Eikonal Blog

2010.12.07

Social engineering

Sites

Articles

  • article on Social Engineering at WikiPedia – http://en.wikipedia.org/wiki/Social_engineering_%28security%29
    • List of techniques: Pretexting (using an invented scenario, or pretext, to persuade the victim of the social engineer’s veracity), Diversion theft (persuading delivery personnel that the delivery location has changed), Phishing (fraudulently obtaining private information), Phone phishing (= IVR [Interactive Voice Response]), Baiting (exploiting the victim’s greed to plant malware on their systems), Quid pro quo (getting the victim to share private information in exchange for something offered to them for free), Tailgating (gaining access to restricted areas by following on somebody’s coattails)
    • “Confidence Trick” article at WikiPedia – http://en.wikipedia.org/wiki/Confidence_trick
  • “Social Engineering: The Basics” by Joan Goodchild (CSO; 2012.12.20) – http://www.csoonline.com/article/514063/social-engineering-the-basics
    • What is social engineering? What are the most common and current tactics? A guide on how to stop social engineering.
  • “3 tips for using the Social Engineering Toolkit” by Joan Goodchild (CSO; 2012.04.26) – http://www.csoonline.com/article/705106/3-tips-for-using-the-social-engineering-toolkit
    • Dave Kennedy, author of social-engineer.org’s Social Engineering Toolkit, offers advice for getting the most out of this pen-testing program
  • “How to sneak into a security conference” by Joan Goodchild (CSO; 2012.02.28) – http://www.csoonline.com/article/701040/how-to-sneak-into-a-security-conference
    • A social engineering expert details how he managed to go anywhere he wanted at RSA 2012, and then got a free conference badge under a pseudonym to boot
  • “5 more dirty tricks: Social engineers’ latest pick-up lines” by Joan Goodchild (CSO; 2011.09.26) – http://www.csoonline.com/article/690451/5-more-dirty-tricks-social-engineers-latest-pick-up-lines
    • From a new twist on tech support to playing the odds with a large number of desperate job seekers, today’s social engineers are getting very specific in their plans to manipulate their marks:
      • 1) “This is Microsoft support — we want to help”
      • 2) “Donate to the hurricane recovery efforts!”
      • 3) “About your job application…”
      • 4) “@Twitterguy, what do you think about what Obama said on #cybersecurity? http://shar.es/HNGAt”
      • 5) “Get more Twitter followers!”
  • “Social engineering techniques: 4 ways criminal outsiders get inside” by Joan Goodchild (CSO; 2011.09.26) – http://www.csoonline.com/article/596512/social-engineering-techniques-4-ways-criminal-outsiders-get-inside
    • Your security plan goes from locked down to wide open when a social engineer pulls off these techniques to gain insider access
    • 1) Alternative communication channels – Scam artists make use of alternative channels of communication because they catch people off guard, said Zeltser. “Attackers find their victims are more susceptible to influence when the attacker engages them using a different medium than the victim is used to,” he said. He pointed to the example of a scam that used windshield flyers. The flyers alerted drivers that their car was “in violation of standard parking regulations” and asked them to log onto a site where they could get more information.
    • 2) Personally-relevant messaging – People don’t want to just get e-mail, they want me-mail. A message that is more personally interesting is going to get more attention, and criminals know that. One worm variant spread by spamming victims with messages that claimed to contain breaking news that had just occurred in their local town. The messages caught the victim’s attention. How? Because the attackers used a geo-location database to determine where victims were coming from and then customized the link accordingly. Of course, if the recipient of the fake message wanted to “read more” about the local news story, they had to download a video player, and instead ended up with malware. Another variation on this kind of scam involves spoofing messages to look like they come from a trusted source. One common attack lately uses delivery company UPS as the scapegoat. The message from “UPS” claims there was a failed attempt to deliver a package, and asks the victim to print out an invoice to take to the UPS center to pick it up. “If I print it, it’s probably going to be a malicious executable or a malicious PDF file, and that’s how they got me.”
    • 3) Social compliance – It is human nature to want to do what others are doing. And our tendency to follow the crowd can also make us social engineering victims. Criminals know you will be more inclined to trust something that is popular, or recommended by trusted sources. It’s this kind of psychology that led to the success of the recent ‘likejacking’ attacks on Facebook. Facebook users were fooled into ‘liking’ websites that claimed to have information about celebrity secrets or photos. Instead, victims found themselves clicking on a maliciously-created website produced by hackers who had hidden an invisible button under the mouse. Clicking on the website hijacked the mouse click and secretly caused users to ‘like’ the webpage. This activity was then published on the victim’s Facebook page, and gave the malicious page legitimacy, causing others to also ‘like’ it. Criminals have also exploited social compliance by uploading malicious software onto a file sharing site where software junkies go to find the latest and greatest products. “The worm then kept hitting the download to artificially inflate the counter so the file would float to the top and appear as the most popular download,” he explained. “If other people like it and download it, I want to see what others download and I download it.”
    • 4) Reliance on security mechanisms – Because we are so used to certain security mechanisms, and often take them for granted, they are no longer protecting us. There is the tale of a scam that featured a social engineer dressed as a police officer who comes into a store. He tells the clerk there have been counterfeit bills passed in the area, and gives the clerk a special pen, which he says can be used to verify real or fake money and will turn red on bills that aren’t legitimate. Later, someone else comes in and passes a fake bill. The clerk flags the bill as possibly fake and uses the pen. But the ink turns green, which indicates it’s OK. In reality, the pen itself was fake, too, and would never have uncovered a fake bill in the first place. It is the clerk’s trust in the police that makes this con work. The same holds true for the many security updates computer users have become accustomed to getting. Flash updates, for example, have been used in this type of exploit. “You go to a site, you get an error message that says you need to download the latest version of Flash,” said Zeltser. “The victim has no way of knowing if they are downloading a legitimate tool, and in many cases they are not. But our victims have been subjected to these messages over and over again and they are so used to the pseudo-security mechanism of the Flash upgrade, that at this point an attacker can use it against them.”
  • “Social engineering: 3 examples of human hacking” by Joan Goodchild (CSO; 2011.02.09) – http://www.csoonline.com/article/663329/social-engineering-3-examples-of-human-hacking
    • Social engineering expert Chris Hadnagy shares juicy tales of successful cons he’s seen as a security consultant, and six prevention tips
  • “Social Engineering: Manipulating Caller-Id” (Jock Today; 2010.02.08) – http://www.jocktoday.com/2010/02/08/social-engineering-manipulating-caller-id/
  • “Mind Games: How Social Engineers Win Your Confidence” by Joan Goodchild (CSO; 2009.07.22) – http://www.csoonline.com/article/497836/mind-games-how-social-engineers-win-your-confidence
    • Brian Brushwood, founder of Scam School, demonstrates the four simple psychological mechanisms underlying social engineering mind games.
    • 1) Social engineers are confident and in control of the conversation: Advise employees not to become too comfortable with allowing outsiders into the building. Visitors (and service providers) should have credentials checked thoroughly — even if they are familiar faces.
    • 2) They give you something: Advise employees to be skeptical of anyone who tries to give them something. Depending on how big the stakes are, an experienced criminal may even spend weeks laying the groundwork to form a reciprocal relationship with staff that can result in access to sensitive or secure areas.
    • 3) They use humor: In a breach or criminal scenario, the social engineer might try to chat with an employee to get information out of him. One good example is the fake IT call, where the caller asks for an employee’s password. It is much more likely that sensitive information will be volunteered if the conversation is fun and puts the employee at ease.
    • 4) They make a request and offer a reason: It’s important to slow down and look and listen to what is happening and what is being said in a work environment. During a hectic day, it may seem easier to wave someone by, or give up information when it is requested. But awareness and presence of mind are paramount to prevent a criminal from taking advantage of you.
  • “9 Dirty Tricks: Social Engineers’ Favorite Pick-Up Lines” by Joan Goodchild (CSO; 2009.02.16) – http://www.csoonline.com/article/480589/9-dirty-tricks-social-engineers-favorite-pick-up-lines
    • Congrats on your inheritance! Okay, you knew that one’s the start of a scam. Here are other come-ons you’ll encounter when criminals come knocking.
    • Social networking scams:
      • 1) “I’m traveling in London and I’ve lost my wallet. Can you wire some money?”
      • 2) “Someone has a secret crush on you! Download this application to find who it is!”
      • 3) “Did you see this video of you? Check out this link!”
    • Office offenses:
      • 4) “This is Chris from tech services. I’ve been notified of an infection on your computer.”
      • 5) “Hi, I’m the rep from Cisco and I’m here to see Nancy.”
      • 6) “Can you hold the door for me? I don’t have my key/access card on me.”
    • Phishing lures:
      • 7) “You have not paid for the item you recently won on eBay. Please click here to pay.”
      • 8) “You’ve been let go. Click here to register for severance pay.”
  • “Social Engineering: Anatomy of a Hack” by Joan Goodchild (CSO; 2009.02.04) – http://www.csoonline.com/article/479038/social-engineering-anatomy-of-a-hack
    • How a social engineering expert gained access to extremely sensitive information with little more than a thrift-shop shirt, a plate of cookies and a Linksys box
  • “Social Engineering: Eight Common Tactics” by Joan Goodchild (CSO; 2008.11.06) – http://www.csoonline.com/article/460135/social-engineering-eight-common-tactics
    • Stealing your company’s hold music, spoofing caller ID, pumping up penny stocks – social engineers blend old and new methods to grab passwords or profits. Being aware of their tactics is the first line of defense.
    • 1) Tactic 1: Ten degrees of separation: The number one goal of a social engineer who uses the telephone as his modus operandi is to convince his target that he is either 1) a fellow employee or 2) a trusted outside authority (such as law enforcement or an auditor). But if his ultimate goal is to gain information from or about employee X, his first calls or emails might go to a different person. … criminals use simple ideas to cozy up to more accessible people in an organization in order to get information about people higher up in the hierarchy.
    • 2) Tactic 2: Learning your corporate language: Every industry has a shorthand, according to Lifrieri. A social engineering criminal will study that language and be able to rattle it off with the best of them. “It’s all about surrounding cues,” he said. “If I’m speaking a language you recognize, you trust me. You are more willing to give me that information I’m looking to get out of you if I can use the acronyms and terms you are used to hearing.”
    • 3) Tactic 3: Borrowing your ‘hold’ music: Successful scammers need time, persistence and patience. Attacks are often done slowly and methodically. The build-up not only includes collecting personal tidbits about people, but also collecting other “social cues” to build trust and even fool others into thinking they are an employee when they are not. Another successful technique involves recording the “hold” music a company uses when callers are left waiting on the phone. “The criminal gets put on hold, records the music and then uses it to their advantage. When he or she calls the intended victim, they talk for a minute and then say ‘Oh, my other line is ringing, hold on,’ and put them on hold. The person being scammed hears that familiar company music and thinks: ‘Oh, he must work here at the company. That is our music.’ It is just another psychological cue.”
    • 4) Tactic 4: Phone-number spoofing: Criminals often use phone-number spoofing to make a different number show up on the target’s caller ID. Of course, unsuspecting victims are more than likely to give private information, like passwords, over the phone if the caller ID legitimizes it. And, of course, the crime is often undetectable afterwards, because if you dial the number back, it goes to an internal company number.
    • 5) Tactic 5: Using the news against you: “Whatever is going on in the headlines, the bad guys are using that information as social engineering lures for spam, phishing and other scams,” said Dave Marcus, director of security research and communications for McAfee Avert Labs. For example, there has lately been a rise in the number of presidential campaign-related and economic crunch-based spam emails. “There have been a bunch of phishing attacks related to banks being bought by others,” said Marcus. “The email will say ‘Your bank is being bought by this bank. Click here to make sure you update information before the sale closes.’ It’s an attempt to get you to release your information so they can log into your account to either steal your money or sell your information to someone else.”
    • 6) Tactic 6: Abusing faith in social networking sites: Facebook, Myspace and LinkedIn are hugely popular social networking sites. And people have a lot of faith in them, according to Marcus. A recent spear-phishing incident targeted LinkedIn users, and the attack was surprising to many. Marcus said that, increasingly, social networking devotees are being fooled by emails that claim to be from sites like Facebook, but are really from scammers. “They will get an email that says: ‘The site is doing maintenance, click here to update your information.’ Of course, when you click on the link, you go to the bad guys’ site.” Advise employees to type Web addresses in manually to avoid malicious links. And also keep in mind that it is very rare for a site to send out a request for a password change or an account update.
    • 7) Tactic 7: Typo Squatting: On the Web, bad guys also bank on the common mistakes people make when they type. When you type in a URL that’s just one letter off, suddenly you can end up with unintended consequences. “Bad guys prepare for typing mistakes and the site they prepare is going to look a lot like the site you thought you were going to, like Google.” Instead of going where they wanted, unsuspecting users who make typing mistakes end up on a fake site that either intends to sell something, steal something, or push out malware.
    • 8) Tactic 8: Using FUD to affect the stock market: The security and vulnerabilities of products, and even entire companies, can make an impact on the equities market, according to new research from Avert. Researchers studied the impact of events such as Microsoft’s Patch Tuesday on the company’s stock and found a noticeable swing each month after vulnerability information was released. “Publicly-released information has an effect on stock prices,” said Marcus. “Another recent example is the fake information that was circulated a few weeks ago about Steve Jobs’ health. Apple stock took a dive on that. That is a clear example of someone inserting FUD and a resulting effect on a stock.” Presumably the culprits held a ‘short’ position which allowed them to profit from this trick. The converse approach is to use email to execute the ancient ‘pump-and-dump’ tactic. A scammer can buy a large volume of a penny stock, then blast out emails under the guise of an investment advisor touting that stock’s great potential (that’s the ‘pump’). If enough recipients of this spam email rush to buy the stock, the price will spike upward. The scammer then quickly ‘dumps’ his shares at a great profit.
  • “Should Social Engineering be a part of Penetration Testing?” (Darknet; 2006.03.01) – http://www.darknet.org.uk/2006/03/should-social-engineering-a-part-of-penetration-testing/
  • “Social Engineering Fundamentals, Part I: Hacker Tactics” by Sarah Granger (Symantec; 2001.12.18) – http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics

Tools
