On designing or analyzing the security in IT systems an important question which has to be taken into account, aside from the wide range of digital security solutions, is the fact that one of the key elements of each and every system is its interaction with the user. Unfortunately, in the prevailing number of cases it is the human factor which proves to be the weakest link of the whole system of security. On one hand, it is the least predictable, while on the other – the most vulnerable to the influence of people who want to break through the security system and obtain the valuable data. The attacks on the IT systems which are launched using the techniques of influencing the users are called social engineering attacks and what they are based on is not the vulnerability of hardware or software but the human’s predisposition to subject involuntarily to others’ influence. Those attacks are aimed at destabilizing the system’s operation (and, in consequence, the operation of an individual or an organization) or obtaining the access to the desired data, such as password to a bank account, PIN or CVC number of the credit card, detailed personal data or any other information which is necessary while accomplishing some other hacking mission (i.e. drawing money from the victim’s account, making a bank loan using the victim’s data, etc.). The attacks may be aimed at individuals, but also at companies or organizations, and the attacker’s goal may be to infiltrate them, learn their organizational pattern as well as their vulnerabilities and eventually – to produce damage or to obtain some desired information.
This article will use a lot of phrases such as “for example”, “i.a.” or “etc.”, which stems from the fact that it covers only a small fraction of the possibilities and techniques available to social engineering attackers. The criminals who use them adjust their attacks to their victims and the situation, while at the same time they often combine various means of social influence and conceal them behind an additional “smokescreen”. All the subsequent information and examples should be treated only as a starting point for further consideration of the potential scenario of an attack.
In order to improve our resistance to such attacks, we should first of all recognize and, what is more important (and more difficult at the same time) – learn some basic techniques of influencing human’s behavior, so that in case of an attack we could immediately identify it and by this – manage to defend ourselves from it. However, the most demanding part is to learn the techniques so thoroughly that we would be able to notice the fact of being attacked and to counteract even in a stressful situation, created on purpose by the attacker in order to confuse us. Unfortunately, the lack of awareness of being the object of an attack, using the victim’s weaknesses (perhaps learnt during some earlier social engineering-based attacks), the multitude of types of attacks, and most of all – their smart concealment in the interaction between the attacker and the victim – make even the top specialists in social psychology catch the attacker’s bait once in a while. Nevertheless, the awareness of the means of exerting the social influence is the basis for any attempt to protect ourselves against them. In the very same way as the martial arts schools teach their students the techniques which may harm the opponent, but at the same time they insist that learning them should only serve the purpose of protection, the trainers in social engineering present their students with the wide range of methods of executing social engineering-based attacks in order to make them resistant to such techniques and all the while they warn them not to use their knowledge in any other case than in a situation of a need to defend themselves from the attacks (or helping others to stay safe). The same applies to the cyber security trainers and the methods of protection against purely IT-based attacks.
Preparing and launching an attack
At the first stage the attacker gathers information which are available without the need for interaction with the individual victim or the employees of the target organization. This stage covers so-called footprinting, i.e. a preliminary recognition of the target. It may also include “dumpster diving”, which is collecting some cast-off data which may prove useful for attack preparation. An attack on a private individual may be preceded by browsing the person’s social media. What is sought prior to an attack on a company are the information on its organization, its emails, names, surnames and the functions of its employees, phone numbers or even discarded elements of its IT equipment, which the intruder may use before and during the attack.
The chances for a successful social engineering-based attack rise if it follows a stage of an adequate “mollifying” the target, so that it becomes more susceptible to influence. This stage is usually based on one of the two opposite strategies: bringing the victim into a state of full trust and comfort or putting him/her under a heavy stress. In the first case the attacker takes actions which make the target let down his/her guard, make the victim feel at ease and build rapport, in order to launch the attack in the least expected moment. In the latter case the attacker starts with putting the target’s environment into chaos, so that he/she would feel threatened or disoriented by the excess of information and due to this – act in the most automatic way. This course of action is associated with one of the most basic modes of operation of the human mind, which has its roots in the very evolution of humankind and the development of the human brain. From the evolutionary point of view the oldest part of our brain is the brainstem. It is responsible for automatic actions of our body, which makes sense, since our ancestors tended to be more concerned about hunting the animals – or escaping them if the hunting went bad – rather than about the fragile beauty of the landscape around them. Thus, creative thinking seems to be some later invention, in times when basic needs such as food and safety have already been dealt with. What all of this has got to do with social engineering? Well, in a situation of a sudden stress our brain “switches” into a rudimental mode, goes back to most primordial actions for the sole aim of survival. The processing of data takes place mainly in the brainstem, which results in mostly automatic actions. And this is where learning some social engineering techniques by heart can prove lifesaving (in a more modern sense). The more we digest this knowledge, the better chance for our brain to take them into account in a case of a sudden need of quick thinking. We need to learn a conditioned response (just as did famous Pavlov’s dogs, reacting to the sound of a bell) and imprint it in our headquarters’ core as an appropriate defense response.
(Not) everyday is Christmas
One of the simplest social engineering-based attacks (though it may be disputable if the level of sophistication of the method allows the attack to be called social engineering) is to present the target with some gift, for instance, a crafted USB stick, containing some malware which will steal the victim’s data. It can also be a reward for filling some kind of questionnaire (a fictional one, of course, serving only as a pretext for handling “a token of gratitude” to the victim) or a gift from a potential business partner on account of the anticipated cooperation. Most of us like to be showered with gifts, so after obtaining one we tend to be less suspicious towards the person who was so kind to us (giving us a present proves good intentions, doesn’t it?) and less prone to suspecting him/her of an attempt of actually robbing us. In the given example of a “free” memory stick it may contain, for instance, a keylogger which will intercept and send information to the attacker, e.g. concerning the bank the victim uses, as well as his/her login and password. Using these data, in connection to taking over the victim’s phone or SIM card, a criminal can easily clear the victim’s bank account. The question whether a full protection against stealing money from a bank account using intercepted access data and a duplicated SIM card or a hacked phone is actually possible is a matter of a heated discussion on the internet, so for now let’s stick to the most basic and general ways to become less susceptible to such attacks. There were cases of companies presenting their business partners with memory sticks containing such software. However, in this instance the aim was not to rob a bank account but to come into possession of some information of strategic importance for their business.
The gift may also be intangible – it may be a prospect of winning a big prize, sent by email along with a link to a page containing the malware.
People just like us
The aforementioned method of making the victim less suspicious by presenting him/her with a gift may also take form of a conversation leading to creating a “bond” (or building rapport) between the target and the attacker and by this – making the former less resistant to disclosing some confidential data or even resulting in his/her sharing the information of his/her own will, which is based on a psychological principle of liking. The more a person is similar to us – by sharing the same name or surname, wearing similar clothes, having the same opinion on political matters and so on – the more we are inclined to consider him/her trustworthy and we instinctively treat him/her better. As a result of such automatic association our restraint against disclosing the information becomes weaker or missing at all. We may regard ourselves as impervious to such methods, however, the bad guys who apply social engineering in their actions are for the most part aware of such automatic behavior and all they need is a moment of their target’s carelessness to launch a successful attack. The attacker may hold a long conversation with us, talking about the things we have in common, pretending to be heading in the same direction or suffering from the same cause. He/she may make use of some information gathered earlier either from us or about us, in order to create in impression that we share a common enemy or to pretend that we know the same people and by this to enter a closer circle of our friends (also called a tribe), i.e. the people worth of our trust. To achieve this, the attacker may use the information already disclosed in the conversation, by taking up our own words (“Yes, I’ve known him/her for years!”) or the information gathered during an preceding reconnaissance, for example by browsing our social media.
Sharing information on whom we know, whom we met, where we spent our holiday or what we have eaten has recently become excessively popular. Even though these information seem harmless, they facilitate an attack on a carefully selected target (so-called spear-phishing), as they may be used for the purpose of making us more susceptible to influence.
Besides, the attempts to make us feel as in a well-known environment and by this – to feel safe, are not just a domain of humans. Web pages are intended to look like familiar login pages of banks, mailboxes or social media websites. On the distinctive colors and layout the users fail to even think that they are under attack right now and enter their access data carelessly. In the case of a victim’s being a layman in terms of IT security or bank procedures, the attacker may even dare to make the target disclose their security codes for making online money transfers or some other information which can be useful for stealing money from a bank account. This is why the banks emphasize that they never ask their clients to disclose any additional data during logging or by email.
Tit for tat
Another way to make the target more willing to disclose information or to fulfill the attacker’s request is to apply in practice the principle of reciprocity. This simple mechanism makes us feel obliged to repay a favor, regardless of whether it was asked for or not. So, a person who uses social engineering tricks will try to produce a situation where we’d feel obliged to return a favor. If someone manages to infiltrate a company they may, for instance, help their target to pick up some dropped documents (after feigning an incidental bumping into a person who dropped them) or to use a facsimile or a printer. Since the victim has received some help, now it’s time for them to repay the kindness and this is when the attacker puts forward a request for some information or for giving access to some off-limits area within a company in order to infiltrate deeper and gain additional information. The attacker may also ask for a favor which is next to impossible to fulfill and on refusal – ask for something far more simple. After being compelled to refuse, the victim will feel even more bound to make up for this situation and will be even more determined to grant the other request.
Please save my world
An alternative way to persuade the targets to fulfill the attacker’s request is to make an impression that what they do is important and needed. In other words, it is creating a situation where the victim feels like a superhero, like a savior of mankind. Contrary to popular belief, a grandparent scam is equally effective to younger people, too. In the case of a cyber attack all a criminal does is to replace a relative’s accident with some system’s failure, a policeman with a web admin and money with login and password – while the mode of action remains exactly the same. This technique is often combined with creating an air of hurry and by this – disorienting the target. The attack can be executed via phone call (“Due to the servers’ down we need a quick access to the server room in order to do the troubleshooting”.), e-mail (“This is your admin, we have detected an attack, please give us the login and password to your computer / mail so that we could identify the perpetrator. Please keep it to yourself, we don’t want the criminals to be warned about our investigation against them”.), as well as during a face to face interaction. Those requests seem irrational in most cases if given a bit of thought, but since they are made in a situation of a faked hurry and responsibility, e.g. for restoring the company’s data, they cause the victim to act exactly as directed by the attacker. In a sudden urgency we do not think of verifying whether the login page is valid or is it a fake one, fabricated by a social engineer or whether the caller is really a trustworthy person. An additional warning not to spread the information on one hand gives the attackers more time for their actions and on the other – makes the target feel like a key element to some important rescue mission.
In a certain variation of the attack we may receive a call with information concerning our holiday leave we were supposed to be enjoying now. If we answer that we’re not on a leave now, the attackers may feign surprise and embarrassment with this situation and the apparent mistake in the system. By this, they create a situation where we may prove helpful if we provide them with some information necessary to amend the error (“So when do you actually have your leave? Is someone from your department on their leave right now? What is your login to the system?”).
Is there a doctor in the house?
The principle of authority is also a powerful tool for making the target feel secure during the attack. The attacker creates an impression of being an unimpeachable person simply by wearing a uniform or some other symbols of typical and well-known occupations. Thus, the attacker pretends to be a doctor, a policeman, a firefighter (as these jobs are easily identified by the outfit a person’s wearing) or an IT engineer (though this profession is not associated with any specific outfit, the impostor may build credibility with a T-shirt bearing a logo of some IT servicing company, a name tag and adequate tools). Numerous studies proved that the “disguise” does not even have to be a policeman’s or doctor’s uniform – wearing a workwear of a garbage collection company is enough to make the target follow the instructions without even inquiring about their legitimacy. In the prevailing number of cases the disguisers did not have the slightest problems with infiltrating companies and persuading people within to fulfill their requests. Moreover, in some instances they were even trusted beyond expectations and managed to gain more than anticipated.
However, infiltrating a company or an organization does not even necessarily require any specific outfit. In some cases all an attacker had to do was just… enter it boldly enough. Most people assume that if you look like you know what you’re doing, then you have a right to do it. Some attackers also use a so-called tailgating technique, in which they follow a person who is genuinely authorized to enter some areas and they just walk inside in the person’s wake.
By all means, a false authority refers not only to humans. We tend to open an attachment more willingly if the mail it was enclosed to contains a phrase: “The attachment has been scanned by X Antivirus and it is diagnosed as safe”.
A principle of social proof is yet another method of influencing others. People tend to do some things just because others do too. A social engineer may make use of this mechanism while persuading the target, for example via email, about being the last person who has not yet provided the access data to the company mail at the request of the admin (a fictional one, of course). The earlier request may not even take place; the mention that others have already done something is enough to disorientate the target at least for a moment, which can be enough to obtain the desired data. The attacker may also make the story more credible by attaching a copy of a fake conversation, in which several people express their opinion and fulfill the request. The victim gets an impression of receiving the message on some advanced stage of discussion and on seeing that others have already complied, tries to catch up with the group as quickly as possible.
Walk your talk
A principle of consistency is also a tool applied in the social engineering-based attacks. Commitment and consistency refrain us from going back on once expressed opinions. One of the techniques based on this principle is FITD – foot-in-the-door. It is rooted in the fact that after consenting to some initial, minor request, we become more prone to fulfilling another one – this time a bigger one and not necessarily connected to the first one.
People also are inclined to follow a beaten track, so if around the end of a month a great number of invoices flock to a company mailbox, it is highly probable that the employee won’t verify the attachment before opening it. If the attachment happens to be infected one, in the best scenario it will result in a warning from a antivirus software and in the worst – in encryption of the hard drive (or, in even worse than the worst case – encryption of the hard drive along with the backup drive if it was connected at the moment) and a demand for ransom.
Sale ends in 5 minutes!
The principle of scarcity is applied to persuade people to certain actions just because if they don’t do it now, they will lose their once-in-a-lifetime chance. This is why a phishing email (phishing is the term used for fraudulent emails) may contain phrases such as “This is the last warning before your mailbox will get erased. Log in using the updated login page <link to a fake login page> to save all your messages and contacts!”, “Your password has expired and it must be changed immediately” or “Your computer has been infected with a dangerous malware! Download this antivirus software as soon as possible!”. Additionally, the mail may be sent on Friday afternoon, so that the target receiving it on Monday morning would think that the actions need to be taken quickly or the data will be lost forever. The element of stress may be enhanced by using names and/or graphic signs of tax authorities or police.
Stress is a bad advisor – everybody has heard these words at least once. At the same time stress is the attackers’ best ally, as it increases their chances to influence the target in the intended way. By creating a fake “crisis” situation around the victim, in which decisions must be taken automatically and with no time for a second thought, accompanied by a multitude of information, the attackers disorientate their target. This is why if someone wants to obtain some information, for instance, by phone, they’ll try to set a quick pace to the conversation, justifying it with a sudden and unexpected situation, like “There’s a fire in the hall, can you give us the code to the door to manager X’s office? We have to check for the people inside!”. A sudden influx of adrenaline resulting from the information about the fire, in connection to the responsibility for the manager’s office may push the victim to disclosing the information without hesitation.
Methods of defense
One simple question
Defense against social engineering-based attacks, just as the attacks themselves, is a complex subject matter and it may combine several different techniques. However, in all cases – from the simplest one, involving obtaining a present, through an attempt of making friends with us or pretending to be someone of authority, to making an effort to destabilize our environment and expecting us to make responsible decisions – the legitimacy of our actions can be verified by asking ourselves one simple question: “Why?”. This trivial question has the power to sober us up in a moment if we realize that there’s actually no good reason for us to take some actions (or that we’re not even allowed to take them). It may also outface the attacker who wasn’t ready for one. Of course it is possible, on the other hand, that our opponent has foreseen some potential alternative scenarios, nevertheless it can be a good starting point for taking some defensive actions against social engineering-based attacks.
Just as in the case of interaction with humans, also when receiving an alarming email we should give ourselves some time to react. Am I sure to open this invoice / information about delivery if there wasn’t any item I have ordered lately? Is it possible that this unusually alluring offer is really for me?
Control is the highest form of trust
In the case of an attempt to influence our actions by suggesting that we should trust an unknown person just because they are worth it (regardless of the technique in use for this purpose) the line of defense may be built around an intentionally introduced element to the conversation – an element being under our full control and allowing us to verify our interlocutor’s story. If this person poses as someone of our friends or relatives, we cannot verify their identity with questions like “Is that you, Steven?” (in the case of a phone call, when we cannot see the person) or “Do you know Kate?”, as it is obvious that the only thing a criminal may answer in such a situation is “Why, of course!”. No way they’d admit that actually: no, I’m a bad guy; to the contrary – they’ll continue with assuring us that they are this reliable person (“Well, of course it’s Steven!”, “Sure I know Kate!”). What the attackers aim at is to give as little information about themselves as possible, so that not to raise any suspicions concerning their identity, but at the same time as much as needed in order to be identified as a person whom we know. In order to verify the identity of such alleged acquaintance of ours, we need to use an affirmative sentence which is false enough to surprise our real friend and make them deny. However, an attacker should fall for our trick (unless being already on the level of being immune to such tricks or the information possessed on us are wide enough to see through this deception). So, we can say for example: “Your brother has aged a lot lately, hasn’t he?” (if we know the person whom someone pretends to be has no brother) or “Your manager has a new wife, doesn’t he?” (if the someone feigns to be a person who actually works in a department run by a woman). If our interlocutor ignores this statement or seems confused, it may mean that such course of events has not been foreseen. And if they affirm our false statement, then we have proof that we’re being attacked.
Do you know where you’re going?
In the case when a social engineer wants to relax our vigilance by showing us a web page that we know well and through which we have logged in safely many times before, it is advisable to make sure that we actually are on a web page we want to log in to and not on a trap page. We have to verify if the address of the page displayed in a browser is the same as the address we’re supposed to see there and not only check the “green padlock” which is not a proof of a trusted website. In the case of links on web pages or sent to us by mail we need to check not only what address is shown as a link, but also where it leads to – after pointing the link with a cursor a real address to which a link directs to should appear. If it’s different from the one in the link or it seems suspicious in any other way, it may mean that this is an attempt of an attack. The situation becomes more complicated in mobile devices, as in the interface we cannot point a link without clicking it (although sometimes we may display the full text of the message and check the way the link is constructed). It is also advisable to check whether in the address (in the link or on the web page we have already entered) there are no misspellings or if there aren’t any characters which only resemble letters and which we would not expect to see in this address. This way of concealing the real address of a web page has become quite popular recently.
Updates and backups above all
An important element of security, not only in connection to social engineering-based attacks, is checking for software updates frequently, both in terms of the operating system and common software. In the case of an attack executed via electronic means (and not verbally or physically, through the mediation of the user) this obstruction may be effective enough to stop it. However, if the protective software fails or we’ll lose data due to a flaw in some other software, it is lifesaving to have a backup, which should be done frequently enough to minimize the potential loss. The data carrier containing our backup should be read-only or connected to our computer only at the times we are sure it is safe and afterwards – disconnected as soon as possible. It is also advisable to perform at least once a full restoration of the data from the backup, as it is commonly known that people can be divided into three categories: those who don’t do backups, those who do, and those who do and have checked that their data can be restored from the backup.
A password to enter them all
Let’s assume that we’ve fallen for the trick and we’ve entered our access data on a forged page. This is when it becomes crucial whether we have the same password for all systems or websites we use or not. If the attacker knows our e-mail and our password (regardless of how super-duper safe it is in terms of complexity) and we happen to use the same access data to our mailbox as well as to many other services (or we use a simple key for generating them, like bank-name123, ebay1, etc.), we may lose much more than just our e-mail messages. It is thus wise to use different passwords everywhere and wherever it is possible – to apply two-factor authentication, with hardware keys, applications or some other appliances which support it.
Even the best passwords can’t help if they’re on display
Another issue is how we keep our passwords. It is advisable to use a password manager, secured with a strong main password. Keeping our passwords (as well as other key information) on our desk, computer case, screen or a board over our desk may result in someone seeing it and remembering, writing it down or taking a picture of it without us even knowing who did it and when.
Such uniform can be acquired in a local shop
Let’s don’t forget that a person wearing a uniform does not actually have to be a doctor. Nowadays almost every working uniform can be easily obtained in an online shop – starting from a doctor’s, paramedic’s or nurse’s uniform (I mean the standard one, though a customized one, from a “specialized” shop, may also prove somehow effective in a social engineering-based attack), through policeman’s or firefighter’s uniform to priest’s cassock. Also, everybody can forge any name tag, stamp or even ID card. So, prior to sharing important information or money, it advisable first to verify a person’s identity, for example by looking them up on the internet.
Training with real-life examples, or show me my weaknesses
Some organizations run special trainings for their employees, developed on the basis of earlier, real-life attacks (we can call them vaccines, although in the light of the recent war of misunderstandings about the vaccines I’m a bit hesitant about my intentions being read in a right way). The employees are acquainted with situations they may find themselves in, so that when one happens they’d recognize it on the spot. Such training comprises i.a. of presenting a list of questions which they may be asked and which should alarm them. The simplest way is to categorize them into “green – yellow – red” alert groups, where the first one contains questions which can be asked by any person without any specific (dangerous) intentions, like “Do you go to work by bike?” in a situation when you’re wearing a cyclist’s clothes. The question may stem from an innocent intention to ask for directions, best tour to be taken, time needed to cover the distance by bike – or just to start a small talk with a person you like. The answer to such a question does not reveal any more information than the ones the person already possesses (if we’re wearing a cyclist’s outfit, it’s rather obvious that the answer’s positive). However, if the conversation runs into a direction where our interlocutor asks more detailed questions (“So, where do you keep your bike?”), we should see the yellow light, as such questions may lead to an attempt to obtain information which the person is not entitled to possess. Of course, it still may be an innocent question, not a part of any attack (let’s not get paranoid!) – this is why the alert color is only yellow. But if we hear a question “So where’s the manager’s office / server room / archive room?”, the alert color switches to red. Such information may be used to launch an attack and should not be shared to people we don’t know and which may not be authorized to obtain them. If we suspect that we might have fallen victims of an attack, we should report this fact (as well as any attempt to obtain information by suspicious individuals) to the people responsible for data protection (IT admin, security inspector, etc.). Prior to disclosing any important data it is advisable to inform our superior on who’s asking for them and make sure if we can comply with such a request. If it’s an attempt of an attack, it’s highly probable that it will be detected on this stage.
Training of employees is a key question, but what it should cover is not only the techniques of attacks, but also preparing for various attempts to intercept information or to destabilize the working environment, so that they’d be able to recognize them and when already in such a situation – to counteract. A key element of such trainings is to raise awareness of the fact that what seems important for the organization is not necessarily important for the attacker and all the way around: that what seems trivial from a company’s point of view may not be such for the attacker. It is worthwhile to present the ways that someone may try to obtain some data from us by pretending to be our friend. The best scenarios for this purpose are the ones which proved to be successful in the past. It is essential to emphasize that the attacking person acts with a purpose of stealing some information and/or making harm to the organization and by this – to obstruct work or even cause loss of victims’ jobs. Such laying down the issue often results in the employees’ being more resistant to the attempts of phishing and destabilizing their working environment. By all means the training should be performed regularly, so that the knowledge presented is updated and consolidated. However, in order to make the employees more aware of their own susceptibility to attacks, it is advisable to run a test prior to the training, which will show just how much information they’d share to the real attackers. Becoming victims of an attack (even a mock one) makes us realize we’re not as smart and resistant as we thought we were.
Play by the rules
Another key element which can be useful for making the organization less vulnerable to social engineering-based attacks are the procedures. They stipulate the actions at numerous levels: how often the passwords should be changed, how to pass information, how to shred the documents, what privileges can be assigned to outsiders, who can access the equipment, whom to report to on incidents, etc. In the reality of big organizations it is also essential to divide the space into sectors in which there is at least one person who knows exactly which people can access it and whom to keep outside. It allows to catch the intruders who got into some off-limits zones by using flaws in this matter.
The above information regarding the most common methods of abuse and defense against them are only a little fraction of the wide topic of preparing an attack, which combines elements of influencing people with purely IT knowledge. As with any other kind of assault, it depends mostly on the knowledge and skills of the attacker. Of course there’s no point in getting paranoid and suspecting everybody, since in normal life and work there’s no time for that and in some cases it may even be regarded as unseemly by others. Nevertheless being familiar with this kind of threat gradually becomes a key element to leading a safe life and work.
– Krzysztof Wosinski (@SEINT_pl)