Human beings are predisposed to want to help others. It is in our nature. If you’re a receptionist or work at a help desk it might even be part of your job description. Even so, beware of social engineering. What is social engineering? It’s the subtle manipulation of staff in order to gain unauthorized access to your building, systems, and data.
- What Is Social Engineering?
- It’s Nothing New
- How Threat Actors Use Social Engineering
- How to Protect Against Social Engineering
Social engineering is hacking. But it’s not hacking into your network by exploiting a technical vulnerability. Social engineering is hacking your staff, the organic layer of your defenses.
Most of us share similar characteristics. Nobody likes having problems at work, and we feel sorry for those who do. We are inclined to help people who are wrestling with problems, even if it means we bend the rules slightly or break protocol for a moment. We’re even more likely to do this if we like or empathize with the person that has the issue. We’re also conditioned to obey authority figures. We want to be seen as capable of helping and willing to pitch in.
Skilled threat actors can exploit all of these traits and coerce people into doing what they want. It’s exploiting human psychology to steer the unwary into performing some action that benefits the perpetrator.
Social engineering attacks might happen in a single phone call or they may be played out over a period of time, slowly winning trust and acceptance. Their objective is to get through your security measures or to go around them.
Social engineering has been around as long as confidence tricksters have existed. There are techniques that work, so it was inevitable that they’d be picked up and used by the cyber threat actors. They work on people’s admirable qualities, like their kindness and desire to assist, or their poorer qualities, like greed and fear.
The threat actor might want to:
- Obtain credit card or other financial details.
- Get login credentials for a user account.
- Install malware such as keyloggers so that the victim’s keystrokes are sent to the threat actor’s server.
- Install remote access software that lets the threat actors gain access to the victim’s computer.
- Install ransomware to extort money from the business.
- Gain physical access to your building to plant covert devices, manually install malware, or steal hardware.
Unlike many cyber attacks, social engineering attacks are aimed at specific, researched victims. Compare that with “spray and pray” attacks such as bulk phishing campaigns or port scanning, which fire at anyone. (Spear phishing, which targets a named individual with a tailored message, sits in both camps: it is social engineering delivered by email.)
Social engineering attacks can involve phone conversations, email, or attending your premises in person. Quite often a blend of these techniques is used to suit the needs of the attack.
Threat actors gather intelligence on target individuals within the company before they make contact. They monitor Twitter and LinkedIn and look for information that gives them an edge. Social media is a two-edged sword. What you broadcast to the world can easily be turned against you.
A threat actor may see that a senior staff member is going to be out of the office at a conference. This is the sort of information they can use. It gives the threat actor an “in.” They’ll ring and ask to speak to that person’s PA (personal assistant). Because they are talking about a genuine event, the PA has no reason to suspect the caller is fraudulent. If the threat actor has “spoofed” the calling line ID, making the call appear to originate from the genuine phone number for the event, the illusion is even more compelling. Calling line ID is trivially forged and should never be treated as proof of who is on the line.
They will present a problem and ask for assistance to sort it out. “We have a record of his booking but no record of a deposit or payment. I’m going to be for the high jump if I can’t sort this out before I go off shift in the next ten minutes. I’m really hoping you can save my skin. Do you happen to have the details of the credit card the booking was made with so that I can look it up?”
The simplest attacks are often the best, and technical support is a common target. Their job is to solve problems. Their working day is devoted to trying to satisfy the caller’s needs and to make problems disappear.
Companies often make posts like this on LinkedIn or Twitter: “Welcome to the newest member of the company, Mr. New Person. He’ll be joining the XYZ team, etc.” A threat actor can ring your tech support team out of hours and pretend to be that person. They’ll say they’ve just started working there (“yeah, I’m in the XYZ team”) but can’t access the office systems from home. This scenario often works because new employees often have teething problems. They’re not expected to know their way around the systems yet, nor will it be suspicious if they can’t answer a question they may be asked. And because it is out of hours, there’s no one to cross-reference or check with. Typically the threat actor will work the conversation round to the point where the easiest thing for the tech support engineer to do is perform a password reset and read the caller the new password.
Another ruse is to ring tech support and pretend to be someone from the HR Internal Investigations team, acting on a matter of sensitivity and requiring the utmost discretion. They’ll mention a real person in the business so senior that the tech support engineer has definitely heard of them. “They’re under investigation, I can’t tell you why obviously, but we need their account locked right away, and a new password set on it so that external auditors can get in but he can’t. This is the password to use…” Of course, the threat actor has simply picked a name from the Meet the Team page of the website. This ploy works by making the person being duped feel like they are party to something important, secret, and “big.”
An equally simple ploy is to ring tech support and go through the motions of describing a problem with the threat actor’s email. No matter what they try, the issue remains. The threat actor will offer to send a screenshot or a log file to the support engineer from their personal email, which of course is still working. Primed and waiting for the email, the support engineer opens the malicious attachment as soon as it arrives. The threat actor now has malware running on the support engineer’s machine, inside your network, and on an account that typically holds elevated privileges.
Masquerading as tech support and ringing other staff members is a favorite too. There are many variations of this scam. One technique is to ring reception and ask for a name picked from LinkedIn or elsewhere. When they get through, they explain they are tech support, or from the remote data center, or something similar. “You seem to be gobbling up hard drive space on the server, are you copying a lot of data or something?” Of course, the person says no, they’re not. After some more questions and frantic typing by the fake support engineer, they conclude that the staff member’s account has been compromised. It looks like someone is stockpiling company data ready to copy it out of the network. Sounding increasingly excited, the caller gets them to log out, and back in again. “No, nothing has changed. It’s still going on.”
The fake support engineer, audibly straining to stay calm, tells the staff member he’s going to forcibly kill all processes for that account. “If I do that though, I’ll have to log you back in, you won’t be able to do it. What is your username? OK, thanks. And what is your current password? Got it, OK, log out now.” After a short pause, the caller says, “That’s great, I’ve stopped it. Actually you can log back in and carry on as normal, I didn’t need to wipe your account after all.” The threat actor will be very grateful and thank the staff member for their help. They should be grateful. They’ve now got a valid account they can use to access your network.
These are examples of successful social engineering attacks that are happening today.
Gaining physical access to your premises allows the threat actor the opportunity to perform a variety of actions that further compromise your security.
Firewalls usually let traffic out of a network much more easily than traffic can get in. Firewalls are border guards, and most of their attention is focused on what comes in over the border. Traffic going out is often a secondary concern. The threat actor can make devices out of inexpensive, single-board computers such as the Raspberry Pi that, once they are connected to a network, make an encrypted outgoing connection to the threat actor’s server. Typically a firewall isn’t configured to stop that, particularly if the connection uses a port such as 443 that is allowed out for ordinary web browsing. The threat actor then connects back to the planted device through the tunnel that the Raspberry Pi has already established. This gives him remote access to your network. It’s a technique called a reverse SSH tunnel, and because the planted device initiated the connection, nothing on the perimeter ever has to accept an inbound session.
These covert devices can be hidden inside old laptop power supplies or other innocuous devices, and quickly plugged in behind equipment such as large printers. Printers need mains power and a network point. Network points are usually provisioned in pairs, as are power points. The printer only needs one of each. Behind the printer are the connections the device needs, and a nice hiding place.
The threat actor may simply pick a laptop and walk out. They may infect the network with malware from a USB memory stick. They may leave USB memory sticks seeded with malware near coffee machines, in restrooms, or on vacant desks. There’s usually a bunch of keys attached to the USB stick. When the USB stick is discovered the question in the staff member’s mind is “Who has forgotten their keys?” not “Hmm—here’s an anonymous USB stick.”
That slight shift in mental stance is important. Misplacing your keys is a big problem. The finder wants to get the keys returned to their owner. How can they find out? Maybe there is something on the memory stick that will identify the owner. There are files on the memory stick. They might look like a PDF or a Word document, but they are disguised malware. If they have eye-catching titles like “Redundancy Plans Phase 1” it’ll be almost impossible for the staff member not to click on them.
It is possible to auto-run programs as soon as USB drives are inserted, which means the staff member doesn’t even need to click on anything. Current versions of Windows disable AutoRun for removable media by default, but the setting can be re-enabled, and legacy builds and other operating systems vary. If auto-run is turned off, as it should be, files with irresistible titles are the common fallback strategy.
A similar approach is for the threat actor to collect some promotional literature from a genuine business such as a courier firm. They attach a USB memory stick to each one. The threat actor appears at reception and hands over three or four copies. They ask the receptionist if they wouldn’t mind passing these on to the person in charge of shipping. Almost certainly the receptionist will put one aside for themselves and as soon as the threat actor has left the building they’ll try it on their computer.
To get past reception, threat actors have posed as all manner of delivery person: UPS drivers, United States Postal Service workers, flower deliveries, motorcycle couriers, pizza deliveries, and donut deliveries, to name a few. They have posed as pest control agents, construction workers, and elevator servicing engineers.
Arriving to have a meeting with someone the threat actor knows is not in the office (thanks to Twitter or LinkedIn) is surprisingly effective. Of course, it is someone senior. The receptionist tries to ring the staff member and says they’re not answering their phone. The threat actor says they expected that. They’ve been having a conversation by text and the staff member said their previous meeting looks like it will overrun. “They suggested I wait in the canteen. They’ll come for me when they’re free. Could someone show me where it is, please?”
In tailgating, the threat actor uses someone else’s valid entry to the building as a means of going through the same door. One trick is to wait at an external smoking point and strike up a conversation. The threat actor introduces themselves and gets the name of the person they’re talking to. What they want is for other people to arrive at the smoking point while they’re already in conversation. They will wait until the first staff member goes back into the building, then say goodbye to them, addressing them by name.
The new arrivals won’t even question whether this person is a member of staff. He’s here at their smoking point, laughing and chatting with other members of staff and addressing them by name.
The threat actor then chats to the new arrivals. He asks whether they know the person who has just left, and tells them he’s a nice guy. When the second wave of smokers returns to the building the threat actor accompanies them. He lets the staff members enter their code, or use their fob or key. When the door opens he makes a show of holding it open and gesturing for the real staff to enter, then follows them in.
We’re dealing with people so, needless to say, the defenses revolve around training, policies, and procedures.
- Rehearse procedures with teams, and consider involving role-play sessions by experienced, benign social engineers.
- Security firms can be engaged to use all of the techniques described here and more to try to penetrate your defenses. The points at which their attacks succeed will guide you in further tightening your security by improving procedures or applying more control to existing procedures. Just like penetration testing that probes your technical defenses, social engineering susceptibility should be tested periodically. You may choose to combine this with a benign phishing campaign.
- Turn off auto-run for USB devices. Treat anonymous USB memory sticks like Pandora’s Box.
- Have a policy for out-of-bound requests. These are requests that break protocol. They ask for something you wouldn’t usually comply with but you might be tempted to because it is an emergency. Or a one-off. Or special circumstances. Or this guy really needs a break. Don’t put your staff on the spot feeling torn between wanting to help and knowing they shouldn’t. Have a procedure they can adhere to.
- Perform regular network scans, compare the results against an asset inventory, and examine any device you don’t recognize. Where the infrastructure allows it, require port authentication (802.1X) so an unknown device gets no network access at all, and restrict outbound traffic so that a planted device cannot simply open an encrypted connection to the internet.
- Never give technical support, or anyone else for that matter, your login credentials. Genuine support staff will never ask for them; they can reset a password without knowing the old one. If you’re being asked for this type of information, the caller is a fraud.
- If you receive a telephone call asking for sensitive information you’ve previously provided, the safest thing to do is hang up and ring back, using a number you already hold or look up yourself, never one the caller gives you. Calling line ID can be spoofed, so the number that appears on your phone proves nothing.
- Never leave visitors unattended and always escort them. Only let visitors wait for their contact in reception.
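The two technical controls above, spotting a device that has appeared on the network and spotting the long-lived outbound session a reverse tunnel relies on, can be checked from data most networks already have. The script below is an added example written for this article, not code from the original, and every value in it is constructed: a hypothetical asset inventory, scan output in the style of `arp-scan`, and connection records of the form `start src dst dport proto duration`. It diffs the scan against the inventory, flags internal hosts holding hour-plus outbound sessions to a single external peer, and marks which of those hosts are also unknown devices.

```python
"""Rogue-device and reverse-tunnel triage from constructed inventory and logs."""
import ipaddress
from dataclasses import dataclass

# Hypothetical asset inventory: MAC address -> asset name.
KNOWN_DEVICES = {
    "3c:52:82:aa:01:10": "printer-floor2",
    "00:1a:2b:3c:4d:5e": "ws-reception",
    "00:1a:2b:3c:4d:5f": "ws-helpdesk-01",
}

# Raspberry Pi OUIs. A hint worth a look, not proof of anything by itself.
PI_OUIS = ("b8:27:eb", "dc:a6:32", "e4:5f:01")

# Constructed scan output (IP, MAC, vendor), tab separated like arp-scan.
SCAN_OUTPUT = """\
10.0.2.5\t3c:52:82:aa:01:10\tHewlett Packard
10.0.2.8\t00:1a:2b:3c:4d:5e\t(Unknown)
10.0.2.9\t00:1a:2b:3c:4d:5f\t(Unknown)
10.0.2.17\tb8:27:eb:12:34:56\tRaspberry Pi Foundation
"""

# Constructed connection records: start_epoch src dst dport proto duration_s
CONN_LOG = """\
1700000000 10.0.2.8 93.184.216.34 443 tcp 12
1700000030 10.0.2.9 93.184.216.34 443 tcp 40
1700000100 10.0.2.17 203.0.113.5 443 tcp 86400
1700086500 10.0.2.17 203.0.113.5 443 tcp 86399
1700000200 10.0.2.5 10.0.2.9 9100 tcp 5
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Conn:
    start: int
    src: str
    dst: str
    dport: int
    proto: str
    duration: int


def parse_scan(text):
    """Return (ip, mac, vendor) tuples; MACs are normalised to lower case."""
    devices = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2:
            continue
        vendor = parts[2].strip() if len(parts) > 2 else ""
        devices.append((parts[0].strip(), parts[1].strip().lower(), vendor))
    return devices


def unknown_devices(devices, known=KNOWN_DEVICES):
    """Anything on the wire whose MAC is not in the inventory."""
    findings = []
    for ip, mac, vendor in devices:
        if mac in known:
            continue
        hint = "single-board computer OUI" if mac.startswith(PI_OUIS) else vendor
        findings.append({"ip": ip, "mac": mac, "hint": hint})
    return findings


def parse_conn_log(text):
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6:
            conns.append(Conn(int(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5])))
    return conns


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def persistent_outbound(conns, min_duration=3600):
    """Internal hosts holding long-lived outbound sessions to one external peer.
    A reverse tunnel has to keep such a session open or keep re-establishing it."""
    by_pair = {}
    for c in conns:
        if is_internal(c.src) and not is_internal(c.dst) and c.duration >= min_duration:
            by_pair.setdefault((c.src, c.dst, c.dport), []).append(c)
    return [
        {"src": src, "dst": dst, "dport": dport, "sessions": len(s),
         "seconds": sum(c.duration for c in s)}
        for (src, dst, dport), s in by_pair.items()
    ]


def correlate(scan_text=SCAN_OUTPUT, conn_text=CONN_LOG, known=KNOWN_DEVICES):
    """Join the two checks: a long-lived tunnel from an unknown device is the
    combination the covert-device scenario produces."""
    unknown = unknown_devices(parse_scan(scan_text), known)
    unknown_ips = {d["ip"] for d in unknown}
    tunnels = persistent_outbound(parse_conn_log(conn_text))
    for t in tunnels:
        t["unknown_device"] = t["src"] in unknown_ips
    return {"unknown_devices": unknown, "persistent_outbound": tunnels}


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(), indent=2))
```

On the constructed data the only unknown device is the Raspberry Pi at 10.0.2.17, and the same address is the only internal host with day-long sessions to an external peer, so the combined finding is exactly the planted-device pattern described earlier. Real deployments would feed `persistent_outbound` from firewall or NetFlow exports and `unknown_devices` from whatever scanner or switch MAC table you already collect; the thresholds are starting points to tune, not rules.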
Fostering a security-minded culture in your business will pay dividends, and is a foundation of a multi-layered security approach.