Introduction
It's been my experience that a lot of IT professionals don't like to talk
about social engineering. Perhaps they don't view it as a credible threat,
or maybe they have a hard time accepting the idea that all of their hard
work and countless hours spent securing the network could be so easily
undone by the act of an end user answering an "innocent" question. Whatever
the reason, social engineering is a very real threat that needs to
be addressed.
There are a lot of different social engineering techniques, but they all have
the same basic idea. The trick behind social engineering is to get the
user to give up valuable information without them suspecting anything.
Getting Inside Information
Usually, hackers use the telephone for social engineering purposes since
E-mail would tend to be suspicious and can easily be traced. To pull off
social engineering successfully, the hacker usually needs a little inside
information. This could come in the form of a buddy who works for the
company providing them with a corporate phone directory or the name of
a particularly naïve user. Although such information is helpful, it isn't
necessary.
If a hacker can't get their hands on the name of a particularly vulnerable
user or a corporate directory, they will often look up the company's phone
number on the Internet or in the phone book. Since many companies have
voice mail that gives an employee directory, all that the hacker has to
do is to listen for someone with an upper management title. Upper management
staff tend to have relatively few rights on the network, but also tend
to be extremely unknowledgeable about computers (unless it's an IT company).
I've seen countless examples of this over the years. The president of
a major insurance company that I used to work for only knew how to use
his computer for E-mail and golf. The president of a transmission parts
company doesn't even know how to turn his computer on. My point is that
a hacker can be reasonably sure that if they select a high level executive
from the company's phone directory, then although the person may have
some computer knowledge, it probably won't be enough for the person to
catch on to what's going on.
Falling For The Act
Once the hacker has an unsuspecting employee on the phone, it's time for
the act to begin. The hacker will usually pose as an employee. If it's
a big company with a lot of offices, they might pose as support personnel
from another office. If it's a smaller company, they may pretend to be
a new helpdesk employee, a consultant, or a representative from the phone
company. Whatever the role, a social engineer's first job is to convince
the employee of their bogus identity.
Once the employee has fallen for the act, it's time to begin gathering information.
The hacker will usually mix several innocent questions with some serious
questions. This is done to get the user to let their guard down. For example,
a social engineer's conversation might start out something like this:
Hello, I'm John Doe, with XYZ corporation. Bob Smith (the network manager's name)
has hired me as a consultant to help him with the next phase of the network
upgrade. Before we start the upgrade though, we're trying to find out
if any of the users have been having any problems, so that we can make
sure to address those problems with the new software.
More often than not, the user will think of some sort of problem to tell the
hacker about. The hacker's job is to listen to the problem, and then begin
the "troubleshooting process". For example, the hacker might ask the user
to look up several pieces of information for him. Some of this information
will be harmless (to throw the user off), while some will be valuable.
For instance, during the phone call, the hacker may ask for the following:
- How much memory the system has
- How much free hard disk space
- The system's IP address
- The phone number of a modem that's connected to the machine
- Any remote access software that may be running
During the call, a good social engineer will walk the employee through the steps
of looking this information up. The steps can be easily disguised as a
part of the troubleshooting process, and having the user read the information
directly off of the screen ensures that the hacker gets accurate information.
Coaxing The User For Information
What happens next really depends on how the conversation goes. If the
user tells the hacker that they use PC Anywhere for remote support, the
hacker may immediately tell the user to let them dial in and "fix" the
problem. The hacker may actually fix the user's problem so that the user
won't be suspicious, but more than anything, this technique provides the
hacker with the remote access password and an opportunity to test it.
If the user isn't having a problem or doesn't have any remote access software,
the hacker will have to get their hands on a password, whether the local
password or the domain password (these are often one and the same). Getting
the user's password is tricky, because most of the time, the users have
been warned not to give out their passwords. Therefore, most good hackers
won't simply ask for a password unless they find the user especially friendly.
Instead, they must trick the user into giving the password up.
One of the most effective techniques for this is for the hacker to tell the
user that they are uploading a new security patch right this moment, but
something must have gone wrong because it isn't letting them complete
the operation. The hacker would then tell the user something like "I must
be spelling your user name wrong, spell it for me." The user will usually
then provide the hacker with the exact spelling of their user name (one
of the two "keys to the kingdom"). The hacker will then wait a few minutes,
and possibly bang on a keyboard just to make it all sound real, before
telling the user that it still isn't working. Next the hacker will ask
the user to confirm the spelling of their password. Hopefully, by now,
the hacker has gotten the user to relax and let their guard down enough
that the user will spell the password without even thinking about security.
If the user refuses to give up the password, the hacker may briefly try to
coax it out of the user, but will quickly move on to someone else, so
as not to be discovered. They will usually conclude the phone call by
saying something like, "That's OK, I'll just use the master password"
or "I wish that everyone was as security conscious as you." This will
help to put the user at ease again so that they don't report the incident.
The Final Objective
Now, suppose that the hacker did trick the user into giving up the password.
The hacker must still maintain an image of legitimacy so that the user
doesn't get suspicious. This is usually done by not rushing to get off
the phone. The hacker may walk the user through the steps to fix some
minor problem, or might probe the user for more information. Whatever
technique is used, the hacker must always appear to be very pleasant and
helpful.
Once a hacker has gathered all of the information that they need, their final
objective is to get off the phone, and be sure that the conversation goes
unreported. Naturally, the hacker can't just say, "Don't tell anyone about
this call." Instead, they will usually say something like "I'll call you
in a few days to follow up on your problem" or "you can reach me at ."
The callback method is preferred, though, because the hacker can rest
assured that the user won't call some bogus number and be alerted to their
phony identity. Remember that a hacker's job is to not be discovered.
This doesn't just apply to the short term; a hacker wants to remain undetected
forever. Therefore, a hacker will usually tell the user that they will
call them back in a few days. This not only puts the user at ease, but
it also gives the hacker a few days to see how good the information that
they were given actually is before they call the user back. The callback
gives the hacker a chance to get more information if it's needed.
Many times a user will ask the hacker for a phone number, but a skilled hacker
knows to use the bogus phone number trick as a last resort. It's better
for the hacker to leave their doors open by making up a bogus story about
being on vacation for the next few days or something, and promising to
call the user immediately upon returning to the office. Of course, if the
hacker has everything that they need, they won't ever call back, but one
of the biggest signs of a social engineering scam is a reluctance to provide
a phone number, and a promise to call back.
About The Author
Brien Posey is the Vice President of Research of Relevant Technologies.
Brien is an MCSE and a renowned technology journalist. He was recently voted
the most popular server author on CNET's TechProGuild portal.
Brien can be reached at bposey@relevanttechnologies.com.