Social Engineering is essentially the art of influencing some person into doing things that he may or may not do willingly. It is not a concept that got into picture recently, but has probably been existent since hundreds of years. Simply put, every time you try to get someone to do something that is in your interest, you are applying social engineering.
We can observe variants of social engineering in everyday life, from a student trying to escape punishment for not completing his homework, to an employee trying to land a job in a company or score a big promotion.
Social engineering can be performed either using deception or inception i.e. either using the existing trust relationship or else planting a new bond of trust. The nature of impact is vast and extent of loss solely depends upon the skills of attacker.
The idea is to exploit the weakness in human brain to inherently trust things sooner or later.
I will try to throw an insight on Social Engineering, its types and give you a real example of a Social Engineering activity conducted by me and one of my team-mates for an organization.
According to me, Social Engineering is a mix of science and art.
It is art when a sales person manages to sell a comb to a bald person, or a scam artist fools a house lady to give lots of money for phony lottery scheme.
It is a science, when it is used to educate people on potential dangers of misusing it, or when it is used for information gathering, market analysis and even corporate and police investigations.
One can classify social engineering activities into two classes:
- Human based activities involve interacting with humans directly, and trying to manipulate situation to our favor.
- It may involve impersonating some other person and getting few tasks done. Communication of such sorts mostly happens over phone, where attacker may call a lady at her home acting to be her bank employee and ask her to provide her credit card number to update their new database. He may throw in names of actual employees, mention her husband’s name, or tell her that she has won a reward, which will arrive at her place soon, just to increase credibility.
These activities use computer, mobile phone to launch attacks. Attacks maybe
- popups on websites, that may ask to download a software /driver to fix computer issues
- email attachments, containing malicious PDF or image that takes control over the workstation when opened email scams, claiming to send a big reward for a small registration fee
- fake websites, either to trick user into entering credentials of their social networking accounts, or to forcibly open ads and increase their own ad clicks
- sending an SMS to victim and try to lure him/her in giving out sensitive information to win a bogus competition/ lottery.
A Case Study
The CTO of a reputed organization approached me with a concern. There had been leaks of sensitive documents from one of their offices, and he wanted to find out the source. He also wanted to ensure there weren’t other ways that security breach from an outside source could occur. He asked me to help, and I agreed. We tasked ourselves to gather as much sensitive information as possible through on-site (physical) and off-site (remote) activities. Activities were supposed to yield two results: Evaluating whether the office was penetrable from an outsider or not, and finding out the employee involved in the breach of security that happened in the past. Instead of dealing with two problems separately, we decided to have a combined approach, which was partially planned, and some part had to be done as we move ahead.
Basic plan was simple:
1. Gather as much information as possible about the branch, like departments, employees, events, etc.
2. Formulate a plan (Operation ‘Infiltrate’) for penetrating into the branch
3. Formulate a plan (Operation ‘Investigate’) for finding the source of the leak
4. Execute both plans
For our own comfort, we decided to start off with ‘Operation Infiltrate’, and execute ‘Operation Investigate’ somewhere during the time frame. Our team skimmed through the internet to find all information on the organization, its employees, organizational hierarchy etc. This involved analyzing user’s social networking accounts, job sites having their profiles, blogs, forums to company website and other portals accessible publicly.
Here is a summary of what we did, with a little insight on how it was done:
A half cooked lie is most likely to be caught. A good Social engineer will have spoofed almost everything he can, so that all possible calculated scenarios are under his/her control. We created a fake website, populated with testimonials, blogs, address etc. We then created a company profile for each of us who were pretending to be the employees on the website, which we could access and show on logging-in into our “Employee Portal”, just in case we need it while we are interacting with employees and need to prove our authenticity.
Enter the perimeter
It was easy to bypass first security gate by walking in business attire with a costly watch, nice suite and leather bag with sunglasses. This gave easy access as a visitor, without getting involved in much questioning by the security guards.
While walking from main gate to respective building, I removed the jacket and sun glasses, now posing as an interviewee, looking to meet the senior HR of the company. By inquiring about the HR personnel on the inquiry desk, by name and some other information (which had been collected by our team efficiently, from the internet) gave me easy access to the floor she was sitting.
While I was sitting at floor guest area waiting for the HR personnel, I was told by the security personnel that she would be arriving soon. I tried to convince him to let me meet her on my own in an attempt to get a easy access into the employee area, but I was told to wait back.
…continue reading on CYB3R Magazine