With their mantra, “I am only as good as the information I gather,” social engineers hold, if not the most powerful, then certainly the most effective tool for working on a target.
Social engineering happens in government and in small-business marketing. Unfortunately, it is also present when criminals, conmen, and the like trick people into giving away information that makes them vulnerable to crimes.
Like any tool, social engineering is neither good nor evil; it is a tool with many different uses. But before I define this often misunderstood technique, consider the following example, perhaps the most effective application of social engineering there is. It happens worldwide.
When a group or person does not support the “right” leader, life necessities, especially foodstuffs and water, become scarce and/or expensive. Their jobs are given to others who are more supportive. When people see this in action, getting them in line doesn’t take long.
This is a very malicious and hurtful form of social engineering, but nonetheless one to learn from. People often want what is scarce, and they will do almost anything if they are led to believe that certain actions will cause them to lose out on those items. What makes these cases even worse is that the social engineer (the government) took something necessary to live and made it “scarce,” available only to supporters—a malicious but very effective manipulation tactic.
As in the above example, the engineer usually understands what is going on far better than the victim does. The victim often falls for the common mantra, “But this is more humane!” As Sun Tzu says, if you know the enemy and know yourself, you need not fear the result of a hundred battles. I would add that effective intelligence (acting on knowledge) defines wisdom, not knowledge alone. Yet without education, the motivation for change just isn’t there.
While software companies are learning how to strengthen their programs, hackers and malicious social engineers are turning to the weakest part of the infrastructure—the people. Their motivation is all about return on investment (ROI); as Christopher Hadnagy (a very famous author on the subject) would put it, no self-respecting hacker will spend 100 hours to get the same results from a simple attack that takes one hour or less.
But what attack can this be? The Webster’s dictionary definitions of ‘social’ and ‘engineering’, taken together, define this technique best. Social engineering is the art or science of skillfully manoeuvring human beings into taking action in some aspect of their lives.
Kaspersky Labs, a leading (Russian-based) provider of antivirus and protection software, estimated that more than 100,000 malware samples were spread through social networks in 2009. How else can an attack succeed if it is not engineered appropriately? In a recent report, Kaspersky estimated that “attacks against social networks are 10 times more successful” than other types of attacks.
Types of social engineering attacks
As the name implies, physical approaches are those where the attacker performs some form of physical activity to gather information on a future victim. This can range from personal information (such as social security number and date of birth) to valid credentials for a computer system.
An often-used method is dumpster diving, i.e. searching through an organization's trash. Yes, as hard as it is to imagine anyone enjoying digging through the trash, it can yield one of the most lucrative payoffs for information gathering.
People often throw away invoices, notices, letters, CDs, computers, USB keys, and many other devices and reports that can truly give amazing amounts of information. If people are willing to throw away art worth millions, then things they view as trash will often go right into the garbage without a second thought.
Sometimes companies shred documents they deem as too important to just throw out, but they use an inefficient shredder that leaves paper too easy to put back together.
A dumpster is indeed a valuable source of information for attackers, who may find personal data about employees, manuals, memos and even print-outs of sensitive information, such as user credentials. In addition, if an attacker can gain access to a targeted organization's offices - e.g., in open-plan workspaces - they may find information such as passwords written on Post-it notes.
Less sophisticated physical attacks involve theft or extortion to obtain information.
The most important aspect of successful social engineering attacks is the social approach. Here attackers rely on socio-psychological techniques such as elicitation, which the National Security Agency (NSA) of the United States government defines as “the subtle extraction of information during an apparently normal and innocent conversation.”
The goal is to obtain that information and use it to steer a target down the path the social engineer wants them to take. Consider the short conversation below:
Attacker: “You must have an important job; so-and-so seems to think very highly of you.”
Target: “Thank you, that is nice of you to say, but my job isn’t that important. All I do here is…”
Of course, the victim opens up. Who wouldn’t, even if only to deflect the compliment? The jackpot is hit; more information was all that was required. This is a perfect example of playing on the victim's ego.
Reverse social engineering
Instead of contacting a potential victim directly, an attacker can attempt to make them believe that the attacker is a trustworthy entity. The goal is to make potential victims approach the attacker, e.g. to ask for help.
This indirect approach is known as reverse social engineering and consists of three major parts: sabotage, advertising and assisting.
The first step in this is sabotaging the company's computer system. This can range anywhere from disconnecting someone from the company's network to sophisticated manipulation of the victim's software applications.
The attackers (often an anonymous group, of which the visible attacker is a member) then advertise that they can fix the problem. Better still, they can fix it immediately: when the victim asks for help, the social engineer resolves the problem they created earlier while, for example, asking the victim for their password (“so I can fix the problem”) or telling them to install certain software.
Technical attacks are mainly carried out over the Internet. The Internet is especially interesting to social engineers harvesting passwords, as users often use the same (simple) password for different accounts.
Most people are also not aware that they are freely providing attackers (or anyone who cares to search for it) with plenty of personal information. Attackers often use search engines to gather personal information about future victims. There are also tools that gather and aggregate information from different Web resources; one of the most popular tools of this kind is Maltego. Social networking sites are becoming valuable sources of information as well.
Socio-technical approaches have produced the most powerful weapons in the social engineer's arsenal. One example is the so-called baiting attack: attackers leave malware-infected storage media in a location where future victims are likely to find them, for example a USB drive containing a Trojan horse.
Attackers exploit people's curiosity by putting tempting labels on these traps, such as ‘confidential’ and ‘classified’. Who wouldn’t like to read ‘classified’ information?
Another common combination of technical and social approaches is phishing. Phishing is usually done via e-mail or instant messaging and is aimed at a large user group rather indiscriminately, similar to spam.
Social engineering, in contrast, is typically directed at individuals or small groups of people. Scammers hope that sending messages to many users will fool enough people to make their phishing attacks profitable.
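Because bulk phishing is aimed at many recipients at once, it tends to carry a few recognisable hallmarks: a display name borrowing a brand while the address comes from an unrelated domain, a Reply-To routed elsewhere, pressure language, and links whose visible text names one site while the href points to another. The following Python script, added here as an illustration and not code from the original article, scores two constructed sample messages against those indicators; the brand table, phrase list and both e-mails are assumptions for the example, not real mail or a production filter.

```python
"""Heuristic phishing-indicator check over constructed sample messages.

Added example, not code from the original article. The trusted-brand
table, phrase list and both sample e-mails below are constructed
assumptions for illustration only.
"""
import re
from dataclasses import dataclass
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: brand names as they appear in display names, mapped to the
# registrable domains a (hypothetical) organisation legitimately mails from.
BRAND_DOMAINS = {"example bank": {"example-bank.com"}}

# Pressure phrases typical of bulk phishing lures (constructed list).
URGENT_PHRASES = ("urgent", "immediately", "suspended",
                  "verify your account", "within 24 hours")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'[a-z0-9-]+(?:\.[a-z0-9-]+)+', re.I)


@dataclass
class Message:
    from_header: str
    reply_to: str
    subject: str
    body_html: str


def registrable(host: str) -> str:
    """Crude registrable-domain guess: last two labels (IP literals returned as-is)."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def sender_parts(header: str):
    """Return (display name, registrable domain) from a From or Reply-To header."""
    name, addr = parseaddr(header)
    return name.strip(), registrable(addr.rpartition("@")[2])


def indicators(msg: Message) -> list[str]:
    """List the phishing indicators present in msg; an empty list means none found."""
    found = []
    name, from_dom = sender_parts(msg.from_header)

    # 1. Display name claims a known brand, but the address domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and from_dom not in domains:
            found.append(f"display name claims '{brand}' but sender domain is {from_dom}")

    # 2. Replies are routed to a different domain than the one that sent the mail.
    if msg.reply_to:
        _, reply_dom = sender_parts(msg.reply_to)
        if reply_dom and reply_dom != from_dom:
            found.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # 3. Pressure language in subject or body.
    text = f"{msg.subject} {msg.body_html}".lower()
    hits = [p for p in URGENT_PHRASES if p in text]
    if hits:
        found.append("urgency language: " + ", ".join(hits))

    # 4. Link whose visible text names one host while the href points somewhere else.
    for href, visible in ANCHOR_RE.findall(msg.body_html):
        href_dom = registrable(urlparse(href).hostname or "")
        shown = HOST_IN_TEXT_RE.search(visible)
        if shown and href_dom and registrable(shown.group(0)) != href_dom:
            found.append(f"link text shows {registrable(shown.group(0))} but points to {href_dom}")
    return found


def score(msg: Message) -> int:
    """Number of indicators present: a triage signal for analysts, not a verdict."""
    return len(indicators(msg))


# Constructed sample messages (not real mail).
PHISH = Message(
    from_header='"Example Bank Security" <alerts@example-bank-login.net>',
    reply_to="support@mail-relay.example.org",
    subject="Urgent: your account will be suspended",
    body_html='<p>Please <a href="http://198.51.100.7/verify">'
              'https://example-bank.com/verify</a> within 24 hours.</p>',
)
LEGIT = Message(
    from_header='"Example Bank" <alerts@example-bank.com>',
    reply_to="",
    subject="Your monthly statement is ready",
    body_html='<p>View it at <a href="https://example-bank.com/statements">'
              'example-bank.com/statements</a>.</p>',
)

if __name__ == "__main__":
    for label, m in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score(m), indicators(m))
```

The script is deliberately a list of independent indicators rather than a single verdict: each one is cheap to explain to a user in awareness training, and a message that trips several at once is worth an analyst's attention even when none of them alone would be conclusive.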
The above is a classification of the various social engineering types. However, there are methods to mitigate such attacks. Baiting and phishing attacks have been mentioned, but they deserve further discussion. An article about them is now available.