How we change what others think, feel, believe and do
The Easier Form of Hacking: Social Engineering
Guest articles > The Easier Form of Hacking: Social Engineering
by: Stuart Gentry
When we talk about hacking, especially in today’s world, we hear the media giving us the stories of how hackers hack into a database and steal information from it, like this story. This is what the world hears about on a regular basis. How about the Stuxnet worm and Flame? Another example of malicious code hitting systems, stealing information, causing malfunctions, and the list goes on. The one thing society does not hear a lot about is how social engineering can play a huge part in hacking. In this article, we will look at how social engineering is one of the easier forms of hacking and what one can do to guard against these type of attacks.
To borrow from the world renowned hacker Kevin Mitnick in his book “Ghost in the Wires”, Mr. Mitnick utilized social engineering throughout the book. Mr. Mitnick would call telephone companies and ask for access to their networks by playing different roles, and receive them effortlessly! Even as a kid he asked a bus driver where he could buy a punch used for punching bus transfer tickets. Then, he bought a punch and found partly used blank bus transfer stubs in a dumpster to ride around San Fernando Valley for free; yet another form of social engineering. Mr. Mitnick was a professional social engineer as a kid all the way up to when he was caught.
Even today, he still performs social engineering in an ethical manner with his own penetration testing company which he talks about in the opening of “Ghost in the Wires.” Kevin Mitnick points something out to all of us: social engineering has been around for a while, and you only need to think about your surroundings and do reconnaissance on your target to figure out a way to get to information.
People say, “It would never happen to me, I wouldn’t fall for something like that.” The scary part is, technology is becoming more sophisticated to the point of where we will give money away without a second thought. For example, I heard of a situation where a woman, I’ll call Shelly, was “called” by her grandson Ralph in Brazil stating he needed money to get out of jail. Shelly said it sounded just like Ralph and she went to get the money to transfer it to the account she was given for his release. When she went to the local grocery store to accomplish the transfer, she was stopped by the clerk who asked some questions before performing the transaction; coincidentally, there had been a couple of other customers getting ready to perform a similar transaction for a loved one to the same account. Shelly could not believe it; it sounded like Ralph on the phone call. Feeling very distraught, she phoned her son Ben and asked if Ralph was there, “Yes, he’s sitting right here next to me.” Shelly was relieved, but still could not believe she was almost lured into a scam.
Shelly was fortunate the clerk questioned the transaction before it happened. She now knows the next time she receives a phone call like this, she will contact the person to verify how legitimate the phone call is. She could also have asked to get the phone number from where the call originated and called it back to verify it was legitimate, or asked the phone operator where the number originated from.
Another example of social engineering for account credentials is receiving an email with a link from a seemingly legitimate person or source (i.e. Bank of America). The email states you need to verify your credentials for your account and to click on the link which typically takes the user to a website that looks exactly like the website the user would see for their bank. However, if one were to look closer, it is not their bank’s website, but has a very close resemblance to it. Something as simple as www.bankof america.com could actually be www.bank0famerica.com; the only difference between URLs being the zero (0) in the “of” on the second URL. The reality is, people don’t look that close at the URL and I don’t blame them; however, the thought should cross a person’s mind to try calling the banking institution or individual to verify they really need this kind of information – they should not.
At some companies, employees are required to wear a badge, and if there is classified information behind closed doors, a personal identification number (PIN) may be required as well. In these situations, if the social engineer knows someone behind the door, they can always wait for someone with access to use their badge and say, “Hi, I’m Jane Doe and I’m doing business in there with Sam Smith, but I don’t have my badge with me today; can you let me through? It’s just this once.” Most people that I have witnessed will just let the person through the door without a second thought to help them out; they won’t even follow Jane Doe to her destination to ensure Sam Smith knows her…this can be a mistake. Of course, if no one questions Jane Doe while she is in the area, no one is the wiser for letting her go about her business. However, if the person badging through states, “Let me find Sam Smith, I know where he sits, and I will have him come get you.” This will likely case Jane Doe to think twice, and there is a good chance Jane Doe will not be there when Sam Smith goes to the door wondering who she is.
Another example of badge entry is one Mr. Mitnick utilized in his book where he searched the Internet to find the company’s website he was doing a penetration test for. Mr. Mitnick copied the company’s logo to make a very similar looking badge to the one worn by the employees. Utilizing his badge, he waited for the smokers to head in from their break. He went up tailgate the last smoker going inside, presented his badge, and was inside the building. The person looking at his badge did not really look up close; had he done so, Mr. Mitnick may not have gained access to the building.
An excellent way to social engineer and gain access to potentially valuable information is via USB thumbdrive. I’ve heard of a situation where a person wanted to get access to information from a company and just left USB drives around in the parking lot. Why? Inevitably, a na´ve employee of the company will pick it up and want to know what is on the drive or who it belongs to. So, they decide to plug it into a company computer to look…voila, malicious code inserted and, if no HIDS or HIPS or antivirus detects anything; the person could have more than just one computer! They could own the network! If this happens to an employee, they should at least take the device to their security personnel and report what happened.
Social engineering is ever present on social media such as Facebook. People LOVE Facebook to the point of letting everyone know, “Going to Mom’s for the weekend! See you tonight Mom!” A person doesn’t even have to ask when they are going to be out of town or when they are leaving. Perfect opportunity to do some snooping around the house, try breaking in, etc. One other thing to notice, most people do not lock down their accounts, so you can peruse their friends and friends of friends, etc. to determine the ultimate target. Use a search engine such as Google to identify who they really are, such as CEO of a company (if they haven’t already posted that on their Facebook profile); find out their interests and hobbies; and potentially steal their identity.
People would say that no one would go to that length to get money from someone; you’d be surprised at how easy it can be as pointed out by the website http://blog.uspystore.com/2012/01/12/seven-easy-steps-to-steal-someones-identity/. Lesson on this one is do not tell the world you are leaving town for the weekend (or whenever); ensure your account is locked down to where only your friends can see your posts and tell your friends to lock down their accounts too for the same reason. Another security feature to consider enabling (under account settings from the drop down arrow, then select Security to the left hand side, and menu will drop down in the middle) is the Recognized Devices setting which allows you to restrict access to the account from only a specified computer(s) vs. from any computer…if a hacker gets your credentials, they can log on from anywhere and do whatever they want to your account. If a user clicks on the down arrow to the right of the home button and clicks on Help, Facebook actually provides valuable information on account settings for security and privacy settings.
I actually had an instance of social engineering for money happen to me a while back. I was trying to sell items on Craigslist and put pictures out for people to look at them. I would let them email me and then I would send my phone number to them if they were interested in an item. I had an item listed for about two weeks with no hits, then I finally got one. The person said they were interested, so I sent my phone number and said to call me to discuss looking at the item. The response was something to the effect of if you send the item to this state (California, I believe), I will send you the money once it is received…yes, OK, not going to happen. No, I did not respond, and coincidentally, neither did the other person (surprise).
Another instance of potential social engineering that I encountered comes from, in my opinion, small state/town mentality. I was staying at a hotel for a couple of days and went down to the bar one night to have an adult beverage. I paid for the beverage in cash, drank it, and went back to my room. Later when I returned from my trip, I was filing a voucher to cover trip expenses and looked at the hotel receipt. The receipt had a $20 charge for the hotel bar. Confused, I called the hotel and explained the situation; fortunately, they said they had mistakenly charged my room for a drink from another customer in another room. My coworker stayed at the same hotel and I explained what happened to which he responded, “Oh yeah, at the bar, all you needed to do is tell them your room number and they will charge it to the room.” So, if I were the social engineering type, I could have just watched someone go to their room, then ordered a drink and charged it to that room…how far I could go before the bartender said something or asked for my room number, who knows.
A more network savvy way of social engineering is utilizing applications like Wireshark to monitor a person’s wireless network activity. Observing the websites they visit and anything unencrypted can give clues to their interests and hobbies. This could give a social engineer enough information to spam an email or contact the person via phone and follow up with an email. Again, another potential entry way into the person’s computer and/or network. However, with some encryption on the wireless router and a good password, as well as password protecting the router’s administrative access, can divert the social engineer to another unprotected wireless network.
One final example of social engineering comes from the book, “Spies Among Us” by Ira Winkler. Mr. Winkler and his assistant were hired to do a penetration test for a nuclear power plant. In this account, Mr. Winkler and his assistant were able to obtain badges from the front desk of the headquarters facility without anyone verifying who they were or who signing off on the paper work for their badges. Then, they traveled to the actual nuclear reactors facility where, once inside the nuclear reactors facility, Mr. Winkler’s assistant plugged into the network and downloaded billions of dollars worth of nuclear information utilizing server names which Mr. Winkler obtained with a little more social engineering.
In summary, there are numerous ways to social engineer people including
dressing and talking like company personnel. All workers should be schooled in
how they can protect the company assets from being stolen by a slip of the
tongue, giving into emotion, or feeling like they do not have the time to check
a person out before giving them access or information. Now, granted we are all
human and make mistakes, especially in the fast paced world we live in today.
However, just caring and thinking about what one is doing can be enough to ask
the person on the phone, “You want Mr. Doe? May I ask who is calling and get a
number to have him call you back at?” Asking these questions could be enough to
deter the social engineer to look for a different target.
Stuart Gentry is an InfoSec Institute contributor and computer security enthusiast/researcher. He holds a Master's degree in Information Assurance with GSEC and GCIH certifications. He has been interested in hacking since 1984 and has become more focused in software reverse engineering and malware research since September 2011. Stuart is always looking to learn new coding languages and exploitation methods. Contact Stuart via email at firstname.lastname@example.org or LinkedIn at www.linkedin.com/in/stuartgentry.
Contributor: Stuart Gentry
Published here on: 27-Jan-13
And the big