Types of Social Engineering

In the previous section, we came to understand what social engineering is and to understand the various psychological mechanisms that are at work in social engineering attacks.

In this next section, we will look at specific techniques that social engineers use to manipulate users into cooperating with their schemes. Human based attacks focus on misleading people in person or over the phone and often use impersonation to trick users into releasing information. Computer based attacks still target the human users of computer systems, but do so via computer based techniques such as email scams, email attachments, websites, instant messaging, etc.

Human based methods

Impersonation is one of the most common social engineering techniques and it takes many forms. Impersonation can occur in person, over the phone or on-line. There are basically seven scenarios where impersonation is used to create a successful social engineering attack:

The overly helpful help desk. A Social Engineer calls the help desk pretending to be an employee. They claim to have forgotten their password and ask the help desk to reset it or give it to them. The Social Engineer will often know names of employees in the organization he is trying to penetrate, and will have learn as much as possible about the person he is trying to impersonate. Help desks are one of the most frequent targets of social Engineering attempts for a reason. They are trained to be helpful to users and will often give out passwords or other important network information without thoroughly verifying the identity of the caller.

Third-party Authorization. The Social Engineer may have obtained the name of someone in the organization who has the authority to grant access to information. They may call the target and claim that the Superintendent, Mr. Big, requested that information be provided.

This attack is particularly effective if the attacker is aware that Mr. Big is out of town. He may say something like, “I spoke with Mr. Big late last week before he went on vacation and he said that you would be able to provide me with this information in his absence.”

Tech Support. The Social Engineer may pretend to be technical support from one of the organization’s software vendors or contractors to gain information. The attacker explains that he is troubleshooting a network problem and has narrowed the problem to a certain computer. He claims to need a user ID and password from that computer to finish tracing the problem. Unless the user has been properly educated in security practices, they will be likely give the “trouble-shooter” the information requested.

Case study:

Three weeks ago Eastern Middle School was hacked. The computer hacker posed as a system administrator for the central corporation and called an administrative assistant in the principal’s office. The conversation went something like this:

Hacker: “Hi, this is Daryl with tech support. We have had some folks in your office report slowdowns in logging in lately. Is this true?”

Clerk: “Yes, it has seemed slow lately.”

Hacker: “Well, we have moved you to a new server, so your service should be much better. If you want to give me your password, I can check your service. Things should be better for you now.”

Unfortunately, Daryl did not really work in the central office at Eastern Middle School. Daryl hacked into the school’s system; from there he found the financial system. Within one week, over 30 per cent of the teachers reported that their bank accounts had been stolen and used.

Roaming the halls. The attacker may enter the building pretending to be an contractor, client or service personnel. They will often dress in business attire or the appropriate uniform and will often be allowed to roam the halls unnoticed. They can look for passwords stuck on terminals, find important data lying on desks or overhear confidential conversations.

Repairman. Most people accept either a telephone repairman or computer technician without suspicion. Acting as a repairman or technician, the attacker can plant a snooping device or look around for hidden passwords or other critical information all the while appearing to be going through the normal activities associated with their duties.

Trusted Authority Figure. According to social engineers, a particularly effective method for in person social engineering is by posing as a trusted authority figure. For example, posing as the fire marshal, or even impersonating the superintendent over the phone.

Snail mail. Regular U.S. mail service can also be an effective means for social engineering. It is effective for the person trying to get information because it is cheap and because people tend to trust the written word. A particularly effective way to get personal information is by simulating a sweepstakes asking for personal information.

Computer based techniques

Pop-up windows. A window will appear on the screen telling the user that the network connection has been lost. The user is prompted to reenter their user name and password. A program previously installed by the intruder will then email the information back to a remote site.

Instant messaging/Internet Relay Chat. Users are directed to sites that claim to offer help or more information but are really designed to plant Trojan horse programs on their computers which the hackers later use to gain access to their computers and the networks to which they are connected.

E-Mail attachments. Programs can be hidden in email attachments that can spread viruses or cause damage to computer networks. This includes malicious software such as viruses, worms and Trojan horses. In order to entice users to open the attachments, they are given names that raise curiosity and interest. The first example of this combination of a traditional virus along with a social engineering component was the “I Love You” virus. Another recent example is the “Anna Kournikova” virus. The user assumes that by opening the attachment, they will see a picture of Anna Kournikova. This particular virus also employs another social engineering tactic – Designers of the virus attempt to hide the file extension by giving the attachment a long file name. In this case, the attachment is named AnnaKournikova.jpg.vbs. Often when displayed the name is truncated so it looks like a harmless jpeg file when it really has a .vbs extension.

Email scams. Email scams are becoming more prevalent. One recent example claims that you have won a trip to the Bahamas and requests “basic information” from the user so that the prize can be awarded. Initially they request relatively harmless information such as name, address and phone number; however, in a subsequent email, credit card information is requested in order to hold your spot on the “free” trip.

Chain Letters and Hoaxes. These nuisance emails rely on Social Engineering to continue their spread. While they do not usually cause any physical damage or loss of information, they cause a loss of productivity and also use an organization’s valuable network resources.

Websites. A common ploy is to offer something free or a chance to win a sweepstakes on a Website. To win the user must enter an email address and a password. Many employees will enter the same password that they use at work, so the Social Engineer now has a valid user name and password to enter an organization’s network.