Social Engineering is something we are all exposed to every day, from watching the daily news to advertisements. Social Engineering is psychological manipulation: how can a target be manipulated into doing something they normally would not do? This can be as simple as manipulating someone to use your product over another, or to buy something they don't really need, through to divulging sensitive information, such as passwords, or transferring money.
Social Engineering is the process of exploiting a specific set of human weaknesses - sympathy, for example. Most people think of themselves as nice people who are willing to help others, and attackers use this to exploit a target's weakness. A common trick is to hack someone's Facebook or email account. The attacker then sends a message to a friend, or frequent contact, stating that they are on holiday, have had their money stolen, and need a loan to get home. Being a nice person, you agree to send money over the internet to your friend, unaware that the destination bank details belong to the attacker, not your friend.
Greed is another weakness that is exploited, especially by the "Nigerian Scam". These usually revolve around someone with a lot of money looking to get it out of the country. They require a small amount of money to set up an account in your name, and promise to transfer all their money to you for safekeeping. When they leave the country, you return half the money to them and keep the other half for yourself. The reality is that you transfer the "set-up fee" to them and never hear from them again.
Social engineering is not limited to social media and email though; it can happen human to human, either in person or via telephone, where someone convinces you to do things that you would not normally do. Some would call that marketing, and it is a very fine line, but it can be a lot more sinister than that. The intent is usually the decisive factor. The intent may be simply to sell you a product, or it could be to get you to disclose a password or bank details.
Computer-based social engineering is very cheap and incredibly easy to perform. It typically requires a vulnerable site that exposes a cross-site scripting (XSS) vulnerability; this is then exploited to inject anything from key loggers (a program which captures every key you press) to malware and even ransomware. Even ad servers can be compromised, so legitimate websites running adverts can serve infected content in this way. A typical attack would be to show the user a fake Facebook login box, simply stating that their session has timed out and that they need to re-enter their details. The unsuspecting user, usually on autopilot, fills in their details, hits OK, and carries on browsing as if nothing happened. In reality, the username and password were just sent to the attacker. Some attacks are more sophisticated, and the payload (the content of the attack) can be anything from a key logger to software that takes control of your computer, to the point of activating your webcam, enrolling the machine in a botnet, or installing persistent monitoring software.
Curiosity is another weakness. If you don't do this then you miss out on... A common trick is the "Find out which of your [Facebook/Instagram/Twitter] friends have viewed your profile." Who isn't curious about that? It then lists the steps the user must perform in order to see which of their friends has looked at the profile. In reality, these users have been duped into performing an XSS attack on themselves by executing scripts in their own browser. The end result is similar to the example above: the attacker now has access to that person's browser session. The social engineering aspect relies on the fact that the person is so focused on the end goal that they don't pay much attention to the steps being executed. How many Facebook users know what a malicious script looks like? They will just copy and paste the code as directed.
Social engineering doesn't necessarily involve computers. It can also involve phone calls or in-person meetings. Typical examples are fake IT support voice calls, either claiming to be from the IT help desk of your company or, in the case of individuals, from Microsoft or Apple support. In either case, they will typically state that they are from whichever department or company, that a problem or virus has been detected on your computer, and that you need to perform certain steps to remove the threat, or face having your internet disconnected or your computer locked out to ensure that the threat is contained and cannot spread to other devices. The unsuspecting victim, panicked by these threats, then performs the actions given over the phone and grants the attacker access to the computer. From then on, any number of malicious programs can be installed.
Another telephone example is the fake call from the bank. Someone, or an automated system, will call you stating that fraudulent activity has been detected on your account. They will then prompt you to read out or key in your card number to verify your details. They will then list a few transactions (which are obviously not genuine) and ask for further details in order for these transactions to be reversed and the block on your card removed. Bingo! They now have the details they need to empty your account.
Both of these examples of social engineering exploit the human weakness of fear: fear of being disconnected or blocked.
Another example of exploiting curiosity is that of the ubiquitous USB stick. An attacker will deliberately leave USB sticks around in a public place, in car parks, on a train or in a cafe, for example. The average person will be curious about its contents, and may take the device home and plug it into their computer. Simply by plugging in the device, your computer is infected with a virus, malware or ransomware. In seconds.
In person, social engineering can also take many forms and exploit various weaknesses. In your place of work, have you ever held a door open for someone you don't know, perhaps because they were carrying something large or heavy? Who was that person you let in? Should they have been allowed in, or did you just let in a social engineer who now has physical access to your company network? With physical access, a social engineer can plug any device into the network to capture and re-transmit information. They can swipe printouts from the printer, copier or fax machine. They can even steal information from the trash can or recycling bins.
Digital forensics is the process of gathering information about a target by analysing their digital footprint. Think about the amount of information on your Facebook profile: when you went on holiday, where you went, maybe even a photograph revealing the airline you used. From that information, an attacker can work out your flight number and other details, so that a fake email asking for confirmation of payment details, clearly stating your airline, travel times and dates, and even the flight number, looks all the more legitimate.
Last updated: 2017-06-17