Social Engineering Notes

This document discusses social engineering techniques used by attackers to manipulate people into revealing confidential information or gaining unauthorized access to computer systems. It defines social engineering as exploiting human psychology rather than technical hacking skills. Various social engineering methods are described, including pretexting, phishing, quid pro quo exchanges, and leaving malware-infected devices in public places hoping someone will connect to them. The document emphasizes that social engineering remains an effective technique because human operators are still involved in all computer systems.

Uploaded by VinayUchil
Copyright: Attribution Non-Commercial (BY-NC)

SOCIAL ENGINEERING

Introduction
As technical attacks on systems have increased, so have the technology-based
countermeasures used successfully to thwart them. As a result, attackers are shifting
their focus and are increasingly targeting people through social engineering methods,
often gaining unnoticed access to computer systems and sensitive data. This is due to
the widely accepted fact that people are the 'weakest link' in a security framework. In
the era of laws and regulations such as SOX (Sarbanes-Oxley), GLBA (Gramm-Leach-Bliley
Act), HIPAA (Health Insurance Portability and Accountability Act) and more, it becomes
imperative for everyone to prepare for, defend against and react to these attacks.

What is Social Engineering?
Social engineering pursues the same goal as hacking, but it is termed social engineering
because the attacker uses human interaction (social skills) rather than technical means
to obtain information about an organization or its computer systems. An attacker may
seem trustworthy, reliable and respectable, possibly claiming to be a new employee,
repair person or researcher, and may even offer credentials to support that identity.

Social Engineering is a collection of techniques used to manipulate people into
performing actions or divulging confidential information. While similar to a confidence
trick or a simple fraud, the term typically applies to trickery for information gathering or
computer system access. In most cases the attacker never comes face-to-face with the
victims, and the latter seldom realize that they have been manipulated.

Why Social Engineering?
Social Engineering exploits human error or weakness (i.e. 'cognitive biases') to gain
access to a system despite the layers of defensive security controls that may have been
implemented. A hacker may have to invest a lot of time and effort in breaking an access
control system, but will find it much easier to persuade a person to allow admittance to
a secure area or even to disclose confidential information. Despite the automation of
machines and networks today, there is no computer system in the world that is not
dependent on human operators at one point in time or another. Human interfaces will
always be there to provide information and perform maintenance of the system.

Key Challenges
Despite the enormous security threat posed by Social Engineering, very little is ever
highlighted about it. The primary reason for the lack of discussion about Social
Engineering can be attributed to shame. Most people see Social Engineering as an attack
on their intelligence and wit, and no one wants to be considered ignorant or dumb for
having been duped. This is why Social Engineering gets hidden in the closet as a "taboo"
subject, whereas the fact is that no matter who a person is, he / she may be susceptible
to a Social Engineering attack.
Behaviors Vulnerable to Social Engineering Attacks
Social Engineering has always existed in some form or other, primarily because of some
very natural facets of human behavior. A social engineer exploits these behavior patterns
to drive the target towards becoming a victim of the attack. Common human behaviors
that are exploited by social engineers are shown in the accompanying image (not
reproduced in this text).

Social engineering is still the most effective and probably the easiest method of getting
around security obstacles. The sign of a truly successful social engineer is that they
extract information without raising any suspicion about what they are doing.

Reverse Social Engineering, on the other hand, describes a situation in which the
target makes the initial approach and offers the hacker the information they want.
Such a scenario may seem unlikely, but figures of authority (particularly technical or
social authority) often receive vital personal information, such as user IDs and
passwords, because they are above suspicion. In this 'cake-walk' scenario for a hacker,
the victims themselves reveal information or provide access, without anyone having to
manipulate them.
Categories of Social Engineering
There are two main categories under which all social engineering attempts could be
classified: computer or technology-based deception, and purely human-based
deception.
The technology-based approach is to deceive the user into believing that he is
interacting with a 'real' application or system and get him to provide confidential
information. For instance, the user gets a popup window informing him that the
computer application has a problem and that he will need to re-authenticate in order to
proceed. Once the user provides his ID and password in that popup window, the
damage is done. The hacker who created the popup now has the user's ID and
password and is in a position to access the network and the computer system with the
credentials of that user.
Attacks based on the non-technical approach are perpetrated purely through deception,
i.e. by taking advantage of the victim's human behavior weaknesses (as described
earlier). For instance, the attacker places a call to the help desk impersonating a person
of great authority, such as a senior manager, and says that he / she has forgotten his
password and needs it reset right away. The help desk person resets the password and
gives the new password to the person waiting at the other end of the phone. The
attacker now has all the access needed to perform any malicious activity with the
credentials of the actual user.
Technical Attack Vectors

Phishing
This term applies to an email appearing to have come from a legitimate business, bank
or credit card company, requesting "verification" of information and warning of some
dire consequence if it is not done. The email usually contains a link to a fraudulent web
page that looks legitimate, with company logos and content, and has a form that may
request usernames, passwords, card numbers or PIN details.

Prevention: If you receive an email from an unknown sender, do not respond to it, and
do not click on links received from unknown senders.
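As an added example (not part of the original notes), the following Python script applies the check described above to a constructed HTML email: it flags links whose visible text, or the sender's own domain, claims one site while the href actually points to another. All domains and the message body are assumed sample values, not real indicators.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (fictitious .test/.example domains): the first link shows the
# bank's own address as its visible text, but its href points at another host.
SAMPLE_MAIL = """\
From: "Example Bank" <alerts@example-bank.test>
Subject: Verify your account within 24 hours
Content-Type: text/html

<p>Your account will be suspended unless you verify it now:</p>
<a href="http://example-bank.test.verify-login.example">https://www.example-bank.test/verify</a>
<a href="https://www.example-bank.test/help">Help centre</a>
"""
class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def site_of(host):
    """Crude 'site' name: the last two labels of a hostname (enough for this demo)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def suspicious_links(raw_mail):
    """Return hrefs whose real site differs from the site the visible text (or sender) claims."""
    msg = message_from_string(raw_mail)
    sender_site = site_of(parseaddr(msg["From"])[1].rpartition("@")[2])
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    flagged = []
    for href, text in collector.links:
        target_site = site_of(urlparse(href).hostname or "")
        shown = re.match(r"https?://([^/\s]+)", text)  # does the visible text look like a URL?
        claimed_site = site_of(shown.group(1)) if shown else sender_site
        if target_site != claimed_site:
            flagged.append(href)
    return flagged
```

Running `suspicious_links(SAMPLE_MAIL)` returns only the first, deceptive href; the "Help centre" link, whose destination matches the sender's site, is not flagged.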

Vishing
This is the practice of leveraging Voice over Internet Protocol (VoIP) technology to trick
the public into revealing private personal and financial information for the purpose of
financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the
public's trust in landline telephone services, which have traditionally terminated in
physical locations known to the telephone company and associated with a bill-payer.
However, with the advent of VoIP, telephone services may now terminate in computers,
which are far more susceptible to fraudulent attacks than traditional "dumb" telephony
endpoints.

Prevention: Don't give any financial or personal information to unknown people over the
phone; confirm whom you are speaking to and cross-check with the company or bank
concerned before giving any information.

Spam Mails
E-mails that offer friendship, diversion, gifts and various free pictures and information
take advantage of the anonymity and camaraderie of the Internet to plant malicious
code. The employee opens e-mails and attachments through which Trojans, viruses,
worms and other uninvited programs find their way into systems and networks. He or
she is motivated to open the message because it appears to offer useful information
(such as security notices or verification of a purchase), promises an entertaining
diversion (such as jokes, gossip, cartoons or photographs), or gives away something for
nothing (such as music, videos or software downloads). The outcome can range in
severity from nuisance to system slow-down, destruction of entire communication
systems or corruption of records.

Popup Window
The attacker's rogue program generates a popup window saying that the application
connection was dropped due to network problems, and that the user now needs to
re-enter his ID and password to continue with his session. The unsuspecting user
promptly does as requested, because he wishes to continue working, and forgets about
it. Later it is heard that there has been an attack on the system, but the user never
realizes that he / she was the one who opened the gate!
Baiting

Baiting is like the real-world Trojan Horse: it uses physical media and relies on the
curiosity or greed of the victim. In this attack, the attacker leaves a malware-infected
floppy disk, CD-ROM or USB flash drive in a location sure to be found (bathroom,
elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label,
and simply waits for the victim to use the device.
For example, an attacker might create a disk featuring a corporate logo, readily available
from the target's web site, and write "Executive Salary Summary Q2 2010" on the front.
The attacker would then leave the disk on the floor of an elevator or somewhere in the
lobby of the targeted company. An unknowing employee might find it and subsequently
insert the disk into a computer to satisfy their curiosity, or a Good Samaritan might find
it and turn it in to the company. In either case, as a consequence of merely inserting the
disk into a computer to see its contents, the user would unknowingly install malware on
it, likely giving the attacker unfettered access to the victim's PC and perhaps the
targeted company's internal computer network.

Prevention: Don't insert any device that was left unattended or given to you by an
unknown person.

Quid pro quo

Quid pro quo means something for something:

• An attacker calls random numbers at a company claiming to be calling back from
technical support. Eventually they will hit someone with a legitimate problem, grateful
that someone is calling back to help them. The attacker will "help" solve the problem
and in the process have the user type commands that give the attacker access or
launch malware.

• In a 2003 Information Security survey, 90% of office workers gave researchers what
they claimed was their password in answer to a survey question in exchange for a
cheap pen. Similar surveys in later years obtained similar results using chocolates and
other cheap lures, although they made no attempt to validate the passwords.
Non-Technical Attack Vectors
Pretexting / Impersonation
This is the act of creating and using an invented scenario (the pretext) to persuade a
target to release information or perform an action, and is usually done over the
telephone. It is more than a simple lie, as it most often involves some prior research or
set-up and makes use of pieces of known information (e.g. date of birth, mother's
maiden name, billing address etc.) to establish legitimacy in the mind of the target.

Prevention: Be cautious: strangers may try to fool you by creating a false situation and
making you believe it in order to collect confidential information.

Dumpster Diving
Seldom would someone think that throwing away junk mail or a routine company
document without shredding could be a risk. However, that is exactly what it could be if
the junk mail contained personal identification information, or credit card offers that a
'dumpster diver' could use in carrying out identity theft. The unsuspecting 'trash thrower'
could give the dumpster diver his break. Company phone books, organization charts and
the locations of employees, especially management-level employees, let the hacker
impersonate staff to his / her benefit. Unshredded procedure and policy manuals can
help the hacker become knowledgeable about the company's policies and procedures,
and thus be able to convince the victim of their authenticity. The hacker can use a sheet
of paper with the company letterhead to create official-looking correspondence. A
hacker can also retrieve confidential information from the hard disk of a discarded
computer, as there are numerous ways to retrieve information from disks even if the
user thinks the data has been 'deleted'.

Prevention: Don't dump any confidential papers into the trash; before dumping, make
sure they don't contain any important information.

Spying and Eavesdropping
A clever spy can determine the ID and password by observing a user typing it in
(shoulder surfing). All that needs to be done is to stand behind the user and be able to
see his fingers on the keyboard. If the policy is for the help desk to communicate the
password to the user via the phone, then if the hacker can eavesdrop on or listen in to
the conversation, the password has been compromised. An infrequent computer user
may even be in the habit of writing the ID and password down, thereby providing the
spy with one more avenue to get the information.

Acting as a Technical Expert
This is the case where an intruder pretends to be a support technician working on a
network problem and requests the user to let him access the workstation and 'fix' the
problem. The unsuspecting user, especially if not technically savvy, will probably not
even ask any questions or watch while the computer is taken over by the so-called
'technician'. Here the user is trying to be helpful and do his part in fixing a problem in
the company's network.
Hoaxing
A hoax is an attempt to trick an audience into believing that something false is real.
Unlike a fraud or con (which is usually aimed at a single victim and is made for illicit
financial or material gain), a hoax is often perpetrated as a practical joke, to cause
embarrassment, or to provoke social change by making people aware of something. It
may also lead to sudden decisions being taken out of fear of an untoward incident.

Prevention: Beware: don't believe e-mails received from unknown senders, and never
give out financial information.

Authoritative Voice
The attacker can call up the company's computer help desk and pretend to have trouble
accessing the system. He / she claims to be in a very big hurry, needs his password
reset immediately and demands to know the new password over the phone. If the
attacker adds credence to his / her story with information that has been picked up
through other social engineering methods, the help desk personnel are all the more
likely to believe the story and do as requested.
