The human mind has always been influenced from the outside. As groups formed in order to improve the chance of survival, different positions emerged. A ranking was established, from the lowest tier up to the alpha male and female. Each position carried more responsibilities, as well as more benefits. We can still see this behaviour in the animal kingdom, as it provides enough benefits to guarantee the survival of the group. At the very beginning, the strongest held the leading positions, and this has always led to a struggle for power. Some obtained power through pure strength; later, others used their wits to manipulate people in order to gain some sort of advantage over them. I want to take a closer look at how precisely others can be manipulated, in the computational era, into doing what someone wants. The following definition from webopedia provides a guideline for what is considered to be Social Engineering.
„In the realm of computers, the act of obtaining or attempting to obtain otherwise secure data by conning an individual into revealing secure information. Social engineering is successful because its victims innately want to trust other people and are naturally helpful.“
Everybody who has an email account and is active on the Internet, be it as a regular online shopper using PayPal or Internet Banking, a businessman, or as a gamer playing World of Warcraft, has received a phishing email. But what is Phishing?
The word sounds really familiar. Just like fishing, you put bait on your hook, throw it into the water and then wait for something, or in our case somebody, to take the bait. The only difference is that a phisher has to do a lot more work to reach his goal.
The plan behind a phishing attack is the following: You know that a lot of people, some of them hopefully unsuspecting and gullible, use online services. Common knowledge says that these people need to log into said services in order to use them. Therefore, they have to provide a username and password. Phishers are highly interested in those. But they can't simply break into the database to steal them. If one could joyfully waltz through the server security, one would just do so. That's why attackers have created a smart way to get the victims to hand their personal information over themselves. To successfully do so, all they need is a list of email addresses, which can easily be bought in certain places, and a clone of the login page of the targeted website. Over the last years, these clones have become top-notch. At first glance, you can tell no difference at all. They are so sophisticated that you need the original website right beside the copy in order to tell the difference; the only reliable tell is the address bar, because the clone has to live on a domain the phisher controls. But who suspects such a thing and always compares every website they log into? Phishers count on the trust that users have in their websites, especially in websites using HTTPS. However, HTTPS sites are no longer safe from phishing attacks either, as this graph implies: the padlock only confirms an encrypted connection to whichever domain the phisher registered, and certificates for such look-alike domains are cheap or free, so a phishing page can present a valid padlock just like the original.
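To make the address-bar check concrete, here is an added example (not code from the original article) that scans the links in an email for the patterns cloned login pages typically use: a brand's domain tucked into a subdomain of an attacker-owned domain, digit-for-letter substitutions, one-character typosquats, the brand name padded with extra words, bare IP addresses, and internationalized (punycode) hostnames. The protected brand list, the homoglyph table and the sample mail are constructed for the example; a real filter would use the Public Suffix List instead of the naive "last two labels" rule. Note that the scheme (http vs https) is deliberately never used as a signal.

```python
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed list of brand domains the filter protects (assumption, not from the article).
PROTECTED_DOMAINS = {"paypal.com", "worldofwarcraft.com", "battle.net"}

# Constructed table of ASCII look-alikes phishers substitute for real letters.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def registrable_domain(host):
    """Naive registrable domain: last two labels (use the Public Suffix List in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(label):
    """Fold Unicode compatibility forms and common ASCII homoglyphs to their intended letters."""
    s = unicodedata.normalize("NFKC", label).lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def levenshtein(a, b):
    """Plain edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_reason(url):
    """Return a reason string if the URL looks like it impersonates a protected brand, else None.

    The URL scheme is intentionally ignored: a valid HTTPS padlock proves nothing about
    who owns the domain, so https:// must not lower the score.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "no host in URL"
    try:
        ipaddress.ip_address(host)
        return "bare IP address instead of a hostname"
    except ValueError:
        pass
    if any(ord(c) > 127 for c in host) or "xn--" in host:
        return "internationalized domain name (possible Unicode homoglyph attack)"
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return None  # the real site
    # paypal.com.account-verify.net: the brand's whole domain used as a subdomain label.
    for d in sorted(PROTECTED_DOMAINS):
        if d in host:
            return "protected domain '%s' embedded in attacker-controlled host" % d
    label = normalize(reg.split(".")[0])
    for brand in sorted(d.split(".")[0] for d in PROTECTED_DOMAINS):
        if label == brand:
            return "digit/letter substitution of brand '%s'" % brand
        if len(brand) >= 5 and levenshtein(label, brand) <= 1:
            return "typosquat within edit distance 1 of brand '%s'" % brand
        if brand in label:
            return "brand '%s' combined with extra words" % brand
    return None


def scan_mail(text):
    """Extract every URL from an email body and return the ones flagged, with their reason."""
    return [(u, impersonation_reason(u)) for u in URL_RE.findall(text) if impersonation_reason(u)]


# Constructed phishing email used as sample input (not a real message).
SAMPLE_MAIL = """Dear customer,
We noticed unusual activity. Please confirm your details at
https://paypal.com.account-verify.net/login within 24 hours.
Questions? Visit https://www.paypal.com/help or
http://paypa1.com/support
"""

if __name__ == "__main__":
    for url, reason in scan_mail(SAMPLE_MAIL):
        print("FLAGGED", url, "->", reason)
```

Run against the sample mail, the two look-alike links are flagged and the genuine www.paypal.com link is not. The heuristics are deliberately simple; the point is that every one of them inspects the hostname, which is the only part of a cloned page the phisher cannot copy.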
As phishing emails can be sent out to thousands, even millions of users at the same time, it is highly efficient, provided the setup is convincing. A good example is the following picture.
The majority of phishing attempts take place in Russia, the USA, India, and Germany. Depending on the location, attackers can tailor emails to better fit their targets. Kaspersky has released an interesting report, based on telemetry from their anti-virus software, containing information about where the attacks were hosted, by how much they have increased and who was targeted. It implies that the situation is not getting better, and that more and more people are falling victim to phishing.
We might think that phishing is a side effect of our modern age. However, it has been around for well over a century. Most people have heard about the Nigerian Prince, who, poor soul, has just too much money on his hands. He needs your bank account info in order to transfer some of that money to you. A similar scam, called the „Spanish Prisoner“, was already tricking people around 1900. It was a finely crafted letter which, just like our phishing websites, tried to trick people into handing over their money under false pretenses.
Vishing is a term tightly connected to phishing. It stands for Voice Phishing. In this case, however, no emails are sent out. It is a more tedious approach to collecting the wanted data from a target. The Social Engineer calls the person who holds the wanted information and tries to manipulate him or her into handing it over. This can be done by pretending to be somebody else, usually someone from a credit card company, or even the telephone company the target has a contract with. They act as if something has to be confirmed, and get the target to reveal their password or credit card information.
In Europe, especially in Germany, there is a huge Vishing ring focusing solely on the elderly. They use the so-called „Grandchild fraud“. They call random numbers, wait to hear who answers and determine whether the person fits their pattern or not. Afterwards they talk to them, pretending to be a grandchild who is in financial trouble and in need of some money. It sounds rather conspicuous, but it is shocking how easily people give the information away. A simple
„Hi Grandma Gretel, it’s me, your grandson.“
„Oh, is that you Klaus?“
is enough information for them to start their ruse. After they know that there is a grandson named Klaus, they start building up trust. Once they are regarded as someone familiar, which doesn't take too long considering the advanced psychological skills these Social Engineers possess, they start asking for money. Grandparents often only want the best for their family, and agree to it. Then they set a date to meet up. Shortly before the meeting, Klaus suddenly can't make it, but will send somebody else to pick up the money. And once the money is gone, there is no getting it back. The scale of this fraud is unbelievable and cannot be precisely estimated, as a lot of the victims are either too ashamed to admit they have fallen for it, or are simply no longer in the mental condition to go to the police. And as the scam is still going on, there is no way of knowing how many more people will fall for it. The damage caused up to now goes into the millions. In 2008/2009 alone, the tricksters collected over 5 million SFr in Switzerland.
We all see the „Protect your PIN“ signs whenever we go to the ATM, and shoulder surfing is the reason for that. If somebody wishes to get information from you, the easiest way is to simply observe it while you type or fill it in. Especially in crowded places, shoulder surfing is a big problem. But PINs are not the only target. Social Security Numbers, access codes, locker codes, basically any type of code is valuable. Shoulder surfing has been around for much longer than ATMs, of course. Especially in school, when you forgot your homework and didn't want to get in trouble, just copying it from the person in front of you has always been an attractive alternative.
Another, more or less direct, form of shoulder surfing is outright interfering in another person's business. These two gentlemen are a good representation of this method. While the victim is standing in front of an ATM, person A approaches her. He distracts the woman, who has just entered her PIN to withdraw money. Partner-in-crime B uses the distraction to hastily grab the card, or the dispensed money, from the cash machine.
Baiting, this form of Social Engineering, relies on human curiosity. An item used to store data is left at a location where people will definitely see it and pick it up. For example, in the staff lounge of a big office building, someone leaves a USB stick with "John" written on top of it. As there is a high chance that people know somebody named John, they will either return it directly to him, or take a look at the content first. Either way, the stick will be plugged into a corporate computer, as nobody wants to endure the suspense of not knowing. As soon as it gets plugged in, a virus, Trojan, or worm spreads into the whole corporate network, either through the operating system's autorun feature or because the payload is disguised as photos or files people would be interested in and gets opened by hand. This allows the attackers to bypass firewalls and security checkpoints in the network, because the malware starts on a machine that is already inside. Thanks to that, they can steal important corporate secrets, or install a live feed inside meeting rooms by activating microphones and cameras on laptops or security cameras. It has been tested by many security companies, and a significant number of tests showed that the curiosity of the human mind outweighed its sense of possible danger. The famous worm Stuxnet was spread via USB drives this way. That's why the US government did some testing on the effectiveness of baiting as well. That test found that a randomly dropped data storage device was inserted 60% of the time, and even 90% of the time if it had a company logo on it. The practical countermeasures are well known: disable autorun, and only allow inventoried, company-issued removable drives on corporate machines.
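Since the bait only works once the stick is plugged into a corporate machine, the plug-in event itself is the thing to detect. Below is an added example (not from the original article) that parses Linux kernel log lines for USB mass storage attachments and raises an alert for every drive whose serial number is not on an allowlist of company-issued devices. The log excerpt, the host names, the allowlist and the serial numbers are constructed for the example; the line formats follow what the Linux usb and usb-storage drivers print.

```python
import re

# Constructed allowlist of serial numbers of company-issued drives (assumption, not from the article).
ALLOWED_SERIALS = {"CORP0042", "CORP0043"}

# Kernel messages printed when a USB device enumerates and when usb-storage claims it.
NEW_DEV = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: usb (?P<port>[\d.-]+): "
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
ATTR = re.compile(
    r"kernel: usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$"
)
STORAGE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: usb-storage (?P<port>[\d.-]+):[\d.]+: "
    r"USB Mass Storage device detected"
)


def storage_events(lines):
    """Correlate per (host, port) and return one record per mass-storage device that attached."""
    devices = {}   # (host, port) -> partially filled record while the device enumerates
    events = []
    for line in lines:
        m = NEW_DEV.search(line)
        if m:
            devices[(m["host"], m["port"])] = {
                "time": m["ts"], "host": m["host"], "port": m["port"],
                "vid": m["vid"], "pid": m["pid"],
                "manufacturer": "", "product": "", "serial": "",
            }
            continue
        m = ATTR.search(line)
        if m:
            host = line.split(" kernel: ")[0].split()[-1]
            rec = devices.get((host, m["port"]))
            if rec is not None:
                field = {"Product": "product", "Manufacturer": "manufacturer",
                         "SerialNumber": "serial"}[m["key"]]
                rec[field] = m["val"].strip()
            continue
        m = STORAGE.search(line)
        if m:
            rec = devices.get((m["host"], m["port"]))
            if rec is not None:
                events.append(dict(rec))  # copy: the device may re-enumerate later
    return events


def unauthorized_drives(lines):
    """Alerts: every mass-storage attachment whose serial is not a company-issued drive."""
    return [e for e in storage_events(lines) if e["serial"] not in ALLOWED_SERIALS]


# Constructed kernel log excerpt: one unknown stick on ws-17, one corporate drive on ws-22,
# and a wireless mouse receiver that is not storage at all.
SAMPLE_LOG = """\
Mar  3 09:12:01 ws-17 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
Mar  3 09:12:01 ws-17 kernel: usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Mar  3 09:12:01 ws-17 kernel: usb 1-1: Product: Ultra
Mar  3 09:12:01 ws-17 kernel: usb 1-1: Manufacturer: SanDisk
Mar  3 09:12:01 ws-17 kernel: usb 1-1: SerialNumber: 4C530001230412345678
Mar  3 09:12:01 ws-17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar  3 09:12:02 ws-17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Mar  3 09:30:45 ws-22 kernel: usb 2-3: New USB device found, idVendor=13fe, idProduct=4300, bcdDevice= 1.00
Mar  3 09:30:45 ws-22 kernel: usb 2-3: Product: Corp Encrypted Drive
Mar  3 09:30:45 ws-22 kernel: usb 2-3: Manufacturer: Example Corp
Mar  3 09:30:45 ws-22 kernel: usb 2-3: SerialNumber: CORP0042
Mar  3 09:30:45 ws-22 kernel: usb-storage 2-3:1.0: USB Mass Storage device detected
Mar  3 10:02:10 ws-17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Mar  3 10:02:10 ws-17 kernel: usb 1-2: Product: USB Receiver
Mar  3 10:02:10 ws-17 kernel: usb 1-2: Manufacturer: Logitech
"""

if __name__ == "__main__":
    for alert in unauthorized_drives(SAMPLE_LOG.splitlines()):
        print("ALERT %(time)s %(host)s port %(port)s: %(manufacturer)s %(product)s "
              "(%(vid)s:%(pid)s) serial %(serial)s is not a company-issued drive" % alert)
```

On the sample excerpt, only the unknown SanDisk stick on ws-17 produces an alert; the corporate drive is on the allowlist and the mouse receiver never reaches the usb-storage driver. Feeding the same function the output of `journalctl -k` on a fleet of hosts turns the "found USB stick" scenario into a detectable event rather than a silent one.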
Tailgating is a term borrowed from traffic. Instead of tailgating a car (following it extremely closely without keeping a safe distance), you tailgate a person. This is especially effective if you need to get into a restricted area in a hospital, office building, or even a university. Simply stay close behind a person when they enter a room. Common courtesy usually makes them hold the door for you. And if they don't, just wait for another person, mumble something about forgotten keys and put on a sad face. The desire to help, and to be liked by another person, gets you that door open.
Pretexting is the most elaborate, and final, form of Social Engineering. To create an authentic pretext, one must gather enough information about a company or person. Depending on the goal, more or less information is needed. It combines the various forms of Social Engineering in order to convince the victim to release the desired information. A good pretexter does sufficient research to achieve this. This includes: the website of the company, employers and employees, customers, personal information about employees, security structures, locations, possible governmental affiliations or institutions the company deals with, etc. The following video shows, however, that sometimes you just need one person to get into a system.
At the annual hacker convention DefCon in 2010, a contest was held. The goal of this contest was to use Social Engineering in order to infiltrate various companies, including big players like Microsoft, Apple, Google, Cisco, and many more. No sensitive information, like financial reports, IDs or passwords, was taken. In fact, such information was strictly off-limits. The targets, called flags, were schedules, browser versions, or getting employees to open certain URLs. And it is important to know that the majority of the participants were not experts in the field. Two weeks before the event, each contestant was given a company name. They were allowed to use these two weeks to prepare for the contest; gathering information about the company was the main activity during that time. During the contest, each participant had 30 minutes. 5 minutes were used to explain their strategy, and the rest to capture as many flags as possible. They all approached the goal in a different way, but as long as there was a human interaction over the phone, flags were captured.
After all that scary manipulation and hacking, one can hopefully understand why following the three magic words every system administrator loves so much makes them the happiest person in the world: Don't trust anybody. Ever. Always ask yourself why somebody would need that information. If your grandmother calls you because she has gone into debt and needs some money wired via PayPal, just laugh and hang up. Because you know that your granny still thinks that emails take 2-3 days to be delivered by the mailman.
Social Engineers can be dangerous and harmful if they have the wrong intentions. We cannot fix the problem of Social Engineering. No matter how refined the software is, no matter how outstanding the security, at the end of the day a company relies on its employees. And for as long as people have been able to communicate, they have been lying to get what they want. We can only protect ourselves through education.