Social Engineering

Methods and protective measures

What is social engineering?

Social engineering itself is nothing new. It used to be called ‘scamming’; in the digital age the same manipulation is simply applied far more effectively.

Social engineers exploit human traits such as helpfulness, trust, fear or respect for authority to manipulate people into doing what the attacker asks of them. Victims are often tricked into disclosing confidential information, overriding security functions, making bank transfers, or installing malware on their private device or on a computer in the company network.

Social engineering exploits interpersonal skills to bypass security controls. It is often only the entry point (gateway) for other hacking methods, e.g. breaking into a data center to gain access to a customer’s IT system (“Ocean’s 11” says hello).

Social engineering became publicly known primarily through the hacker Kevin Mitnick, who was for a while the most wanted person in the United States. After his release, Mitnick became a security consultant and published the book “The Art of Deception” [1], which describes social engineering techniques using examples. I would like to briefly list and describe the most important ones and explain how you can best protect yourself against such attacks. Mitnick himself says that social engineering is by far the most effective way to get a password; it beats technical approaches to hacking by far in terms of speed.

In my opinion, all social engineering attacks are based on the following human characteristics:

  • Reciprocity: The social engineer exploits the need to return a favor received.
  • Consistency: The social engineer exploits people’s almost compulsive drive to stay consistent with their previous actions.
  • Trust: The victim is fooled into believing that the social engineer is someone they can trust, and for that reason does what the social engineer tells them to do.
  • Authority: The victim is intimidated into doing what is asked of them, because the social engineer poses as an authority figure—often a boss, customer, police officer, or salesperson.
  • Sympathy: The social engineer appears sympathetic and entices the victim to do something that they would otherwise never do. Often the social engineer relies on beauty and sexuality.

What are the most common social engineering attacks?

Phishing emails:

These are email messages designed to trick victims into clicking a link or opening an attachment. The senders of such emails appear trustworthy, although they are not.

Phone calls: 

Here, a social engineer calls employees of an organization or private individuals, identifying themselves as a trusted person, which they are not. The goal is to gain trust and to trick the victim into performing certain tasks, e.g. the attacker pretends to be an IT service worker from a telephone company and asks the private customer for their password.

Tailgating: 

This is an attempt to enter a restricted workspace. For example, social engineers pose as smokers and enter the premises during “illegal smoking breaks” along with other smokers, passing as fellow employees.

Scarcity: 

Here, the social engineer makes the victim believe that something is scarce, e.g. a message claiming that only 200 units of the new iPhone offer are available. Such “proactive” action often leads into a phishing or Trojan horse attack.

Urgency:

You guessed it: here the victim is fooled into thinking that they must act immediately. For example, the company appears to face a €1,000,000 lawsuit if certain forms are not promptly completed, signed and mailed before Friday. A link in an email often leads to this “trustworthy” form, where you must of course also enter your “password”.

Pretexting:

“Pretexting” is part of the high art of social engineering. Here, the attacker tries to establish a relationship with the victim by means of a pretext. Social engineers often research their victims before the first conversation: to find an excuse for that conversation, the attacker studies the private and professional lives of the victims and derives a first made-up story, which serves as the starting point (hence “pretexting”) for the first contact. This methodology is very old and has long been used by secret services, authorities and the press to gain access to information. Today, because of the numerous social networks, it has become even easier to collect information about victims and to construct a first story for the pretext. In my opinion, this is the most efficient and dangerous tactic of social engineering.

Quid pro quo: 

This social engineering attack is based on trust, or the “one hand washes the other” principle. Here, the social engineer offers the victim something desirable in exchange for personal or business information. Such “favors” often involve assistance in completing certain tasks for the victim, and in return the attacker receives confidential information.

Boss call:

This social engineering attack is also called the boss trick, CEO scam or CEO fraud. The social engineer impersonates a board member or CEO in a fake email or phone call, asking for sensitive company information or actions. The trick relies on the fact that employees will ignore general security rules if a supposed authority figure asks them to, especially when an emergency situation is being played out. Enormous preparation (pretexting) is required to carry out this attack successfully. In my opinion, the boss trick is one of the most dangerous social engineering attacks for companies; the economic damage from such attacks is enormous.

Honey pot:

Honeypots are people or institutions that are perceived as physically or economically attractive. Private honeypots are aimed at private individuals and feign a personal relationship. Economic honeypots target companies and pose as important and lucrative business relationships. The aim of the social engineer is to collect compromising material or to obtain sensitive company data.

Baiting:

Here, the social engineer capitalizes on human curiosity by offering a digital or physical lure. This often contains malware, e.g. a USB stick distributed at trade fairs disguised as a promotional gift, containing a download link that leads to a “free” program for the “customer”. It is very similar to phishing, but something specific is used as the bait.

How to protect yourself from social engineering attacks?

  1. Security Awareness: Employees should be informed regularly about the dangers and about how to proceed in the event of an attack, e.g. through test phishing messages. These are harmless messages sent by security departments to see how many employees follow company security policies.
  2. Privacy Awareness: In principle, you should be careful when disclosing private information, or information about your employer, on social networks. These are often misused by social engineers for the pretexting described above.
  3. Communication Awareness: Never share passwords or other personal information over the phone or via email.
  4. Email Awareness: Emails play a special role for me. In principle, they should always be treated with caution if they come from unknown senders! When in doubt, never reply, and certainly never open attachments. Report the message, or, if there is no other option, obtain information about the sender. The sender’s domain name is often “disguised” as another domain that is spelled similarly, e.g. instead of “meinebank.de” the email’s domain is “menebank.de”.
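The lookalike-domain trick in point 4 can be checked mechanically rather than by eye. The following is an added example (not code from the original post): it parses the From header, compares the sender’s domain against a constructed allowlist of trusted domains, normalizes common character substitutions (such as “rn” for “m” or “1” for “l”), and flags domains that are only an edit or two away from a trusted one. The allowlist, the substitution table and the distance threshold are assumptions for the example; in a real mail gateway they would come from the organization’s own configuration.

```python
from email.utils import parseaddr

# Constructed allowlist for this example; a real deployment would use the
# organization's own list of bank and partner domains.
TRUSTED_DOMAINS = {"meinebank.de", "example-corp.com"}

# Single-character substitutions that look alike in many fonts (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character sequences that are visually close to a single letter.
MULTI_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(domain: str) -> str:
    """Lower-case the domain and collapse look-alike characters so that
    'rneinebank.de' and 'meinebank.de' compare equal."""
    d = domain.lower().strip().rstrip(".")
    d = d.translate(HOMOGLYPHS)
    for seq, repl in MULTI_HOMOGLYPHS:
        d = d.replace(seq, repl)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the domain part of the address in a From header, or '' if none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header: str, max_distance: int = 2) -> tuple[str, str]:
    """Classify a From header as 'trusted', 'lookalike', 'unknown' or 'reject'.

    The second element is a short reason suitable for a log line."""
    domain = sender_domain(from_header)
    if not domain:
        return ("reject", "no parsable address")
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)

    # A display name that names a trusted domain while the address does not
    # is a spoofing attempt, even if the real domain is otherwise harmless.
    name, _ = parseaddr(from_header)
    if any(t in name.lower() for t in TRUSTED_DOMAINS):
        return ("lookalike", f"display name imitates a trusted domain, address is {domain}")

    norm = normalize(domain)
    for trusted in sorted(TRUSTED_DOMAINS):  # sorted for deterministic reasons
        trusted_norm = normalize(trusted)
        if norm == trusted_norm:
            return ("lookalike", f"{domain} imitates {trusted} via homoglyphs")
        dist = levenshtein(norm, trusted_norm)
        if dist <= max_distance:
            return ("lookalike", f"{domain} is {dist} edit(s) from {trusted}")
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample headers, including the post's own example domain.
    for hdr in ("Meine Bank <service@meinebank.de>",
                "service@menebank.de",
                "support@rneinebank.de",
                "meinebank.de Kundenservice <noreply@other.example>",
                "someone@unrelated.org"):
        print(f"{hdr!r:55} -> {classify_sender(hdr)}")
```

A threshold of two edits catches typo-squats of short bank domains without flagging every unrelated sender; for long domain names a slightly larger threshold, or a ratio to the domain length, is usually a better fit. Treat a "lookalike" verdict as a reason to hold the message for review rather than to delete it, since legitimate partners occasionally register similar names.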

Summary

What all these attacks have in common is that a victim who falls for a social engineer’s deception believes in good faith that they are doing the right thing. I recommend everyone to watch the sitcom “The Americans” [2]; there you will find social engineering entertainingly presented in its purest form. I don’t want to give spoilers, but it is about KGB officers posing as a normal American couple during the Cold War in the 1980s. I would also like to refer to the website of the BSI [3].

I hope that I was able to enlighten you a bit about the topic of “social engineering”. Don’t trust anyone you don’t know!

Your Simon 

References

[1] Kevin D. Mitnick, William L. Simon: “The Art of Deception, Human Risk Factor”, Heidelberg 2013, ISBN 978-3-8266-9606-0

[2] https://de.wikipedia.org/wiki/The_Americans

[3] https://www.bsi.bund.de/DE/Themen/Verwachsenerinnen-und-Konsumer/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Social-Engineering/social-engineering_node.html
