Chapter 7. Social Engineering

Social engineering is one of the most threatening forms of hacking attacks: traditional technology defenses that security professionals are accustomed to using fall flat on their face when it comes to social engineering. Rebuilding and upgrading an information technology infrastructure (system hardening, firewall deployment, IDS tuning, etc.) protects against network and other technology attacks. However, users cannot be rebuilt or retrofitted. True, they can sometimes be trained, but it is often easier (and thus cheaper) to “train” an IDS to look for attacks than to train the help desk operator to fend off sneaky persuasion attempts. Sometimes humans can be removed from the security loop, but eliminating IT users is not an option for most companies.

As appealing as it might seem, it is impossible to patch or upgrade users. Humans are the weakest link in the security chain—especially poorly trained and unmotivated users. Even in tightly controlled environments, assuring that technical security measures are in place is easier than assuring that users don’t inadvertently break a security policy, especially when subjected to expert social engineering assaults.

Social engineering attacks are simply attacks against human nature. A human’s built-in security mechanisms are often much easier to bypass than layers of password protection, DES encryption, hardened firewalls, and intrusion detection systems. In many cases, the attacker needs to “just ask.” Social engineering exploits the default settings in people. Over the years, such “defaults” (or “faults”) have proven time and again that social engineering can breach the security of corporate research and development projects, financial institutions, and national intelligence services. Some of those defaults—such as a helpful response to an attractive stranger—are known to be unsafe, while some are condoned by our society as polite or useful.

Social engineering is not simply a con game; while it might not be apparent at first glance, social engineering is more than prevarication. In fact, many attacks don’t involve a strictly defined deception, but rather use expert knowledge of human nature for the purpose of manipulation.

Background

There are various definitions of social engineering. Here are a few:

The art and science of getting people to comply to your wishes. (Bernz, http://packetstorm.decepticons.org/docs/social-engineering/socialen.txt)

An outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system. (Palumbo, http://www.sans.org/infosecFAQ/social/social.htm)

...getting needed information (for example, a password) from a person rather than breaking into a system. (Berg, http://packetstorm.decepticons.org/docs/social-engineering/soc_eng2.html)

Sarah Granger, who compiled these definitions, states: “The one thing that everyone seems to agree upon is that social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust” (http://online.securityfocus.com/infocus/1527). The most important term here is natural. It implies that overcoming the efficiency of a social engineering attack is similar to going against nature: it may be possible, but it is difficult.

Although perfect machine-level security is improbable (unless the system is turned off, cemented into a box, and locked in a room with armed guards), you can nevertheless get close by making a concerted effort. Unfortunately, sometimes security is achieved by sacrificing a substantial amount of functionality. Likewise, security is sometimes passed over in favor of higher functionality. This is especially likely to happen when proper risk assessment is not performed.

Every organization makes a decision on where to stand in the spectrum: either closer to perfect functionality (less security), or closer to perfect security (less functionality). Most companies implicitly choose functionality over security, for various reasons—such as pressure to deliver or lack of budget, knowledge, or personnel—and such unconsidered decisions can lead to security breaches. Unfortunately, with social engineering, you often do not have the opportunity to make a choice. Tight system security and user education offer surprisingly little protection against insidious wetware attacks.[1]

Corporate user education for social engineering usually consists of nothing more than an annual memo stating “Don’t give your password to anyone.” Unlike technical countermeasures, protection from human-based attacks is poorly developed and not widely deployed. One novel solution is to fight fire with fire; i.e., to proactively social-engineer people into compliance and a heightened defensive posture. Most security awareness training programs offered by companies can be categorized as social engineering of sorts, or as engineering policy compliance. Only time will tell if this solution proves effective by any measure. It is also possible that it will run counter to perceived civil liberties and freedoms. After all, the noble goal of policy compliance probably does not justify the “zombification”[2] of users. The issue is how far a company is willing to go in order to stop the attacks and whether they care about obtaining the willing support of the users. The opposite argument is valid as well: some believe that only aware and supportive employees, trained to think before making a decision (such as to disclose data), are in fact more effective in stopping the attacks.

Little can be done by traditional security measures to protect your network resources from advanced wetware attacks. No firewall, intrusion detection system, or security patch is going to do it. Nevertheless, there are some newer methods that may help: for example, penetration testing can be very effective if it includes mock wetware attacks.

Less Elite, More Effective

A human controls every computer system, and that human is often the weakest link in the information security chain. Since the golden age of hackers like Kevin Mitnick, stories of social engineering have enthralled the public. The targets of such attacks have ranged from an AOL newbie (in order to harvest a username and password) to an R & D department engineer (in order to harvest microprocessor schematics). For example, one CERT advisory[3] reports that attackers used instant messages to backdoor unsuspecting users with offers of free downloads including music, pornography, and (ironically) antivirus software. The attack qualified as social engineering because users themselves were engineered to download and run malicious software: no computer system flaws were being exploited.

Common Misconceptions

The myth about social engineering is that few people do it well. Unfortunately (or fortunately, depending upon which side you are on), it’s not true. Another misconception is that being a social engineer is “evil.” While social engineering comes with a stigma, having the skills of a social engineer is like possessing a vulnerability scanner. Unless you use them for a crime, such skills are perfectly legal. In fact, social engineering attacks are highly valued as part of a complete penetration test—the Open Source Security Testing Methodology Manual (OSSTMM, available from http://www.OSSTMM.org) even contains guidelines for conducting social engineering testing as part of auditing.

Performing the Attacks

What results might you seek to achieve with social engineering, whether in a real attack or in penetration testing? Useful information for obtaining access or for testing can be grouped into the following categories:

  1. Physical access (to steal, modify, destroy, or violate any or all of the three components of the CIA model—confidentiality, integrity, and availability—of protected resources)

  2. Remote access credentials (password and other access credentials for phone, computer networks, and other equipment)

  3. Information (data, source code, plans, customer data, and other proprietary, confidential, or secret data)

  4. Violation of other security controls (such as making victims run code, transfer funds, or perform other actions on behalf of the social engineer)

Active and Passive Attacks

For the purpose of this chapter, we divide social engineering attacks into active and passive. Active probes directly interact with the target and elicit its response, whereas passive attacks acquire information with stealth.

Active social engineering involves interaction with target personnel in order to obtain security-relevant information, gain access privileges, or persuade someone to commit a policy violation or act as a proxy on the attacker’s behalf. In contrast, passive attacks consist of eavesdropping and observation, followed by analysis of the results. Passive attacks often seek to acquire seed information with which to launch further active social engineering, network-based attacks, or physical attacks.

It is also important to note that intelligence gathering in the form of passive social engineering and surveying open source intelligence is crucial for preparing a social engineering attack or test. People are much richer systems than computers. Thus, the process of “reading the manual” is more complicated when studying humans.

Active attacks elicit the required response through basic human emotions. The following are some methods for a successful attack:

Intimidation

This method uses “hardball” tactics—threatening and referencing various negative consequences resulting from noncompliance with the attacker’s request.

Impersonation

Involves posing as somebody else—a classic trick of social engineers. Note that while it is sometimes beneficial to assume a position of power, the opposite comes in handy as well.

Blackmail

Does not necessarily translate to criminal offences, and might involve emotional blackmail.

Deception

The broad category of deception covers many of the other attack methods. Many attack methods may be enhanced with deception.

Flattery

Many people are surprisingly vulnerable to this simple ploy. Flattery is known to open doors to economic spies and con men.

Befriending

People do things for friends that they would never do for a stranger. If an attacker manages to position himself as a friend, many avenues for attack open up.

Authority

Related to intimidation, this tactic exploits a fear many people have of authority figures such as police officers, bosses, and others seemingly “above” the victim.

Pressure

Bad decisions are often made under pressure—including decisions to disclose confidential information. High-pressure sales tactics also fall in this realm.

Vanity

Similar to flattery, an appeal to vanity often facilitates the connection between victim and attacker.

Sympathy

Earning the sympathy of a victim is likewise desirable in many cases.

Combination attacks (such as intimidation and impersonation) can be much more effective than individual attacks. Note also that not all of the tactics are applicable to every possible goal of social engineering. For example, it is unlikely that anybody ever obtained a password with a flattery attack.

The social engineer may consider the three positions in Table 7-1 before launching an attack.

Table 7-1. The attacker/target relationship

Position                      Examples
----------------------------  -----------------------------------
Attacker in weak position     In need of help or guidance
Attacker in strong position   Abusive superior
Lateral position              Posing as a friend or colleague

Depending upon the circumstances and personal preference, the attacker might play a helpless victim, if intelligence gathering indicates that this approach will be effective. On the other hand, the angry-boss position of superiority sometimes works wonders. Finally, claiming to be an equal or a friend often yields results when the first two approaches fail.

Let’s examine some sample attacks using the positions and methods outlined above.

Sample 1: Impersonation

The attacker pretends to be a mailman in order to obtain access to a company facility. In this case, the attacker places himself in a lateral position, using just an impersonation technique to get privileged physical access.

Sample 2: Impersonation and authority

The attacker pretends to be a system administrator’s superior and calls the sysadmin for a password. This method is more effective in a large organization, where many layers of hierarchy exist and people might not know their boss’s boss. While this attack might sound easy, success depends on the attacker’s knowledge of how to approach the victim in a convincing manner, as well as flexible conversation skills.

Sample 3: Blackmail

Information gained in the past can be leveraged for access to more information via blackmail. If this word smacks of bad crime novels, you may prefer the modernized “leveraging acquired information assets to gain further ground” instead. This definition emphasizes this technique’s need for careful research, so that the attack may be optimized using knowledge of the victim’s past transgressions.

Sample 4: Sympathy

The attacker asks for advice or guidance from an employee. Running this one requires the attacker to “genuinely” sympathize and requires some acting skills.

Preparing for an Attack

To pick roles for impersonation during the social engineering attack, consider the following list. On the defense side, be prepared for anybody initiating communication with you to use one of these tactics. We do not advise complete paranoia—just a healthy helping of it. This list illustrates the thinking patterns of potential attackers, who might select a circuitous route to the goal—one that may not be on the radar screen of the defending party.

Coworker

Subordinate, boss, new hire, intern, temp worker, consultant

Outside authorized party

Postman, janitor, building maintenance, delivery driver, repairman, partner-company employee, customer, research student, job applicant, ex-employee, vendor/contractor personnel, law enforcement/government agent

Social acquaintance

Friend, neighbor

In a social engineering attack exercise, you can select from these roles, depending upon your goals. Let us now turn to possible communication channels for the attack. Social engineering attacks can be conducted through various communication media, including the phone, mail, email, the Web, instant messaging or chat (IRC), or a mailing list or discussion forum. They can also take place in person.

The following are some examples of attacks using the above media:

  • Social meeting (meet the target employee for coffee, and pump him for useful information)

  • Facility tour (ask the future employer for a facility tour, and come back with passwords and network topology data)

  • Sales call or job call (promise to solve their security problems, and meanwhile learn about their current IT defenses)

  • Web survey (add a couple of questions about security devices to an innocent survey, and you have the inside scoop)

  • Faked web site to collect login information (people naturally reuse passwords; thus, a password to one web site can open the way to corporate email)

  • Paper mail survey (a formal survey to get details on their technology infrastructure)

Target selection is often based on initial information gathering and the possible roles we’ve mentioned. Common targets of social engineering attacks include help desk, tech support, and reception personnel. This list is by no means comprehensive, but these positions are consistently vulnerable to wetware attacks.

The attack comes after an initial sweep for information via public sources (i.e., passive social engineering or technology-based attacks such as network surveying). The methods we’ve described are combined with various communication media, using a social engineering action plan, or “toolkit.” The action plan involves maneuvers based on the chosen target, along with any supporting information, followed by a determination of the sequence of attacks to try. It is a simplified framework for creating social engineering attacks. Table 7-2 gives a summary of sources that can be used as part of an initial sweep and information-gathering mission.

Table 7-2. Information gathering sources and methods

Source: Company web site
  Nature of the obtained information: Names, positions, contact information, IT resources, occasionally descriptions of physical security measures
  Methods of obtaining the information: Investigating via search engines, limiting the search to the site only, downloading the web site locally for analysis, browsing

Source: Search engines
  Nature of the obtained information: Habits of employees (search for company email addresses), hobbies, past histories, and other private details
  Methods of obtaining the information: Various search queries organized as a search tree, aimed to cut down to a specific piece of information needed for the attack

Source: Various web databases (such as Lexis-Nexis)
  Nature of the obtained information: Background information, names, positions, contact information of employees
  Methods of obtaining the information: Various search queries

Source: Business publications
  Nature of the obtained information: Names, positions, other information on employees
  Methods of obtaining the information: Searching publications for references to the company

Source: Partner and technology vendor web sites
  Nature of the obtained information: Utilized IT and physical security controls and processes
  Methods of obtaining the information: Various search queries

Source: Trash
  Nature of the obtained information: Various internal documents
  Methods of obtaining the information: Getting physical access to trash

Social Engineering Action Plan

A social engineering action plan welds the social engineering attack components into one truculent blade. These are the steps of a planned social engineering attack:

  1. Identify the target company.

  2. Determine the desired outcome (access credentials, proprietary information, subversion, etc.).

  3. List all people at the company who may have access to the desired information or be useful for the outcome (use publicly available information from the initial sweep).

  4. Choose the individual targeted for attack.

  5. Acquire more information about the victim, using passive social engineering tactics or other methods.

  6. Decide on the type of communication media (in person or by phone, email, the Web, etc.).

  7. Pick a social engineering method (impersonate, intimidate, blackmail, deceive, flatter, befriend, etc.) based on the victim’s characteristics.

  8. Run an attack.

  9. Document the obtained information (especially if the obtained information is not exactly what was required) and evaluate the victim as a potential source for more information or “help.”

  10. Adjust future strategy based on results.

Several of the steps in the action plan need additional clarification. For example, how does the attacker choose the best individual to target? While we are attempting to define social engineering attacks in terms of technology, the social engineer still relies heavily on experience and intuition. The final choices will likely be made on a hunch. In many scenarios, several unrelated targets are pursued, in order to “converge” on the desired information.

The following example is based on our action plan.

  1. Example Electronics, a small manufacturer of components, is the target company. They have hired you to perform a social engineering attack on their network administration as part of a security audit.

  2. The desired outcome is access to CEO correspondence (email, voice mail, and paper mail).

  3. Individuals with access to the target resources include the CEO herself, the postman, a secretary (paper mail), a system administrator (email), and a PBX operator (voice mail).

  4. You choose to attack the secretary and the system administrator.

  5. The results of initial information gathering are as follows: the system administrator likes to play online games (she was observed posting to a forum on the topic using company email), and the secretary hangs out at Saloon X (he was seen there).

  6. The selected communication channels for the attacks are in person for the secretary, and through web media for the system administrator.

  7. Now, select the type of attack to employ. For the secretary, you decide to make friends and then obtain access to the company premises. In the case of the system administrator, you choose to send a web survey claiming to offer a prize, in order to get further information about email handling at Example Electronics.

  8. Arrange a meeting in a social environment with the secretary and email the survey request to the system administrator.

  9. After carrying out the attacks, document your findings: the secretary tells you that almost everybody leaves for lunch at 1:00 p.m. and the mailroom is left unlocked. From the survey completed by the system administrator, you discover that Example Electronics uses an outsourced email service that can probably be breached.

  10. Your renewed strategy is to use the information you’ve gathered to gain further access to Example Electronics.

The action plan is flexible and does not need to be followed verbatim. Rather, it is merely a framework on which to build audits. Documentation is essential for reports on penetration testing and in order to evaluate the vulnerability of the company to social engineering attacks. In fact, accurate documentation is of even greater value for these tests than it is for technology-based tests, since the course of action must be constantly adjusted in a social engineering attack. People are more complex than computer systems.

Some additional tips:

  1. If you are taking the authority route of attack, forge credibility. Fake business cards have been reported to work.

  2. Use a team (it is often much easier to persuade a victim while working as a group).

  3. Aggressively chain contacts: when you obtain a single contact name, ask for more names and then contact those people, or impersonate using the previous person as a credibility prop. Keep detailed log data describing all contacts in order to evaluate their security awareness and resistance to attacks, and also to better target future attacks.

  4. Sometimes calling and asking people directly gets sensitive information. Many people are naturally trusting and will give social engineers the information they need without further action.

Social Engineering Information Collection Template

If you are conducting social engineering attacks in the context of legitimate penetration testing (the only way we recommend doing it), here is a template for optimizing information collection.

This template outlines the documentation of information collected in social engineering attacks. It focuses on three areas: the company, its people, and its equipment (including computer systems).

Company
-----------------------
Company Name
Company Address
Company Telephone
Company Fax
Company Web Page
Products and Services
Primary Contacts
Departments and Responsibilities
Company Facilities Location
Company History
Partners
Resellers
Company Regulations
Company Infosecurity Policy
Company Traditions
Company Job Postings
Temporary Employment Availability /* get a job there and hack from inside */
Typical IT threats

People
--------------------------
Employee Information
Employee Names and Positions
Employee Places in Hierarchy
Employee Personal Pages
Employee Best Contact Methods
Employee Hobbies
Employee Internet Traces (Usenet, Forums)
Employee Opinions Expressed
Employee Friends and Relatives
Employee History (Including Work History)
Employee Character Traits
Employee Values and Priorities
Employee Social Habits
Employee Speech and Speaking Patterns
Employee Gestures and Manners /* used for creating and deepening "connection" during social interaction */
Employee Login Credentials (Username, Password) for Various Systems

Equipment
------------------------
Equipment Used
Servers, Number and Type
Workstations, Number and Type
Software Used (with Versions)
Hostnames Used
Network Topology
Anti-virus Capabilities
Network Protection Facilities Used (with Software Versions)
Remote Access Facilities Used (Including Dial-up)
Routers Used (with Software Versions)
Physical Access Control Technology Used
Location of Trash Disposal Facilities
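Step 9 of the action plan, tip 3 above ("keep detailed log data describing all contacts in order to evaluate their security awareness") and this collection template all come down to the same thing: a structured record of every contact attempt made during an authorized test, from which the report can show which roles and which persuasion methods the organization resists and which it does not. The following is an added example of such a log and scorecard, written for this chapter and not taken from the book; the record fields, the outcome vocabulary (complied, partial, refused, reported) and the sample records are all assumptions.

```python
"""Contact log and awareness scorecard for an authorized social engineering test.

Added example, not from the chapter. Each ContactAttempt records one approach
made during the test; scorecard() aggregates the outcomes per target role (or
per method) so the report can rank roles by how often they turned the attempt
away and how often they reported it to security.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed outcome vocabulary a tester records for one contact attempt.
OUTCOMES = ("complied", "partial", "refused", "reported")


@dataclass(frozen=True)
class ContactAttempt:
    when: str          # ISO-8601 timestamp of the contact
    target_role: str   # help desk, reception, sysadmin, ...
    channel: str       # phone, email, in person, web
    method: str        # impersonation, authority, pressure, flattery, ...
    objective: str     # credentials, physical access, information
    outcome: str       # one of OUTCOMES
    notes: str = ""

    def __post_init__(self):
        # Reject records with an outcome outside the agreed vocabulary so that
        # the aggregate rates below cannot be skewed by typos in the log.
        if self.outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {self.outcome!r}; expected one of {OUTCOMES}")


def summarize(attempts, key):
    """Group attempts by the named attribute and count outcomes per group."""
    counts = defaultdict(lambda: dict.fromkeys(OUTCOMES, 0))
    for attempt in attempts:
        counts[getattr(attempt, key)][attempt.outcome] += 1
    return dict(counts)


def resistance_score(counts):
    """Share of attempts the group turned away (refused or reported)."""
    total = sum(counts.values())
    return (counts["refused"] + counts["reported"]) / total if total else 0.0


def report_rate(counts):
    """Share of attempts the group escalated to security."""
    total = sum(counts.values())
    return counts["reported"] / total if total else 0.0


def scorecard(attempts, key="target_role"):
    """Per-group attempt counts and rates, weakest group first."""
    rows = []
    for group, counts in summarize(attempts, key).items():
        rows.append({
            "group": group,
            "attempts": sum(counts.values()),
            "resistance": round(resistance_score(counts), 2),
            "report_rate": round(report_rate(counts), 2),
        })
    rows.sort(key=lambda r: (r["resistance"], r["report_rate"]))
    return rows


def training_candidates(attempts, min_resistance=0.5):
    """Roles that turned away fewer than min_resistance of the attempts."""
    return [r["group"] for r in scorecard(attempts) if r["resistance"] < min_resistance]


# Constructed sample log; roles and methods follow the chapter's lists,
# the events themselves are invented for the example.
SAMPLE_LOG = [
    ContactAttempt("2003-05-12T10:15", "help desk", "phone", "authority",
                   "credentials", "complied", "caller posed as regional manager"),
    ContactAttempt("2003-05-12T11:40", "help desk", "phone", "pressure",
                   "credentials", "partial", "gave username only"),
    ContactAttempt("2003-05-13T09:05", "reception", "in person", "impersonation",
                   "physical access", "complied", "delivery driver cover"),
    ContactAttempt("2003-05-13T14:30", "reception", "in person", "befriending",
                   "information", "refused"),
    ContactAttempt("2003-05-14T16:00", "sysadmin", "email", "flattery",
                   "information", "reported", "forwarded to security team"),
    ContactAttempt("2003-05-15T10:00", "sysadmin", "web", "deception",
                   "information", "refused"),
]

if __name__ == "__main__":
    for row in scorecard(SAMPLE_LOG):
        print(row)
    print("by method:", scorecard(SAMPLE_LOG, key="method"))
    print("training candidates:", training_candidates(SAMPLE_LOG))
```

Running the sample ranks the help desk lowest (no attempt turned away), reception in the middle, and the system administrator highest, with the only reported contact. The same records grouped by method show which pretexts worked; both views belong in the report, since the first tells the client whom to train and the second tells them what the training should cover.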

Advanced Social Engineering

Every attack exploits a weakness. In warfare, it might be a weakness in defense technology, troop morale, or inferior numbers. In computer attacks, the weaknesses are in design, implementation, configuration, procedure, and proper use of technology. Risk analysis is a process by which to identify those weaknesses and mitigate them in a cost-effective way. It is rarely possible to cancel out all risks. In social engineering, it is never possible. The weakness here is the frail human psyche.

As an aspiring social engineer, you must concentrate on two areas in order to hone the effectiveness of your attacks. First, you must develop the ability to feel comfortable around people and to make other people comfortable around you. This can be as simple as smiling, or as complicated as advanced rapport-building skills. Rapport is a state in which you feel strongly connected to another person, begin to like him, and feel that you have many natural similarities. The Merriam-Webster dictionary defines rapport as “a relation marked by harmony, conformity, accord, or affinity.” This state is achieved by matching verbal (what you say) and nonverbal (how you say it) components of human interaction. In a state of rapport, other people will like you more and will like what you say more than if you just blurt it out. They will tend to think you have their best interests at heart, since they perceive you as so much like them.

Second, give some thought to the state of mind you should be in while carrying out a social engineering performance. This question might sound irrelevant, but consider this analogy: would you launch an attack on a system from a machine that is out of memory and has a slow hard drive, a faulty CPU, and a blinking monitor? Why, then, run a social engineering attack while stammering, distracted, and with a confused look on your face? Focusing your state of mind is crucial for effective social engineering. If you are in the proper state of mind, your language flows more easily and you can establish rapport. You sound more convincing and you get the information you want faster. Moreover, it is likely that this equanimity will spill over onto your targets, creating a relationship that can later be used to elevate privileges or to achieve other goals.

Finally, social scientists have summarized several “weapons of persuasion” that we can use for social engineering. Dr. Robert Cialdini, a leading expert on persuasion and influence, has defined six conditions that launch automated subroutines in people. These subroutines, or shortcuts, can be used to deal with complicated interactions in everyday life. They include:

Reciprocation

This is the tendency in humans to respond in a like manner. A con man might exploit this by letting you “guard” his luggage before stealing yours. Similarly, an organization might send you gifts and then hint at needing a small donation. Psychological experiments have confirmed that these kinds of situations create reciprocity. If you share a secret with a system administrator, you have a good chance of learning a secret yourself. Hold that door open for an employee, and watch him hold another door for you—perhaps into a restricted area.

Commitment and consistency

People tend to act in accordance with prior commitments. That sounds obvious, before you think of the implications. If a person promised to help you, she made that decision internally and will likely act on it in the future. Soliciting the initial commitment is left as an exercise for the reader.

Social proof

This principle of dubious ethics in part drives retail trade and television advertising. To appear cool, they instruct, you should drink this beer. After all, those people on your television do! Canned laughter on a situation comedy is a manifestation of the same principle: we tend to laugh more if other people are already laughing. Just think of all the ways this technique can be used for gaining access and convincing targets to part with the crown jewels.

Liking

This is another concept that sounds trivial, but it is nothing of the sort. People tend to perform favors for someone they like. According to Dr. Cialdini, in order to be liked, you need to appear similar to the person you are approaching. Your life experience probably confirms this “law of influence.” Compliments also work wonders in this department. If your targets like you, a large part of the attack is already done.

Authority

Classic Milgram obedience experiments in psychology confirm that under pressure from authority, people will do things they would never do on their own. Assuming a position of authority is extremely helpful in social engineering.

The scarcity principle

People perceive what is unavailable as valuable. All those “while supplies last only” sales work on the scarcity principle. If you position yourself as unavailable, people will flock to you for advice. Just advise them in a manner conducive to your attack goals.

These concepts merely scratch the surface of psychological persuasion and its use in social engineering. Even more advanced manipulation techniques exist. If you think this material is purely theoretical, you will be surprised to learn that at least one celebrated hacker was formally trained in these advanced influence techniques by the famous persuasion trainer. Others are sure to follow.

References

[1] The term wetware indicates the “software” running on a human computer—the brain—and the corresponding “hardware.”

[2] The term zombification refers to zombies, those mythical undead creatures who act under the complete control of an evil magician.

[3] “Social Engineering Attacks via IRC and Instant Messaging.” (http://www.cert.org/incident_notes/IN-2002-03.html)
