Social Engineering is the art of manipulating and exploiting human nature. It is a craft of manipulating people into performing certain tasks or revealing information that violates security. Oftentimes a social engineer will construct certain situations where a victim will be guided to respond in a specific desired way due to the social context of the circumstance. Within the scope of security, humans are the weakest link in every organization. We are easily duped by our own nature. As humans, we tend to follow a herd mentality and always aim to fall in line with appropriate social norms. For the social engineer or con-artist, it is these inherent qualities that are their biggest marks.
The reason why social engineering is such an effective attack is because they circumvent traditional IT countermeasures. Instead, the best way to defend against social engineering attacks is through user training and awareness.
When personnel understand the purpose of cybersecurity, how it applies to strategic goals, and what impact it has – they can develop confidence in their ability to evaluate threats that seem out of place and contribute to the organization wide goal of security.
Here we will look at two different examples of social engineering attacks. First, perhaps the most pervasive modern social engineering attack: “phishing” by way of e-mail and it’s SMS cousin, “smishing.” Targeted phishing attacks have become easier with social media providing a deep well of information for open source intelligence gathering. An adversary might use LinkedIn to find employees of a certain target company to better craft an e-mail that is most fitting and least suspicious. While some of the “You’ve won a million dollars!” type of scams is easier to avoid, the specially crafted phishing e-mail that appears directly applicable to your business can remain imperceptible even to those who are always vigilant.
Second, I’d like to discuss “tailgating” and “piggybacking” as common tactics a person may use to gain unauthorized access into a restricted area. This is where someone tags along with another person who is authorized to gain entry. In an electronic sense, this is where a user fails to log off their terminal, allowing an unauthorized user to “piggyback” on the authorized user’s session. In a physical sense, this may be getting an authorized person to hold the door open for them (thus bypassing an RFID scanner or checkpoint) or pretending to be a member of a crowd that is entering largely unchecked.
Phishing and Smishing
A well-crafted phishing e-mail is one that appears legitimate on every front. It copies the structure of the e-mail it is trying to imitate. Some of the largest hacks we have seen in the past 10 years begin with a phishing e-mail where the victim unknowingly clicks through to a malicious link or downloads a malicious file. The surge of ransomware attacks in the past few years are often a result of people falling victim to phishing e-mails. “Spearphishing” is a phishing attack that is directly targeting a high-level executive of an organization. These are particularly pernicious as executives may have access to very sensitive information. As mentioned earlier, with the ubiquity of social media and public sharing, creating a personalized phishing e-mail has become much easier and as a result, much more effective.
In addition to phishing, there is “smishing” where an adversary attacks through text messaging.
Most often these attacks use spoofed numbers to send links where a fake webpage prompts the victim to enter their personal information. It is very common to see a fake banking website created to steal legitimate user credentials.
A recent, highly technical, smishing technique has been revealed by Google’s Project Zero which exploited a vulnerability in Apple’s iMessage where one function of the application shows the user a “preview” what’s inside of a .zip file when they have received one. By way of this preview function, the malicious file can execute and initialize a backdoor for an attacker to remotely read files on the device. This is a technical vulnerability that persists regardless of a user taking any action. In other words, the victim did not need to click on or open anything for the malicious attack to be initiated successfully.
Tailgaiting and Piggybacking
It is most common that penetration tests involve an ethical hacker breaking into computer systems, enterprise networks, or testing a web application in search of security vulnerabilities to exploit. However, a physical penetration tester is one who tries to infiltrate their way into a company’s office space while remaining undetected.
Once a physical penetration tester gains physical access to an organization’s building, they might plant nondescript hardware to employ man-in-the-middle attacks, capturing LAN packets and exfiltrating data or they may simply steal physical documents or company devices.
Sophie Daniel, more commonly known by her online pseudonym ‘Jek Hyde,’ is a professional physical penetration tester known for her social engineering prowess. Organizations hire Sophie, and others like her, to test and evaluate the security controls of their company. One of her more “fail-proof” social engineering tactics involves a combination of known attacks: impersonating an authorized employee and manipulating and exploiting a person’s empathy to achieve her goal: tailgating through an RFID entry point to ultimately gain full unauthorized access into her target’s building.
Her strategy involves wearing a ‘pregnancy belly’ prosthetic while making sure she keeps her hands full (e.g. holding a purse, a laptop, and a Starbucks coffee cup). All Sophie will do is follow an authorized employee as they approach a secure entry point where they have to scan their RFID card. Due to the social context of the situation she orchestrates (i.e.: a struggling pregnant woman), the authorized employee will demonstration decency and help her out by holding the door open. It is akin to offering a pregnant woman your seat on public transportation. She explains how she has yet to fail in her attempts using this tactic to have someone hold the door open as she seemingly struggles to keep up with them as they enter the building. Understandably so, I have a difficult time imagining someone closing the door on a straining pregnant woman’s face in order to uphold a security policy.
Sophie Daniel ingeniously exploits the most basic of human behaviors, revealing how social context can easily trump company policy. She shows how effective unassuming tactics can be when employed by adept social engineers when it comes to gaining unauthorized physical access. Tactics like these are very difficult to overcome. However, with extensive security training and awareness, an organization can mitigate some of the risk.
Organizational leadership will set the tone for a cyber-secure mindset and should model good personal security habits based on sound guidelines.
All users can be trained in order to recognize common social engineering attacks, for example: identifying and avoiding phishing e-mails or being trained to not allow piggybacking. Conducting internal phishing exercises can be used to raise user awareness and provide an opportunity for users to practice identifying threats. It is important not to threaten harsh punishments for failing these exercises as this will not foster understanding but instead lower morale and sow paranoia amongst personnel. The objective of cybersecurity training is to develop confidence, not paranoia.
For your listening pleasure…
I first encountered Jek Hyde’s stories through Darknet Diaries. There are so many wonderfully produced stories – virtually every episode is worth the listen. Finally, for those interested in social engineering, I also highly recommend the exploits of @TinkerSec outlined in Episode 36: Jeremy From Marketing.