defenses.
“People tend to like people who are like themselves,” he says. “If you’re doing social engineering in Utah and you’re not a Mormon, there are little pins you can buy on Amazon that Mormons all use to identify themselves to each other,” he says. Using these pins as an example, he adds: “If you’re walking around a building and you have a pin like that, people will be more likely to respond.”
Making someone like you by finding common ground is one of several principles from one of Moyer’s favorite books: Influence: The Psychology of Persuasion, by Robert Cialdini, a former Stanford professor of marketing, business and psychology. In the book Cialdini categorizes several techniques used to influence people, such as social proof (doing what you see others doing), along with enforced scarcity (limiting the time that you give someone to respond to a request).
This psychological manipulation is the basis of all social engineering, Moyer says, pointing out that the term was popularized by business leaders who wanted to manipulate their employees en masse to improve performance. In fact, social engineering has much deeper roots. Dutch industrialist Jacque Marken coined the term more than a century ago in the 1890s as a way to describe a method of improving what was wrong in the world’s social environment.
Today’s attacker hacks their target’s psychology in similar ways that marketers do, exploiting innate desires and fears to achieve a set goal. “It’s the overlap between social sciences and dirty applications,” Moyer says.
Psychological manipulation is where UK-based social engineering consultant Jenny Radcliffe focuses her efforts. As a teenager, she says she would spend her time infiltrating buildings for kicks with her friends to stave off boredom and earn bragging rights. As an adult, she focused her attention on human psychology and eventually became a negotiation trainer. She quickly began mixing these skills to conduct penetration tests for corporate clients, teaching them how to protect themselves from low-tech, old-school con artist attacks.
Radcliffe is an expert at exploiting a company’s biggest weakness: its employees. “I talk about three M’s: Mistake, mischief, and malice. They are the three kinds of insider threat,” she says.
Individuals will often help her towards her goal by unwittingly providing her with sensitive information. She can also manipulate employees to help her by playing on their weaknesses. “There are a lot of people who are not happy in an organization and whose level of loyalty to the company is quite low,” she says. These can be excellent targets for an attacker hoping to get someone on the inside working for them. If all else fails, malicious manipulation of an employee through blackmail is an option, although this is a slower process. She draws an ethical line here when engaging in social engineering tests for clients.
Before she does any of that, though, Radcliffe spends a lot of time simply observing the company, people and processes. She begins most social engineering jobs with a reconnaissance phase. “Once hired, I would look at an organization as a business first. I look at its culture and setup. It’s a macro analysis,” she says. These are the same techniques that she uses in negotiation research.
She reads articles and reports that help her understand how the company celebrates its successes and how it treats employees who fail. She analyzes how the company markets itself, how it grows, and identifies its competition. It gives her a picture of the kind of person that works there. She does all this before she singles out a selection of individual targets.
“Those would be people who are chatty on social media. Those who have left the company, too. I try and narrow it down to between a dozen and 20.”
Advanced reconnaissance helps Radcliffe to prepare her for all future interactions, including physical intrusions.
“By the time I make that initial contact or turn up at that site, I already know as much as any outsider could know and probably a bit more about that company so that it’s natural for me to be there. It’s not a big ask because I’m already familiar with everything that goes on.”
Radcliffe will often use social media to find a person’s weaknesses. She has found evidence of employees’ unusual sexual proclivities online, and also sees staff members consistently posting on social networks about how much they dislike their jobs. Each of these could be exploitable in different ways by a malicious actor, she says.
Moyer’s approach often includes looking for people on the fringes of a company when he is identifying targets. “I go for remote workers, branch offices, and small locations. They won’t be as consistently enforced and inculcated into the culture as the people in headquarters,” he says.
Moyer researches individual targets heavily on social media. He surfs Facebook, Instagram and other social media accounts looking for useful assets. Some people post their business card on their timeline to celebrate a new job, he says. Others scan receipts or other documents using their phone, unwittingly storing them on a public cloud account in the process. Physical access to a building can itself be a useful form of surveillance. If an attacker wants to access digital resources, then stealing a laptop from inside the office is often a great way to do it, explains Moyer. To do this, he uses another of Cialdini’s psychological manipulation techniques: authority.
Social engineers convey authority by merely wearing the right outfit. Moyer has a collection of telecom worker overalls in his office and can often be found walking through a target’s corridors in a uniform with a company logo, having tailgated his way into a building. This gives him access to building layouts and contents. Most people won’t question him because they assume he’s working there, he says.
Some social engineers go for old-fashioned dumpster diving during the reconnaissance phase. Healey uses this old-school hacker technique to find useful insights into a company. This might include anything from a list of employee IDs to a staff directory; even an email printed off with a list of recipients can be helpful when mounting an attack.
Phishing for secrets
Armed with reconnaissance information, the savvy social engineer will then mount an attack on a target. This happens in several ways, but phishing is the most prevalent, experts agree. In many cases, phishing attacks target financial gain. Business email compromise (BEC) scammers either spoof a senior executive’s email account or use stolen email credentials to hijack the real account.
They then email another executive within the same company or at a supplier, asking for an urgent wire transfer to solve a fake problem such as an outstanding invoice. The victim faithfully sends the money straight into the attacker’s bank account.
These social engineering attacks are now rampant. In February 2018, researchers from a major systems manufacturer identified a massive BEC campaign targeting Fortune 500 companies designed to trick victims into fraudulent wire transfers. The attack started in the fall of 2017 with spear phishing emails that told victims their signature was required on a document about stocks they owned. A fraudulent “DocuSign” portal was used to collect the confidential data. The attacks are believed to have generated hundreds of millions of dollars for the attackers, the vendor’s report said.
In the past, phishers simply altered the headers of their emails to spoof a legitimate address, explains Chris Hadnagy, CEO at Social-Engineer and author of several books on social engineering, including Social Engineering: The Art of Human Hacking. Today, companies use technologies such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to help thwart those attacks. SPF checks the IP address that delivered the message against a list of authorized senders published by the sending domain. DKIM uses a private/public key pair: the sender signs selected message headers with the private key, and the receiver verifies that signature with the published public key. Finally, messaging parties can use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol to indicate that they are using SPF and DKIM to protect their messages.
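The following is an added example, not code from the article or from any of the people quoted in it. It shows how a receiving mail server combines the three mechanisms above: it evaluates the sending domain's SPF record against the connecting IP address, reads the signing domain out of the DKIM-Signature header, and applies the DMARC policy of the domain in the visible From header, including DMARC's requirement that the SPF or DKIM domain align with that From domain. The `DNS_TXT` table, the domain names, the message headers and all function names are constructed for the example; the cryptographic DKIM signature check itself (an RSA verification against the key in `<selector>._domainkey.<domain>`) is not reimplemented here and is passed in as the `dkim_verified` flag.

```python
import ipaddress
from email.utils import parseaddr

# Constructed DNS zone holding only the TXT records the example needs.
# The domains are placeholders, not real deployments.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none",
}


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (DMARC record, DKIM-Signature header)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def spf_check(domain, ip, depth=0):
    """Evaluate the domain's SPF record for a connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. Only the ip4,
    ip6, include and all mechanisms are implemented; that is enough to show
    how the published list is walked in order and how the qualifier on the
    first matching mechanism decides the result."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include: passes only if the referenced domain's record passes
            matched = spf_check(arg, ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def org_domain(domain):
    """Crude organizational domain (last two labels); fine for the sample data."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(d1, d2, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return d1.lower() == d2.lower()
    return org_domain(d1) == org_domain(d2)


def dmarc_evaluate(headers, envelope_from_domain, sender_ip, dkim_verified):
    """Return (disposition, details) for one message.

    disposition is 'pass', or the domain's requested action ('none',
    'quarantine', 'reject') when neither SPF nor DKIM passes *and* aligns
    with the From domain. dkim_verified is the outcome of the real
    signature check, supplied by the caller (assumption of this example)."""
    _, from_addr = parseaddr(headers["From"])
    from_domain = from_addr.rpartition("@")[2]
    policy = parse_tags(DNS_TXT.get("_dmarc." + from_domain, ""))
    if policy.get("v") != "DMARC1":
        return "none", "no DMARC policy published"
    spf = spf_check(envelope_from_domain, sender_ip)
    spf_ok = spf == "pass" and aligned(envelope_from_domain, from_domain, policy.get("aspf", "r"))
    dkim_tags = parse_tags(headers.get("DKIM-Signature", ""))
    dkim_ok = dkim_verified and aligned(dkim_tags.get("d", ""), from_domain, policy.get("adkim", "r"))
    details = f"spf={spf} aligned={spf_ok}, dkim aligned={dkim_ok}"
    if spf_ok or dkim_ok:
        return "pass", details
    return policy.get("p", "none"), details


# Constructed sample messages: a signed message from the domain's own relay,
# and a forged one that copies the From header but carries no signature.
LEGIT = {"From": "CFO <cfo@example.com>",
         "DKIM-Signature": "v=1; a=rsa-sha256; d=example.com; s=sel1; bh=<hash>; b=<sig>"}
SPOOF = {"From": "CFO <cfo@example.com>"}

if __name__ == "__main__":
    print(dmarc_evaluate(LEGIT, "example.com", "203.0.113.5", dkim_verified=True))
    print(dmarc_evaluate(SPOOF, "example.com", "192.0.2.77", dkim_verified=False))
```

The forged message fails because the connecting address is not in the published SPF list and there is no aligned DKIM signature, so the receiver applies the `p=reject` the domain asked for; a domain that only publishes `p=none` gets the same checks but no enforcement, which is why a spoofed From header on such a domain still reaches the inbox.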
That’s all very well, says Hadnagy, but it doesn’t stop more nefarious phishing methods. These include registering domains that look like legitimate ones at first glance. “Our eyes fill in gaps that we expect,” Hadnagy says.
For example, let us assume an attacker creates an email using the standard OpenType font Cantoria MT Std found in Microsoft Word and other popular word-processing applications. In that email, the attacker is trying to send a victim to a fake website that looks like a valid one. If the site, for example, was app1e.com, it would be almost impossible for the recipient to realize that the site is not actually Apple Inc.’s apple.com site. In the font Cantoria MT Std, the number 1 and the lower-case L look virtually the same — 1 and l. Can you tell which is which? (As of this writing, the domain app1e.com is for sale for $3700 and is not owned by Apple.)
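Because the eye fills in the gap, the defence has to be done by software that does not. The example below is added here and is not from the article: it reduces a domain to a visual "skeleton" in which characters that read alike are mapped to one canonical form, so that app1e.com collides with apple.com before any font is involved. It goes beyond the 1/l case in the text to other same-font confusables (0/o, I/l, rn/m), accented Latin letters and a handful of Cyrillic letters that look identical to Latin ones, and it adds an edit-distance check for plain typos. The `PROTECTED` list, the `CONFUSABLES` table and the function names are constructed for the example; a production mapping would use the Unicode consortium's full confusables data.

```python
import unicodedata

# Brand domains a mail gateway should guard against lookalikes. Constructed list.
PROTECTED = ["apple.com", "paypal.com", "example.com"]

# Characters that read alike in common fonts, mapped to one canonical form.
# Multi-character entries are applied first. Small hand-built subset.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "1": "l", "0": "o", "i": "l", "|": "l", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}


def skeleton(domain):
    """Map a domain to its visual skeleton so that lookalikes collide."""
    d = unicodedata.normalize("NFKC", domain.lower())
    # Drop combining marks so accented letters fall back to their base letter.
    d = "".join(c for c in unicodedata.normalize("NFKD", d) if not unicodedata.combining(c))
    for multi in ("rn", "vv"):
        d = d.replace(multi, CONFUSABLES[multi])
    return "".join(CONFUSABLES.get(c, c) for c in d)


def levenshtein(a, b):
    """Edit distance, used to catch typosquats the skeleton does not collapse."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (verdict, protected_domain) for a link host found in a message.

    'exact'     - the protected domain itself
    'lookalike' - same skeleton as a protected domain (homoglyph swap)
    'near'      - within two edits of a protected domain's skeleton (typosquat)
    'unrelated' - none of the above"""
    sk = skeleton(domain)
    for p in PROTECTED:
        if domain.lower() == p:
            return "exact", p
        if sk == skeleton(p):
            return "lookalike", p
    for p in PROTECTED:
        if levenshtein(sk, skeleton(p)) <= 2:
            return "near", p
    return "unrelated", None


if __name__ == "__main__":
    # Constructed link hosts as they might be extracted from a suspect email.
    for host in ["apple.com", "app1e.com", "paypaI.com", "p\u0430ypal.com",
                 "appel.com", "scmagazine.com"]:
        print(f"{host:16} -> {classify(host)}")
```

The skeleton is applied to both sides of the comparison, so a legitimate domain containing an `i` or a `0` is collapsed the same way as the lookalike and still matches itself; the cost is that some unrelated domains collide, which is why the verdict is a signal for a gateway to flag or rewrite the link, not an automatic block.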
Psyops on the Phone
“Vishing” (voice phishing), also known as pretexting, is another favorite tool. Attackers misrepresent themselves on the phone and use psychological manipulation to achieve their goals.
Pretexting is easier than phishing because phone numbers are notoriously easy to spoof, warns Hadnagy. “This has increased 100-fold. Voice servers are cheap and easy to set up,” he says. “Phone lines are still basic, so whatever [number] I shove down the phone line is what pops up on your phone. I can change my phone number to yours. There’s no authentication in the phone system.”
Criminals can use pretexting to siphon funds directly from their targets. In December 2013, crooks telephoned the CFO at U.K. hedge fund Fortelus Capital Management on a Friday night, pretending to be from its bank, Coutts. The caller warned of potentially fraudulent activity and asked the CFO to generate access codes using his smart card. The attackers then transferred some £742,668 ($1.2 million) from the Fortelus account to a variety of other accounts. The company later dismissed and sued its CFO.
Pretexting isn’t unique to cybercriminals; it is used in corporate investigations and espionage, too. Hewlett-Packard admitted that an agency it hired might have used pretexting to obtain access to its own directors’ phone records in 2006.
Following the rules
Having security policies and procedures in place to protect the company is a fundamental requirement, say experts. Always wearing a security badge while in the building and verifying someone’s identity before giving out sensitive information should be standard procedure, but even that is not foolproof; a smart criminal can duplicate security badges as well. The real trick is getting users to follow the policies, says Moyer. Part of that involves using the same psychological techniques on employees, he suggests. “When you’re creating an awareness program and building resilience against different techniques, you’re trying to modify people’s behavior,” he explains.
As an example, he uses another of Cialdini’s psychological pillars: Commitment and consistency. This technique relies on an individual’s need to live up to what they have publicly said they will do and have written down. Making someone declare that they are a custodian of sensitive data and that their job matters — and to feel that sense of responsibility — is a powerful tool, he asserts. “When you train someone that they have those feelings of responsibility and accountability, you’re setting up commitment and consistency.”
Social engineering’s low barrier to entry has always been part of the allure of the attack. As companies improve their technical protections, social engineering is becoming a go-to technique for criminals and spies. While technology protections grow stronger, human weaknesses stay the same. The challenge companies face today in reducing vulnerabilities is not only becoming more secure by breaking bad habits that some employees have, but breaking some good ones too.