Social engineering is the science of conning people into doing what you want them to do, usually without them being aware of what you are doing. Some folks might get upset about using the terms science and con in the same sentence, but if you look at a con’s methodology dispassionately, there is elegance to some of what they do. That elegance doesn’t mean the victim won’t want to rip them to pieces and put them through a paper shredder.
Here are a few social engineering tricks; if you know them, you might avoid being the victim.
#1 – Candy drop. I am not sure who coined the term, but I know that a few three letter agencies (like the CIA) have used this technique for years. A candy drop is when bad guys drop USB flash drives on the ground in popular areas like smoking break areas or near the entrance to a target’s office, hoping that someone will pick one up (like candy thrown at a parade) and put it in their computer. What happens next is one of three things: (a) there is a piece of malware on the flash drive that runs when the flash drive is plugged in, (b) the firmware on the flash drive has been modified by someone (like the CIA) to contain malware, and that gets loaded into the computer when the drive is plugged in, or (c) the flash drive contains files that tempt people (often ‘nude photos of xyz celebrity’) that people just HAVE TO open and poof, the computer is infected.
Obviously, at this point, the malware can do whatever the attacker wants it to do, from wiping out that computer to sending all your data to the attacker halfway around the globe in an unfriendly country.
Moral of the story, DO NOT plug strange hardware into your computer.
#2 – Phishing Emails. I will write an entire chapter on this at some point, with examples, but for now, suffice it to say that phishing emails (named for the fact that the early versions of these emails were fishing for your credit card information) and their kissing cousin, spear phishing emails (which are similar but targeted to a specific person or group of people) are still very popular and very effective. Amazingly so. With phishing emails, the attacker sends out a million emails and waits for someone to click on the wrong thing. When they do, the attacker figures out what to do next. With spear phishing emails, the attacker sends out one or a few emails, say to certain executives at a particular company, and hopes one of them clicks.
There are really two things that might happen after you click on it. First is the traditional approach – you go to a web page and they try to trick you into entering personal information – it could be a login page for (supposedly) your bank – then they have access to your bank account. Or it could be a page asking for your credit card information. Or a thousand variations of this. The second thing the attacker might do when you click on the link is install a piece of malware on your computer. At that point, the attacker owns your computer, the data on it, and anything you type on the keyboard from that point forward.
Sometimes the emails are in broken English from a guy in Nigeria trying to share millions of dollars with you. Hopefully, you don’t fall for those. The others look like they came from your boss or your bank. It looks like it came from the appropriate email address and often includes the appropriate logos. Those are much harder to spot. Often, the emails appear to come from friends or social media. That happens because the friend didn’t follow this rule, and now the attacker is using their account to find more victims.
Two morals for this story – if it looks too good to be true, it is; click delete instead of the link. And, if it looks legit but something raises your suspicions, call (don’t email – the attacker could be monitoring that email address) or walk down the hall and verify it is real.
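As an added illustration (not part of the original chapter), here is a small Python check for the “it looks like it came from the right address” problem: the display name in From: can say anything, so the check ignores it and compares the actual From domain with the domain the mail claims to represent, and with Reply-To and Return-Path. The two messages and all domains are constructed samples.

```python
"""Header check for 'it looks like it came from my bank' e-mails (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing sample: the display name claims the bank, the addresses do not.
PHISH_EMAIL = """\
From: "First National Bank Security" <alerts@firstnational-bank-verify.example>
Reply-To: support@mailbox-recovery.example
Return-Path: <bounce@bulk-sender.example>
Subject: Urgent: verify your account

Your account is locked. Click the link to verify your identity.
"""

# Constructed legitimate sample for comparison: every domain matches.
CLEAN_EMAIL = """\
From: "First National Bank" <alerts@firstnational.example>
Return-Path: <bounce@firstnational.example>
Subject: Your monthly statement is ready

Log in at the address you normally use to view your statement.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_warnings(raw_message, claimed_domain):
    """Return a list of warnings for a raw RFC 5322 message.

    claimed_domain is the real domain of the organisation the mail appears to
    come from: you know your bank's domain, the attacker picks a lookalike.
    The display name is ignored on purpose; anyone can type anything there.
    """
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    warnings = []
    if from_domain != claimed_domain:
        warnings.append(f"From address is {from_domain!r}, not {claimed_domain!r}")
    # Reply-To is where your answer really goes; Return-Path is the real sender.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header, ""))
        if other and other != from_domain:
            warnings.append(f"{header} domain {other!r} differs from From domain")
    return warnings
```

A mismatched Reply-To is exactly the case the “call, don’t email” advice guards against: your reply to a legitimate-looking message goes straight to the attacker.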
#3 – The Telephone. It is amazing what people will tell strangers on the phone. Look at how successful telemarketers are and all they want to do is get a small piece of your money. They might even give you something useless in exchange.
There is a social engineering contest at one of the big computer security conferences each year. The process varies from year to year, but basically the contestants are given the company’s web site address, a phone and a short amount of time (like a half hour), and they have to collect enough information from people to plan (BUT NOT EXECUTE) an attack on the company. They could pretend they are from the help desk and get people to give them their password, or a thousand other things. It is amazing what people will give out over the phone.
In one real world attack, the mark gets a call from someone pretending to be from Microsoft (or pick your vendor), who says you have a virus and they need your help in removing it. If you don’t hang up, all you are doing is helping them put malware on your computer.
Moral of this story – be at least a little bit suspicious of strangers (and by the way, someone you don’t know who said your boss asked you to talk to them is still a stranger) and be even more afraid when that stranger wants you to go to some web page.
One very effective technique for dealing with these folks if you think it might be legit is to say that you are about to go into a meeting and need to call them back. DO NOT let them call you back. If they won’t give you a name and number, that increases the odds that it is a scam 10x. Then really do talk to your boss or corporate security or someone and figure out whether it is a scam or not.
#4 – Guard your email. Since your email account is often the mechanism that web sites use to allow you to reset your password, if the attacker has access to your email, they have access to almost any account they want. DO NOT use easy to guess passwords. Do not leave your email logged in – log out when you are done (that does not mean just closing the browser window). Even ignoring the password reset, your email is a treasure trove of your life and makes social engineering you much easier.
#5 – Physical Security. Physical security is still very important. From the days of the old spy movies where they planted a bug in the target’s office to today where they might plant a keystroke capture gizmo on the keyboard of your computer or a micro camera and microphone, physical security is still king. If the bad guys come and steal your computer or your company’s servers, they can attack them at their leisure. That is why crooks often steal a safe instead of breaking into it on the spot. That way if it takes them a couple of hours, who cares.
In an office environment, walking in with a uniform that looks like a janitor, exterminator or electrician – in broad daylight – along with a little bit of schmoozing – can get you into many offices. Trust me, I know.
Moral of this story – Locks, alarms, lighting, security cameras and suspicious neighbors are all still very useful.
Note: The idea for this chapter came from an article in Network World – http://www.networkworld.com/